Tailscale won't create a direct connection

demon_slayer

Explorer
So I'm facing this weird issue with my tailscale setup.
Device A - MacBook - behind ISP (Comway) NAT (Delhi) - probably a hard NAT
Device B - VPS in Oracle Cloud - public IP - udp/41641 open for Tailscale
Device C - desktop - behind ISP (Airtel) NAT (Bangalore) - probably a hard NAT

A can make a direct connection to B which I have always assumed is because B is on a public IP with the tailscale required port open, and hence that's why this is possible.
I added the device C recently and for the life of me, I cannot get it to get a direct connection to B.

Has someone run into such an issue with Tailscale before?
I'm writing this out of frustration in the middle of the night, so I might have missed details; please bear with me and do ask me for more.
 
So tailscale doesn't require any open ports in oracle vps. I run one and I haven't opened any ports on mine. But that is unrelated to your issue. Just some free advice.

Try using Device C with a different network (say mobile hotspot - which is definitely NATted) and check if you're able to form a direct connection. Do confirm you're getting an IPv4 address for all devices. Tailscale uses DERP for IPv6 to v4 tunneling.

Also sometimes it may take a few minutes/hours to get a direct connection.

My tailnet sometimes connects via the Bangalore DERP before switching over to a direct connection, but at least in my use case, using DERP hasn't been a bottleneck, hence I haven't investigated further.
 
If nothing works, just set up a custom DERP server on your VPS.

I too have my Oracle VPS as a tailscale node but everything seems to direct connect seamlessly to it.
Even ipv6 devices like my phone.
So not sure what's up with your instance.

My devices get both IPv6 and IPv4 addresses, so I think my direct connections are IPv4 to IPv4.
Your problem is probably what @badwhitevision said: Device C might just be getting an IPv6 address, which means its connections are going to be relayed.
See this: https://tailscale.com/kb/1121/ipv6

Did you try pinging it via Tailscale and seeing if it eventually establishes a direct connection?
Some of my devices sometimes take like 10-20 pings to establish one.

Another thing you can try is allowing the whole Tailscale interface through your firewall instead of a specific port. See this (assuming you're using UFW and Ubuntu): https://tailscale.com/kb/1077/secure-server-ubuntu
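The "ping it until it goes direct" check above can be automated. This is an added example, not code from the thread: it parses the `pong from ... via ...` lines that `tailscale ping` prints (relayed replies name the DERP region, direct ones show the peer's public ip:port) and reports at which ping the path upgraded. The sample lines are constructed, and the `--c` count flag is assumed to be available on your Tailscale CLI.

```python
import re
import subprocess
from typing import Optional

# Shape of a `tailscale ping` reply line. Relayed replies look like
# "via DERP(blr)", direct replies like "via 203.0.113.7:41641".
PONG_RE = re.compile(
    r"pong from (?P<host>\S+) \((?P<ip>[^)]+)\) via (?P<path>\S+) in (?P<rtt>\S+)"
)

def classify_pong(line: str) -> Optional[dict]:
    """Parse one output line; return None for non-pong lines (timeouts, warnings)."""
    m = PONG_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "path": path,
        "rtt": m.group("rtt"),
        "direct": not path.startswith("DERP("),   # anything not a DERP region is a direct endpoint
    }

def first_direct(lines) -> Optional[int]:
    """Index of the first reply that went direct, or None if every reply was relayed."""
    for i, line in enumerate(lines):
        info = classify_pong(line)
        if info and info["direct"]:
            return i
    return None

# Constructed sample mirroring the behaviour described in the thread: a few
# replies via the Bangalore DERP, then the path upgrades to direct.
SAMPLE = [
    "pong from desktop-c (100.101.102.103) via DERP(blr) in 48ms",
    "pong from desktop-c (100.101.102.103) via DERP(blr) in 51ms",
    "pong from desktop-c (100.101.102.103) via 203.0.113.7:41641 in 9ms",
]

def watch(peer: str, count: int = 20):
    """Run `tailscale ping` against a peer (hostname or 100.x address) and
    return (index of first direct reply or None, raw output lines)."""
    proc = subprocess.run(["tailscale", "ping", "--c", str(count), peer],
                          capture_output=True, text=True, check=False)
    lines = proc.stdout.splitlines()
    return first_direct(lines), lines

if __name__ == "__main__":
    idx = first_direct(SAMPLE)
    print("never went direct" if idx is None else f"direct after {idx + 1} pings")
```

On a real tailnet call `watch("desktop-c")`; a result of `None` after 20 pings is the "stuck on DERP" symptom, while a small index means the NAT traversal just needed a few attempts.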
 
Hmm, I do see that device getting an IPv6 and an IPv4 IP. I'll try to VNC to it and disable IPv6 in the Airtel router itself. Doing some office work right now; will update this thread after this config change.
 
Second this: DERP has not been a bottleneck. Using it as a fallback to IPsec (behind NAT).
Unfortunately it can be a huge bottleneck for bandwidth intensive applications.
At least it was in my case.

I was trying to connect two devices together for Immich (both behind a hard NAT), and the Bangalore relay was a slog fest.
 
So tailscale doesn't require any open ports in oracle vps. I run one and I haven't opened any ports on mine. But that is unrelated to your issue. Just some free advice.

Try using Device C with a different network (say mobile hotspot - which is definitely NATted) and check if you're able to form a direct connection. Do confirm you're getting an IPv4 address for all devices. Tailscale uses DERP for IPv6 to v4 tunneling.

Also sometimes it may take a few minutes/hours to get a direct connection.

My tailnet sometimes connects via the Bangalore DERP before switching over to a direct connection, but at least in my use case, using DERP hasn't been a bottleneck, hence I haven't investigated further.

Second this: DERP has not been a bottleneck. Using it as a fallback to IPsec (behind NAT).

Really? What kind of speeds are you folks getting over the relays? I can get around 30 Mbps between the devices, that's it.

You can check link speed using the tool "iperf3"

Run "iperf3 -s" on one machine and "iperf3 -c <machine-ip>" from the second machine to get the raw link speeds.
Unfortunately it can be a huge bottleneck for bandwidth intensive applications.
At least it was in my case.

I was trying to connect two devices together for Immich (both behind a hard NAT), and the Bangalore relay was a slog fest.
Yes, I'm trying to replicate 600+ GB of backups to a remote location as part of my 3-2-1 backup strategy.
 
Yes, I'm trying to replicate 600+ GB of backups to a remote location as part of my 3-2-1 backup strategy.
Oof, that's going to hurt on 30 Mbps.
Almost 2 days for the initial replication.

Although, if subsequent backups are incremental, and relatively small, then I suppose it shouldn't be much of a bother after the first one.
Since backups are mostly background operations.

Oh btw have you tried any config changes yet?
 
Oof, that's going to hurt on 30 Mbps.
Almost 2 days for the initial replication.

Although, if subsequent backups are incremental, and relatively small, then I suppose it shouldn't be much of a bother after the first one.
Since backups are mostly background operations.

Oh btw have you tried any config changes yet?
These are Proxmox machine backups and hence not incremental, which is unfortunate.
Still responding here from the office laptop; will try those tonight.
 
Really? What kind of speeds are you folks getting over the relays? I can get around 30 Mbps between the devices, that's it.

I've maxed out my internet connection on DERP. (100 Mbps).

My use case was similar too, backing up data from A to B, both behind CGNAT.

I don't explicitly know which DERP relay was used, but whenever I use tailscale ping, only Bangalore shows up. (Geographically closest)

Tailscale does have a clause though, about bandwidth limitations when using DERP. I figured it must have been for those with Gigabit internet.
 
Do you have any cloud backups of these? Have you thought about trying onedrive bundled with office 365?
lol yes, that is what I'm coming from.
Everything was being backed up to OneDrive and then synced to other devices for redundancy.
The OneDrive family plan managed by a friend expired.
Got notifications from all my backup sync crons about how OneDrive sync is failing.
Found out that due to the expiry, my OneDrive account has 600+ GB of data with a 5 GB upper limit lol.
Friend will renew OneDrive this week; meanwhile my data backup freak said data must be replicated.

And I landed where I am, trying to sync my data from source to source, rather than source-OneDrive-source.

Oh, and anything on OneDrive is being massively throttled now; as I'm trying to download stuff, I'm being maxed at 200-200 KiB/sec speeds.
I've maxed out my internet connection on DERP. (100 Mbps).

My use case was similar too, backing up data from A to B, both behind CGNAT.

I don't explicitly know which DERP relay was used, but whenever I use tailscale ping, only Bangalore shows up. (Geographically closest)

Tailscale does have a clause though, about bandwidth limitations when using DERP. I figured it must have been for those with Gigabit internet.
This will make you feel sympathetic for me :)

IPs are Tailscale private IPs, not worried about "exposing" them.

[screenshot attachment]

Well, I checked the machine interface; it is receiving both an IPv4 as well as an IPv6 address. `tailscale netcheck` reports the same, true for both protocols.
Ah I see.

If you try the changes tonight and they still don't work, then make B a custom DERP relay: https://tailscale.com/kb/1118/custom-derp-servers
I think your use case should fit this perfectly.

I haven't personally used it, but headscale could be a solution too.
I did try this once before, could not get it to work though, and I cannot remember why.
 
Have you tried restarting your router?

Sometimes an IP change might allow direct access.

As a last resort, try using VPS as an exit node, then check iperf speeds.

Maybe turning it into an exit node, might force a direct connection.

I'm talking out of my arse at this point, so you may experience no difference.

Otherwise kage has solid advice regarding custom DERP/Headscale.
 
Well, I checked the machine interface; it is receiving both an IPv4 as well as an IPv6 address. `tailscale netcheck` reports the same, true for both protocols.
Interesting.

We could try isolating the cause by disabling IPv6 completely.
That way we could be absolutely sure that it isn't an IPv6/IPv4 relay problem.

Also try the two other things I mentioned above: Pinging via Tailscale to see if it eventually direct connects, and/or passing through the whole Tailscale interface instead of just the UDP port.

I did try this once before, could not get it to work though, and I cannot remember why.
Which one? Custom DERP or Headscale?

I sound like a madman, don't I? :mask:
Haha not really.
I eventually had to resort to something similar for my Immich connection problem.
I turned the VPS into a public frontend for it (public subdomain routing via a reverse proxy through tailscale to my Immich server at home).
I did not know about custom relay servers back then.
 
Really? What kind of speeds are you folks getting over the relays? I can get around 30 Mbps between the devices, that's it.

You can check link speed using the tool "iperf3"

Run "iperf3 -s" on one machine and "iperf3 -c <machine-ip>" from the second machine to get the raw link speeds.

Yes, I'm trying to replicate 600+ GB of backups to a remote location as part of my 3-2-1 backup strategy.

I had to copy an ISO file for MS Office (was facing issues downloading it from VLSC); it took about 90 secs. This was around 11 PM or so. The file is around 700 MB, on a 100 Mb link, so about 60 Mbps - not bad. Other updates were also running on the other system.