Getting a 'relayed' connection

I have 2 accounts with Tailscale. 1 free personal account, and one for the company I work with.

On the company account I have a subnet router in the ‘office’, and a client at home. This connects directly.

On the personal account, I have a subnet router running on my EdgeRouter 4 at home, and a client at the ‘office’. This one connects through a relay no matter what I do.

I don’t get it. Why does one connect direct, and the other through a relay? The personal account has always connected through a relay, even before I had the company account.

Things to note: I am using T-Mobile home internet at ‘home’, which is behind CGNAT, then that is connected to my EdgeRouter. The office is fiber with static IPs.

Since these 2 networks are literally the same networks, I don’t get it. The ONLY difference is what side the subnet router is on. Anyone have any idea where to start troubleshooting this?

The difference is likely to be that the office subnet router is set up properly to work with the router they have there. It’s important to note that unless you’re in charge you really should be talking to the network guys there - I wouldn’t take kindly to a VPN running out of my office net to someone’s home.
Assuming it’s all done officially, the subnet router in the office probably has a static NAT translation that makes the difference compared to a standard client which could be jumping around between ports and even IP addresses externally.

T-Mobile and CGNAT, to me, just screams ‘not going to happen’ - you’ll be relying on the port forwarding on the other side to make that happy, and if that’s not there then you’re out of luck.

I am the guy in charge.

There is nothing special set up for the office. I am running a subnet router internally, but no static NAT is set up for Tailscale on either side.

I agree that CGNAT would seem to need a relay, but since it is working for one connection, I can’t figure out why it isn’t working for the other. Ultimately, it’s just a connection between 2 PCs in either case.

Is the office router/NAT using ‘symmetric’ NAT?
I think these kinds of routers have issues with some VPNs (tested with ZeroTier as well), especially if the ‘routing’ device is in the internal network. Is it possible to install Tailscale on the router itself and make it a subnet router? I am using pfSense and setting up Tailscale on the router was quite easy.

But honestly speaking, even after setting up Tailscale on the router, some connections (on somewhat rare occasions) still went through a relay.

It’s installed on my Ubiquiti router at home, which is the only account that matters in this case.

It is not (from what I can tell) Symmetric NAT.

If it is a Ubiquiti EdgeRouter running EdgeOS, then it is symmetric NAT.
Confirmed by their own staff -

However, I think one of our clients was using an EdgeRouter and Tailscale did work quite well. I remember them installing it on the EdgeRouter as well. Don’t recall them complaining about going through relays. With that said, I think the issue more than likely hails from your office NAT instead.

Both sides of the connection use the EdgeRouter; however, my home is the only one that is running Tailscale on the router that is logged into Tailscale with the account with issues.

[Working Scenario]:
PC at home behind CGNAT running Tailscale logged into the work tailscale account connected to the office subnet router (a VM hosted on our internal network). Office network has a static IP with Fiber connection to the internet. This scenario has a Direct connection between the home PC and the office subnet router.

[Relayed Scenario]
Router at home behind CGNAT running Tailscale logged into the personal free account connected to a PC in our office running Tailscale logged into my personal free account. This results in a relayed connection between my router at home and the PC at the office.

What is confusing, is that the Tailscale docs say that as long as 1 side can connect, then it will be a direct connection. I still don’t understand why 1 scenario works, and the other doesn’t. Ultimately, all connections are just end points in the same 2 networks.

It’s not a huge deal, I just figured if there was some way to make it work, I would look into it. I don’t really use the free account much for anything right now anyways.

On the one with the issue, you can test by forwarding the UDP port (41641) to the PC at the office to see whether this results in a direct connection. If it works, it is most likely a NAT issue.

That did work. Thanks!
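An added illustration, not written by anyone in this thread and not Tailscale's code, of why forwarding UDP 41641 on one side can turn the relayed path into a direct one. It is a toy model that assumes both NATs use per-destination port mapping (symmetric or "hard" NAT) with strict inbound filtering; the class, function names and addresses are constructed for the example.

```python
import itertools

STUN = ("198.51.100.1", 3478)  # constructed address standing in for a STUN server

class Nat:
    """Toy NAT with strict (address-and-port) inbound filtering."""
    def __init__(self, public_ip, hard, forwarded_port=None):
        self.public_ip, self.hard = public_ip, hard
        self.forwarded_port = forwarded_port  # static UDP forward to the inside host
        self._next = itertools.count(50000)
        self._map = {}         # destination (or "any") -> external source port
        self._allowed = set()  # (external port, remote endpoint) opened by outbound packets

    def send(self, dst):
        """Inside host sends to dst; return the source endpoint that dst sees."""
        key = dst if self.hard else "any"  # hard NAT: a new port per destination
        if key not in self._map:
            self._map[key] = next(self._next)
        self._allowed.add((self._map[key], dst))
        return (self.public_ip, self._map[key])

    def accepts(self, ext_port, src):
        """Would a packet from src to ext_port be passed to the inside host?"""
        return ext_port == self.forwarded_port or (ext_port, src) in self._allowed

def advertised(nat):
    """Endpoint the peer publishes: the forwarded port if set, else what STUN saw."""
    stun_view = nat.send(STUN)
    return (nat.public_ip, nat.forwarded_port) if nat.forwarded_port else stun_view

def path(a, b):
    """Both peers probe each other's advertised endpoint; one full round trip = direct."""
    ep_a, ep_b = advertised(a), advertised(b)
    src_a, src_b = a.send(ep_b), b.send(ep_a)
    # A probe counts only if it is let in and the reply is let back in at the sender's NAT.
    a_ok = b.accepts(ep_b[1], src_a) and a.accepts(src_a[1], ep_b)
    b_ok = a.accepts(ep_a[1], src_b) and b.accepts(src_b[1], ep_a)
    return "direct" if (a_ok or b_ok) else "relay"

if __name__ == "__main__":
    home, office = "203.0.113.10", "192.0.2.20"  # constructed documentation addresses
    print(path(Nat(home, True), Nat(office, True)))
    print(path(Nat(home, True), Nat(office, True, forwarded_port=41641)))
```

In this model the endpoint each hard NAT learns from STUN is never the one it uses toward the peer, so neither probe lands; the forward gives one side a fixed endpoint that the other side's outbound packet can reach. Real clients also try port probing and port-mapping protocols, which the model leaves out.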

That assertion in the Tailscale docs does not seem to check out. Other people and I regularly experience DERP-relayed connections between a machine with PCP and/or NAT-PMP available and one on a NATed VM in GCP or Azure.

Yes, sometimes even intermittently.
I have one user that reported slow performance and seems that it was being relayed in status.
A quick disconnect and connect and it is back to direct.
From what I know, he is using a very basic ISP provided router.

Yeah, I have found that if I reboot my modem or router, I go to relay. It won’t recover on its own. But I can easily manually fix it.

Is it possible for us to self host a DERP relay ourselves?
Might be good for those who often find themselves connected via the relay to get ‘relayed’ from server located nearby (assuming that there is no Tailscale relay located nearby) for better performance.

From the ZeroTier documentation, it seems that users can self host their own ‘moons’.


Source: Search Tailscale docs for “self-host derp relay”. First result is “DERP Servers,” which states:

Generally, you don’t need to customize Tailscale DERP servers. However, in addition to or instead of using the Tailscale DERP servers, you can run your own custom DERP servers.

So it appears that something has been changed/fixed on the Tailscale side as I am no longer getting a relayed connection from either setup.