Tailscale Peer Relays provides a customer-deployed and managed traffic relaying mechanism. By advertising itself as a peer relay, a Tailscale node can relay traffic for any peer nodes on the tailnet, even for traffic bound to itself. Tailscale Peer Relays can only relay traffic for nodes on your tailnet, and only for nodes that have access to the peer relay. Because they’re managed entirely by the customer, peer relays are less throughput-constrained than Tailscale’s managed DERP relays, and can provide higher throughput connections for traffic to and from locked-down cloud infrastructure, or behind strict network firewalls.
In testing with early design partners, we’ve seen throughputs nearing that of a direct connection; often multiple orders of magnitude higher than Tailscale’s managed DERP fleet.
Over the past few weeks, you’ve heard us talk about improvements we’ve made to Network Address Translation (NAT) traversal techniques, so that Tailscale can establish direct connections wherever possible (hint: it’s over 90% of the time). However, we’ve also outlined places where this isn’t possible or desirable today for a variety of reasons, especially in cloud environments. And, we’ve postulated a bit about where we think the industry is going.
While we’ve been keeping your network reliably connected for years with DERP, we’ve heard from customers that the throughput and performance aspects of a QoS-aware managed relay fleet makes deployments in certain environments difficult or untenable. Furthermore, customers have noted that it’s non-trivial to deploy and manage custom DERP fleets (which run as a separate service and binary).
DERP provides an incredibly valuable service, setting up reliable connections between Tailscale clients anywhere in the world (including negotiating connections through peer relays). But often, DERP’s focus as a reliability and NAT traversal tool results in performance tradeoffs.
By contrast, Tailscale Peer Relays is designed as a performant connectivity tool, and can perform at a level rivaling direct connections. Peer relays can be placed right next to the resources they serve, and peer relays also run on top of UDP, both characteristics beneficial to lower latency and resource overhead. And, they are built into the Tailscale client itself for ease of deployment.
We want to move past even more hard NATs, and put Tailscale’s relaying technology in our customers’ hands, so they can use Tailscale at scale, anywhere, with ease. We believe our new Tailscale Peer Relays connectivity option—unique to Tailscale—gives customers the best performance and flexibility.
Peer relays are configured with a single UDP port that must be available to both sides of a connection. Tailscale Peer Relays is built right into the Tailscale client, and can be enabled with a simple command, using the tailscale set --relay-server-port flag from the Tailscale CLI. Once enabled via the steps in our documentation, clients can connect to infrastructure in hard NAT environments over the peer relay.
And don’t worry, we still prefer to fly direct. Tailscale prefers direct connections wherever possible. Clients can then fall back to available peer relays, and finally leverage Tailscale’s managed DERP fleet, or any customer-deployed custom DERPs, to ensure you have connectivity wherever you need it. All of this traffic, over any connection, is still end-to-end encrypted via WireGuard®.
Tailscale Peer Relays is designed for the real world, based on the feedback we’ve received from customers and our own hard-earned networking expertise. It allows customers to make just one firewall exception for connections only coming from their tailnet. Peer relays scale across regions, are resilient to real-world network conditions, and graciously fall back to DERP (Tailscale’s or custom). Your network maintains its shape, but gains all kinds of flexibility.
... continue reading