Tailscale won't create a direct connection

demon_slayer

So I'm facing this weird issue with my tailscale setup.
Device A - macbook - behind ISP (comway) NAT (delhi) - probably a hard NAT
Device B - vps in oracle cloud - public ip - udp/41641 open for tailscale
Device C - desktop - behind ISP (airtel) NAT (bangalore) - probably a hard NAT

A can make a direct connection to B, which I have always assumed is because B is on a public IP with the tailscale-required port open, and hence that's why this is possible.
I added the device C recently and for the life of me, I cannot get it to get a direct connection to B.

Has someone run into such an issue with tailscale before?
I'm writing this out of frustration in the middle of the night, so I might have missed details; please bear with me and do ask me for more.
 
So tailscale doesn't require any open ports on the oracle vps. I run one and I haven't opened any ports on mine. But that is unrelated to your issue. Just some free advice.

Try using Device C with a different network (say a mobile hotspot, which is definitely NATted) and check if you're able to form a direct connection. Do confirm you're getting an IPv4 address for all devices. Tailscale uses DERP for IPv6 to v4 tunneling.

Also sometimes it may take a few minutes/hours to get a direct connection.

My tailnet sometimes connects via Bangalore DERP before switching over to a direct connection, but at least in my use case, using DERP hasn't been a bottleneck, hence I haven't investigated further.
 
If nothing works, just set up a custom DERP server on your VPS.

I too have my Oracle VPS as a tailscale node but everything seems to direct connect seamlessly to it.
Even IPv6 devices like my phone.
So not sure what's up with your instance.

My devices get both IPv6 and IPv4 addresses, so I think my direct connections are IPv4 to IPv4.
Your problem is probably what @badwhitevision said: Device C might just be getting an IPv6 address, which means its connections are going to be relayed.
See this: https://tailscale.com/kb/1121/ipv6

Did you try pinging it via Tailscale and seeing if it eventually establishes a direct connection?
Some of my devices sometimes take like 10-20 pings to establish one.

Another thing you can try is allowing the whole Tailscale interface through your firewall instead of a specific port. See this (assuming you're using UFW and Ubuntu): https://tailscale.com/kb/1077/secure-server-ubuntu
 
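An added helper for the "keep pinging and see if it goes direct" step above (example code, not from anyone in this thread): it parses the `pong ... via ...` lines that `tailscale ping` prints to tell a DERP-relayed path from a direct one, and reads the `MappingVariesByDestIP` line from `tailscale netcheck`, which is the signal for the "hard NAT" the first post guesses at. The sample outputs below are constructed, not captured from the poster's tailnet.

```shell
#!/bin/sh
# Classify one "pong from ..." line: relayed via DERP, direct UDP, or unknown.
classify_pong() {
  case "$1" in
    *"via DERP("*) echo derp ;;      # e.g. "via DERP(blr) in 41ms"
    *"via "*:*)    echo direct ;;    # e.g. "via 203.0.113.5:41641 in 12ms"
    *)             echo unknown ;;
  esac
}

# Read full `tailscale ping` output on stdin, print the path of the last pong.
# `tailscale ping` stops by default once a direct path is found, so the last
# line is what the connection settled on.
path_of_output() {
  last=unknown
  while IFS= read -r line; do
    case "$line" in
      pong*) last=$(classify_pong "$line") ;;
    esac
  done
  echo "$last"
}

# Read `tailscale netcheck` output on stdin; "hard" means the NAT maps each
# destination differently (hard NAT), "easy" means endpoint-independent.
hard_nat_hint() {
  hint=unknown
  while IFS= read -r line; do
    case "$line" in
      *MappingVariesByDestIP:*true*)  hint=hard ;;
      *MappingVariesByDestIP:*false*) hint=easy ;;
    esac
  done
  echo "$hint"
}

# Live use (needs tailscale installed): check_peer vps
check_peer() { tailscale ping "$1" | path_of_output; }

# Constructed sample output in the format the CLI prints (assumed peer name "vps").
SAMPLE_PING='pong from vps (100.101.102.103) via DERP(blr) in 41ms
pong from vps (100.101.102.103) via DERP(blr) in 39ms
pong from vps (100.101.102.103) via 203.0.113.5:41641 in 12ms'
SAMPLE_NETCHECK='Report:
  * UDP: true
  * IPv4: yes, 198.51.100.7:41641
  * IPv6: no, but OS has support
  * MappingVariesByDestIP: true
  * Nearest DERP: Bangalore'
```

Run `tailscale netcheck | hard_nat_hint` on both NATted machines; two "hard" results is the case where Tailscale most often stays on DERP, while a relayed first pong followed by a direct one is the normal warm-up the replies above describe.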
Hmm, I do see that device getting an IPv6 and an IPv4 IP. I'll try to VNC to it and disable IPv6 in the airtel router itself. Doing some office work right now, will update this thread after this config change.