Using Tailscale with your firewall

Most of the time, Tailscale should work with your firewall out of the box. Thanks to NAT traversal, nodes in your tailnet can connect directly peer to peer, even through firewalls. To get many firewalls working with Tailscale, try opening a firewall port to establish a direct connection.

For some firewalls, though, it is particularly difficult to establish a direct connection, so your traffic falls back to DERP relay servers, which may lead to slower connections. The sections below list known issues and workarounds for using Tailscale with specific firewall vendors.

Types of connections

Tailscale will either connect your nodes directly or via a DERP relay.

Tailscale tries to connect your nodes directly peer to peer, and does so nearly all of the time. Where this is not possible, Tailscale will use DERP relays to forward traffic from one node to another. DERP relays are normally used as a side channel, to help initially establish a direct connection, but in some cases such as with more complex firewall configurations, are used to relay all traffic.

To determine which devices you are actively connected to and whether they connect directly or use a relay, run:

tailscale status

To determine if a specific connection from your device to another device is using a relay, run:

tailscale ping <hostname-or-ip>
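As an added example (not part of the Tailscale docs), the following POSIX shell snippet reads the plain-text output of tailscale status and labels each peer DIRECT, RELAY (with the DERP region it is going through) or NONE, so you can see at a glance which peers are falling back to a relay before working through the firewall notes below. The status lines embedded in the block are constructed sample output in the layout tailscale status prints; for anything you script in production, tailscale status --json is the more robust source.

```shell
#!/bin/sh
# Added example, not part of the Tailscale docs: label each peer in the text
# output of `tailscale status` as DIRECT, RELAY (with the DERP region it goes
# through) or NONE (self, idle or offline, so no path information yet).
#
# Usage:  tailscale status | classify_peers
#         tailscale status | relayed_count

classify_peers() {
    awk '
        # "# Health check:" and similar lines are not peer rows.
        /^#/ || NF < 5 { next }
        {
            ip = $1; host = $2
            if ($0 ~ /relay "/) {
                # Row ends like:  active; relay "nyc", tx 1040 rx 7708
                match($0, /relay "[^"]*"/)
                region = substr($0, RSTART + 7, RLENGTH - 8)
                printf "RELAY  %-15s %-20s DERP region %s\n", ip, host, region
            } else if ($0 ~ /direct /) {
                # Row ends like:  active; direct 203.0.113.5:41641, tx 48216 rx 92120
                printf "DIRECT %-15s %-20s\n", ip, host
            } else {
                # Self ("-"), "idle," or "offline": strip the trailing punctuation.
                state = $5; sub(/[;,]$/, "", state)
                printf "NONE   %-15s %-20s %s\n", ip, host, state
            }
        }'
}

# How many peers are currently relayed. Anything above zero means at least one
# pair of nodes could not establish a direct connection through the firewall.
relayed_count() {
    classify_peers | grep -c '^RELAY' || true
}

# Constructed sample in the layout `tailscale status` prints (IP, hostname,
# user, OS, then connection state); none of these hosts or addresses are real.
SAMPLE_STATUS='100.64.0.1      laptop               alice@       macOS   -
100.64.0.2      build-server         alice@       linux   active; direct 203.0.113.5:41641, tx 48216 rx 92120
100.64.0.3      office-nas           alice@       linux   active; relay "nyc", tx 1040 rx 7708
100.64.0.4      phone                alice@       iOS     idle, tx 0 rx 0
100.64.0.5      old-box              alice@       linux   offline'

printf '%s\n' "$SAMPLE_STATUS" | classify_peers
echo "relayed peers: $(printf '%s\n' "$SAMPLE_STATUS" | relayed_count)"
```

Run it as tailscale status | classify_peers on a real node; a peer that shows RELAY while another peer behind the same firewall shows DIRECT is usually a NAT or port-exhaustion issue of the kind the vendor sections below describe, and tailscale ping against that peer confirms whether the path is relayed.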

Latency vs security

Your organization may have configured a firewall to protect its network from unsolicited, unnecessary, or malicious traffic. Although the workarounds below may help Tailscale establish direct connectivity between nodes, they may also make it easier for other traffic to reach your network. Before implementing any of these changes, consider whether your organization wants to make this trade-off between security and latency.

Specifically:

  • By enabling NAT-PMP or UPnP, you let any device on your network ask the gateway to accept and forward inbound traffic, not just Tailscale.
  • By opening a firewall port, your network will allow traffic on a certain port that meets certain rules to pass through your firewall. Restrict this traffic to only what is needed. Subscribe to this GitHub issue for updates on a Tailscale ruleset.

Firewall compatibility and workarounds

Firewall                                         Expected behavior                   Workaround
OPNsense                                         Connects via DERP                   Enable NAT-PMP
pfSense                                          Connects via DERP                   Enable NAT-PMP
Barracuda                                        Connects via DERP                   Increase Max UDP sessions, and open a firewall port
Check Point                                      Connects directly                   n/a
Cisco                                            Connects via DERP                   Open a firewall port
Cisco with Cisco Umbrella Endpoint Security      Connects via DERP                   None
Fortinet                                         Connects via DERP                   Randomize port
Fortinet with FortiGate deep packet inspection   Unable to connect to control plane  None
Palo Alto Networks                               Connects via DERP                   None

For other firewalls, if your connections are using DERP relays by default, try opening a port to establish a direct connection.

If you experience an issue with a firewall not listed here, or need help configuring a particular firewall with Tailscale, contact support.

OPNsense and pfSense

In networks with OPNsense and pfSense firewalls, Tailscale nodes will have difficulties making direct connections, and often resort to DERP relays. To allow direct connections, enable the NAT Port Mapping Protocol (NAT-PMP). See instructions for OPNsense and pfSense.

In addition to NAT-PMP, you may also consider enabling Universal Plug and Play (UPnP) to help with routing traffic for other applications.

You can also run Tailscale on OPNsense routers. We’ve also heard feature requests for a Tailscale pfSense package—subscribe to this GitHub issue for updates.

Barracuda

In networks with Barracuda firewalls, Tailscale nodes will have difficulties making direct connections, and often resort to DERP relays.

To help Tailscale make direct connections, increase the maximum number of UDP sessions that a Barracuda firewall allows. This makes it easier for multiple Tailscale clients to connect without competing with each other for UDP ports. To do so, increase the “Max UDP” parameter in your firewall configuration.

You can also consider opening a firewall port.

Check Point

In networks with Check Point firewalls, Tailscale nodes should be able to establish direct connections by default.

Cisco

In networks with Cisco firewalls, Tailscale nodes will have difficulties making direct connections, and often resort to DERP relays.

To help Tailscale make direct connections, consider opening a firewall port.

If you are using Cisco Umbrella endpoint security, then the above will not work to establish direct connections, and your traffic will always resort to DERP relays.

Fortinet

In networks with Fortinet firewalls, Tailscale nodes will have difficulties making direct connections, and often resort to DERP relays. This issue might not be present at a smaller scale, with issues occurring once more than 5 individuals are using Tailscale behind the same firewall.

To allow direct connections, add the randomizeClientPort option to your tailnet policy file, which you edit in the Access controls tab of the admin console. This makes devices use a random port for WireGuard rather than the default static port 41641.

{
  // ACL rules and other configurations
  "randomizeClientPort": true
}

If you are using FortiGate deep packet inspection, your firewall will intercept HTTPS connections to the Tailscale control plane and nodes on your network will be unable to connect to Tailscale. There is no known workaround to run Tailscale on your network.

Palo Alto Networks

In networks with Palo Alto Networks firewalls, Tailscale nodes will have difficulties making direct connections, and often resort to DERP relays. Every time you send a UDP stream, the firewall will use a random UDP port, so opening a specific port will not allow traffic through. There is no known workaround to establish direct connections for your traffic.

UniFi gateways

In networks with UniFi security gateways, when threat detection is enabled, allow peer-to-peer traffic to ensure your tailnet nodes can connect to each other. In the UniFi gateway interface, navigate to Settings > Firewall & Security > Edit threat categories, and uncheck P2P.

Only allow traffic over Tailscale

You can also use a firewall to restrict traffic in your network to require the use of Tailscale. For example, see instructions on using ufw to lock down an Ubuntu server.
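The script below is an added example (not the instructions this page links to, and not Tailscale's own code) of what a Tailscale-only ufw policy on an Ubuntu server looks like, together with an audit helper that reads ufw status output and lists any allow rule that still exposes a service outside the tailnet. The interface name tailscale0 and UDP port 41641 are Tailscale's Linux defaults; the ufw status lines inside the block are constructed sample output. The script previews by default and only applies the rules when run with the argument apply, and it refuses to do so if the host has no Tailscale address, since after lockdown the tailnet is the only remaining way in.

```shell
#!/bin/sh
# Added example, not from the Tailscale docs: restrict an Ubuntu server so that
# only traffic arriving over Tailscale is accepted, using ufw. tailscale0 and
# 41641 are Tailscale's Linux defaults; override with TS_IFACE / TS_PORT.
# If your tailnet policy sets randomizeClientPort, the fixed port rule no
# longer matches and direct connections depend on NAT traversal alone.
#
# Preview:  sh lockdown.sh          Apply:  sudo sh lockdown.sh apply

TS_IFACE="${TS_IFACE:-tailscale0}"
TS_PORT="${TS_PORT:-41641}"

# Execute a command, or just print it when TS_DRY_RUN=1 (review before use).
run() {
    if [ "${TS_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept anything on the Tailscale interface (already authenticated by
# WireGuard), keep Tailscale's UDP port reachable so peers can still establish
# direct connections instead of falling back to DERP, deny all other inbound
# traffic, and leave outbound open so the node can reach the control plane
# and DERP relays.
lock_down_to_tailscale() {
    run ufw allow in on "$TS_IFACE"
    run ufw allow "$TS_PORT/udp"
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw --force enable
}

# True when this host already has a Tailscale IPv4 address; without one, the
# lockdown would remove the only remaining path to the machine.
has_tailscale_address() {
    [ -n "$(tailscale ip -4 2>/dev/null)" ]
}

apply_lockdown() {
    if [ "${TS_DRY_RUN:-0}" != 1 ] && ! has_tailscale_address; then
        echo "refusing to lock down: no Tailscale address on this host" >&2
        return 1
    fi
    lock_down_to_tailscale
}

# Audit helper: given `ufw status` output on stdin, print allow rules that are
# neither bound to the Tailscale interface nor the Tailscale UDP port. Every
# line printed is a service still reachable without Tailscale.
public_allow_rules() {
    awk -v iface="$TS_IFACE" -v port="$TS_PORT" '
        $0 ~ /ALLOW/ && $0 !~ ("on " iface) && $1 != (port "/udp") { print }
    '
}

# Constructed sample of `ufw status` output after a partial lockdown: SSH is
# still open to the world alongside the Tailscale rules.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere on tailscale0     ALLOW       Anywhere
41641/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere (v6) on tailscale0 ALLOW      Anywhere (v6)
41641/udp (v6)             ALLOW       Anywhere (v6)'

if [ "${1:-}" = apply ]; then
    apply_lockdown
else
    TS_DRY_RUN=1
    echo "# commands that would be run:"
    apply_lockdown
    echo "# rules in the sample status still reachable outside the tailnet:"
    printf '%s\n' "$SAMPLE_UFW_STATUS" | public_allow_rules
fi
```

After applying, run ufw status | public_allow_rules (with the functions sourced) and expect no output; any line it prints is a rule to remove or to rebind to the Tailscale interface.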


© 2022 Tailscale Inc.