Hello! Is there any way to configure tailscale to always connect peers without any relay (which is almost useless because it's so slow)?
Tailscaled uses the DERP relays to coordinate making a direct connection, but always tries to make a direct connection. There isn’t something to be configured to tell it to do so. It will fall back to the DERP relay if it cannot find a direct path.
To make direct connections we need one side of the connection to know a UDP port number which will make it from the Internet back through its NAT firewall and be delivered. We can accomplish this in one of a few ways:
- if one side of the connection uses “easy NAT”, where the rewritten source UDP port is always the same no matter what destination we send to. We figure this out by sending packets to our own DERP servers, and checking if they all see the same source port. By contrast, “hard NAT” is where the UDP source port is different for every destination. The NAT Gateway is hard NAT.
- if one side of the connection has a protocol available to ask its firewall to open a port: UPnP, NAT-PMP, or PCP. Cloud providers never do, but many residential routers do.
- if one side of the connection manually configures a known UDP port number to ingress through the firewall. By default we use port 41641, though tailscaled can be started with a --port=N argument.
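A simulated version of the easy/hard NAT check described above, as an added Go example that is not Tailscale's own netcheck code; the NAT port-mapping behaviour and the DERP server names are constructed for illustration:

```go
package main

import "fmt"

// NATKind captures the distinction made above: an "easy" NAT keeps one public
// source port for every destination, a "hard" NAT picks a port per destination.
type NATKind int

const (
	EasyNAT NATKind = iota
	HardNAT
)

// Probe models what a DERP server would see as the public UDP source port for
// a packet sent from internal port src. Constructed model, not real NAT code.
func Probe(kind NATKind, src int, derp string) int {
	if kind == EasyNAT {
		return 20000 + src%10000 // endpoint-independent mapping
	}
	sum := src
	for i := 0; i < len(derp); i++ {
		sum += int(derp[i]) // endpoint-dependent mapping: port depends on peer
	}
	return 20000 + sum%10000
}

// LooksEasy applies the test from the post: probe every DERP server and check
// that they all observe the same source port. Returns that port, or -1.
func LooksEasy(kind NATKind, src int, derps []string) (bool, int) {
	seen := -1
	for _, d := range derps {
		p := Probe(kind, src, d)
		if seen == -1 {
			seen = p
		} else if p != seen {
			return false, -1
		}
	}
	return seen != -1, seen
}

// CanDirect summarises the three routes to a direct path listed above: easy
// NAT on either side, a port-mapping protocol, or a manually forwarded port.
func CanDirect(aEasy, bEasy, portMap, fixedPort bool) bool {
	return aEasy || bEasy || portMap || fixedPort
}

func main() {
	derps := []string{"derp1.example", "derp2.example", "derp3.example"}
	easy, port := LooksEasy(EasyNAT, 41641, derps)
	fmt.Println("easy NAT detected:", easy, "public port:", port)
	easy, _ = LooksEasy(HardNAT, 41641, derps)
	fmt.Println("hard NAT looks easy:", easy)
}
```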
Thank you for the detailed explanation. I do have both sides configured correctly so that they usually end up with a direct connection. However, sometimes one client might have network route changes and the direct connection might be broken for a short period of time. Then tailscale chooses to use the relay. Once the client’s network gets back to normal, tailscale still uses relay mode unless I manually do tailscale down and up.
Is there a way to make tailscale detect the possibility of a direct connection more frequently?