Tailscale with open ports use case (always direct connection)

I have many devices that just need to connect to a server that is working as a router to other networks. The devices don't need connections between them.

I get a connection through a relay because ports aren't open in the server network, and the firewall doesn't allow UPnP or anything similar.

So should I open ports on the server to get a direct connection?
Is Tailscale secure and intended to work this way (without relays)?

If it's really just one host then I think just open port 41641 directly to that host and the relay should be gone.

If it's multiple hosts in one network and the server elsewhere, see this page: Using Tailscale with your firewall · Tailscale. My router has issues when the numbers get larger (not very large, about 10 or 20 users, I found). Switching to randomised ports helped, but then broke the cloud server's direct connection due to the firewall there. It would be good to be able to randomise the ports for some hosts and not others.

Having a few spare IP addresses helped here: I set a static NAT for a few key hosts and mostly it's worked. Also IPv6 solves that problem, since you just open the firewall port and there's no NAT table to worry about.
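To check whether opening UDP 41641 (the port named in the reply above; Tailscale's WireGuard listener uses UDP) actually removed the relay, the status output can be classified per peer. The script below is an added example, not part of this thread and not Tailscale's own tooling. It assumes the field names that `tailscale status --json` emits for each entry of the `Peer` map: `HostName`, `CurAddr` (the remote `ip:port` when the path is direct, empty while traffic goes through a DERP relay), `Relay` (the DERP region code) and `Online`. The embedded JSON is a constructed sample shaped like that output; pass `--live` to read the real status from the local `tailscale` CLI instead.

```python
"""Classify Tailscale peers as direct, relayed or offline.

Added example for the thread; not from Tailscale. Field names follow
`tailscale status --json` as I know it (assumption): each Peer entry has
HostName, CurAddr, Relay and Online.
"""
import json
import subprocess
import sys

# Constructed sample, shaped like `tailscale status --json` output.
# "laptop" has a direct path, "phone" is relayed via the "fra" DERP region,
# "nas" is offline so no path judgement is possible.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "router", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.2"],
                        "CurAddr": "203.0.113.10:41641", "Relay": "", "Online": True},
        "nodekey:bbb": {"HostName": "phone", "TailscaleIPs": ["100.64.0.3"],
                        "CurAddr": "", "Relay": "fra", "Online": True},
        "nodekey:ccc": {"HostName": "nas", "TailscaleIPs": ["100.64.0.4"],
                        "CurAddr": "", "Relay": "lhr", "Online": False},
    },
})


def classify_peers(status_json: str) -> dict:
    """Map each peer's HostName to 'direct', 'relay:<region>' or 'offline'."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            # A non-empty CurAddr means WireGuard packets go straight to that
            # endpoint; this is what opening 41641 on the server should produce.
            result[name] = "direct"
        else:
            # Empty CurAddr while online: traffic is crossing a DERP relay.
            result[name] = "relay:" + (peer.get("Relay") or "unknown")
    return result


def relayed_peers(classes: dict) -> list:
    """Sorted names of peers still on a relay; empty list is the goal state."""
    return sorted(name for name, cls in classes.items() if cls.startswith("relay:"))


def live_status() -> str:
    """Read the real status from the local tailscale CLI (needs the daemon running)."""
    proc = subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    raw = live_status() if "--live" in sys.argv else SAMPLE_STATUS
    classes = classify_peers(raw)
    for name, cls in sorted(classes.items()):
        print(f"{name:20} {cls}")
    still_relayed = relayed_peers(classes)
    print("relayed peers:", ", ".join(still_relayed) if still_relayed else "none")
```

A peer that has not exchanged traffic recently may show an empty `CurAddr` even though a direct path is possible, because path discovery only runs when packets flow; send a few `tailscale ping <peer>` first, then re-run with `--live`. If a peer stays on `relay:` after the port is open, the next thing to verify is that the firewall rule is for UDP, not TCP.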

