Understanding how Tailscale's new generally available Peer Relays (DERP) allow P2P connections where they shouldn't be possible.

SitePoint is a  web development resource that offers tutorials, articles, and courses covering a wide range of topics, from frontend technologies like HTML, CSS, and JavaScript to backend frameworks and tools like Node.js, PHP, and Ruby on Rails. With a focus on practical, hands-on learning, SitePoint provides step-by-step guides, code samples, and real-world examples to help developers master essential skills and techniques. Whether you're a beginner looking to learn the basics of web development or an experienced developer seeking to expand your knowledge, SitePoint offers resources to support your learning journey.

SitePoint

Tailscale's DERP (Designated Encrypted Relay for Packets) protocol solves NAT traversal failures caused by symmetric NAT, carrier-grade NAT, and restrictive firewalls. DERP relays forward WireGuard-encrypted packets over HTTPS port 443 without ever decrypting them, acting as a fallback when direct peer-to-peer connections fail. The article explains why symmetric NAT defeats STUN-based hole-punching, how DERP differs from TURN and other relay solutions, and provides a complete step-by-step guide to deploying a self-hosted DERP relay using Docker Compose or systemd, including DERPMap ACL configuration, TLS setup, client verification, and encryption verification via tcpdump and wg show. Use cases for self-hosting include latency optimization, data sovereignty, and egress-restricted enterprise environments.

Tailscale Peer Relays: Solving the NAT Traversal Nightmare

The "Hard" NAT Problem: Why Hole Punching Fails

How Tailscale's DERP Protocol Actually Works

When and Why You Need a Self-Hosted DERP Relay

Deploying a Self-Hosted DERP Relay: Step by Step

DERP vs. the Alternatives: Where It Fits in the Ecosystem

Direct When Possible, Relayed When Necessary