18.02.2026

Tailscale Peer Relays: Production-Ready Mesh Networking for Hard NATs


When Tailscale works best, devices connect directly and packets take the shortest path. But firewalls, NATs, and cloud networking constraints can block direct connections. Tailscale Peer Relays solve this by enabling customer-deployed relay nodes that keep traffic moving securely.

What Are Tailscale Peer Relays?

Peer Relays are Tailscale nodes configured to relay traffic for other nodes in your tailnet. Unlike the default DERP (Designated Encrypted Relay for Packets) servers that Tailscale operates, Peer Relays run on your infrastructure. This gives you control over relay placement, performance characteristics, and network topology.

The feature graduated from beta with significant improvements: better throughput through lock contention fixes, multi-socket UDP handling, and smarter interface selection when multiple addresses are available.

Key Features

  • Static endpoints for cloud environments: Advertise fixed IP:port pairs using --relay-server-static-endpoints, enabling relaying behind AWS NLBs and similar infrastructure
  • Prometheus metrics: Export tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total for monitoring relay health
  • Integrated diagnostics: Use tailscale ping to verify relay reachability and measure latency impact
  • Full mesh enablement: Replace subnet routers with peer relays to unlock Tailscale SSH and MagicDNS in private subnets

Quick Setup

Enable a peer relay on any Tailscale node:

tailscale set --advertise-relay-server

For nodes behind load balancers, specify static endpoints:

tailscale set --advertise-relay-server \
  --relay-server-static-endpoints=203.0.113.10:41641

Control which nodes may use a relay through ACL grants in your tailnet policy file.

Operational Tips

Deploy peer relays in regions where your infrastructure clusters. Monitor the forwarded bytes and packets metrics to detect traffic patterns and capacity needs. Use tailscale ping during incident response to quickly determine if relays are contributing to latency issues.
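As an added example (not Tailscale's own code), a small relay-health check built on the two counters the post names: it parses two Prometheus scrapes taken a known interval apart, turns the counters into per-second rates, treats a counter that went backwards as a tailscaled restart, and reports whether the relay is forwarding, idle, or not exposing the series at all. The scrape text is constructed inline; that the series appear without labels is an assumption, and the parser tolerates labels if a given build adds them.

```python
import re

# The two counters named in the post; a real scrape carries many more series.
COUNTERS = ("tailscaled_peer_relay_forwarded_packets_total",
            "tailscaled_peer_relay_forwarded_bytes_total")
# Prometheus text exposition: name, optional {labels}, whitespace, value.
_SAMPLE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{[^}]*\})?\s+(\S+)")

# Constructed scrapes, 60 s apart, standing in for tailscaled's metrics output.
SCRAPE_T0 = """# TYPE tailscaled_peer_relay_forwarded_packets_total counter
tailscaled_peer_relay_forwarded_packets_total 120000
tailscaled_peer_relay_forwarded_bytes_total 96000000
"""
SCRAPE_T1 = """tailscaled_peer_relay_forwarded_packets_total 138000
tailscaled_peer_relay_forwarded_bytes_total 110400000
"""

def parse_counters(scrape):
    """Sum the peer-relay counters in one scrape, keyed by metric name."""
    totals = {}
    for line in scrape.splitlines():
        m = _SAMPLE.match(line.strip())        # '#' comment lines never match
        if m and m.group(1) in COUNTERS:
            totals[m.group(1)] = totals.get(m.group(1), 0.0) + float(m.group(2))
    return totals

def relay_rates(before, after, interval_s):
    """Per-second rate of each counter between two scrapes; a decrease means
    tailscaled restarted, so (like Prometheus rate()) use the newer value."""
    t0, t1 = parse_counters(before), parse_counters(after)
    rates = {}
    for name in COUNTERS:
        if name not in t0 or name not in t1:
            rates[name] = None                 # series absent: not relaying
            continue
        delta = t1[name] - t0[name]
        rates[name] = (t1[name] if delta < 0 else delta) / interval_s
    return rates

def assess(rates):
    """Health verdict plus mean forwarded packet size, for alerting."""
    pps, bps = rates[COUNTERS[0]], rates[COUNTERS[1]]
    if pps is None or bps is None:
        return {"status": "not-relaying", "avg_packet_bytes": None}
    if pps == 0:                               # advertised but on no path
        return {"status": "idle", "avg_packet_bytes": None}
    return {"status": "forwarding", "pps": pps, "bytes_per_s": bps,
            "avg_packet_bytes": bps / pps}
```

An "idle" verdict on a relay you expect to carry traffic usually means the grant that lets clients use it is missing, which is worth checking before looking at the network.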

For cloud deployments, place peer relays behind Network Load Balancers with health checks. This provides redundancy without complex failover logic.

Conclusion

Tailscale Peer Relays transform hard-to-reach networks into full mesh participants. With GA-level stability, static endpoint support, and built-in observability, they solve real connectivity problems that DevOps teams face in cloud and hybrid environments.

If you want intelligent alerts when your infrastructure drifts or fails, Akmatori monitors your systems and notifies you before users notice. Powered by Gcore infrastructure for global reliability.

Automate incident response and prevent on-call burnout with AI-driven agents!