Tailscale Peer Relays is now generally available

Posted by sz4kerto 8 hours ago

Tailscale Peer Relays is now generally available(tailscale.com)

288 points | 154 commentspage 2

jak6jak 4 hours ago|

I looked into tailscale in the past as a way to host a game server such as minecraft on my local machine publicly without port forwarding . It seems that tailscale is mostly configured only to work with people you know and trust. I was hoping that Peer Relays would help alleviate some restrictions with tailwind funnel. Does anyone know any alternatives?

Computer0 3 hours ago|

if you have a cheap vps you can use it to forward the traffic to for some benefit, that is what i have been doing when i need compute accessible online and don't want to pay for cloud.

marcosscriven 3 hours ago||

I really like Tailscale. Recently though I’ve been having some hard-to-diagnose slowdowns even on a direct (non DERP) connection. I’m not sure if it’s something to do with MTUs or my ISP.

itissid 7 hours ago||

I have my homenas set up with Node Proxy Manager container forwarding requests to different docker machines:ports e.g. I have some TTS/STT/LLM services locally hosted. To increase bandwidth to internet facing nodes, would you use this or some other simpler solution?

tecleandor 7 hours ago|

Is it a typo and it's the Nginx Proxy Manager?

mikepurvis 7 hours ago|||

I assume so; I use the same thing with my Unraid box and then create the DNS entries in the unifi panel so I get jellyfin.lan, minecraft.lan, etc inside the house.

itissid 5 hours ago|||

Oh yeah Nginx* not Node.

aborsy 7 hours ago||

Is peer relay essentially a custom relay which was previously available, except now it’s one command?

So it runs a STUN server or similar, for discovery and relaying.

kabirx 6 hours ago|

Peer relays are a bit different from our previously available Custom DERP servers. While the custom DERPs do relay traffic, they also require a bunch of configuration and management for their other jobs and they open up availability concerns that are pretty tough for our average customer.

Conversely Peer Relays are built on top of the shoulders of DERP. For example, they don't need to do peer discovery set connections up end to end - instead connections are brokered via our DERP fleet and then in a sense "upgraded" to an available Peer Relay or Direct connection. Because of that they're super lightweight and much easier to deploy + manage. And, they scale horizontally so you can deploy many peer relays across your network, and they're resilient to downtime (we'll just fall back to DERP).

shj2105 5 hours ago||

I’m so confused. What is the difference between a peer relay and a DERP server that is self hosted?

The issue I have is I’m trying to connect two devices where one is behind a CGNAT that always causes the connection to be relayed even though the other one is not behind a cgnat with proper port forwarding. Would a peer relay solve this but is it like a DERp where I have to host it on a VPS separate from my existing two networks or is this something different where I can host the peer relay on the network not behind a CGNAT and somehow it will link the two networks through it?

kabirx 5 hours ago||

You should be able to stand up a peer relay on an existing tailscale device - so your proposal is correct! Try setting one of the devices up as a peer relay per the docs here: https://tailscale.com/docs/features/peer-relay

shj2105 6 hours ago||

I’m so confused. What is the difference between a peer relay and a DERP server that is self hosted?

apenwarr 5 hours ago||

(Tailscale founder here) Two main differences: first, every DERP server used by your tailnet must be accessible by every node on your tailnet at all times, otherwise you get hard-to-debug netsplits. That's a very high bar to maintain so we've historically recommended you don't try. In contrast, peer relays are "if a given pair of nodes can connect through any of the relays, go for it" so deploying one is always a performance and reliability improvement.

Secondly, peer relays support UDP while DERP is TCP-only. That would be fixable by simply improving the DERP protocol, but as we explored that option, we decided to implement the Peer Relay layer instead as a more complete solution.

shj2105 5 hours ago|||

Hmm got it not sure I entirely understand. The issue I have is I’m trying to connect two devices where one is behind a hard CGNAT that always causes the connection to be relayed even though the other one is not behind a cgnat with proper port forwarding. Would a peer relay solve this but is it like a DERP where I have to host it on a VPS separate from my existing two networks or is this something different where I can host the peer relay on the same network not behind a CGNAT and somehow it will link the two networks through it?

xeonmc 2 hours ago||||

What happens if your peer relay device is behind CGNAT/SymNat?

Also, offtopic question: is Tailscale named after the idea of UDP packets “tailgating” a connection?

kwakubiney 5 hours ago|||

> every DERP server used by your tailnet must be accessible by every node on your tailnet at all times, otherwise you get hard-to-debug netsplits.

What would allow a given pair of nodes access a peer relay? Isn’t the peer relay by default also accessible by every node on the tailnet since it’s in the tailnet as well?

allthetime 5 hours ago|||

Talking out my ass, but as with all things Tailscale, not much, aside from easier to use / less manual setup.

Nothing they do was impossible before, but their big win is making world wide private networking easy and accessible.

I’ve been on-boarding my friends who have their own local media servers setup so we can all share/stream content from each other.

yuvadam 7 hours ago||

Tailscale simp here, been using this feature since it launched in beta, can't believe it didn't exist earlier.

This solved every last remaining problem of my CGNAT'd devices having to hop through STUN servers (with the QoS being noticable), now they just route through my own nodes.

hashstring 3 hours ago|

Why does STUN impact your QoS? I thought STUN was just for discovering your own external IP/port.

alberto_delrio 5 hours ago||

Tried the other day, honestly so far surprised by the good results!

drnick1 6 hours ago||

It's a bit disingenuous to present solutions like Tailscale as more secure than opening a VPN port on one's on machine. The latter solution should always be preferred when available just because you don't want your infrastructure to depend on a "free" service which might cease to be free tomorrow.

drannex 5 hours ago||

This is a more all-included and resilient system, especially for logging, than just opening a VPN port. I do a lot of corporate installs, and if we had a system like Tailscale then I would be in heaven. The amount of user-created systems are heinous in regards to security, and hard to setup and keep running. Tailscale lets you setup quickly, and reliably with minimal errors OOTB.

If you feel that tailscale will fold, or the free plan will be future limited, then you can drop in headscale which is a near 1:1 API open source tailscale central server.

If you always want to be open source and not rely on API changes or staying up to green on the headscale development (made by a third party), then you can set up netbird, which is both hosted (for free) as an alternative to Tailscale more tailored for developers, but they also open-sourced their entire stack, so you can always leave and use that on your own servers.

nickburns 6 hours ago||

Things are much more unscrupulous than potentially ceasing to be free tomorrow. Nobody who values their privacy would ever route their network traffic through a 'free' service.

jon_adler 5 hours ago||

Isn’t there separation of the control and data planes? I don’t think Tailscale get to see any of your network traffic.

nickburns 5 hours ago||

They need to know how/where to route your outbound traffic. That inherently includes plaintext DNS, TLS handshakes, and otherwise plaintext traffic (like HTTP for example).

Anybody wanting to see what Tailscale is able to see can simply sniff any router interface passing outbound traffic before it enters the WireGuard tunnel interface.

himata4113 7 hours ago||

I never brought my self to use tailscale because it has a login screen and I absolutely despise that even as a concept for a private NAT. I know headscale exists, but it doesn't seem to even support the features I really want.

earthscienceman 3 hours ago|

I can't believe this isn't a show stopper for more people here. I literally couldn't figure out how use it the first time tried because I didn't know how to comprehend that it was trying to get me to auth via browser window. I kept digging around for a tailscale.conf.

Which is then when I realized it was less a piece of software and more so an auth management provider with some vaguely helpful auxillary services.

kittbuilds 6 hours ago|

The peer relay approach is interesting because it essentially turns every node in your tailnet into a potential relay for other nodes. This is a meaningful architectural shift from relying on Tailscale's centralized DERP servers.

For anyone worried about the "rug pull" concern raised in another comment — this actually makes me more optimistic, not less. By distributing relay infrastructure to the edges, Tailscale is reducing its own operational cost per user while improving performance. That's the kind of flywheel that makes a generous free tier more sustainable, not less. Each new node potentially helps the whole network.