Subnet router newbie question

Hi, I have a subnet router set up so I can connect to our EC2 servers in AWS.

It works, but I’m not 100% sure how

Our subnet router has no ingress rules… How is the traffic from my laptop, or anyone else’s laptop, which has tailscale installed, getting routed?

I imagine the subnet router is proactively initialising a tunnel to… somewhere?

Sorry for the basic question, it just feels like magic and I can’t find documentation explaining it

Let’s assume you have the Tailscale app installed on a number of your devices, and you have an EC2 node 100.99.98.97 which was started with tailscale up --advertise-routes=172.16.31.0/24

The Tailscale app on your other devices added an entry in the local routing table, setting the next hop for 172.16.31.0/24 to be 100.99.98.97.

Ah, that makes sense. Although I still don’t get the whole picture… Say I wanted to SSH onto a node within 172.16.31.0/24, as an example.

I will then be looking to connect to port 22 on the target host.

However, my subnet router, 100.99.98.97, doesn’t have an ingress rule allowing traffic in on port 22. So, I’m obviously not just sending my traffic to the router, which is forwarding it on, right, because I couldn’t connect to the router itself on port 22.

This is the magic bit, can you say how it works?

That is routing: neither TCP nor UDP on the router examine the packets flowing through, and the iptables FORWARDING table is evaluated before INPUT.

Since the destination IP is not any of the router’s own IP addresses, the FORWARDING table handles it before the TCP header is even looked at.
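Added illustration of the two kernel decisions described in the replies above (the laptop's routing-table lookup that sends 172.16.31.0/24 via 100.99.98.97, and the router's own INPUT-versus-FORWARD split). This is a toy model written for this thread, not Tailscale code; the tailnet and subnet addresses are the ones used in the thread, while the interface names, the laptop's default gateway and the router's VPC-side address are assumed sample values.

```python
"""Toy model of a host routing table (longest-prefix match) and of the
INPUT/FORWARD split on a subnet router. Added example, not Tailscale code."""
import ipaddress

# Routing table as a laptop running Tailscale might show it (constructed sample).
# Tailscale installs the advertised 172.16.31.0/24 prefix with the subnet router's
# Tailscale address as next hop; the other two rows are assumed for context.
LAPTOP_ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1",  "eth0"),        # assumed default route
    ("100.64.0.0/10",  None,           "tailscale0"),  # the tailnet itself, on-link
    ("172.16.31.0/24", "100.99.98.97", "tailscale0"),  # advertised route via the EC2 node
]

# Addresses the subnet router itself owns (constructed sample; 172.16.31.10 is an
# assumed VPC-side address). Only packets to these hit the INPUT chain.
ROUTER_LOCAL_ADDRS = {"100.99.98.97", "172.16.31.10", "127.0.0.1"}


def lookup(routes, dst):
    """Longest-prefix match over a (prefix, next_hop, interface) table.

    Returns the most specific matching row, or None when nothing matches.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, next_hop, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, dev), net.prefixlen
    return best


def router_decision(local_addrs, dst, dport, input_allowed_ports, forward_accepts):
    """What the subnet router does with an arriving packet.

    A packet addressed to one of the router's own IPs is delivered locally and
    filtered by INPUT; any other destination is routed and filtered by FORWARD,
    so an INPUT policy that blocks port 22 never sees forwarded SSH traffic.
    Returns (chain, accepted).
    """
    if dst in local_addrs:
        return "INPUT", dport in input_allowed_ports
    return "FORWARD", forward_accepts


if __name__ == "__main__":
    # SSH to a host behind the router: the laptop picks the /24 via the router...
    print(lookup(LAPTOP_ROUTES, "172.16.31.42"))
    # ...and the router forwards it even though its INPUT chain allows no ports.
    print(router_decision(ROUTER_LOCAL_ADDRS, "172.16.31.42", 22, set(), True))
    # SSH to the router's own Tailscale address is filtered by INPUT and refused.
    print(router_decision(ROUTER_LOCAL_ADDRS, "100.99.98.97", 22, set(), True))
```

The model deliberately ignores the network layers above the routing decision (no TCP state, no conntrack); the point it makes is only that the destination address, not the port, decides which chain a packet traverses, which is why an empty set of INPUT rules on the router does not block SSH to the hosts behind it.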

Ok, that accounts for the firewall on the host.

Considering the AWS Security Group though - that allows no ingress traffic either. I’ve been reading How NAT traversal works · Tailscale and it now appears to me that the coordination server somehow bootstraps the communication between the servers by instructing them to start sending UDP packets to each other, am I correct?