Tailscale Direct Connections
- Devices establish a direct peer-to-peer connection over the network
- Communication is secured using WireGuard end-to-end encryption
- Typically achieved when:
  - Both devices are reachable over the internet
  - NAT traversal (e.g., UDP hole punching) is successful
- Provides the lowest latency and highest throughput
- Does not rely on any intermediary or relay servers
- This is the preferred and most efficient connection method
Tailscale Peer Relay Connections
- Traffic is relayed through another Tailscale-connected device (peer) acting as an intermediary
- These intermediary peers are hosted by Functionize
- Occurs in scenarios where:
  - Direct peer-to-peer connectivity is not fully possible
  - Network topology allows routing through an intermediate peer
- Maintains end-to-end encryption between the original devices
- Performance is:
  - Lower than direct connections
  - Typically better than DERP relay connections
  - Depends on network configuration and availability of suitable intermediary peers
Tailscale DERP Relay Connections
- Traffic is relayed through Tailscale’s DERP (Designated Encrypted Relay for Packets) servers
- Used as a fallback when:
  - Direct connections cannot be established
  - NAT or firewall restrictions block peer-to-peer communication
- Communication remains fully end-to-end encrypted
- Operates over TCP (commonly HTTPS/port 443) for maximum compatibility
- Provides:
  - Higher latency compared to direct or peer relay connections
  - Reliable connectivity in restrictive network environments
- Ensures connectivity even in environments with strict network controls
Observe the output of tailscale ping from a GCP us-central data center to a us-east data center. The path upgrades as the connection is negotiated:
    tailscale ping test-node
    pong from test-node (100.76.174.37) via DERP(mia) in 283ms
No direct or peer-relayed connection is possible yet, so traffic falls back to DERP.
    pong from test-node (100.76.174.37) via peer-relay(34.86.39.188:50000:vni:10318) in 39ms
    pong from test-node (100.76.174.37) via peer-relay(34.86.39.188:50000:vni:10318) in 39ms
No direct connection is possible yet; the Functionize peer relay is being used.
    pong from test-node (100.76.174.37) via 34.73.189.140:41641 in 32ms
A direct connection has been established dynamically; traffic now flows directly between the two nodes.
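The three "via" forms above (DERP region, peer-relay endpoint, direct ip:port) are easy to classify mechanically. The following is an added example, not code from the original page or from Tailscale: it parses pong lines constructed from the output above and reports which path a ping run ended on, so a DERP fallback between data centers can be flagged for investigation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the pong lines quoted on this page, in order.
SAMPLE_PONGS = """\
pong from test-node (100.76.174.37) via DERP(mia) in 283ms
pong from test-node (100.76.174.37) via peer-relay(34.86.39.188:50000:vni:10318) in 39ms
pong from test-node (100.76.174.37) via 34.73.189.140:41641 in 32ms
"""

# Matches: pong from <node> (<tailnet ip>) via <path> in <n>ms
PONG_RE = re.compile(
    r"^pong from (?P<node>\S+) \((?P<ip>[\d.]+)\) via (?P<path>.+?) in (?P<ms>\d+)ms$"
)


@dataclass
class Pong:
    node: str
    ip: str
    kind: str         # "derp", "peer-relay" or "direct"
    via: str          # DERP region, peer-relay endpoint, or direct ip:port
    latency_ms: int


def parse_pong(line: str) -> Optional[Pong]:
    """Parse one `tailscale ping` pong line; return None for non-pong output."""
    m = PONG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("DERP(") and path.endswith(")"):
        kind, via = "derp", path[len("DERP("):-1]
    elif path.startswith("peer-relay(") and path.endswith(")"):
        kind, via = "peer-relay", path[len("peer-relay("):-1]
    else:
        kind, via = "direct", path
    return Pong(m.group("node"), m.group("ip"), kind, via, int(m.group("ms")))


def classify_session(text: str) -> dict:
    """Summarise a ping run: final path kind, whether DERP was used, best latency per kind."""
    pongs = [p for p in (parse_pong(ln) for ln in text.splitlines()) if p]
    best: dict = {}
    for p in pongs:
        best[p.kind] = min(p.latency_ms, best.get(p.kind, p.latency_ms))
    return {
        "final_kind": pongs[-1].kind if pongs else None,
        "derp_seen": any(p.kind == "derp" for p in pongs),
        "best_latency_ms": best,
    }
```

A run that ends on "derp" between two cloud regions indicates the NAT traversal or peer relay path failed and is worth checking against the expected topology.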
Indirect / Relayed connection
Via DERP (Designated Encrypted Relay for Packets)
- Reduced Performance: Because DERP relays traffic over TCP via a third-party server instead of using a direct UDP connection, throughput is generally lower and latency higher. The impact depends on network conditions and the geographic distance to the selected DERP region.
- Fully encrypted relay: DERP forwards WireGuard-encrypted packets end-to-end over TLS (HTTP/2). The relay only passes encrypted frames and cannot read, modify, or decrypt payloads.
- Proxy compatibility: DERP traffic can traverse a proxy only if the proxy transparently tunnels full-duplex TLS (for example, supports HTTP/2 CONNECT). Proxies that perform TLS termination, inspection, or re-encryption will disrupt or block the relay.
- Reliability vs. speed: DERP guarantees connectivity through restrictive NATs and firewalls but trades latency and throughput for reachability. It is intended as a fallback path rather than a primary data channel.
- End-to-end integrity: All DERP traffic remains authenticated and encrypted using WireGuard keys. The relay performs packet forwarding only and never terminates sessions or decrypts traffic.