Summary: Tailscale builds a peer-to-peer mesh VPN using WireGuard, with STUN/ICE for NAT traversal and DERP relay servers as an encrypted fallback when direct UDP is blocked.
Tailscale wraps WireGuard in a control plane that handles key distribution, NAT traversal, and relay fallback automatically. Each node gets a stable IP in the 100.64.0.0/10 CGNAT range (Tailscale calls this the "tailnet").
```text
Node A ──[WireGuard UDP]──────────► Node B   (ideal — direct P2P)
Node A ──[WireGuard UDP via DERP]──► Node B   (fallback — relayed)
```
The control plane (Tailscale's coordination server or a self-hosted Headscale instance) handles key distribution, NAT traversal coordination, and access policy (ACLs, e.g. `acls.hujson`). Traffic itself is always end-to-end encrypted by WireGuard — even when relayed through DERP.
Tailscale uses WireGuard for all data-plane encryption.
| Attribute | Detail |
|---|---|
| Transport | UDP |
| Default port | 41641 (configurable; may also use ephemeral ports) |
| Encryption | ChaCha20-Poly1305 |
| Key exchange | Curve25519 ECDH |
| Auth | Static public/private keypair per node |
Each node generates a WireGuard keypair on enrolment. The public key is registered with the coordination server and distributed to authorised peers. No certificates, no PKI.
WireGuard is stateless on the wire — no handshake keepalive unless configured. Tailscale adds its own keepalive to maintain NAT mappings.
Before attempting a direct connection, Tailscale uses STUN to discover the node's public IP and port, then tries multiple connection paths via an ICE-like process.
```text
Node ──UDP──► STUN server (port 3478)
     ◄────── Reflexive address: <public-IP>:<public-port>
```
Once both peers know their reflexive addresses, Tailscale attempts a direct UDP connection (hole punching). Whether that succeeds depends mainly on the type of NAT in front of each peer:
| NAT Type | Direct Connection | Notes |
|---|---|---|
| Full cone / port-restricted cone | ✓ Usually succeeds | Most home/office routers |
| Symmetric NAT | ✗ Often fails | Each new destination gets a different external port — breaks hole punching |
| CGNAT (carrier-grade) | Depends | Double NAT; usually requires DERP fallback |
| No NAT (public IP) | ✓ Always direct | Servers with public IPs connect directly |
DERP is Tailscale's relay network. Traffic is still WireGuard-encrypted end-to-end — DERP servers see only encrypted bytes and cannot decrypt payloads.
```text
Node A ──TLS 443──► DERP server ──TLS 443──► Node B
        (opaque WireGuard payload carried inside HTTPS)
```
Tailscale runs a fleet of public DERP servers in multiple regions (e.g. derp1.tailscale.com, derp2.tailscale.com). The relay connection has the following properties:

| Attribute | Detail |
|---|---|
| Protocol | HTTPS (HTTP/2 over TLS) |
| Port | TCP 443 |
| Fallback port | TCP 80 (HTTP upgrade, rare) |
| Direction | Outbound only from the node — no inbound required |
DERP is used only when direct UDP is impossible. Tailscale continuously retries direct paths in the background and will upgrade from DERP to direct as soon as a hole punch succeeds.
| Protocol | Destination | Port | Purpose |
|---|---|---|---|
| UDP | Any | 41641 | WireGuard data plane (direct P2P) |
| UDP | Any | 3478 | STUN (NAT traversal discovery) |
| TCP | DERP servers | 443 | DERP relay + control plane |
| TCP | controlplane.tailscale.com | 443 | Coordination server (key exchange, policy) |
⚠️ UDP 41641
If UDP 41641 is blocked outbound, Tailscale will fall back to DERP for all connections. The network will function but with higher latency and through Tailscale's relay infrastructure. For best performance, permit outbound UDP 41641 to any destination.
Tailscale nodes initiate all connections outbound. Inbound firewall rules are not required for clients. The exception is subnet routers and exit nodes, where you may want to permit inbound UDP 41641 so remote peers can reach the node directly rather than through DERP.
```text
Inbound UDP <any> → <node-IP> port 41641   # allows direct P2P inbound
```
IP forwarding must also be enabled on the host:

```bash
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
```
If running a private DERP server (derper):
| Protocol | Port | Purpose |
|---|---|---|
| TCP | 443 | DERP relay (HTTPS) |
| TCP | 80 | HTTP → HTTPS redirect |
| UDP | 3478 | STUN |
When a Tailscale node sits behind a VLAN ACL that permits only standard outbound internet traffic, three explicit permit entries are needed. Everything else is handled by the router's stateful inspection returning matched reply traffic.
| Entry | Why |
|---|---|
| `permit udp <host> any eq 41641` | WireGuard data plane — direct P2P tunnels to peers. Without this, all traffic falls back to DERP. |
| `permit udp <host> any eq 3478` | STUN — discovers the node's public IP/port for NAT traversal. Blocked STUN degrades hole-punch success rate. |
| `permit tcp <host> any eq 443` | DERP relay and coordination server — both run over HTTPS. Required even when UDP 41641 is permitted (used for initial path negotiation and fallback). |
A standard extended ACL applied inbound on the VLAN interface with `ip inspect` or a stateful firewall (ZBF / ASA) will automatically permit return traffic for the TCP and UDP sessions above — no explicit inbound permit entries needed.
For a simple extended ACL without stateful inspection, add explicit return permits. The `established` keyword matches TCP flags only, so the UDP replies need their own entries: WireGuard replies arrive at the node's listening port (41641 by default), STUN replies come from the server's source port 3478:

```text
permit udp any host <tailscale-node-ip> eq 41641
permit udp any eq 3478 host <tailscale-node-ip>
permit tcp any host <tailscale-node-ip> established
```
If outbound UDP 41641 is blocked, Tailscale detects this during the initial `tailscale netcheck` and switches every peer connection to DERP relay:

- All peer traffic goes to `derp*.tailscale.com` on TCP 443.
- `tailscale ping` shows `via DERP(lon)` instead of a direct UDP address.
- TCP 443 must still be permitted outbound. If both UDP 41641 and TCP 443 are blocked, Tailscale cannot connect at all.
ACL applied inbound on the VLAN SVI (traffic leaving the VLAN toward the internet):
```text
ip access-list extended ACL_VLAN10_OUT
 !
 remark -- Tailscale: WireGuard direct P2P
 permit udp 192.168.10.0 0.0.0.255 any eq 41641
 !
 remark -- Tailscale: STUN (NAT traversal)
 permit udp 192.168.10.0 0.0.0.255 any eq 3478
 !
 remark -- Tailscale: DERP relay + coordination server (also covers general HTTPS)
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 !
 remark -- General internet (HTTP, DNS)
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit udp 192.168.10.0 0.0.0.255 any eq 53
 permit tcp 192.168.10.0 0.0.0.255 any eq 53
 !
 deny ip any any log
!
interface Vlan10
 ip access-group ACL_VLAN10_OUT in
```
⚠️ UDP Return Traffic
IOS-XE extended ACLs are stateless by default. If you are not running `ip inspect` or Zone-Based Firewall, add explicit return permits for UDP (WireGuard reply traffic has no `established` keyword — that applies to TCP only). Either enable stateful inspection or permit inbound `udp any host <node-ip>` for the relevant source ports.
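A small lint for the ACL described above, added here as an example (not part of the original page or of any Tailscale tooling): it checks an IOS-style extended ACL for the three outbound permits a node needs and flags the invalid `established` on a UDP entry. The sample ACL is constructed from the one above with the TCP 443 entry left out.

```python
import re

# Constructed sample (not captured from a real device): the VLAN ACL shown above with the
# TCP 443 entry left out, so the lint has something to report.
SAMPLE_ACL = """\
ip access-list extended ACL_VLAN10_OUT
 remark -- Tailscale: WireGuard direct P2P
 permit udp 192.168.10.0 0.0.0.255 any eq 41641
 remark -- Tailscale: STUN (NAT traversal)
 permit udp 192.168.10.0 0.0.0.255 any eq 3478
 remark -- General internet
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 deny ip any any log
"""

# The three outbound permits a Tailscale node needs: (protocol, destination port, why).
REQUIRED = [
    ("udp", "41641", "WireGuard direct P2P; without it every tunnel falls back to DERP"),
    ("udp", "3478", "STUN reflexive-address discovery for NAT traversal"),
    ("tcp", "443", "DERP relay and coordination server; hard requirement"),
]

# Matches 'permit <proto> <source> any eq <port>' with any IOS source form
# (network/wildcard, 'host x.x.x.x' or 'any').
PERMIT_RE = re.compile(r"^\s*permit\s+(udp|tcp)\s+(.+?)\s+any\s+eq\s+(\d+)\b", re.I)
UDP_ESTABLISHED_RE = re.compile(r"^\s*permit\s+udp\b.*\bestablished\b", re.I)


def lint_tailscale_acl(acl_text: str) -> list[str]:
    """Return findings for an IOS-style extended ACL applied to a Tailscale node's VLAN."""
    found = set()
    findings = []
    for line in acl_text.splitlines():
        m = PERMIT_RE.match(line)
        if m:
            found.add((m.group(1).lower(), m.group(3)))
        # 'established' matches TCP flags only; on a UDP entry it gives no return path.
        if UDP_ESTABLISHED_RE.match(line):
            findings.append(f"invalid: 'established' applies to TCP only -> {line.strip()}")
    for proto, port, why in REQUIRED:
        if (proto, port) not in found:
            findings.append(f"missing: permit {proto} <host> any eq {port} ({why})")
    return findings


if __name__ == "__main__":
    for finding in lint_tailscale_acl(SAMPLE_ACL):
        print(finding)
```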
```bash
# Show current connection status for all peers
tailscale status
# Ping a peer and show latency + path (direct or DERP)
tailscale ping <peer-ip>
tailscale ping -c 5 100.x.x.x
# Network connectivity report — shows DERP latency, UDP reachability, NAT type
tailscale netcheck
```
Sample `tailscale ping` output:

```text
pong from node-name (100.x.x.x) via DERP(lon) in 28ms             ← relayed via London DERP
pong from node-name (100.x.x.x) via 192.168.1.100:41641 in 2ms    ← direct UDP
```
`tailscale netcheck` output shows:

```text
* UDP: true
* IPv4: yes, <public-ip>:<port>
* MappingVariesByDestIP: false   ← false = easy NAT; true = symmetric NAT (DERP likely)
* DERP latency:
    - lon: 12ms
    - fra: 18ms
    - nyc: 85ms
```
MappingVariesByDestIP: true means symmetric NAT — direct connections to most peers will fail and DERP will be used.
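To turn the two outputs above into the diagnosis this section describes, here is an added example (not part of the original page or of the Tailscale CLI) that parses constructed `tailscale ping` and `tailscale netcheck` text and classifies the result as UDP blocked, symmetric NAT, everything relayed, or ok; the classification labels are the author's own.

```python
import re

# Constructed sample output modelled on the `tailscale ping` and `tailscale netcheck`
# lines quoted above; not captured from a real tailnet.
PING_OUTPUT = """\
pong from server-1 (100.101.1.1) via DERP(lon) in 28ms
pong from laptop (100.101.1.2) via DERP(fra) in 31ms
pong from nas (100.101.1.3) via 192.168.1.100:41641 in 2ms
"""
NETCHECK_OUTPUT = """\
Report:
    * UDP: true
    * IPv4: yes, 203.0.113.7:41641
    * MappingVariesByDestIP: true
    * DERP latency:
        - lon: 12ms
        - fra: 18ms
"""

PONG_RE = re.compile(r"pong from (\S+) \((\S+)\) via (?:DERP\((\w+)\)|(\S+)) in (\d+)ms")


def parse_ping(text: str) -> dict:
    """Map peer name -> ('derp', region) or ('direct', 'ip:port') from tailscale ping lines."""
    paths = {}
    for name, _ip, region, addr, _ms in PONG_RE.findall(text):
        paths[name] = ("derp", region) if region else ("direct", addr)
    return paths


def parse_netcheck(text: str) -> dict:
    """Pull the two netcheck flags that decide whether direct paths are possible."""
    def flag(key: str) -> bool:
        m = re.search(rf"\* {key}: (true|false)", text)
        return m is not None and m.group(1) == "true"
    return {"udp": flag("UDP"), "mapping_varies": flag("MappingVariesByDestIP")}


def diagnose(ping_text: str, netcheck_text: str) -> str:
    """Classify why peers are relayed, checked in the order the troubleshooting steps above imply."""
    paths = parse_ping(ping_text)
    nc = parse_netcheck(netcheck_text)
    relayed = [p for p, (kind, _) in paths.items() if kind == "derp"]
    if not nc["udp"]:
        return "udp-blocked"      # netcheck got no UDP at all: permit outbound UDP 41641 and 3478
    if nc["mapping_varies"]:
        return "symmetric-nat"    # reflexive port differs per destination: hole punching mostly fails
    if paths and len(relayed) == len(paths):
        return "all-relayed"      # local UDP is fine but no peer is direct: look at the peers' side
    return "ok"


if __name__ == "__main__":
    print(diagnose(PING_OUTPUT, NETCHECK_OUTPUT))   # symmetric-nat
```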
```bash
# Node status and peer list
tailscale status
# Bring interface up/down
tailscale up
tailscale down
# Show current IP addresses
tailscale ip
# Network diagnostics
tailscale netcheck
# Ping a peer (shows path: direct or DERP)
tailscale ping <hostname-or-ip>
# Show detailed debug info
tailscale debug
# List available DERP regions
tailscale netcheck --verbose
```
| Port | Protocol | Direction | Required For |
|---|---|---|---|
| 41641 | UDP | Outbound | WireGuard direct P2P (best performance) |
| 3478 | UDP | Outbound | STUN (NAT type discovery) |
| 443 | TCP | Outbound | DERP relay + coordination server |
| 41641 | UDP | Inbound | Direct inbound to subnet routers / exit nodes |