What firewall ports should I open to use Tailscale?

Nearly all of the time, you don’t need to open any firewall ports for Tailscale. Tailscale uses NAT traversal techniques (STUN to learn a device’s public address and port, UDP hole punching, and encrypted relays as a fallback) to safely connect to other Tailscale nodes without manual intervention; it “just works.”

However, when both devices are on difficult networks (for example, behind hard NATs that assign a different public port per destination, or behind firewalls that drop outbound UDP), Tailscale may not be able to connect them peer-to-peer. You’ll still be able to send and receive traffic, thanks to our secure DERP relays, which forward the already-encrypted WireGuard packets and cannot read them, but the relayed connection won’t be as fast as a peer-to-peer one.

In these cases, you may consider relaxing your egress firewall to help Tailscale connect peer-to-peer. All three rules below are outbound; none of them exposes a listening service to the internet:

  • Let your internal devices initiate TCP connections to *:443 (control plane and DERP relays)
  • Let your internal devices initiate UDP from :41641 to *:* (WireGuard traffic to peers)
  • Let your internal devices initiate UDP from :3478 to *:* (STUN, used to discover the device’s public address and port)

How can I tell if my devices are using a relay?

Relays are chosen per device pair. To check whether device A is talking to device B over a relay, run tailscale status on either device.

It will return a table of results for every device it can see over Tailscale.

[AWyGE] linux    device-b  tx=    7663 rx=   13346  *nyc*  <ip addresses>
[AbSXv] macOS    device-c  tx=    7291 rx=   12518   sfo   <ip addresses>
[BPQDp] windows  device-d  tx=       0 rx=       0   nyc   <ip addresses>
[BsW1u] linux    device-e  tx=       0 rx=       0   sfo   <ip addresses>

In this table, *asterisks* in the right-most columns indicate active connections. Asterisks around IP addresses are peer-to-peer connections, whereas asterisks around city codes (e.g. nyc, sfo, fra, tok) indicate that connection is happening through one of our relays.
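The same classification can be automated, which is useful when you have many peers or want to alert on relay fallback. The script below is an added example, not Tailscale’s own code. It reads the JSON form of the same command (tailscale status --json) and assumes each entry in its "Peer" map carries HostName, OS, Active, CurAddr (the direct endpoint, empty when relayed), Relay (the peer’s home relay region code), TxBytes and RxBytes. The embedded sample is constructed to mirror the table above.

```python
"""Report which Tailscale peers are reached directly and which go through a relay.

Added example, not Tailscale's own code. It consumes `tailscale status --json`
and assumes each "Peer" entry has HostName, OS, Active, CurAddr (direct
endpoint, empty when relayed), Relay (home relay region), TxBytes and RxBytes.
"""
import json
import subprocess
from dataclasses import dataclass

# Constructed sample mirroring the table in the text: device-b is relayed via
# nyc, device-c is direct, device-d and device-e carry no traffic at all.
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:b": {"HostName": "device-b", "OS": "linux", "Active": True,
                      "Relay": "nyc", "CurAddr": "", "TxBytes": 7663, "RxBytes": 13346},
        "nodekey:c": {"HostName": "device-c", "OS": "macOS", "Active": True,
                      "Relay": "sfo", "CurAddr": "203.0.113.7:41641",
                      "TxBytes": 7291, "RxBytes": 12518},
        "nodekey:d": {"HostName": "device-d", "OS": "windows", "Active": False,
                      "Relay": "nyc", "CurAddr": "", "TxBytes": 0, "RxBytes": 0},
        "nodekey:e": {"HostName": "device-e", "OS": "linux", "Active": False,
                      "Relay": "sfo", "CurAddr": "", "TxBytes": 0, "RxBytes": 0},
    }
})


@dataclass(frozen=True)
class PeerPath:
    host: str
    os: str
    path: str   # "direct", "relay:<region>" or "idle"
    tx: int
    rx: int


def classify_peers(status_json: str) -> list[PeerPath]:
    """Classify every peer by how traffic currently reaches it."""
    peers = json.loads(status_json).get("Peer", {})
    result = []
    for peer in peers.values():
        if not peer.get("Active"):
            # No active session: neither direct nor relayed right now.
            path = "idle"
        elif peer.get("CurAddr"):
            # A concrete ip:port means a peer-to-peer WireGuard path.
            path = "direct"
        else:
            # Active but no direct endpoint: traffic is going through DERP.
            path = "relay:" + (peer.get("Relay") or "unknown")
        result.append(PeerPath(peer.get("HostName", "?"), peer.get("OS", "?"),
                               path, peer.get("TxBytes", 0), peer.get("RxBytes", 0)))
    return sorted(result, key=lambda p: p.host)


def relayed_hosts(status_json: str) -> list[str]:
    """Hostnames whose active connection is currently going through a relay."""
    return [p.host for p in classify_peers(status_json) if p.path.startswith("relay:")]


def live_status_json() -> str:
    """Fetch the real status from the local tailscaled (requires the CLI)."""
    return subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_STATUS for live_status_json() to inspect a real node.
    for p in classify_peers(SAMPLE_STATUS):
        print(f"{p.host:10} {p.os:8} {p.path:12} tx={p.tx} rx={p.rx}")
```

Idle peers are reported separately from relayed ones on purpose: a peer with no traffic has not chosen a path yet, so counting it as relayed would produce false alarms.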

My devices are using a relay. What can I do to help them connect peer-to-peer?

If two of your devices are on difficult networks, allowing inbound connections to UDP port 41641 on one of them may help Tailscale make a peer-to-peer connection rather than falling back to a relay. Only one side of the pair needs the open port; the other side can then initiate directly to it.

On Ubuntu, for example, you can do this with the built-in ufw command by running:

sudo ufw allow 41641/udp

For more details on NAT traversal, our blog post How NAT Traversal Works shares all the details.

What if I really, really want to specify the hostnames that Tailscale uses to operate its service?

In situations where this is unavoidable, you can allow exceptions for a list of fully qualified domain names (FQDNs). We strongly recommend against allowing specific hostnames, because they may change over time and break connectivity for your network.

The list of control plane servers (required for authentication, key exchange, firewall updates, and so on) is likely to change, but infrequently:

  • login.tailscale.com
  • controlplane.tailscale.com
  • log.tailscale.com

Additionally, the DERP relay servers (which will definitely change from time to time) are accessed via TCP port 443:

  • derp1.tailscale.com
  • derp2.tailscale.com
  • ...
  • derp11.tailscale.com

Note that some regions have multiple relays (for example derp1b.tailscale.com, derp2b.tailscale.com). The current list is available at https://login.tailscale.com/derpmap/default, but be aware that it changes over time and will need to be periodically re-fetched. The relay hosts also answer STUN on UDP port 3478, which is what the UDP 3478 rule above is for.
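If you do maintain such an exception list, the re-fetching has to be automated or it will rot. The script below is an added example, not Tailscale’s code: it turns a DERP map into a set of egress rules (TCP/443 for relaying, UDP/3478 for STUN) and diffs two fetches so a retired or newly added relay shows up. It assumes the DERP map JSON shape served at that URL ("Regions" with "Nodes", each having HostName and optional STUNOnly, DERPPort where 0 means 443, and STUNPort where 0 means 3478 and -1 means no STUN). The embedded map is a constructed sample, not the live list, and stun2.example.net is a hypothetical STUN-only node included to exercise that branch.

```python
"""Build and diff a firewall allow-list from a Tailscale DERP map.

Added example, not Tailscale's code. Assumes the DERP map JSON shape served at
https://login.tailscale.com/derpmap/default: "Regions" -> entries with "Nodes",
each node having HostName and optional STUNOnly, DERPPort (0 = 443) and
STUNPort (0 = 3478, -1 = no STUN). The embedded map is a constructed sample.
"""
import json
import urllib.request

DERPMAP_URL = "https://login.tailscale.com/derpmap/default"

# Constructed sample: two regions, one with a second relay (derp1b) and one with
# a hypothetical STUN-only node (stun2.example.net) so STUNOnly is exercised.
SAMPLE_DERPMAP = json.dumps({
    "Regions": {
        "1": {"RegionID": 1, "RegionCode": "nyc", "RegionName": "New York City",
              "Nodes": [{"Name": "1a", "RegionID": 1, "HostName": "derp1.tailscale.com"},
                        {"Name": "1b", "RegionID": 1, "HostName": "derp1b.tailscale.com"}]},
        "2": {"RegionID": 2, "RegionCode": "sfo", "RegionName": "San Francisco",
              "Nodes": [{"Name": "2a", "RegionID": 2, "HostName": "derp2.tailscale.com"},
                        {"Name": "2s", "RegionID": 2, "HostName": "stun2.example.net",
                         "STUNOnly": True}]},
    }
})


def allow_rules(derpmap_json: str) -> list[tuple[str, str, int]]:
    """Return sorted (hostname, protocol, port) egress rules for every relay node."""
    rules = set()
    for region in json.loads(derpmap_json)["Regions"].values():
        for node in region.get("Nodes", []):
            host = node["HostName"]
            stun_port = node.get("STUNPort", 0)
            if stun_port != -1:
                # 0 means the default STUN port.
                rules.add((host, "udp", stun_port or 3478))
            if not node.get("STUNOnly"):
                # 0 means the default DERP (HTTPS) port.
                rules.add((host, "tcp", node.get("DERPPort", 0) or 443))
    return sorted(rules)


def diff_rules(old_json: str, new_json: str):
    """(added, removed) rules between two fetches of the map."""
    old, new = set(allow_rules(old_json)), set(allow_rules(new_json))
    return sorted(new - old), sorted(old - new)


def without_node(derpmap_json: str, hostname: str) -> str:
    """Simulate a relay being retired by dropping it from a map (for testing)."""
    derpmap = json.loads(derpmap_json)
    for region in derpmap["Regions"].values():
        region["Nodes"] = [n for n in region.get("Nodes", []) if n["HostName"] != hostname]
    return json.dumps(derpmap)


def fetch_derpmap(url: str = DERPMAP_URL, timeout: float = 10) -> str:
    """Fetch the live map; call this on a schedule and diff against the last copy."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for host, proto, port in allow_rules(SAMPLE_DERPMAP):
        print(f"allow out {proto}/{port} to {host}")
```

Run allow_rules over each fetch and feed diff_rules the previous and current copies; a non-empty "removed" list is a rule you can delete, and a non-empty "added" list is a relay your devices cannot yet reach.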

It is preferable to simply open outgoing connections to *:443. This will minimize disruptions when our list of relay servers changes; if a device can’t reach the other device’s preferred relay, then communication may not succeed.

© 2022 Tailscale Inc.