BUG - Windows Clients 2019/10 and Newer use DERP only

Hello,

I have an ongoing ticket with Tailscale support that seems to have grown cold. Sometime in the past couple of weeks, I believe, some change happened in the backend that resulted in Windows clients routing via DERP relays (producing ~150 ms latency) rather than making direct connections to other nodes. These relays do not necessarily make sense (some of my nodes are routing through Honolulu despite it being ~100 ms away while SFO, SEA and LAX are all sub-20 ms). After a not-small amount of troubleshooting I’ve figured out the following:

Windows → Windows - Ping will route via DERP
Windows → Linux - DERP (unless Server 2016 or older, then direct connect)
Windows → macOS - DERP

Linux → Linux - Direct Connect
Linux → macOS - Direct Connect
Linux → Windows - DERP

macOS → macOS - Unknown, I only have a single macOS device online in my tailnet currently
macOS → Linux - Direct Connect
macOS → Windows - DERP

Notes:

  • All devices tested were running either 1.38.3 or 1.38.4
  • Our environment is almost exclusively tagged devices, for which ACLs are properly configured (and do not differentiate between OS)
  • Windows firewall and Webroot (our only AV) were disabled for these tests.
  • All devices are on the same LAN (though different subnets in some cases) and can ping each other directly outside of Tailscale on their local IP addresses.
  • Sophos XG firewall rules have been built per the documentation at “What firewall ports should I open to use Tailscale?” (see attachment)
  • This issue is causing major problems for throughput in our environment. Our file server is transferring at rates of less than 1 Mbit/s on DERP connections, which is how this came to our attention to begin with.
  • I’ve received less than one message a day on average on this ticket despite being very responsive myself and I’m getting pretty frustrated at the lack of communication. I’ve even sent my Calendly link so that they could schedule time themselves for us to connect.
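The direct-vs-DERP matrix above is built by hand from `tailscale ping` runs; the following script (an added example, not part of the original post or Tailscale's own tooling) builds the same per-OS breakdown from `tailscale status --json`, using its `Peer`, `Active`, `OS`, `Relay` and `CurAddr` fields. The embedded status document is constructed sample data; hostnames, node keys and the DERP region codes in it are made up.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `tailscale status --json` (only the fields used here).
# "Relay" is the peer's home DERP region code and is present even when the path is direct;
# "CurAddr" is non-empty only when a direct path is currently in use.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "fileserver01", "OS": "windows"},
    "Peer": {
        "nodekey:aaaa": {"HostName": "win-ws-1", "OS": "windows", "Active": True,
                         "Relay": "hnl", "CurAddr": ""},
        "nodekey:bbbb": {"HostName": "lnx-db-1", "OS": "linux", "Active": True,
                         "Relay": "sea", "CurAddr": "10.20.0.15:41641"},
        "nodekey:cccc": {"HostName": "mac-1", "OS": "macOS", "Active": True,
                         "Relay": "sfo", "CurAddr": ""},
        "nodekey:dddd": {"HostName": "idle-box", "OS": "linux", "Active": False,
                         "Relay": "sea", "CurAddr": ""},
    },
})


def peer_paths(status_json: str) -> list[dict]:
    """One record per active peer: hostname, OS, path ('direct'/'derp') and endpoint or region."""
    status = json.loads(status_json)
    records = []
    for peer in status.get("Peer", {}).values():
        if not peer.get("Active"):
            continue  # no traffic yet, so no path has been chosen; don't count it as relayed
        direct = bool(peer.get("CurAddr"))
        records.append({
            "host": peer.get("HostName", "?"),
            "os": peer.get("OS", "unknown"),
            "path": "direct" if direct else "derp",
            "via": peer["CurAddr"] if direct else (peer.get("Relay") or "unknown"),
        })
    return records


def summarize_by_os(status_json: str) -> dict[str, dict[str, int]]:
    """Count direct vs DERP paths per peer OS, the same matrix the post builds by hand."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: {"direct": 0, "derp": 0})
    for rec in peer_paths(status_json):
        counts[rec["os"]][rec["path"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Pipe real output in with `tailscale status --json | python3 derp_paths.py`; otherwise use the sample.
    data = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for rec in peer_paths(data):
        print(f"{rec['host']:<14}{rec['os']:<9}{rec['path']:<7}{rec['via']}")
    print(summarize_by_os(data))
```

Running it on each node in turn gives the same OS-pair matrix as the post without repeating `tailscale ping` by hand, and a peer that stays on `derp` for minutes while `Active` is true is the case worth attaching to the ticket.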