DERP


What is DERP?

DERP stands for Designated Encrypted Relay for Packets. It is a packet relay network specific to Tailscale.

In the Tailscale architecture (which is based on WireGuard), the goal is always to establish a direct Peer-to-Peer (P2P) connection between devices using UDP. However, due to complex firewalls, strict NATs (Network Address Translation), or ISP restrictions, a direct connection is sometimes impossible.

When a P2P connection fails, Tailscale falls back to DERP.

  • How it works: It relays encrypted WireGuard traffic over HTTPS (TCP port 443).

  • Security: The DERP server cannot read your traffic. Packets stay encrypted end-to-end with the peers' WireGuard keys; the relay only sees the public key it should forward each packet to, so it learns which nodes are talking but not what they say.

  • Role: It acts as a "fallback" of last resort. It ensures you are always connected, even if the connection is slower than a direct link.


Self-Hosted DERP Deployment

While Tailscale provides global DERP servers for free, you might want to host your own (Custom DERP) for lower latency or better privacy.

Prerequisites:

  1. A server with a Public IP.

  2. A valid Domain Name pointing to that IP.

  3. Ports 443 (TCP, DERP over HTTPS) and 3478 (UDP, STUN) opened.

Deploy derper with Docker (Recommended)

This is the easiest way to deploy the derper binary. Note that ghcr.io/yangchuansheng/derper is a community-maintained image, not one published by Tailscale; if you prefer to build derper yourself, its source lives in the tailscale repository under cmd/derper. Also be aware that derper relays for any Tailscale node that connects to it unless you start it with --verify-clients, which restricts the relay to nodes of the tailnet that a tailscaled on the same host has joined.

  1. Create a directory:

mkdir -p /opt/derp/certs

  2. Run the container: Replace your-domain.com with your actual domain.

docker run --restart always \
  --name derper \
  -p 443:443 \
  -p 3478:3478/udp \
  -v /opt/derp/certs:/app/certs \
  -e DERP_DOMAIN=your-domain.com \
  -e DERP_CERT_MODE=letsencrypt \
  -e DERP_CERT_DIR=/app/certs \
  -e DERP_ADDR=:443 \
  -e DERP_STUN=true \
  -d ghcr.io/yangchuansheng/derper:latest
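
Once the container is up, the STUN side of the relay can be checked from any outside host. The Python script below is an added example (not part of this page or of the derper project): it sends one STUN Binding Request to port 3478/udp and decodes the XOR-MAPPED-ADDRESS the relay answers with, which is the public endpoint Tailscale clients learn from your DERP. The host name your-domain.com and the 203.0.113.7:41641 reply in sample_response are assumed/constructed values.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # RFC 5389 fixed value, also the XOR mask for the address
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN Binding Request header with no attributes."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def parse_binding_response(data: bytes, txid: bytes):
    """Return (ip, port) from the IPv4 XOR-MAPPED-ADDRESS attribute, or raise ValueError."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a Binding Success Response for our transaction")
    body, pos = data[20:20 + length], 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def stun_check(host: str, port: int = 3478, timeout: float = 3.0):
    """Ask the relay's STUN service which public endpoint it sees for us; None on timeout."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return parse_binding_response(data, txid)

def sample_response(txid: bytes) -> bytes:
    """Constructed reply (not a capture): XOR-MAPPED-ADDRESS for 203.0.113.7:41641."""
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, 0x83BB, 0xEA12D545)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

if __name__ == "__main__":
    import sys
    print(stun_check(sys.argv[1] if len(sys.argv) > 1 else "your-domain.com"))
```

If stun_check returns None, UDP 3478 is not reaching derper (firewall, missing -p 3478:3478/udp, or DERP_STUN unset), and clients will still be able to use the relay but not its STUN endpoint discovery.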

Register the Relay in the Tailscale ACL

Your Tailscale network won't know about this server until you add it to your Access Control List (ACL) in the Tailscale Admin Console.

  1. Go to the Access Controls page in the Admin Console.

  2. Add a derpMap section to the ACL (the file is HuJSON, so comments like the ones below are allowed):

{
  // ... existing ACL config ...

  "derpMap": {
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "my-derp",
        "RegionName": "My Custom DERP",
        "Nodes": [
          {
            "Name": "900a",
            "RegionID": 900,
            "HostName": "your-domain.com",
            "IPv4": "1.2.3.4", // Your Server IP
            "DERPPort": 443
          }
        ]
      }
    }
  }
}
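
Before pasting the derpMap into the Admin Console it is worth checking the fragment for the mismatches that silently break a custom region. The Python below is an added example, not Tailscale's own tooling: it strips HuJSON comments and trailing commas, then checks that each region key equals its RegionID, that every node points back at that region, that HostName is a DNS name (the Let's Encrypt certificate is issued for it) rather than an IP, and that IPv4 and DERPPort are well-formed. SAMPLE_ACL is a constructed copy of the fragment above.

```python
import ipaddress
import json
import re

# Constructed ACL fragment mirroring the page's example (HuJSON: comments and trailing commas).
SAMPLE_ACL = '''{
  // ... existing ACL config ...
  "derpMap": {"Regions": {"900": {
    "RegionID": 900, "RegionCode": "my-derp", "RegionName": "My Custom DERP",
    "Nodes": [{"Name": "900a", "RegionID": 900, "HostName": "your-domain.com",
               "IPv4": "1.2.3.4", // Your Server IP
               "DERPPort": 443}],
  }}},
}'''

def strip_hujson(text: str) -> str:
    """Minimal HuJSON -> JSON: drop // comments (none containing quotes) and trailing commas."""
    text = re.sub(r'//[^\n"]*(?=\n|$)', "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def validate_derp_map(derp_map: dict) -> list:
    """Return a list of problems; an empty list means the derpMap is internally consistent."""
    problems = []
    for key, region in (derp_map.get("Regions") or {}).items():
        rid = region.get("RegionID")
        if str(rid) != key:  # the map key must equal the numeric RegionID
            problems.append(f"region key {key!r} does not match RegionID {rid!r}")
        nodes = region.get("Nodes") or []
        if not nodes:
            problems.append(f"region {key}: no Nodes")
        for node in nodes:
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:
                problems.append(f"node {name}: RegionID {node.get('RegionID')!r} != region {rid!r}")
            host = node.get("HostName", "")
            if not host or host.replace(".", "").isdigit():  # the TLS cert is issued for a DNS name
                problems.append(f"node {name}: HostName must be a DNS name, not {host!r}")
            if "IPv4" in node:
                try: ipaddress.IPv4Address(node["IPv4"])
                except ValueError: problems.append(f"node {name}: invalid IPv4 {node['IPv4']!r}")
            if not 0 < node.get("DERPPort", 443) < 65536:
                problems.append(f"node {name}: DERPPort out of range")
    return problems

def check_acl_text(acl_text: str) -> list:
    """Parse ACL text (HuJSON) and validate its derpMap section; [] means no problems."""
    acl = json.loads(strip_hujson(acl_text))
    return validate_derp_map(acl.get("derpMap") or {})
```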

Are there alternatives to DERP?

Short Answer: No, there is no direct protocol replacement for DERP within the Tailscale ecosystem, but there are ways to avoid using it.

DERP is fundamental to how Tailscale handles NAT traversal failures. It is the only mechanism currently supported to tunnel WireGuard traffic over TCP/HTTPS when UDP is blocked.

However, here is the context on "alternatives":

1. "Direct" is the alternative

The "alternative" to using a DERP relay is successfully establishing a direct connection. You can achieve this by:

  • Enabling UPnP on your router.

  • Static Port Mapping: Manually forwarding UDP port 41641 (Tailscale's default) on your firewall to your device.

If you do this, your devices will connect via P2P and avoid the DERP relay entirely.

2. Headscale (self-hosted control plane)

If you are looking for an alternative because you want total control and don't want to use Tailscale's official coordination server, people use Headscale. Headscale has an embedded DERP server built in, so you don't need to run a separate Docker container for it.

3. WebRTC / STUN improvements

Tailscale constantly updates its NAT traversal logic (magicsock). Recently, it has improved how it handles "hard" NATs (symmetric NATs). While this isn't a replacement for DERP, these updates reduce how often you are forced onto DERP.

Summary

  • DERP is the fallback relay (HTTPS).

  • Deployment requires a public IP, domain, and an update to your ACL JSON.

  • Alternatives: There is no new protocol replacing DERP. The goal is always to optimize your network to achieve a Direct (UDP) connection so you don't need the relay.