We have a tailscale router in our network. Port forwarding ensures connections are direct from the outside world. No issues there.
We have a NAS though that we need to share with third parties. If we share it though it goes through a relay.
Can we specify a port for Tailscale on a specific node to listen on to forward direct tailscale traffic to?
tailscaled takes a --port=12345 argument, is that what you mean?
Does it?
flag provided but not defined: -port
So the issue is that I can’t provide a direct connection to a machine within a subnet behind a NAT that already has tail scale. It’s I assume hitting the subnet router (router) when I need to guide connections toward a second tailscale device within the subnet that isn’t the subnet router.
I believe you were running the tailscale CLI command. The --port argument is for tailscaled:
$ tailscaled --help
Usage of tailscaled:
...
-port value
UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select (default 0)
You will likely need to use systemctl edit tailscaled to provide extra arguments to tailscaled.
Is that available on Windows? This is a Win Server 2022 file server.
The tailscaled binary on Windows does support using an alternate port. I don’t understand well enough how it gets started as a Windows Service to know where one could add arguments to it.
So I tried and tried, but no luck getting tailscale to use a port I defined.
Upnp and everything is enabled on all devices, but all stil tries to connect on port 41461, so most of them uses fallsback relay or DERP - only one gets direct contact at the time.
I have forwarded ports 41641 → 41649, and would like to uses those ports, but I cant get tailscale to do it.
I have googled and more for hours and hours.
-port 41642
–port 41642
-port=41642
–port=41642
Is some of the symtaxes I have seen.
CLI shows it like -port 41641, but it is not working.
All this is on Linux.
Please help
The tailscale command, as used with “tailscale up”, does not take a -port argument. tailscaled takes the -port argument.
The most straightforward way to set the port is to create or edit a text file in /etc/default/tailscaled containing:
PORT="41641"
Then use: sudo systemctl restart tailscaled
Ok if you launch the TailscaleD exe from a terminal with the port flag it works.
If you though create a service with the flag, it only seems to half-heartedly implement it. It seems to see it in the startup logs…
> 2022-04-11T17:08:31.062-07:00: Program starting: v1.22.2-t60b671955-gecc5d9846, Go 1.17.8-tsdce70b6d32: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "--port=51234"}
> 2022-04-11T17:08:31.325-07:00: Creating adapter
> 2022-04-11T17:08:46.369-07:00: Timed out waiting for device query: The wait operation timed out. (Code 0x00000102)
> 2022-04-11T17:08:46.369-07:00: Failed to setup adapter (problem code: 0x1F, ntstatus: 0xC0000035): Cannot create a file when that file already exists. (Code 0x000000B7)
> 2022-04-11T17:08:46.394-07:00: tailscaled: engine fetch error (try 1) in 15.204s (total 15.204s, sysUptime 1h19m36s): TUN: Error creating interface: Cannot create a file when that file already exists.
> 2022-04-11T17:08:51.397-07:00: tailscaled: getting engine... (try 2)
> 2022-04-11T17:08:51.497-07:00: Using existing driver 0.14
> 2022-04-11T17:08:51.513-07:00: Creating adapter
> 2022-04-11T17:08:51.735-07:00: waitInterfaceUp: TUN interface already up; no need to wait
...
2022-04-11T17:08:52.078-07:00: [v1] magicsock: ignoring pre-DERP map, STUN-less endpoint update: [{172.27.64.1:41641 local}
But then acts like the daemon is already running when it’s not in the tasklist.
On the other hand if I start it from command line it has no issues at all.
2022-04-11T17:38:13.249-07:00: Program starting: v1.22.2-t60b671955-gecc5d9846, Go 1.17.8-tsdce70b6d32: []string{"tailscaled.exe", "--port=41666"}
...
2022-04-11T17:38:13.416-07:00: Using existing driver 0.14
2022-04-11T17:38:13.432-07:00: Creating adapter
2022-04-11T17:38:13.644-07:00: waitInterfaceUp: TUN interface already up; no need to wait
...
2022-04-11T17:38:14.267-07:00: [v1] magicsock: ignoring pre-DERP map, STUN-less endpoint update: [{172.27.64.1:41666 local}
Thank you for your time.
Yes, I was using tailscaled.
I’m trying to do as you suggest, but /etc is a read only dir. - I cant change that or do anything in /etc.
Some information I should have given is that I’m using coreelec/libreelec (just linux for kodi) and have installed tailscale though entware.
Could the last line be an issue?
tailscaled.state is located in ./opt/var
#!/bin/sh
ENABLED=yes
PROCS=tailscaled
ARGS="–state=/opt/var/tailscaled.state"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
I have tried to add ports argument here, but did not get it to work.
I did spin up a Odroid C4 with armbian Jammy, but no luck yet.
Tailscale connect just fine - but only my windows PC sometimes gets direct connection, and speed + latency is not great over relay.
UPNP is enabled and port are even forwared.
If I just could get Tailscaled to use the ports I want it to.
Well I did find and changed /etc/default/tailscaled on my Armbian machine
PORT=“41642”
But I get port 56196 and traffic goes though a DERP
I did run sudo systemctl restart tailscaled
afterward I cant ping any off my devices, I get this ^Cread unix @->/run/tailscale/tailscaled.sock: use of closed network connection (tailscaled stopped running?)
But I do see status running tailscale status command.
Reboot do not help, and now I changed the port back to 41461 and run sudo systemctl restart tailscaled + reboot.
I stil cant to tailscale ping xx.xx.xxx.xxx
So some how I worse 
but /etc is a read only dir
If needed, you can instead set RandomizeClientPort in Tailscale to affect all machines on the tailnet:
{
"RandomizeClientPort": true,
afterward I cant ping any off my devices, I get this
read unix @->/run/tailscale/tailscaled.sock: use of closed network connection (tailscaled stopped running?)
Does this show the process running? “ps auxw | grep tailscaled”
If not, “journalctl -u tailscaled” should show the last lines it printed which may say why it exited.
Coreelec:
3823 root 21:15 tailscaled --state=/opt/var/tailscaled.state
4556 root 0:00 grep tailscaled
Armbian
$ ps auxw | grep tailscaled
root 2883 0.7 0.7 719952 27936 ? Ssl 13:55 0:04 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port 41641
4401 0.0 0.0 19596 2020 pts/0 S+ 14:04 0:00 grep --color=auto tailscaled
Ubuntu:
$ ps auxw | grep tailscaled
root 732 12.4 0.2 720320 24004 ? Ssl apr13 107:54 /usr/sbin/tailscaled --state=/v ar/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port 41641
5508 0.0 0.0 12164 2472 pts/0 S+ 14:05 0:00 grep --color=auto tailscaled
I added this yesterday to my ACL setup and I have rebooted everything many times.
"RandomizeClientPort": true,
Stil no luck getting this set up to use other then 41641 other then one time last night where 2 of the uses completely other ports. But to day no luck
everything is connecting and is work so that I can tranfer files, but it is slow.
My windows 10 machine do connect direct every time though - right now it is using port 4766.
On Windows, I’ve gotten a Service to start with a specified port flag specified… however it is completely ignoring it. (Unlike launching the daemon from the commandline)
2022-05-24T11:46:07.714-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3, Go 1.18.1-ts710a0d8610: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "--port=51234"}
2022-05-24T11:46:07.715-07:00: LogID: abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a
2022-05-24T11:46:07.715-07:00: logpolicy: using dir C:\ProgramData\Tailscale
2022-05-24T11:46:07.726-07:00: Running service...
2022-05-24T11:46:07.727-07:00: registry.OpenKey(SOFTWARE\Policies\Tailscale): The system cannot find the file specified.
2022-05-24T11:46:07.728-07:00: exec: "C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe" [/subproc abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a]
2022-05-24T11:46:07.782-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "/subproc", "abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a"}
There’s that additional exec after the service starts that actually starts the daemon but then without any port flags.
So I tried adding a key to the HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\Tailscae\ {port:“51222”}
And the log entry for the open key error is gone, but still no dice on injecting a port into the tailscaled service.
If I start tailscaled.exe --port ##### with windows task scheduler at boot time I can get the service to come up on an alternate port. This is a workaround until the Windows build can accept the --port argument as part of the service startup.