DERP servers
DERP (Designated Encrypted Relay for Packets) servers manage device connections and NAT traversal. They serve two primary purposes: negotiating direct connections between tailnet devices and serving as a relay server when a direct connection isn’t possible.
Most connections between tailnet devices only use DERP servers to establish a direct connection to another tailnet device. But as a last resort, when a direct connection isn’t possible due to hard NAT, firewalls, or another reason, devices can communicate using a DERP server as a relay. DERP servers are dual-stack, meaning they support IPv4 and IPv6. As a result, they can facilitate connections between IPv4-only and IPv6-only devices.
Data sent between devices using a DERP relayed connection is encrypted using WireGuard. Because Tailscale private keys never leave the device where they were generated, it’s impossible for a DERP server to decrypt your traffic. A DERP server blindly forwards already-encrypted traffic from one device to another.
DERP server locations
Tailscale has DERP servers across multiple geographic regions to facilitate high availability and low latency. Most regions have at least three DERP servers. You can also run your own custom DERP servers.
Each Tailscale client receives a DERP map from the Tailscale coordination server. This map describes all the DERP servers available to the client. The client selects a home DERP server based on latency information and reports its selection to the coordination server. The coordination server then shares each client’s selection with the other clients across the tailnet.
Tailscale runs DERP servers in the following locations:
- Australia (Sydney)
- Brazil (São Paulo)
- Canada (Toronto)
- France (Paris)
- Germany (Frankfurt)
- Hong Kong (Hong Kong)
- India (Bangalore)
- Japan (Tokyo)
- Kenya (Nairobi)
- Netherlands (Amsterdam)
- Poland (Warsaw)
- Singapore (Singapore)
- South Africa (Johannesburg)
- Spain (Madrid)
- United Arab Emirates (Dubai)
- United Kingdom (London)
- United States (Chicago, Dallas, Denver, Honolulu, Los Angeles, Miami, New York City, San Francisco, and Seattle)
Tailscale clients automatically select the nearest relay for low latency. Tailscale is continually expanding and adding more DERP servers as needed to provide low-latency connections.
Custom DERP servers
In most cases, there’s no need to run a custom DERP server. However, there are some rare cases in which it makes sense to run one. To do so, you must build, deploy, and update the cmd/derper binary.
Running your own DERP servers is an advanced operation that requires significant resources on your part to set up and maintain. Additionally, running custom DERP servers has the following caveats:
- Custom DERP servers don’t support device sharing or other cross-tailnet features.
- Custom DERP servers, just like Tailscale's DERP servers, have no visibility into the data exchanged between devices because it's encrypted. As a result, DERP servers aren’t helpful for network-level debugging.
- Custom DERP servers won’t benefit from some optimizations from the Tailscale control plane.
Customize your DERP map
You can customize the DERP map that Tailscale uses for your tailnet. To do so, add a derpMap object to your tailnet policy file. In the derpMap object, you can explicitly disable a DERP region by setting its RegionID to null. For example, to disable the DERP servers in the New York DERP region (which has RegionID 1), add the following to your tailnet policy file.
{
  // ... other parts of the tailnet policy file
  "derpMap": {
    "Regions": { "1": null },
  },
  // ...
}
If you don't know the RegionID of a DERP region, you can retrieve the official Tailscale DERP map, which includes region IDs, from https://controlplane.tailscale.com/derpmap/default. You can visit this URL in a web browser or fetch it with a curl command.
curl https://controlplane.tailscale.com/derpmap/default
If you have jq installed, you can use the following command to list Tailscale's default DERP regions and their IDs:
curl --silent https://controlplane.tailscale.com/derpmap/default | jq -r '.Regions[] | "\(.RegionID) \(.RegionName)"'
Contact support to restrict your tailnet to US-only DERP servers for compliance purposes.
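As an added example (not part of the Tailscale documentation or code base), the following Python script does what the jq one-liner does on a constructed sample of the DERP map, then builds a derpMap policy fragment that nulls every region not on an allow list, and checks the fragment against the published map before you paste it into the policy file. The sample map, region codes and host names are constructed; only the Regions / RegionID / RegionName / RegionCode keys are assumed to match the real map.

```python
import json

# Constructed sample in the shape of the map served at
# https://controlplane.tailscale.com/derpmap/default (assumption: the real map
# has many more regions and node fields; only the keys used below matter).
SAMPLE_DERP_MAP = json.dumps({
    "Regions": {
        "1": {"RegionID": 1, "RegionCode": "nyc", "RegionName": "New York City",
              "Nodes": [{"Name": "1a", "RegionID": 1, "HostName": "derp1.example"}]},
        "2": {"RegionID": 2, "RegionCode": "sfo", "RegionName": "San Francisco",
              "Nodes": [{"Name": "2a", "RegionID": 2, "HostName": "derp2.example"}]},
        "4": {"RegionID": 4, "RegionCode": "fra", "RegionName": "Frankfurt",
              "Nodes": [{"Name": "4a", "RegionID": 4, "HostName": "derp4.example"}]},
    }
})


def list_regions(derp_map_json: str) -> list:
    """Same output as the jq command: (RegionID, RegionName) pairs, sorted by ID."""
    regions = json.loads(derp_map_json)["Regions"].values()
    return sorted((r["RegionID"], r["RegionName"]) for r in regions)


def derp_map_override(derp_map_json: str, keep_codes: set) -> dict:
    """Build the "derpMap" policy fragment that disables every region whose
    RegionCode is not in keep_codes by mapping its RegionID to null."""
    regions = json.loads(derp_map_json)["Regions"]
    disabled = {str(r["RegionID"]): None
                for r in regions.values() if r["RegionCode"] not in keep_codes}
    return {"derpMap": {"Regions": disabled}}


def check_override(derp_map_json: str, override: dict) -> list:
    """Sanity checks before committing the policy: every disabled ID must exist
    in the published map, and at least one region must remain enabled."""
    regions = json.loads(derp_map_json)["Regions"]
    disabled = override["derpMap"]["Regions"]
    problems = [f"unknown RegionID {rid}" for rid in disabled if rid not in regions]
    if len(disabled) >= len(regions):
        problems.append("override disables every region; clients would have no relay")
    return problems


if __name__ == "__main__":
    print(list_regions(SAMPLE_DERP_MAP))
    override = derp_map_override(SAMPLE_DERP_MAP, {"nyc", "sfo"})
    print(json.dumps(override, indent=2), check_override(SAMPLE_DERP_MAP, override))
```

Replace SAMPLE_DERP_MAP with the output of the curl command above to run this against the current map.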
DERP packets
DERP servers relay two types of packets: DISCO packets and encrypted WireGuard packets. In most cases, DERP servers primarily use DISCO packets (discovery messages) to establish and negotiate a direct connection between two tailnet devices. However, when two devices use a DERP server as a fallback connection method, the DERP server relays encrypted WireGuard packets between the two devices.
DISCO is a protocol Tailscale DERP servers use to send discovery messages between tailnet devices before establishing a direct connection. These discovery messages are also called DISCO packets.
Availability and downtime
The Tailscale coordination server maintains a list of DERP servers. Devices running Tailscale retrieve the list of DERP servers from the coordination server and save it locally. That way, if the coordination server is down but the DERP servers are up, the Tailscale client still has the last known list of DERP servers. This list persists even if the Tailscale client restarts.
In the event of DERP server (or region) outages, the following occurs:
- If a DERP server is added while the coordination server is down, it won't get shared out. It will be added the next time the Tailscale client connects to the coordination server.
- If one DERP server in a region becomes unreachable, the Tailscale client selects a different DERP server.
- If the DERP region becomes unreachable, the Tailscale client selects the next closest region.
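As an added example (illustrative code, not the Tailscale client's own logic), the following Python model shows the behaviour described above on a constructed DERP map and constructed latency probes: the map survives a coordination-server outage through the local cache, the lowest-latency region becomes the home DERP, losing one node fails over within the region, and losing a whole region fails over to the next-closest region. The real client's probing and selection heuristics are more involved; this is an assumption-free simplification of the documented outcomes only.

```python
from typing import Optional

# Constructed DERP map in the shape served by the coordination server:
# region ID -> region with a list of nodes (names are constructed).
SAMPLE_REGIONS = {
    "1": {"RegionID": 1, "RegionName": "New York City",
          "Nodes": [{"Name": "1a"}, {"Name": "1b"}, {"Name": "1c"}]},
    "2": {"RegionID": 2, "RegionName": "San Francisco",
          "Nodes": [{"Name": "2a"}, {"Name": "2b"}]},
    "4": {"RegionID": 4, "RegionName": "Frankfurt",
          "Nodes": [{"Name": "4a"}, {"Name": "4b"}]},
}

# Constructed probe results in milliseconds; None means the node did not
# answer, i.e. it is unreachable from this client right now.
SAMPLE_LATENCY_MS = {"1a": 12.0, "1b": 15.0, "1c": None,
                     "2a": 70.0, "2b": 68.0,
                     "4a": 95.0, "4b": None}


def load_derp_map(fetch, cache: dict) -> dict:
    """Refresh the DERP map from the coordination server; if that fails, keep
    using the last map the client saved locally (empty if never fetched)."""
    try:
        fresh = fetch()
    except OSError:
        return cache
    cache.clear()
    cache.update(fresh)
    return cache


def select_home_derp(regions: dict, latency_ms: dict) -> Optional[tuple]:
    """Pick the fastest reachable node in each region, then the region whose
    best node is fastest. A region with no reachable node is skipped, so one
    dead node fails over inside the region and a dead region fails over to the
    next-closest region. Returns (RegionID, node name) or None."""
    best = None
    for region in regions.values():
        reachable = [(latency_ms[n["Name"]], n["Name"]) for n in region["Nodes"]
                     if latency_ms.get(n["Name"]) is not None]
        if not reachable:
            continue  # whole region down from this client's point of view
        rtt, name = min(reachable)
        if best is None or rtt < best[0]:
            best = (rtt, region["RegionID"], name)
    return None if best is None else (best[1], best[2])
```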