Why can't I get a direct connection with Tailscale?

I have the following configuration:


pi            > home router  > work router  > aorus
192.168.1.160   90.89.201.88   92.154.18.143  172.31.4.240

I have set up a port-forwarding rule on my home router:

90.89.201.88:41641/udp -> 192.168.1.160:41641

For some reason, when running tailscale ping aorus from pi, the packets are sent from the port 55886 instead of 41641.

$ sudo tcpdump -iany -n udp port 41641
09:23:35.821788 eth0  Out IP 192.168.1.160.55886 > 172.42.0.1.41641: UDP, length 124
09:23:35.821867 eth0  Out IP 192.168.1.160.55886 > 172.44.0.1.41641: UDP, length 124
09:23:35.821947 eth0  Out IP 192.168.1.160.55886 > 10.42.0.1.41641: UDP, length 124
09:23:35.822023 eth0  Out IP 192.168.1.160.55886 > 92.154.18.143.41641: UDP, length 124
09:23:35.822102 eth0  Out IP 192.168.1.160.55886 > 172.31.4.240.41641: UDP, length 124
09:23:35.822178 eth0  Out IP 192.168.1.160.55886 > 192.168.122.1.41641: UDP, length 124
09:23:35.822318 eth0  Out IP 192.168.1.160.55886 > 10.92.138.1.41641: UDP, length 124
09:23:35.822407 eth0  Out IP 192.168.1.160.55886 > 192.168.130.1.41641: UDP, length 124

My doubts were confirmed when I went to the Tailscale UI:

$ sudo journalctl -u tailscaled --since="1 day ago" | grep magicsock
Mar 09 08:48:58 pi tailscaled[616]: magicsock: endpoints changed: 90.89.201.88:41641 (stun), 172.17.0.1:41641 (local), 172.18.0.1:41641 (local), 172.19.0.1:41641 (local), 192.168.1.160:41641 (local), [2001:db8:1::1]:41641 (local)
Mar 09 09:07:52 pi tailscaled[193332]: magicsock: unable to bind udp4 port 41641: listen udp4 :41641: bind: address already in use
Mar 09 09:07:52 pi tailscaled[193332]: magicsock: endpoints changed: 90.89.201.88:55886 (stun), 172.17.0.1:55886 (local), 172.18.0.1:55886 (local), 172.19.0.1:55886 (local), 192.168.1.160:55886 (local), [2001:db8:1::1]:55886 (local)

unable to bind udp4 port 41641: listen udp4 :41641: bind: address already in use

Do I have tailscale running twice?

I restarted tailscaled on the pi, and it went back to 41641:

$ sudo systemctl restart tailscaled.service
$ sudo journalctl -u tailscaled --since="5 minutes ago" | grep magicsock
Mar 09 09:37:40 pi tailscaled[194545]: magicsock: endpoints changed: 90.89.201.88:41641 (stun), 172.17.0.1:41641 (local), 172.18.0.1:41641 (local), 172.19.0.1:41641 (local), 192.168.1.160:41641 (local), [2001:db8:1::1]:41641 (local)

This time, the direct connection was working!

# From pi.
$ tailscale ping aorus
pong from aorus (100.74.203.69) via 92.154.18.143:3997 in 20ms

Changing 41641 to something else

I want two devices on my home network to be able to establish direct connections to aorus.

# On pi.
sudo vim /etc/default/tailscaled

Then:

# Set the port to listen on for incoming VPN packets.
# Remote nodes will automatically be informed about the new port number,
# but you might want to configure this in order to set external firewall
# settings.
PORT="41642"

# Extra flags you might want to pass to tailscaled.
FLAGS=""

Then, I added a rule in my home router:

90.89.201.88:41642/udp -> other-device:41642/udp

Why can't I get a direct connection with Tailscale?

Changing 41641 to something else

Read more

My macOS tweaks coming from Ubuntu

Work Around An Always-On VPN on macOS (Global Protect Edition)

Troubleshooting Venafi Kubernetes Agent

Gateway API: cool, but what about my certs?