diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index c6d9c3f..f820f69 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -75,7 +75,10 @@
 pipewire.enable = true;
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };
 services = {
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index 0cb891b..0e4191b 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -133,7 +133,7 @@ in {
 tailscale = {
 enable = true;
- exitNode = true;
+ useRoutingFeatures = "server";
 };
 transmission = {
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
index f5cf2e4..5d4cced 100644
--- a/hosts/hephaestus/default.nix
+++ b/hosts/hephaestus/default.nix
@@ -49,7 +49,11 @@
 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
 pipewire.enable = true;
 restic-backup = {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
index 5a6711d..15cf5ce 100644
--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
@@ -28,7 +28,10 @@ in {
 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };
 services = {
diff --git a/services/tailscale.nix b/services/tailscale.nix
index 41fe9f8..b963b94 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
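Review bot: `useRoutingFeatures = "both";` on boreal (and the same value in the thanatos hunk further down) enables the server side as well as the client side, which, as far as I can tell from the upstream NixOS module, turns on IPv4/IPv6 forwarding for the whole host rather than only for the Tailscale interface. If these two machines only consume exit nodes or subnet routes instead of offering them, `useRoutingFeatures = "client";` is the narrower setting; hades, which was the declared exit node before this change, correctly gets `"server"`. If they are genuinely meant to forward for other peers, a one-line comment next to the value would save the next reader the same question, e.g. `# "both": this host also forwards traffic for other tailnet peers`.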
@@ -8,34 +8,30 @@
 (lib)
 mkEnableOption
 mkIf
+ mkOption
+ types
 ;
 cfg = config.my.services.tailscale;
 in {
 options.my.services.tailscale = {
 enable = mkEnableOption "Tailscale";
-
- # NOTE: still have to do `tailscale up --advertise-exit-node`
- exitNode = mkEnableOption "Use as exit node";
+ useRoutingFeatures = mkOption {
+ type = types.enum ["none" "client" "server" "both"];
+ default = "none";
+ };
 };
 config = mkIf cfg.enable {
 services.tailscale = {
 enable = true;
 package = pkgs.tailscale;
+ openFirewall = true;
+ useRoutingFeatures = cfg.useRoutingFeatures;
 };
 networking.firewall = {
- trustedInterfaces = ["tailscale0"];
- allowedUDPPorts = [config.services.tailscale.port];
- # needed for exit node usage
- checkReversePath = mkIf (!cfg.exitNode) "loose";
- };
-
- # enable IP forwarding to use as exit node
- boot.kernel.sysctl = mkIf cfg.exitNode {
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.ip_forward" = true;
+ trustedInterfaces = [config.services.tailscale.interfaceName];
 };
 };
 }
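Review bot: The new `useRoutingFeatures` option under `options.my.services.tailscale` has no `description`, and the removed NOTE about `tailscale up --advertise-exit-node` was the only place saying that the setting prepares the host but does not advertise anything by itself. I would put that back on the option so it survives this refactor, e.g. `description = "Passed to services.tailscale.useRoutingFeatures; \"server\"/\"both\" enable host-wide IP forwarding, and routes still have to be advertised with tailscale up and approved on the tailnet.";`. From my reading of the upstream module (confirm against the pinned nixpkgs), it sets the forwarding sysctls for server/both and `checkReversePath = "loose"` for client/both, so it covers what the deleted `exitNode`-conditional `boot.kernel.sysctl` and `checkReversePath` lines did, but forwarding is now switched on for every host that picks server/both rather than the single exit node. `openFirewall = true;` reopens `config.services.tailscale.port` on all interfaces, which matches the removed `allowedUDPPorts` line, so no change in exposure there.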