Tailscale Peer Relays is now generally available
Source: Hacker News
When Tailscale works best, it feels effortless—almost boring. Devices connect directly, packets take the shortest possible path, and performance ceases to be a pressing concern.
But real‑world networks aren’t always that cooperative. Firewalls, NATs, and cloud‑networking constraints can block direct peer‑to‑peer connections. When that happens, Tailscale falls back to relays (DERP) to keep traffic moving securely and reliably.
What’s new?
- Tailscale Peer Relays are now generally available.
- They provide a customer‑deployed, high‑throughput relaying option that runs on any Tailscale node.
- Since the beta release, we’ve focused on major improvements in performance, reliability, and visibility.
“What started as a way to work around hard NATs has grown into a production‑grade connectivity option. One that gives teams the performance, control, and flexibility they need to scale Tailscale in even the most challenging network environments.”
Why use Peer Relays?
- Tailnet‑native relaying – no need for external services.
- High‑throughput – suitable for production workloads.
- Full control – run relays on nodes you manage.
- Better observability – built‑in metrics and logs.
Learn more
- Overview of connection types (including DERP):
- Peer Relay documentation:
- Blog post announcing the beta:
Vertical Scaling Boost That Improves Throughput
We’ve made substantial throughput improvements for Tailscale Peer Relays, especially noticeable when many clients forward through them.
What’s new
- Smarter client selection – When a relay offers multiple interfaces or address families, connecting clients now automatically choose the best one. This speeds up bootstrapping and improves overall connection quality.
- Reduced lock contention – Packets are now processed more efficiently on every Peer Relay, eliminating many of the bottlenecks that previously limited throughput.
- Multi‑socket UDP handling – Traffic is distributed across multiple UDP sockets (when available), further increasing parallelism and bandwidth.
Impact
- Higher performance – Expect noticeable gains in day‑to‑day tailnet traffic, even under heavy load.
- Improved reliability – Relays are less likely to become a choke point, keeping connections stable.
- Closer to true mesh behavior – When direct peer‑to‑peer connections aren’t possible, relays now deliver performance that approaches a full mesh network.
These changes together provide a more responsive and robust experience for all Tailscale users.
Static Endpoints for Restrictive Cloud Environments
In many public‑cloud networks, automatic endpoint discovery isn’t possible. Instances may:
- Sit behind strict firewall rules.
- Rely on port‑forwarding or load balancers in peered public subnets.
- Operate in environments where opening arbitrary ports is prohibited.
Often the infrastructure in front of those instances can’t run Tailscale directly, so the standard discovery mechanisms are ineffective.
How Peer Relays Solve This
Peer relays now support static endpoints. Using the --relay-server-static-endpoints flag with tailscale set, a relay can advertise one or more fixed IP:port pairs to the tailnet. These static endpoints can sit behind infrastructure such as an AWS Network Load Balancer, so external clients can relay traffic through the peer relay even when automatic discovery fails. Two things to check before relying on this: the node must already be configured as a relay (its listening port is set with --relay-server-port), and because peer relays forward traffic over UDP, the load balancer or port‑forward in front of it must pass UDP through to that port. A client that cannot reach an advertised endpoint cannot use the relay through it, so an endpoint that is wrong or not forwarded simply leaves those clients on their previous path.
```shell
# Example: configure a relay with two static endpoints
tailscale set --relay-server-static-endpoints \
    "203.0.113.10:443,203.0.113.11:443"
```
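A pre‑flight check for the static endpoint list, as an added example and not Tailscale’s own code: it validates each entry before anything is handed to tailscale set, because an endpoint that peers cannot reach only shows up later as clients that never use the relay. It assumes the --relay-server-static-endpoints flag described above and the --relay-server-port flag that sets the relay’s listening port; the addresses are documentation ranges and 41641 is an assumed relay port, not a recommendation.

```python
"""Validate peer-relay static endpoints and build the `tailscale set` invocation.

Added example, not Tailscale's code. Assumes the --relay-server-static-endpoints flag
from the page and the --relay-server-port flag for the relay's listening port. All
addresses are documentation ranges (RFC 5737 / RFC 3849); 41641 is an assumed port.
"""
import ipaddress


def parse_endpoint(raw):
    """Parse 'ipv4:port' or '[ipv6]:port' into (ip_address, port).

    Raises ValueError for hostnames, unbracketed IPv6, bad ports, and addresses that
    remote peers could never reach (loopback, unspecified, multicast, link-local).
    Private ranges are allowed on purpose: a relay in a peered VPC may be reached that way.
    """
    raw = raw.strip()
    if raw.startswith("["):
        host, sep, port_text = raw[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed bracketed endpoint: {raw!r}")
    else:
        host, sep, port_text = raw.rpartition(":")
        if not sep or ":" in host:
            raise ValueError(f"IPv6 literals must be written as [addr]:port: {raw!r}")
    addr = ipaddress.ip_address(host)  # rejects hostnames: the flag takes IP:port pairs
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
        raise ValueError(f"{addr} is not reachable from other peers")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return addr, port


def is_valid_endpoint(raw):
    """True when parse_endpoint accepts the entry."""
    try:
        parse_endpoint(raw)
        return True
    except ValueError:
        return False


def format_endpoint(addr, port):
    """Render back to the bracketed form the flag expects for IPv6."""
    return f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}"


def build_relay_command(relay_port, static_endpoints):
    """Return argv for `tailscale set` with validated, de-duplicated static endpoints.

    Duplicates (including the same IPv6 address written two ways) are collapsed so the
    relay does not advertise the same endpoint twice.
    """
    if not 1 <= relay_port <= 65535:
        raise ValueError(f"relay port out of range: {relay_port}")
    rendered = []
    for raw in static_endpoints:
        endpoint = format_endpoint(*parse_endpoint(raw))
        if endpoint not in rendered:
            rendered.append(endpoint)
    if not rendered:
        raise ValueError("at least one static endpoint is required")
    return [
        "tailscale", "set",
        f"--relay-server-port={relay_port}",
        f"--relay-server-static-endpoints={','.join(rendered)}",
    ]


if __name__ == "__main__":
    import shlex
    # Assumed relay port 41641; both endpoints are documentation addresses.
    print(shlex.join(build_relay_command(41641, ["203.0.113.10:443", "[2001:db8::1]:443"])))
```

The check deliberately refuses hostnames: the flag takes IP:port pairs, and a name that resolves differently from inside and outside the cloud network is exactly the kind of mistake that is hard to see from the relay itself.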
Benefits
- High‑throughput connectivity in environments where NAT traversal and endpoint discovery don’t work.
- Ability to deploy peer relays behind load balancers while still providing reliable, high‑performance relay paths to external clients.
- Peer relays can replace subnet routers, enabling full‑mesh deployments with core Tailscale features such as:
Visual Overview
By leveraging static endpoints, customers can achieve robust, high‑performance connectivity in even the most restrictive cloud environments.
Improved Auditability and Visibility
Tailscale Peer Relays are now generally available and integrate more deeply with Tailscale’s visibility and observability tooling, making relay behavior clear, measurable, and auditable.
Integrated with tailscale ping
- Visibility – tailscale ping now shows whether a relay is being used, if it’s reachable, and how it affects latency and reliability.
- Troubleshooting – Quickly determine if traffic is being relayed, whether the relay is healthy, and if it’s contributing to degraded performance.
Note: See the full CLI reference.
Exportable client metrics
Peer Relays now expose the following Prometheus‑compatible metrics:
| Metric | Description |
|---|---|
| tailscaled_peer_relay_forwarded_packets_total | Total number of packets forwarded by the relay. |
| tailscaled_peer_relay_forwarded_bytes_total | Total number of bytes forwarded by the relay. |
These metrics can be scraped and visualized in monitoring stacks such as Prometheus and Grafana, alongside existing Tailscale client metrics. Both are monotonically increasing counters: graph them with a rate function (rate() in PromQL) rather than as raw values, and expect them to start again from zero when tailscaled restarts. This enables teams to:
- Track relay usage over time.
- Understand traffic patterns and detect anomalies.
- Monitor overall tailnet health at scale.
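What a detection over these counters looks like, as an added example that is not Tailscale’s code: two scrapes are parsed from Prometheus text exposition, turned into per‑second forwarded packet and byte rates with counter resets handled the way rate() handles them, and checked against two conditions a relay operator cares about, a relay that should be idle but is forwarding, and a relay carrying more than it should. The metric names are the ones listed above; the scrape text is constructed to look like what a scrape of the client metrics (or tailscale metrics print) returns, the numbers are invented, and the byte threshold is an assumed value.

```python
"""Turn two scrapes of the peer-relay counters into rates and findings.

Added example, not Tailscale's code. Metric names are from the page; the scrape text is
constructed in Prometheus text exposition format and the numbers are invented. The
third metric is a labelled distractor so the parser is exercised on labels.
"""
import re

# Constructed snapshots, 60 seconds apart.
SCRAPE_T0 = """\
# TYPE tailscaled_peer_relay_forwarded_packets_total counter
tailscaled_peer_relay_forwarded_packets_total 1200000
# TYPE tailscaled_peer_relay_forwarded_bytes_total counter
tailscaled_peer_relay_forwarded_bytes_total 1500000000
# TYPE tailscaled_outbound_bytes_total counter
tailscaled_outbound_bytes_total{path="derp"} 4096
"""
SCRAPE_T1 = """\
# TYPE tailscaled_peer_relay_forwarded_packets_total counter
tailscaled_peer_relay_forwarded_packets_total 1260000
# TYPE tailscaled_peer_relay_forwarded_bytes_total counter
tailscaled_peer_relay_forwarded_bytes_total 1575000000
# TYPE tailscaled_outbound_bytes_total counter
tailscaled_outbound_bytes_total{path="derp"} 8192
"""
INTERVAL_S = 60

PACKETS = "tailscaled_peer_relay_forwarded_packets_total"
BYTES = "tailscaled_peer_relay_forwarded_bytes_total"

# name, optional {labels}, value; HELP/TYPE comment lines are skipped separately.
SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)")


def parse_exposition(text):
    """Map each sample line ('name{labels} value') to a float; comments are skipped."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m is None:
            continue  # tolerate lines we do not understand instead of failing the scrape
        name, labels, value = m.groups()
        samples[name + (labels or "")] = float(value)
    return samples


def counter_rate(before, after, interval_s):
    """Per-second increase of a counter; a drop means the daemon restarted, so the
    increase since the reset is the new value itself, as PromQL rate() assumes."""
    reset = after < before
    increase = after if reset else after - before
    return increase / interval_s, reset


def relay_rates(text_t0, text_t1, interval_s):
    """Return packets/s, bytes/s and whether a counter reset was seen between scrapes.

    A counter missing from a scrape is treated as zero (nothing forwarded yet)."""
    s0, s1 = parse_exposition(text_t0), parse_exposition(text_t1)
    pps, reset_p = counter_rate(s0.get(PACKETS, 0.0), s1.get(PACKETS, 0.0), interval_s)
    bps, reset_b = counter_rate(s0.get(BYTES, 0.0), s1.get(BYTES, 0.0), interval_s)
    return {"packets_per_s": pps, "bytes_per_s": bps, "reset": reset_p or reset_b}


def findings(rates, expect_idle=False, max_bytes_per_s=100_000_000):
    """Turn rates into alert strings.

    expect_idle marks a relay that should carry nothing (a standby, or a node whose relay
    port was left enabled); any forwarded packet there is worth investigating.
    max_bytes_per_s is an assumed capacity figure; size it from your own relay hosts.
    """
    out = []
    if rates["reset"]:
        out.append("counter reset: tailscaled restarted between scrapes")
    if expect_idle and rates["packets_per_s"] > 0:
        out.append("unexpected relay traffic on a relay that should be idle")
    if rates["bytes_per_s"] > max_bytes_per_s:
        out.append(f"relay above {max_bytes_per_s} B/s; add relays or move clients")
    return out


if __name__ == "__main__":
    rates = relay_rates(SCRAPE_T0, SCRAPE_T1, INTERVAL_S)
    print(rates, findings(rates), findings(rates, expect_idle=True))
```

In Prometheus itself the same two rates are rate(tailscaled_peer_relay_forwarded_packets_total[5m]) and rate(tailscaled_peer_relay_forwarded_bytes_total[5m]); the script is the same arithmetic for a host that is scraped by something simpler, and it makes the reset behaviour explicit so a restart is not mistaken for a traffic drop.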
What’s Next
With general availability, Tailscale Peer Relays become a core building block for scaling Tailscale in real‑world networks. They enable:
- High‑throughput, low‑latency connections when direct paths are unavailable.
- Deployments in restricted cloud environments through static endpoints.
- Full mesh in private subnets, with controlled ingress/egress paths.
At the same time, Peer Relays deliver intelligent, resilient path selection across the tailnet, along with first‑class observability, auditability, and debuggability. All of this comes without compromising Tailscale’s foundational guarantees:
- End‑to‑end encryption – relayed packets stay encrypted between the two peers; a peer relay forwards them without being able to read them.
- Least‑privilege access.
- Simple, predictable operation.
Getting started is straightforward. Peer Relays can be enabled on any supported Tailscale node using the CLI, controlled through grants in your ACLs, and deployed incrementally alongside existing relay infrastructure. Read more in our documentation.
Peer Relays are available on all Tailscale plans, including the free Personal plan. If you need deployment support or have specific throughput goals, don’t hesitate to reach out to us.