Device connectivity
Devices within a tailnet can communicate using one of two types of connections:
- Direct connections
- Relayed connections using DERP relay servers
Ideally, all devices would use direct connections, but a direct connection isn’t always possible. Sometimes, a device might use a relayed connection even though a direct connection is possible, which can cause performance problems. You can determine the connection type a device is using with the `tailscale status` command.
The network type and NAT type of both sides of a connection determine if Tailscale uses a direct or relayed connection.
NAT types
NAT is a common method of mapping private IP address space behind a publicly routable address to deal with the effects of IPv4 address exhaustion. Tailscale automatically traverses NAT on the user's behalf to ensure connections between devices aren't hindered by the complications caused by NAT.
Device connectivity in Tailscale differs depending on whether the device is in a no NAT, easy NAT, or hard NAT scenario.
IPv6 and NAT
NAT is most commonly employed in environments where outbound IPv4 addresses are limited. IPv6 has many more available addresses, so using NAT to preserve public-facing addresses is optional (however, there are other reasons to use NAT with IPv6). As a result, devices using IPv6 addresses are considered easy NAT because they create direct connections in almost every situation.
No NAT
In a no NAT scenario, the tailnet device isn't behind a NAT device and has a publicly accessible IP address.
Easy NAT
Easy NAT describes a less restrictive NAT configuration that makes it easier to access devices behind the NAT device from the internet. Some examples of easy NAT configurations include full cone NAT, support for port mapping protocols (such as UPnP, PCP, or NAT-PMP), support for hairpinning, and consistent port mapping.
Hard NAT
Hard NAT refers to a restrictive network address translation configuration that prioritizes security but makes it challenging to access devices behind the NAT from the internet. In a hard NAT scenario:
- The tailnet device has a private address behind a NAT device.
- When the tailnet device initiates a connection, the NAT device employs various protective techniques, which might include:
  - Using complex port allocation strategies.
  - Disabling port mapping protocols (such as UPnP).
  - Implementing short timeout periods for idle connections.
These measures enhance security but can complicate establishing and maintaining connections, especially for incoming traffic.
This configuration affects how Tailscale devices communicate, particularly in complex network environments.
Firewalls and NAT
Stateful firewalls that block inbound UDP connections are not NAT. However, if your device has a public IP address but is behind a firewall that blocks inbound UDP connections on the port `tailscaled` listens on, that device operates in the same manner as an easy NAT device.
For more information on how Tailscale handles firewalls, read How NAT traversal works.
Troubleshooting with netcheck
If a device uses a relayed connection instead of a direct connection, you can troubleshoot why using the `tailscale netcheck` command. For step-by-step troubleshooting instructions, refer to Troubleshooting device connectivity.
The `tailscale netcheck` command returns information about a client’s current network connection. The information comes from STUN and the Tailscale client running on the device and can help you troubleshoot connectivity issues. For example, you can use the `tailscale netcheck` output to troubleshoot why a client might use a DERP relay server instead of a direct connection.
The `tailscale netcheck` output includes the following fields:
UDP
The `UDP` field indicates whether the device can send outbound UDP packets.
Value | Meaning | Interpretation |
---|---|---|
True | The STUN servers have received outbound UDP packets. | The device has outbound connectivity, which is critical for getting direct connections. |
False | The STUN servers haven’t received outbound UDP packets. | The device doesn’t have outbound UDP connections and likely isn’t using direct connections. |
IPv4
The `IPv4` field shows the device's public IPv4 address and port number.
Value | Meaning | Interpretation |
---|---|---|
Yes, <IPv4 address> | The device has a valid IPv4 address and port number. | The device has outbound connectivity, which is crucial for direct connections. |
No | The device doesn’t have an IPv4 address. | If there’s no IPv4 address, the device doesn’t have network connectivity. |
IPv6
The `IPv6` field shows whether the device supports IPv6. It includes the device’s public IPv6 address and port number if it does.
Value | Meaning | Interpretation |
---|---|---|
Yes, <IPv6 address> | The device has an IPv6 address and port number. | The device has outbound connectivity, which is critical for getting direct connections. |
No | The device doesn’t have an IPv6 address, and the operating system doesn’t support IPv6. | The device doesn’t have IPv6 support and might or might not have outbound connectivity using IPv4. |
No, but OS has support | The device doesn’t have an IPv6 address, but the operating system supports IPv6. | The device either doesn’t have outbound connectivity or is using IPv4. It can still access other devices using their tailnet IPv6 address. |
Mapping varies by destination IP address
The `MappingVariesByDestIP` field states whether the device’s IP address differs between DERP relay servers. It’s the most important field to determine why a device isn’t using direct connections.
Value | Meaning | Interpretation |
---|---|---|
True | The device’s IP address and port number combination varies between DERP relay servers. | If two DERP relay servers return different results, it indicates that the device is behind a hard NAT that randomly selects the IP address and port number combination. Hard NAT makes it difficult for Tailscale to enable direct connections, so the device is likely using a DERP relay server. |
False | The device’s IP address and port number combination is the same across DERP relay servers. | If all DERP relay servers return the same result, it indicates that the device either has no NAT or is behind an easy NAT. The device is likely to use direct connections. |
When Tailscale initiates a connection, it contacts multiple DERP relay servers to obtain the outbound IP address and port combination. Each DERP relay server reports this information back to Tailscale.
If the outbound IP address varies between DERP servers, it indicates that the device is behind a NAT that varies the IP addresses between destinations. This is sometimes referred to as hard NAT.
If the outbound IP address is the same between DERP servers, it indicates that the device is behind an easy NAT or no NAT.
It’s difficult to distinguish between an easy NAT and no NAT. In the cases where a device has no NAT, the device itself has the same public IP address that it reported to the STUN servers, as well as predictable ports. In many scenarios, this means the public interface is directly attached to the client on which Tailscale is installed. However, this doesn’t always mean the IP address is available locally in the operating system. In some scenarios (such as with AWS EC2), the public IP address is not available directly in the operating system but is attached directly to the host.
Port mapping
The `PortMapping` field indicates which port mapping protocols the current device supports. If a device is using any of the following port mapping protocols, it is generally considered to be easy NAT.
Value | Meaning |
---|---|
UPnP | The current device supports port mapping using UPnP. |
NAT-PMP | The current device supports port mapping using NAT-PMP. |
PCP | The current device supports port mapping using PCP. |
False | The current device doesn’t support any of the three port mapping services. |
The device likely cannot use direct connections if the value is false.
UPnP, NAT-PMP, and PCP are all different mechanisms that allow a device behind a NAT to open external ports to help with direct connections.
If the `PortMapping` field is false, the device cannot open external ports behind the NAT device, which makes creating direct connections difficult and likely leads to a hard NAT circumstance.
If the device supports any of the three port mapping protocols, it might be able to use direct connections, even if the IP address varies between DERP relay servers (that is, `MappingVariesByDestIP` is true).
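The following is an added example (not Tailscale's code) that applies the interpretation rules from the field tables above to a constructed `tailscale netcheck` report. The field names are the ones documented above; the `* Field: value` line layout of the CLI output and the sample addresses are assumptions.

```python
"""Classify NAT type from a `tailscale netcheck` report (added example, not Tailscale's code)."""
import re

# Assumption: each field is printed as "* Field: value"; the report below is constructed.
SAMPLE_REPORT = """\
Report:
\t* UDP: true
\t* IPv4: yes, 203.0.113.10:41641
\t* IPv6: no, but OS has support
\t* MappingVariesByDestIP: true
\t* PortMapping: NAT-PMP
"""

FIELD_RE = re.compile(r"^\s*\*\s*(\w+):\s*(.*?)\s*$")


def parse_netcheck(report: str) -> dict:
    """Return {field: value} for every '* Field: value' line in the report."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, report.splitlines()) if m}


def classify(fields: dict) -> tuple:
    """Return (verdict, reasons), following the interpretation tables field by field."""
    reasons = []
    udp = fields.get("UDP", "").lower() == "true"
    has_v4 = fields.get("IPv4", "").lower().startswith("yes")
    varies = fields.get("MappingVariesByDestIP", "").lower() == "true"
    pm = fields.get("PortMapping", "").lower()
    port_mapping = bool(pm) and pm != "false"  # UPnP, NAT-PMP or PCP present

    if not has_v4:  # IPv4: no -> no network connectivity at all
        reasons.append("IPv4: no -> device has no network connectivity")
        return "no connectivity", reasons
    if not udp:  # STUN saw no outbound UDP, so a direct connection is unlikely
        reasons.append("UDP: false -> no outbound UDP; direct connections unlikely")
        return "relayed (DERP)", reasons
    if varies:  # different mapping per DERP server: hard NAT
        reasons.append("MappingVariesByDestIP: true -> hard NAT")
        if port_mapping:  # port mapping can still open an external port
            reasons.append("PortMapping: %s -> direct still possible" % fields["PortMapping"])
            return "hard NAT, direct possible via port mapping", reasons
        reasons.append("PortMapping: false -> cannot open external ports")
        return "hard NAT, likely relayed (DERP)", reasons
    reasons.append("MappingVariesByDestIP: false -> no NAT or easy NAT")
    return "easy NAT or no NAT, direct likely", reasons


if __name__ == "__main__":
    verdict, why = classify(parse_netcheck(SAMPLE_REPORT))
    print(verdict, *why, sep="\n  ")
```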