Configure my routers to allow direct connections with Tailscale?

Tailscale version: 1.16.2
Your operating system & version: Fedora 35 & Ubuntu Server 20.04

Just started using Tailscale and it’s magical already. My setup is a bit convoluted, but here goes…

My apartment ISP does not allow port forwarding of any kind and the only IP addresses you can get are in the private range. They require you to register any new devices, so I use my own router (Router A) to avoid that.

I’m starting to self-host some things that I want to access remotely. My server is sitting behind a separate router (Router B). So, the WAN ports of Routers A & B are both on the same ISP private subnet.

Clients (Tailscale) <-> Router A (WAN 172.16.25.201) <-> ISP private subnet (172.16.25.0/24) <-> Router B (WAN 172.16.25.200) <-> Server (Tailscale)

My hope was that Tailscale would be able to perform some of that NAT traversal magic to form a direct connection between my clients behind Router A and my server behind Router B. However, the status command indicates that traffic is going through a DERP relay. I understand that this will likely be required when I’m accessing my server from a different location, but I was hoping a direct connection would be possible when I’m at home.

Since I control both Router A & B, is there anything I can configure to allow Tailscale to form a direct connection between the two?

“easy NAT” == tailscaled sends a UDP packet with source port 41641, which the NAT router rewrites to be the same port on its public side every time. tailscaled figures this out by sending UDP packets to a number of DERP servers and checking if they all report seeing the same port number.

“hard NAT” == every destination gets rewritten to a different port number.

Direct connections can’t be established if both sides are hard NAT. Neither side of the connection can determine what port number to send to the other side. This appears to be the situation you are in: Router A and B are both hard NAT.

If one of the routers supports a way to open a port, like UPnP, NAT-PMP, or PCP, tailscaled will use it. Since you say no port forwarding, I guess this isn’t workable.

Alternately, if you can configure one of Router A or B to not do any rewriting, just pass the port through, I think that will be enough. The other side will know it should try to send to port 12345, and the router passes it straight through.

If you do the passthrough, there is a RandomizeClientPort setting in the ACL file which can help. It will ensure that each client has a different port number instead of all using 41641.

{
  "RandomizeClientPort": true,

  // Access control lists.
  "ACLs": [
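The easy/hard classification and the "both sides hard NAT" failure described in the reply above, modelled as an added example (not Tailscale's code; the DERP server names and public port numbers are constructed). A toy router rewrites the UDP source port either endpoint-independently (easy), per destination (hard), or not at all (the passthrough option suggested for Router A or B); probing several servers reveals which, and the hole-punch simulation shows why two hard NATs cannot reach each other directly while one easy or passthrough side is enough:

```python
"""Toy model of easy / hard NAT detection and of whether a direct UDP
path can be punched between two NATed peers. Added example; not
Tailscale's code. Server names and port numbers are constructed."""
import itertools

DEFAULT_PORT = 41641                              # tailscaled's default UDP port
DERP_SERVERS = ("derp-1", "derp-2", "derp-3")     # constructed names, not real hosts


class ToyNat:
    """Models one router's UDP source-port rewriting.

    mode 'easy'        - endpoint-independent: one public port per local port
    mode 'hard'        - endpoint-dependent: a fresh public port per destination
    mode 'passthrough' - no rewriting at all
    """

    def __init__(self, mode, first_public_port=20000):
        if mode not in ("easy", "hard", "passthrough"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.mode = mode
        self._mappings = {}
        self._next_port = itertools.count(first_public_port)

    def public_port(self, local_port, dst):
        """Public source port a packet from local_port towards dst leaves
        the router with, allocating a new mapping on first use."""
        if self.mode == "passthrough":
            return local_port
        key = local_port if self.mode == "easy" else (local_port, dst)
        if key not in self._mappings:
            self._mappings[key] = next(self._next_port)
        return self._mappings[key]


def probe(nat, local_port=DEFAULT_PORT, servers=DERP_SERVERS):
    """Send one probe per server; each reports the source port it saw."""
    return {server: nat.public_port(local_port, server) for server in servers}


def classify(reports):
    """'easy' if every server saw the same port, otherwise 'hard'."""
    if len(reports) < 2:
        raise ValueError("need reports from at least two servers")
    return "easy" if len(set(reports.values())) == 1 else "hard"


def advertised_port(nat, local_port=DEFAULT_PORT):
    """Port this peer tells the other side to use: the port the first
    probe reported. Behind a hard NAT this is only a guess."""
    return next(iter(probe(nat, local_port).values()))


def direct_path_possible(nat_a, nat_b, port_a=DEFAULT_PORT, port_b=DEFAULT_PORT):
    """Simulate the hole punch. Each side sends to the other's advertised
    port. A packet passes the far NAT only when the mapping that NAT
    created for its own peer's outbound traffic uses exactly that port.
    One successful direction is enough: the receiver then learns the real
    source port from the packet that arrived."""
    adv_a = advertised_port(nat_a, port_a)
    adv_b = advertised_port(nat_b, port_b)
    a_reaches_b = nat_b.public_port(port_b, "peer-a") == adv_b
    b_reaches_a = nat_a.public_port(port_a, "peer-b") == adv_a
    return a_reaches_b or b_reaches_a


if __name__ == "__main__":
    for a, b in [("hard", "hard"), ("easy", "hard"), ("hard", "passthrough")]:
        nat_a, nat_b = ToyNat(a), ToyNat(b)
        print(f"Router A {a:<11} Router B {b:<11} "
              f"direct={direct_path_possible(nat_a, nat_b)}")
```

Run it and the first row (both routers hard) comes out `direct=False`, matching the DERP-relayed status in the thread; flipping either side to easy or passthrough makes a direct path possible. The `port_a`/`port_b` parameters exist so you can also see why RandomizeClientPort matters with passthrough: two clients behind the same non-rewriting router would otherwise both present 41641.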

Thanks. Just to clarify, Router A & B are both fully controlled by me. Their WAN connections are both in the LAN provided by my ISP from the Ethernet jacks in the wall. It’s a weird setup I know. My ISP just doesn’t allow port forwarding from the public Internet, which is why I’m using Tailscale to remotely access my server.

I will try your suggestions and report back. Might just move Router B to be behind Router A instead, so that way there’s just one NAT for Tailscale to deal with locally. The whole purpose of Router B is to isolate my server from everything on my home network, so I suppose it could fulfill that purpose just as well from behind Router A. Don’t have the funds to purchase VLAN capable gear right now, unfortunately.

Neither UPnP nor forwarding UDP port 41641 allowed a direct connection. Ended up putting Router B behind Router A, which does allow a direct connection.