DERP Servers

Tailscale runs DERP relay servers distributed around the world to link your Tailscale nodes peer-to-peer as a side channel during NAT traversal, and as a fallback in case NAT traversal fails and a direct connection cannot be established.

Because Tailscale private keys never leave the node where they were generated, there is never a way for a DERP server to decrypt your traffic. A DERP server just blindly forwards already-encrypted traffic from one node to another.

Tailscale runs DERP servers in many locations. As of September 2022, this list includes:

  • Australia (Sydney)
  • Brazil (São Paulo)
  • Canada (Toronto)
  • Dubai (Dubai)
  • France (Paris)
  • Germany (Frankfurt)
  • Hong Kong (Hong Kong)
  • India (Bangalore)
  • Japan (Tokyo)
  • Netherlands (Amsterdam)
  • Poland (Warsaw)
  • Singapore (Singapore)
  • South Africa (Johannesburg)
  • Spain (Madrid)
  • United Kingdom (London)
  • United States (Chicago, Dallas, Denver, Honolulu, Los Angeles, Miami, New York City, San Francisco, and Seattle)

Tailscale clients automatically select the nearest relay for low latency. Tailscale is continually expanding and adding more DERP servers as needed in order to provide low-latency connections.

Generally, you don’t need to customize Tailscale DERP servers. However, in addition to or instead of using the Tailscale DERP servers, you can run your own custom DERP servers. Possible use cases are for policy compliance and lower latency.

Running your own DERP servers is an advanced operation that requires significant resources on your part to set up and maintain.

Last updated