diff --git a/services/tailscale.nix b/services/tailscale.nix
index ff3a4b1..41fe9f8 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
@@ -28,6 +28,8 @@ in {
     networking.firewall = {
       trustedInterfaces = ["tailscale0"];
       allowedUDPPorts = [config.services.tailscale.port];
+      # needed for exit node usage
+      checkReversePath = mkIf (!cfg.exitNode) "loose";
     };
 
     # enable IP forwarding to use as exit node