NAT traversal, and how we're improving it
a day ago
- #Peer-to-peer networking
- #WireGuard
- #NAT traversal
- Tailscale primarily uses direct peer-to-peer (P2P) connections with WireGuard™ encryption, minimizing reliance on DERP relay servers.
- NAT traversal techniques are employed to establish direct connections, with DERP used as a fallback when direct P2P fails.
- Symmetric NATs, multiple NAT layers, strict firewalls, and carrier-grade NATs are common obstacles to direct P2P connections.
- Tailscale has sponsored a FreeBSD patch to enable endpoint-independent NAT mapping, improving P2P connectivity for UDP traffic.
- Improvements in NAT traversal techniques, including enhancements to Tailscale's magicsock library, aim to reduce reliance on DERP.
- IPv6 is leveraged where available to bypass NAT issues, though IPv4 remains critical for most connections.
- Tailscale avoids relying on UPnP/NAT-PMP due to security risks and lack of universal availability, preferring protocol-level solutions.
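The bullets above hinge on one property: whether a NAT reuses the same public port for a socket regardless of destination (endpoint-independent mapping, which the sponsored FreeBSD patch enables) or allocates a fresh port per destination (a symmetric NAT). The simulation below is an added example, not Tailscale's or FreeBSD's code: it models both mapping policies, assumes address-dependent inbound filtering on every NAT, uses constructed addresses for the peers and a STUN-like coordination server, and shows which pairings let a UDP hole punch succeed and which would have to fall back to a relay such as DERP.

```python
from itertools import count

class Nat:
    """Constructed model of a NAT's UDP behaviour (not Tailscale's code).
    endpoint_independent=True: one public port per internal socket, reused for every
    remote. False: a fresh public port per (socket, remote) pair, i.e. a symmetric NAT.
    Inbound filtering is address-dependent in both cases (an assumption of this model):
    a public port only accepts packets from IPs that socket has already sent to."""
    def __init__(self, public_ip, endpoint_independent):
        self.public_ip = public_ip
        self.eim = endpoint_independent
        self.ports = count(40000)
        self.out = {}     # mapping key -> public port
        self.peers = {}   # public port -> set of remote IPs sent to through that port

    def send(self, internal, remote):
        """Translate an outbound packet; return the public (ip, port) it leaves from."""
        key = internal if self.eim else (internal, remote)
        port = self.out.setdefault(key, next(self.ports))
        self.peers.setdefault(port, set()).add(remote[0])
        return (self.public_ip, port)

    def receive(self, public_port, src):
        """True if an inbound packet from `src` to this public port passes the filter."""
        return src[0] in self.peers.get(public_port, set())

COORD = ("203.0.113.9", 3478)   # constructed coordination / STUN-like server address

def direct_path_works(nat_a, nat_b):
    """Simulate a UDP hole punch between one peer behind nat_a and one behind nat_b."""
    sock_a, sock_b = ("10.0.0.2", 41641), ("192.168.1.7", 41641)  # constructed LAN sockets
    # 1. Each peer learns its reflexive (public) address by talking to the coordination server.
    refl_a = nat_a.send(sock_a, COORD)
    refl_b = nat_b.send(sock_b, COORD)
    # 2. The reflexive addresses are exchanged out of band; both peers probe the other's.
    a_probe_src = nat_a.send(sock_a, refl_b)
    b_probe_src = nat_b.send(sock_b, refl_a)
    # 3. Each NAT decides whether the peer's probe may enter the advertised port.
    a_got_b = nat_a.receive(refl_a[1], b_probe_src)
    b_got_a = nat_b.receive(refl_b[1], a_probe_src)
    # 4. Whoever received a probe now knows the peer's real source address and replies there.
    if a_got_b:
        reply_src = nat_a.send(sock_a, b_probe_src)
        return nat_b.receive(b_probe_src[1], reply_src)
    if b_got_a:
        reply_src = nat_b.send(sock_b, a_probe_src)
        return nat_a.receive(a_probe_src[1], reply_src)
    return False   # neither probe got through: this pair needs a relay (DERP)
```

With endpoint-independent mapping on at least one side the punch succeeds; with symmetric NATs on both sides every probe lands on a port tied to the coordination server and is dropped.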