Establishing direct connection between two endpoints via Tailscale (one device behind an OpenWrt router)

My setup:

  • OpenWrt on a GL-iNET MT-6000 (No Tailscale, has public IPv4 address)
  • A Synology NAS behind the router (with Tailscale installed)
  • Android phone (with Tailscale installed, should be behind CGNAT as it has private IPv4 address)

The NAS and my phone could not establish a direct connection (so they had to use Tailscale's DERP server as relay, which is very slow). This is fixed by forwarding port 41641/udp on my NAS, as documented in Tailscale's docs.

I think OpenWrt defaults to symmetric NAT, so Tailscale doesn't work OOTB. Tailscale listed firewalls that use symmetric NAT by default (e.g. pfSense/OPNsense/Fortinet) and their workarounds, but OpenWrt is not on this list.

My question:
Is there a way to enable Tailscale direct connections without using UPnP or port forwarding 41641/udp on OpenWrt?

(This Reddit thread also mentioned that port forwarding is necessary for Tailscale direct connections)

No. You need to forward the required port to the relevant device.

I'm curious if there's a specific reason to not try running Tailscale on the MT6000 directly.

It's because I just got the MT-6000. Before that I used a TP-Link router with stock firmware, and Tailscale could connect directly without issue.

I am curious: does OpenWrt use symmetric NAT by default? If yes, is there no way to modify this to a more lax version of NAT?

What is the issue with forwarding the relevant port?

No issue, I forwarded the port already. I am just curious about it.
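
The thread leaves open how to tell whether a NAT in the path is symmetric. As an added example (not part of any post above), this Python code shows the comparison STUN-based NAT traversal relies on: Binding requests go out from one local UDP socket to two servers, and the XOR-MAPPED-ADDRESS in each reply is compared. The replies, addresses and server names are constructed so it runs offline, and `build_response` is a hypothetical helper for making that sample input.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442      # fixed STUN magic cookie (RFC 5389)
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_response(ip, port, txid=b"\x00" * 12):
    """Hypothetical helper: build a constructed Binding success response."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(resp):
    """Return the (ip, port) the STUN server saw, i.e. the NAT's outside mapping."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", resp[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding success response")
    pos, end = 20, min(len(resp), 20 + msg_len)
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", resp[pos:pos + 4])
        value = resp[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + attr_len + (-attr_len % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")


def classify_mapping(responses):
    """responses: {server: raw reply}, all sent from ONE local UDP socket."""
    if len(responses) < 2:
        raise ValueError("need replies from at least two STUN servers")
    seen = {parse_mapped_address(r) for r in responses.values()}
    # A different outside port (or IP) per destination is symmetric behaviour.
    return "endpoint-independent" if len(seen) == 1 else "endpoint-dependent (symmetric)"


# Constructed sample replies (documentation addresses, placeholder server names).
EASY = {"stun-a.example": build_response("203.0.113.7", 41641),
        "stun-b.example": build_response("203.0.113.7", 41641)}
HARD = {"stun-a.example": build_response("198.51.100.9", 31002),
        "stun-b.example": build_response("198.51.100.9", 47518)}
```

With live traffic, both requests must leave from the same local socket and port; otherwise differing mappings say nothing about the NAT.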
