Basic DERP Relay Flow
Visualizing how Tailscale uses DERP servers for UDP relay and connection establishment
Overview
This diagram illustrates the basic DERP relay flow in Tailscale, showing how DERP (Designated Encrypted Relay Points) servers facilitate connection establishment and serve as fallback relays when direct peer-to-peer connections are not possible.
```mermaid
graph TD
    subgraph "Node A Network"
        NodeA[Node A<br/>100.64.1.10<br/>Behind NAT]
    end
    subgraph "DERP Infrastructure"
        DERP[DERP Server<br/>nyc.derp.example<br/>Relay Only]
    end
    subgraph "Node B Network"
        NodeB[Node B<br/>100.64.2.20<br/>Behind NAT]
    end
    subgraph "Connection Flow"
        NodeA -->|1. Initial Connection<br/>via DERP| DERP
        DERP -->|2. Relay Encrypted<br/>WireGuard Traffic| NodeB
        NodeA -.->|3. Attempt Direct<br/>Connection<br/>NAT Traversal| NodeB
        NodeA ==>|4. Upgrade to Direct<br/>P2P Connection<br/>When Successful| NodeB
    end
    style NodeA fill:#1976d2,stroke:#fff,stroke-width:2px,color:#fff
    style NodeB fill:#1976d2,stroke:#fff,stroke-width:2px,color:#fff
    style DERP fill:#f57c00,stroke:#fff,stroke-width:2px,color:#fff
    classDef relay stroke-dasharray: 5 5
    class DERP relay
```
Key Points
- Initial Connection: All connections start through DERP, so two nodes can exchange traffic immediately, before any direct path exists
- Encrypted Relay: DERP servers only forward already-encrypted WireGuard packets; they cannot decrypt the traffic they relay
- Parallel Discovery: While keeping the DERP connection up, the nodes attempt direct NAT traversal in parallel
- Transparent Upgrade: Once a direct connection succeeds, traffic switches from the relay to the P2P path without interrupting the session; if the direct path later fails, traffic falls back to DERP
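As an added example (not Tailscale's own code), the path selection behind steps 1 to 4 modelled in Go: a peer keeps the DERP relay as its baseline path and moves traffic to a direct candidate only while NAT-traversal probes keep answering, falling back to DERP when they go stale. The addresses and the tick-based timing are constructed sample values.

```go
package main

import "fmt"

// Path is the always-reachable DERP relay or a direct UDP candidate found
// by NAT traversal; a direct path counts only while probe replies are fresh.
type Path struct {
	Direct bool
	Addr   string // constructed sample address
	LastOK int    // tick of the last probe reply; -1 means never answered
}

type Peer struct{ Paths []Path }

// BestPath prefers the direct path with the freshest reply no older than
// maxAge ticks (step 4); otherwise it returns the DERP relay (steps 1-2).
func (p *Peer) BestPath(now, maxAge int) Path {
	var derp, best Path
	for _, c := range p.Paths {
		switch {
		case !c.Direct:
			derp = c
		case c.LastOK >= 0 && now-c.LastOK <= maxAge && (!best.Direct || c.LastOK > best.LastOK):
			best = c
		}
	}
	if best.Direct {
		return best
	}
	return derp
}

// Timeline replays the diagram: traffic starts on DERP, the direct probe
// answers at tick 2, and once replies go stale traffic falls back to DERP.
func Timeline() []string {
	peer := &Peer{Paths: []Path{
		{Addr: "nyc.derp.example"},
		{Direct: true, Addr: "203.0.113.7:41641", LastOK: -1},
	}}
	var used []string
	for now := 0; now < 8; now++ {
		if now == 2 {
			peer.Paths[1].LastOK = now // step 3: a NAT-traversal probe gets a reply
		}
		used = append(used, peer.BestPath(now, 3).Addr)
	}
	return used
}

func main() { fmt.Println(Timeline()) }
```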
Connection Types
- Solid Lines: Active data flow
- Dashed Lines: NAT traversal attempts
- Double Lines: Upgraded direct P2P connection