diff --git a/hscontrol/types/node.go b/hscontrol/types/node.go
index 50b9b049..c6429669 100644
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -319,9 +319,16 @@ func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {
 			return true
 		}
 
+		// Check if the node has access to routes that might be part of a
+		// smaller subnet that is served from node2 as a subnet router.
 		if matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...) {
 			return true
 		}
+
+		// If the dst is "the internet" and node2 is an exit node, allow access.
+		if matcher.DestsIsTheInternet() && node2.IsExitNode() {
+			return true
+		}
 	}
 
 	return false