
Connection types

Tailscale connects devices within a tailnet using DERP relay servers and direct connections. In a typical scenario, two tailnet devices connect using the following sequence of events:

  1. Device A wants to connect to an application on device B.
  2. Device A connects (if not already connected) to the DERP relay server that device B is already connected to.
  3. Device A sends the application connection request through the DERP relay server.
  4. Device A sends a request for direct connection details through the DERP relay server.
  5. Device B responds to the application connection request through the DERP relay server.
  6. Device B responds with direct connection details through the DERP relay server and starts performing NAT traversal strategies.
  7. Device A continues to perform application communication through the DERP relay server until a direct connection succeeds. If that never happens, it uses the DERP relay server the entire time the connection is active.

Direct connections vs relayed connections

Tailscale uses direct and relayed connections. All connections within a tailnet begin as a relayed connection, at which point, Tailscale attempts to establish a direct connection between the devices. If a direct connection isn't possible, the connection remains relayed.

Direct connections

A direct connection is a connection between two devices in which, once NAT traversal has succeeded, the devices send their WireGuard packets straight to each other's endpoints without passing through a relay.

In most cases, a direct connection is preferable to a relayed connection because it has better throughput and lower latency.

Tailscale's ability to establish a direct connection relies on its NAT traversal logic. This logic allows Tailscale to build a UDP tunnel and negotiate a pair of UDP endpoints (public IP address and port) that both sides can reach. In most cases, Tailscale succeeds in establishing direct connections. However, certain network configurations can pose challenges, leading Tailscale to use relayed connections as an alternative.

Relayed connections

A relayed connection is a connection between two devices that send packets to each other through a DERP relay server.

Tailscale operates a fleet of DERP relay servers worldwide. Any device that can open an HTTPS connection to an arbitrary host can build a tunnel using these DERP relays. These servers are reliable, but relaying adds an extra hop and the servers apply quality of service (QoS) limits, so a relayed connection is not as fast as a direct connection.

One of the most common causes of performance issues is using a relayed connection where a direct connection is possible.

Determine your connection type

To determine your Tailscale connection type, start by attempting to communicate between the devices (Tailscale only reports a path once packets have actually flowed). Then, check the output of the tailscale status command. If the output includes the word "direct," the connection is direct. If it includes the word "relay," the connection is relayed.

If a device uses direct connections, the output includes the word “direct.” The following code block contains an example output from a device using direct connections.

100.113.160.82  testmy  tagged-devices linux    active; offers exit node; direct 140.82.13.138:41641

If a device uses relayed connections, the output includes the word “relay.” The following code block contains an example output from a device using relayed connections.

100.104.93.78   localhost-0          jay@         android active; relay "tor"
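The two status lines above can be classified mechanically, which is useful when a tailnet has dozens of peers and you want only the ones stuck on a relay. The following shell functions are an added example, not part of Tailscale's tooling: they parse the text format shown above with awk, and the sample status lines embedded at the bottom are constructed from this page's examples (the build-box and old-laptop peers are made up to cover the "-" and "offline" states).

```shell
#!/bin/sh
# Classify peers from `tailscale status` text output.
# Reads status lines on stdin and prints one line per peer:
#   <hostname> <direct|relay|offline|idle> <endpoint-or-DERP-region-or-->
# Added example; not Tailscale's own code.
classify_status() {
  awk '
    # Skip blank lines and the "# Health check" footer: peer rows start with a 100.x address.
    NF < 4 || $1 !~ /^100\./ { next }
    {
      host = $2
      if (match($0, /direct [^ ,]+/)) {
        # "direct 140.82.13.138:41641" -> endpoint after the 7-character "direct " prefix.
        print host, "direct", substr($0, RSTART + 7, RLENGTH - 7)
      } else if (match($0, /relay "[^"]+"/)) {
        # "relay \"tor\"" -> region code between the quotes.
        print host, "relay", substr($0, RSTART + 7, RLENGTH - 8)
      } else if ($0 ~ /offline/) {
        print host, "offline", "-"
      } else {
        # Known peer, but no path reported yet: status only shows a path after traffic has flowed.
        print host, "idle", "-"
      }
    }'
}

# Only the peers currently going through a DERP relay, for quick triage.
relayed_peers() {
  classify_status | awk '$2 == "relay" { print $1 " via DERP " $3 }'
}

# Constructed sample in the format `tailscale status` prints (first two rows are this page's examples).
SAMPLE_STATUS='100.113.160.82  testmy  tagged-devices linux    active; offers exit node; direct 140.82.13.138:41641
100.104.93.78   localhost-0          jay@         android active; relay "tor"
100.64.0.3      build-box            jay@         linux   -
100.64.0.4      old-laptop           jay@         windows offline'

# Usage against the live daemon (--self=false drops the local node's own row):
#   tailscale status --self=false | relayed_peers
# Offline demonstration on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_STATUS" | classify_status
fi
```

Run it as `sh classify.sh --demo` to see all four states, or pipe `tailscale status --self=false` into `relayed_peers` on a real node. Peers reported as "idle" have not exchanged packets yet, so send some traffic (a ping or an SSH attempt) before concluding anything about their path.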

You can also use the tailscale ping command to check if a device uses direct connections. The following example output shows that the device can use a direct connection.

ubuntu@living-razorfish:~$ tailscale ping testmy
pong from testmy (100.113.160.82) via DERP(nyc) in 130ms
pong from testmy (100.113.160.82) via DERP(nyc) in 37ms
pong from testmy (100.113.160.82) via DERP(nyc) in 50ms
pong from testmy (100.113.160.82) via DERP(nyc) in 38ms
pong from testmy (100.113.160.82) via 140.82.13.138:41641 in 35ms

The first few packets go through a DERP relay server (the peer's home region, nyc in this example) while Tailscale negotiates the direct connection. After establishing a direct connection, the packets go directly to the destination's endpoint, and the reported path changes from DERP(region) to an IP address and port.

If Tailscale can’t establish a direct connection, the tailscale ping command gives up after 10 attempts.

ubuntu@living-razorfish:~$ tailscale ping localhost-0
pong from localhost-0 (100.104.93.78) via DERP(tor) in 53ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 196ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 50ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 214ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 273ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 274ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 282ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 273ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 76ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 152ms
direct connection not established
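A ping transcript like the two above answers three questions at once: did the path ever go direct, how many relayed round trips it took, and what the latency looked like before and after. The shell function below is an added example (not Tailscale's own code) that summarises a `tailscale ping` transcript read from stdin; the two sample transcripts are taken from this page's output above and are the only input it assumes.

```shell
#!/bin/sh
# Summarise a `tailscale ping` transcript: relayed pongs before the first direct
# pong, the DERP region that carried them, and the latency change once direct.
# Added example; not Tailscale's own code.
ping_summary() {
  awk '
    /^pong from/ {
      # Field layout: pong from <host> (<ip>) via <path> in <N>ms
      path = $6; ms = $8; sub(/ms$/, "", ms)
      if (path ~ /^DERP\(/) {
        relayed++
        region = path; sub(/^DERP\(/, "", region); sub(/\)$/, "", region)
        relay_ms += ms
      } else if (direct == "") {
        # First pong that came back over a direct endpoint (ip:port).
        direct = path; direct_ms = ms
      }
      next
    }
    # Printed when tailscale ping gives up (10 attempts by default).
    /direct connection not established/ { failed = 1 }
    END {
      if (direct != "") {
        avg = relayed ? int(relay_ms / relayed) : 0
        printf "direct via %s after %d relayed pong(s) through DERP(%s); %dms relayed avg -> %sms direct\n", direct, relayed, region, avg, direct_ms
      } else if (failed || relayed) {
        printf "relayed only: %d pong(s) through DERP(%s), no direct path\n", relayed, region
      } else {
        print "no pong received"
      }
    }'
}

# Constructed samples: the two transcripts shown on this page.
SAMPLE_DIRECT='pong from testmy (100.113.160.82) via DERP(nyc) in 130ms
pong from testmy (100.113.160.82) via DERP(nyc) in 37ms
pong from testmy (100.113.160.82) via DERP(nyc) in 50ms
pong from testmy (100.113.160.82) via DERP(nyc) in 38ms
pong from testmy (100.113.160.82) via 140.82.13.138:41641 in 35ms'

SAMPLE_RELAYED='pong from localhost-0 (100.104.93.78) via DERP(tor) in 53ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 196ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 50ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 214ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 273ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 274ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 282ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 273ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 76ms
pong from localhost-0 (100.104.93.78) via DERP(tor) in 152ms
direct connection not established'

# Usage on a live node:  tailscale ping testmy | ping_summary
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_DIRECT" | ping_summary
  printf '%s\n' "$SAMPLE_RELAYED" | ping_summary
fi
```

The relayed average for the first transcript (63 ms) versus the 35 ms direct pong is the latency cost of the relay that the next paragraph describes; for the second transcript the summary simply reports that no direct path was found, which is the cue to move on to the obstacles section.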

Relaying packets through the DERP servers adds latency because the DERP servers have varied quality of service (QoS) characteristics that limit the maximum throughput. Consequently, it’s best to use direct connections whenever possible.

Some network configurations can prevent Tailscale from establishing direct connections. Two of the most common configurations that prevent direct connections include blocked UDP packets and hard NAT.

Obstacles to a direct connection

Tailscale can't always establish a direct connection between devices, and sometimes a direct connection might revert to a relayed connection. In most cases, the cause is that a device is using hard NAT or direct UDP packets are blocked.

Blocked UDP packets

Tailscale can only establish direct connections if the device supports sending and receiving UDP packets. If a device can only use TCP connections, all connections go through the DERP relay servers. For the DERP links, Tailscale encapsulates the WireGuard frames in a TLS stream over TCP.

Devices can't establish a direct connection if something on the network blocks direct UDP traffic. A relayed connection still works, because DERP runs over TCP port 443. The only remediation is to ask whoever controls the network (your ISP or the firewall administrator) to permit UDP.

Hard NAT

Hard NAT makes establishing direct connections difficult (if not impossible). Tailscale can’t establish a direct connection if both devices use hard NAT.

If a device uses hard NAT, you have a few options available to improve the odds of getting a direct connection. For example, enabling NAT-PMP or UPnP port mapping on your router often facilitates a direct connection, because it lets the device reserve a predictable public port.

Some firewall-specific mechanisms can improve the odds of direct connections. In general, look for something named "static port mapping" or similar configuration settings, which provide predictable (static) port numbers. Predictable port numbers allow Tailscale to reliably get direct connections through a firewall.

Many cloud platforms, like AWS, have a NAT gateway solution. Relayed connections on these services are often due to a hard NAT. You can expose public IP addresses for your Tailscale devices to ensure a direct connection. These IP addresses can be dynamic; you don't need to use an elastic or static IP. If you ensure inbound UDP port 41641 is not blocked and that outgoing UDP and TCP packets on port 443 are permitted, Tailscale can reliably serve direct connections.

By default, opening incoming UDP port 41641 on a device's public IP address guarantees a direct connection from any peer where it is possible. You can change this port by passing --port to tailscaled. On Linux machines, you can set it in /etc/default/tailscaled. This is useful if there is more than one endpoint behind a hard NAT public IP address, and you need to ensure direct connections to each. Set the port to a unique value on each device and forward that port through to the correct endpoint.
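Before forwarding ports it is worth confirming which of the two obstacles above you are actually facing. The following shell functions are an added example, not Tailscale's own tooling: nat_assessment reads a `tailscale netcheck` report from stdin and uses the UDP, MappingVariesByDestIP (Tailscale's term for a hard NAT) and PortMapping fields to say whether direct connections are blocked, need a forwarded port, or should just work; pin_tailscaled_port then applies the fixed-port approach from the paragraph above by editing /etc/default/tailscaled (the Debian/Ubuntu package layout, which is an assumption about your distribution). The netcheck report embedded below is constructed, with field names as the command prints them.

```shell
#!/bin/sh
# Triage a node stuck on DERP and, if it is a hard NAT, pin tailscaled to a
# fixed UDP port that can be forwarded. Added example; not Tailscale's own code.

# Reads `tailscale netcheck` output on stdin, prints one verdict line.
nat_assessment() {
  awk '
    /\* UDP:/                   { udp = $NF }
    /\* MappingVariesByDestIP:/ { varies = $NF }
    /\* PortMapping:/           { sub(/.*PortMapping: */, ""); portmap = $0 }
    END {
      if (udp != "true") {
        print "udp-blocked: direct connections impossible, all traffic will use DERP over TCP 443"
      } else if (varies == "true") {
        # Endpoint-dependent mapping: the public port differs per destination.
        if (portmap != "") print "hard-nat: port mapping (" portmap ") available, tailscaled can reserve a port"
        else print "hard-nat: no port mapping, forward UDP 41641 manually or expect relayed connections"
      } else {
        print "easy-nat: direct connections expected"
      }
    }'
}

# Pin tailscaled to a fixed UDP port on Debian/Ubuntu: the systemd unit reads
# PORT from /etc/default/tailscaled. Only the PORT line is rewritten so FLAGS is kept.
pin_tailscaled_port() {
  port="$1"
  sudo sed -i "s/^PORT=.*/PORT=\"$port\"/" /etc/default/tailscaled
  sudo systemctl restart tailscaled
  # Allow the port in the host firewall (ufw shown; a nftables rule or a cloud
  # security-group rule for inbound UDP $port is the equivalent elsewhere).
  sudo ufw allow in proto udp to any port "$port"
  echo "now forward UDP $port from the NAT public IP to this host, then verify with: tailscale ping <peer>"
}

# Constructed netcheck report for a node behind a hard NAT with no UPnP/NAT-PMP.
SAMPLE_NETCHECK='Report:
  * UDP: true
  * IPv4: yes, 203.0.113.7:41641
  * IPv6: no, but OS has support
  * MappingVariesByDestIP: true
  * PortMapping: 
  * Nearest DERP: Toronto'

# Usage on a live node:  tailscale netcheck | nat_assessment
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_NETCHECK" | nat_assessment
fi
```

Pick a distinct port per device behind the same public address (for example 41641, 41642, 41643), run pin_tailscaled_port with that value on each, and forward each port on the NAT to its device; `tailscale ping` should then report an ip:port path instead of DERP(region) within the first few pongs.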

For devices (such as exit nodes) that intentionally egress through a NAT gateway, you can use Tailscale's Terraform templates to set up routing so that incoming traffic arrives through the public interface while egress traffic leaves through the NAT gateway. This gives the egress traffic a predictable public IP address while still allowing peers to establish a direct connection to the exit node.

Contact our Solutions Engineering team at se@tailscale.com for assistance deploying this.