Avoiding DERP on cell network

Tailscale version
iOS 14.6 - 1.12.3
Windows Server 2019 - 1.12.3


I’m looking at replacing my OpenVPN server with Tailscale and love the general feature set. One of my main use cases is making my BlueIris instance available to specific mobile devices off network and so far that only works over DERP (confirmed by looking at current connections at the firewall - the server is only communicating with derp4e.tailscale.com).

My understanding is the carrier is putting the iPhone behind an IPv4 NAT but not IPv6. My home router gets both an IPv4 as well as an IPv6 address. The BlueIris server itself does NOT have an IPv6 address.

Is there any way I’m missing I can avoid getting the phone to use DERP to connect to the server?
I understand I could:

  • forward a port to the BlueIris server (confirmed to be working)
  • set up an exit node (?) with port forwarding that would serve my network and/or defined servers (instead of installing it on each individual machine)

I’m not too happy with either solution for various reasons. Is there any configuration piece that I’m missing?


Regarding the router within the home:

  • The Tailscale client can use NAT-PMP to ask a local router to open a port through the firewall, allowing direct connections to be made.
  • Tailscale 1.12.1 added UPnP, an older but still widespread protocol, to add another way to get direct connections through firewalls. 1.12.3, the current release, fixed an issue in UPnP that prevented it from working in a number of scenarios.
  • Tailscale 1.14 will add PCP, a newer iteration of NAT-PMP which is not that widely adopted so far but nonetheless should incrementally help. You can get PCP support today by running a 1.13.x unstable image: https://pkgs.tailscale.com/unstable/

This can be seen in the output of tailscale netcheck:

linux# tailscale netcheck

        * UDP: true
        * IPv4: yes, w.x.y.z:38434
        * IPv6: no
        * MappingVariesByDestIP: true
        * HairPinning: false
        * PortMapping: UPnP, NAT-PMP, PCP
        * Nearest DERP: San Francisco
        * DERP latency:
                - sfo: 14.5ms  (San Francisco)
                - sea: 29.4ms  (Seattle)
                - dfw: 56.2ms  (Dallas)
                - nyc: 81.3ms  (New York City)
                - tok: 118.4ms (Tokyo)
                - lhr: 152.3ms (London)
                - fra: 167.3ms (Frankfurt)
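An added example, not part of the reply above and not Tailscale's own code: a small parser for the text form of the netcheck output shown in that post, which turns the fields relevant to direct connections into a verdict. The function names and the verdict rules are assumptions made for illustration, and they describe only the node the report was taken on.

```python
import re

# Constructed sample: the first lines of the netcheck output quoted above
# (w.x.y.z is the placeholder address used in that post).
SAMPLE = """\
        * UDP: true
        * IPv4: yes, w.x.y.z:38434
        * IPv6: no
        * MappingVariesByDestIP: true
        * HairPinning: false
        * PortMapping: UPnP, NAT-PMP, PCP
        * Nearest DERP: San Francisco
        * DERP latency:
                - sfo: 14.5ms  (San Francisco)
                - sea: 29.4ms  (Seattle)
"""

def parse_netcheck(text):
    """Parse the '* key: value' lines and the '- region: N ms' latency list."""
    report = {"derp_latency_ms": {}}
    for line in text.splitlines():
        field = re.match(r"\s*\*\s*([^:]+):\s*(.*)$", line)
        if field:
            report[field.group(1).strip()] = field.group(2).strip()
            continue
        latency = re.match(r"\s*-\s*(\w+):\s*([\d.]+)ms", line)
        if latency:
            report["derp_latency_ms"][latency.group(1)] = float(latency.group(2))
    return report

def assess(report):
    """Heuristic verdict (assumed rules) for this node only; the peer's NAT matters too."""
    portmap = [p.strip() for p in report.get("PortMapping", "").split(",") if p.strip()]
    if report.get("UDP") != "true":
        return "relay-only", "UDP is blocked, so traffic can only go via DERP"
    if portmap:
        return "direct-likely", "router offers port mapping: " + ", ".join(portmap)
    if report.get("MappingVariesByDestIP") == "true":
        return "direct-uncertain", "NAT mapping varies by destination and no port mapping is offered"
    return "direct-likely", "NAT mapping is stable across destinations"

if __name__ == "__main__":
    parsed = parse_netcheck(SAMPLE)
    print(assess(parsed))
    print("lowest-latency DERP:", min(parsed["derp_latency_ms"], key=parsed["derp_latency_ms"].get))
```
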

Thank you. Looks like both my current firewall and the one I’m eyeing (Untangle, VyOS) only support UPnP, but that’s at least a start.

Just also realized two things:
a) I can manually pick a different port on Linux and forward accordingly (confirmed works!) so I can run multiple Tailscale instances
b) I could also probably just forward different outside ports to the same 41641 port on different machines with the same result, now that I think about it…
EDIT: Okay, that didn’t work. Had to make sure the forwarded port number is equal to the one the Tailscale service is running on? I.e. 41643 to 41641 still used DERP, 41643 to 41643 works as expected. Or I messed up the test somehow.