Multiple tailscale devices direct?

We have a tailscale router in our network. Port forwarding ensures connections are direct from the outside world. No issues there.

We have a NAS though that we need to share with third parties. If we share it though it goes through a relay.

Can we specify a port for Tailscale on a specific node to listen on to forward direct tailscale traffic to?

tailscaled takes a --port=12345 argument, is that what you mean?

Does it?

flag provided but not defined: -port

So the issue is that I can’t provide a direct connection to a machine within a subnet behind a NAT that already has Tailscale. It’s, I assume, hitting the subnet router (router) when I need to guide connections toward a second Tailscale device within the subnet that isn’t the subnet router.

I believe you were running the tailscale CLI command. The --port argument is for tailscaled:

$ tailscaled --help
Usage of tailscaled:
  -port value
        UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select (default 0)

You will likely need to use systemctl edit tailscaled to provide extra arguments to tailscaled.

Is that available on Windows? This is a Win Server 2022 file server.

The tailscaled binary on Windows does support using an alternate port. I don’t understand well enough how it gets started as a Windows Service to know where one could add arguments to it.

So I tried and tried, but no luck getting tailscale to use a port I defined.
UPnP and everything is enabled on all devices, but all still try to connect on port 41461, so most of them fall back to relay or DERP - only one gets direct contact at a time.

I have forwarded ports 41641 → 41649, and would like to use those ports, but I can't get Tailscale to do it.

I have googled and more for hours and hours.

-port 41642
--port 41642
Are some of the syntaxes I have seen.
CLI shows it like -port 41641, but it is not working.

All this is on Linux.

Please help

The tailscale command, as used with “tailscale up”, does not take a -port argument. tailscaled takes the -port argument.

The most straightforward way to set the port is to create or edit a text file in /etc/default/tailscaled containing:


Then use: sudo systemctl restart tailscaled

Ok if you launch the TailscaleD exe from a terminal with the port flag it works.

If you though create a service with the flag, it only seems to half-heartedly implement it. It seems to see it in the startup logs…

> 2022-04-11T17:08:31.062-07:00: Program starting: v1.22.2-t60b671955-gecc5d9846, Go 1.17.8-tsdce70b6d32: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "--port=51234"}
> 2022-04-11T17:08:31.325-07:00: Creating adapter
> 2022-04-11T17:08:46.369-07:00: Timed out waiting for device query: The wait operation timed out. (Code 0x00000102)
> 2022-04-11T17:08:46.369-07:00: Failed to setup adapter (problem code: 0x1F, ntstatus: 0xC0000035): Cannot create a file when that file already exists. (Code 0x000000B7)
> 2022-04-11T17:08:46.394-07:00: tailscaled: engine fetch error (try 1) in 15.204s (total 15.204s, sysUptime 1h19m36s): TUN: Error creating interface: Cannot create a file when that file already exists.
> 2022-04-11T17:08:51.397-07:00: tailscaled: getting engine... (try 2)
> 2022-04-11T17:08:51.497-07:00: Using existing driver 0.14
> 2022-04-11T17:08:51.513-07:00: Creating adapter
> 2022-04-11T17:08:51.735-07:00: waitInterfaceUp: TUN interface already up; no need to wait


2022-04-11T17:08:52.078-07:00: [v1] magicsock: ignoring pre-DERP map, STUN-less endpoint update: [{ local}

But then acts like the daemon is already running when it’s not in the tasklist.

On the other hand if I start it from command line it has no issues at all.

2022-04-11T17:38:13.249-07:00: Program starting: v1.22.2-t60b671955-gecc5d9846, Go 1.17.8-tsdce70b6d32: []string{"tailscaled.exe", "--port=41666"}
2022-04-11T17:38:13.416-07:00: Using existing driver 0.14
2022-04-11T17:38:13.432-07:00: Creating adapter
2022-04-11T17:38:13.644-07:00: waitInterfaceUp: TUN interface already up; no need to wait


2022-04-11T17:38:14.267-07:00: [v1] magicsock: ignoring pre-DERP map, STUN-less endpoint update: [{ local}

Thank you for your time.
Yes, I was using tailscaled.
I’m trying to do as you suggest, but /etc is a read-only dir. I can't change that or do anything in /etc.

Some information I should have given is that I’m using CoreELEC/LibreELEC (just Linux for Kodi) and have installed Tailscale through Entware.

tailscaled --port=41462

logtail started
Program starting: v1.18.1-1.18.1, Go 1.17.4: []string{"tailscaled", "--port=41462"}
LogID: 229c952f5aeb77fa9b1c0d4185b5ce82bce28d4a64929d45ff7609d40f69ff1b
logpolicy: using UserCacheDir, "/storage/.cache/Tailscale"
--statedir (or at least --state) is required

Could the last line be an issue?
tailscaled.state is located in ./opt/var

output from init.d dir S06tailscaled



. /opt/etc/init.d/rc.func

I have tried to add ports argument here, but did not get it to work.

I did spin up an Odroid C4 with Armbian Jammy, but no luck yet.

Tailscale connects just fine - but only my Windows PC sometimes gets a direct connection, and speed + latency is not great over relay.

UPnP is enabled and ports are even forwarded.
If I just could get tailscaled to use the ports I want it to.

Well I did find and changed /etc/default/tailscaled on my Armbian machine

Set the port to listen on for incoming VPN packets.

Remote nodes will automatically be informed about the new port number,

but you might want to configure this in order to set external firewall



Extra flags you might want to pass to tailscaled.


But I get port 56196 and traffic goes through a DERP

I did run sudo systemctl restart tailscaled
Afterward I can't ping any of my devices, I get this: ^Cread unix @->/run/tailscale/tailscaled.sock: use of closed network connection (tailscaled stopped running?)
But I do see status when running the tailscale status command.

Rebooting does not help, and now I changed the port back to 41461 and ran sudo systemctl restart tailscaled + reboot.
I still can't do tailscale ping

So somehow I am worse off :frowning:

> but /etc is a read only dir

If needed, you can instead set RandomizeClientPort in Tailscale to affect all machines on the tailnet:

  "RandomizeClientPort": true,

> afterward I can't ping any of my devices, I get this
> read unix @->/run/tailscale/tailscaled.sock: use of closed network connection (tailscaled stopped running?)

Does this show the process running? “ps auxw | grep tailscaled”

If not, “journalctl -u tailscaled” should show the last lines it printed which may say why it exited.


ps auxw | grep tailscaled

3823 root 21:15 tailscaled --state=/opt/var/tailscaled.state
4556 root 0:00 grep tailscaled

$ ps auxw | grep tailscaled
root 2883 0.7 0.7 719952 27936 ? Ssl 13:55 0:04 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port 41641
4401 0.0 0.0 19596 2020 pts/0 S+ 14:04 0:00 grep --color=auto tailscaled

$ ps auxw | grep tailscaled
root 732 12.4 0.2 720320 24004 ? Ssl apr13 107:54 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port 41641
5508 0.0 0.0 12164 2472 pts/0 S+ 14:05 0:00 grep --color=auto tailscaled

I added this yesterday to my ACL setup and I have rebooted everything many times.

"RandomizeClientPort": true,

Still no luck getting this setup to use anything other than 41641, other than one time last night where 2 of them used completely different ports. But today no luck :frowning:

Everything is connecting and is working so that I can transfer files, but it is slow.

My Windows 10 machine does connect direct every time though - right now it is using port 4766.

On Windows, I’ve gotten a Service to start with a port flag specified… however it is completely ignoring it. (Unlike launching the daemon from the command line.)

2022-05-24T11:46:07.714-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3, Go 1.18.1-ts710a0d8610: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "--port=51234"}

2022-05-24T11:46:07.715-07:00: LogID: abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a

2022-05-24T11:46:07.715-07:00: logpolicy: using dir C:\ProgramData\Tailscale

2022-05-24T11:46:07.726-07:00: Running service...

2022-05-24T11:46:07.727-07:00: registry.OpenKey(SOFTWARE\Policies\Tailscale): The system cannot find the file specified.

2022-05-24T11:46:07.728-07:00: exec: "C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe" [/subproc abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a]

2022-05-24T11:46:07.782-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "/subproc", "abe60bc8b1abd0726ea544870bee0abd58cdb1440bc6745885c49c557ab8431a"}

There’s that additional exec after the service starts that actually starts the daemon but then without any port flags.

So I tried adding a key to the HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\Tailscale\ {port:“51222”}
And the log entry for the open key error is gone, but still no dice on injecting a port into the tailscaled service.

If I start tailscaled.exe --port ##### with windows task scheduler at boot time I can get the service to come up on an alternate port. This is a workaround until the Windows build can accept the --port argument as part of the service startup.
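
To confirm from a log whether a port flag actually reached the running daemon, as in the Windows service case above, this added example (not part of the thread and not Tailscale's own code) parses the "Program starting" lines and marks a /subproc child that was launched without its parent's port. The sample lines are taken from the logs posted above with the LogID replaced by a placeholder; the function names are hypothetical.

```python
import re

# Log lines from the posts above (service start, its /subproc child, and a
# manual command-line start); the LogID argument is replaced by a placeholder.
SAMPLE = r'''
2022-05-24T11:46:07.714-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3, Go 1.18.1-ts710a0d8610: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "--port=51234"}
2022-05-24T11:46:07.782-07:00: Program starting: v1.24.2-t9d6867fb0-g2d0f7ddc3: []string{"C:\\Program Files (x86)\\Tailscale IPN\\tailscaled.exe", "/subproc", "LOGID"}
2022-04-11T17:38:13.249-07:00: Program starting: v1.22.2-t60b671955-gecc5d9846, Go 1.17.8-tsdce70b6d32: []string{"tailscaled.exe", "--port=41666"}
'''

ARGV_RE = re.compile(r'Program starting: .*?\[\]string\{(.*)\}\s*$')
GOSTR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_argv(line):
    """Return the argv list from a 'Program starting' line, or None."""
    m = ARGV_RE.search(line)
    if not m:
        return None
    # Undo the Go quoting for the two escapes that occur in these paths.
    return [s.replace('\\\\', '\\').replace('\\"', '"')
            for s in GOSTR_RE.findall(m.group(1))]

def port_flag(argv):
    """Port requested in argv. Go's flag package accepts -port and --port,
    with the value after '=' or as the next argument."""
    for i, arg in enumerate(argv[1:], start=1):
        m = re.fullmatch(r'--?port(?:=(\d+))?', arg)
        if not m:
            continue
        if m.group(1):
            return int(m.group(1))
        if i + 1 < len(argv) and argv[i + 1].isdigit():
            return int(argv[i + 1])
    return None

def audit(log_text):
    """Return (role, port) per process start; a /subproc child without a port
    after a parent that had one is reported as 'child-dropped-port'."""
    results, parent_port = [], None
    for line in log_text.splitlines():
        argv = parse_argv(line)
        if argv is None:
            continue
        port = port_flag(argv)
        if '/subproc' in argv[1:]:
            role = 'child-dropped-port' if parent_port and port is None else 'child'
        else:
            role, parent_port = 'parent', port
        results.append((role, port))
    return results
```
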