Tailscale always relay never direct

JonSnow · July 30, 2025, 10:02pm

I do not have tailscale installed on openwrt, it is installed on proxmox. While testing tailscale I noticed that its always using the relayed connections.

The tailscale docs recommend enabling NAT-PMP and UPnP, but I would like to avoid enabling these do to security risk, is NAT-PMP safe?

The openwrt tailscale wiki does not specify needing port 41641 to be open, so is this not required when installed on openwrt?

However, this thread directly suggest port 41641 needs to be open as well as the linked reddit thread.

So what is the best way to get direct connection working with tailscale and openwrt?

brada4 · July 30, 2025, 10:08pm

Does tailscale traffic cross OpenWrt at all?

JonSnow · July 30, 2025, 10:10pm

The router running openwrt is my main router connected to my ISP, so I guess yes?

brada4 · July 30, 2025, 10:16pm

It was not clear from your post.
Sure, enable miniupnpd-nftables using luci-app-upnp. It is decent version and properly configured by default, ie no open control interfac€ to the internet.

JonSnow · July 30, 2025, 10:23pm

noted on this, but why isn't that needed when using tailscale openwrt package?

I forward port 41641 and have direct connection, so it's a good start but have two nodes on my lan for tailscale. So, if one goes down, I can still connect and will look into miniupnpd-nftables.

brada4 · July 30, 2025, 10:30pm

That would be dynamically opening port when needed.

JonSnow · July 30, 2025, 10:43pm

are you referring to miniupnpd or tailscale openwrt package?

The reason I'm hesitant on using miniupnpd, is that any device on my lan would be able to dynamically open ports, but I guess that's my only option.

brada4 · July 31, 2025, 4:25am

You can restrict that to one port or disable dservice if you dont like it.

JonSnow · July 31, 2025, 11:30am

thanks, but looks like luci app is broken on the latest 24 release.

As i understand miniupnp works just doesn't show open ports in luci?

brada4 · July 31, 2025, 2:37pm

Your observation is correct.

Summit48 · August 1, 2025, 1:57am

Not sure what you are doing but this works for me.

MacBook Pro(Tailscale) + OpenWrt Router <-- Internet --> ER-4 Router(Tailscale Exit Node) + LAN

Tailscale Exit Node is installed on the EdgeRouter running EdgeOS and is my Production Router.

Tailscale was installed on the OpenWrt Router as per the OpenWrt Tailscale Wiki some months ago and is my Test Router.

Tailscale was just disabled on the OpenWrt Router for this test.

root@usg-3p:~# tailscale down
root@usg-3p:~# tailscale status
Tailscale is stopped.
root@usg-3p:~#

To verify connection type:
1 MacBook Pro selects ER-4 as the Exit Node.
2 SSH into ER-4 and run tailscale status, the connection type confirmed as direct.

JonSnow · August 1, 2025, 2:53am

Unchecked 'Enable UPnP IGD protocol'
Checked 'Enable PCP/NAT-PMP protocols'

It is working just as expected, so I hope disabling upnp, this order and rules are correct?


config upnpd 'config'
        option enabled '1'
        option internal_iface 'lan'
        option upnp_lease_file '/var/run/miniupnpd.leases'
        option enable_upnp '0'
        option uuid 'deleted-uuid-for-privacy'

config perm_rule
        option comment 'Allow Tailscale'
        option int_addr 'x.x.x.x/32'
        option int_ports '41641'
        option ext_ports '41641'
        option action 'allow'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

JonSnow · August 1, 2025, 2:56am

You need to make sure its a direct connection my ping your external nodes, the first few pings use DERP relay but then you should get a direct conection.

you can also check tailscale netcheck.

Summit48 · August 1, 2025, 3:27am

I get a direct connection, tailscale status confirms that.

ubnt@ER-4:~$ tailscale status
100.xxx.xxx.xxx   er-4                xxx@    linux   idle; offers exit node
100.xxx.xxx.xxx   atv-1               xxx@    tvOS    idle; offers exit node
100.xxx.xxx.xxx   atv-2               xxx@    tvOS    active; direct xxx.xxx.xxx.xxx:41641, tx 315886464 rx 39734200
100.xxx.xxx.xxx   macbookpro          xxx@    macOS   active; direct xxx.xxx.xxx.xxx:41641, tx 275667328 rx 31882000

JonSnow · August 1, 2025, 12:26pm

maybe because you are running directly on the routers, I am not.

Summit48 · August 2, 2025, 12:34am

Can you post a screenshot that shows the device is using the DERP Servers?

Note, tailscale netcheck will show the nearest DERP Server and also list global DERP Servers, but that does not indicate the device is connecting through a DERP Server.

JonSnow · August 3, 2025, 1:50am

It's working after I setup miniupnp.

bob.aitah · August 5, 2025, 1:26am

Please mention whether your ISP is mobile (CGNAT) or conventional? Thanks.

JonSnow · August 7, 2025, 12:27am

conventional FTTH

system · August 17, 2025, 12:27am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.