Tailscale Peer Relays became generally available on February 18, 2026, marking a significant milestone for organizations seeking true peer-to-peer (P2P) networking capabilities. This feature enables devices within a Tailscale network (tailnet) to act as high-throughput relay servers when direct connections fail due to restrictive NATs or firewalls. Unlike Tailscale’s global DERP (Designated Encrypted Relay for Packets) servers, peer relays run on your own infrastructure, delivering significantly lower latency and higher throughput while maintaining end-to-end encryption.
What Are Tailscale Peer Relays?
Tailscale Peer Relays are customer-deployed relay servers that forward encrypted traffic between tailnet devices when direct P2P connections cannot be established. When two devices cannot connect directly due to network restrictions, Tailscale first attempts to use an available peer relay before falling back to DERP servers. (Tailscale. “Tailscale Peer Relays.” Tailscale Docs, 2026)
The concept addresses a fundamental limitation in mesh VPN architectures: while direct connections provide optimal performance, real-world networks often block them through strict NAT configurations, corporate firewalls, or cloud networking constraints. Before peer relays, Tailscale users had to rely on DERP servers—globally distributed relay infrastructure maintained by Tailscale—which could introduce additional latency, especially for high-throughput applications. (Tailscale. “Tailscale Peer Relays is now generally available.” Tailscale Blog, February 18, 2026)
Peer relays require Tailscale version 1.86 or later and are available on all Tailscale plans, including the free Personal plan. They support any operating system except iOS, Apple TV, or Android for the relay server itself, while client devices can use any supported Tailscale platform. (Tailscale. “Peer Relay Requirements.” Tailscale Docs, 2026)
How Do Peer Relays Work?
The architecture of Tailscale Peer Relays integrates seamlessly with Tailscale’s existing connectivity model. When a device attempts to establish a connection, Tailscale evaluates the network path according to the following priority:
- Direct connection via UDP hole punching using STUN and ICE protocols
- Peer relay connection through customer-deployed relay servers
- DERP relay connection via Tailscale’s global relay infrastructure (Tailscale. “Device Connectivity.” Tailscale Docs, 2026)
When you designate a device as a peer relay, it listens on a specified UDP port for relay traffic. Other devices in the tailnet can then forward encrypted packets through this relay when direct paths are unavailable. The relay server receives already-encrypted WireGuard packets and forwards them to the destination—because private keys never leave the local device, the relay cannot decrypt traffic. (Tailscale. “DERP Servers.” Tailscale Docs, 2026)
Configuration Requirements
Setting up a peer relay involves two steps. First, configure the relay device using the Tailscale CLI:
tailscale set --relay-server-port=40000Optionally, specify static endpoints for environments where automatic endpoint discovery fails:
tailscale set --relay-server-static-endpoints="203.0.113.1:40000,[2001:db8::1]:40000"Second, create a grant policy in your tailnet policy file to authorize specific devices to use the relay:
{ "src": ["tag:us-east-vpc"], "dst": ["tag:peer-relay"], "app": { "tailscale.com/cap/relay": {} }}Why Do Peer Relays Matter?
Peer relays address three critical challenges in enterprise networking: performance, control, and visibility.
Performance Improvements
The GA release of Peer Relays delivers substantial throughput optimizations. Connecting clients now select optimal interfaces and address families when multiple options exist within a single relay. The relay server itself benefits from reduced lock contention and multi-socket UDP handling on multi-core systems. (Tailscale. “Changelog - Tailscale v1.94.1.” Tailscale, January 26, 2026)
For high-throughput scenarios—such as large file transfers, media streaming, or database replication—peer relays offer performance much closer to true mesh networking than DERP servers can provide. Because you control the relay infrastructure, you can provision bandwidth according to your specific requirements rather than sharing public relay capacity.
Cloud and Restrictive Environment Support
Many cloud environments present challenges for traditional NAT traversal. Instances may sit behind strict firewall rules, rely on port forwarding, or operate behind load balancers that prevent automatic endpoint discovery. Peer relays now support static endpoints specifically for these scenarios. (Tailscale. “Static Endpoints for Peer Relays.” Tailscale Blog, February 18, 2026)
Using the --relay-server-static-endpoints flag, a peer relay can advertise fixed IP
Enhanced Observability
The GA release integrates peer relays deeply into Tailscale’s visibility tooling. Administrators can use tailscale ping to verify relay connectivity and measure latency impact. Additionally, peer relays expose Prometheus-compatible metrics including tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total, enabling teams to monitor relay usage, detect anomalies, and understand traffic patterns at scale. (Tailscale. “Client Metrics.” Tailscale Docs, 2026)
Connection Types: A Comparison
Tailscale devices can establish three types of connections depending on network conditions. The following table compares their characteristics:
| Connection Type | When Used | Performance | Infrastructure |
|---|---|---|---|
| Direct | Both devices have public IPs or easy NAT | Optimal—no intermediary | None required |
| Peer Relay | One or both devices behind hard NAT | High—customer-controlled infrastructure | Customer-deployed relay |
| DERP Relay | Direct and peer relay unavailable | Good—may have higher latency | Tailscale-managed global servers |
The NAT configuration of each device determines the connection type. When both devices operate behind “hard NAT” configurations—restrictive NATs that use complex port allocation strategies and disable port mapping protocols—Tailscale cannot establish direct connections and must use relayed connections. (Wikipedia contributors. “NAT Traversal.” Wikipedia, The Free Encyclopedia)
NAT Traversal: The Technical Foundation
Understanding peer relays requires understanding NAT traversal. Network Address Translation (NAT) maps private IP addresses to public IPs, enabling multiple devices to share internet connectivity. However, NAT creates challenges for P2P networking because devices behind NATs cannot easily receive unsolicited inbound connections. (Tailscale. “How NAT Traversal Works.” Tailscale Blog)
Tailscale employs several IETF-standard techniques to traverse NATs:
- STUN (Session Traversal Utilities for NAT): RFC 5389 defines this protocol for discovering the public IP and port allocated by a NAT device (Rosenberg, J., et al. “RFC 5389: Session Traversal Utilities for NAT (STUN).” IETF, October 2008)
- ICE (Interactive Connectivity Establishment): RFC 8445 describes this framework for establishing connectivity between peers across NATs (Keranen, A., et al. “RFC 8445: Interactive Connectivity Establishment (ICE).” IETF, July 2018)
- TURN (Traversal Using Relays around NAT): RFC 5766 specifies relay-based traversal when direct connections fail (Reddy, A., et al. “RFC 5766: Traversal Using Relays around NAT (TURN).” IETF, April 2010)
When STUN and ICE succeed, devices establish direct WireGuard tunnels. When they fail—such as in symmetric NAT scenarios or when UDP is blocked—Tailscale falls back to relayed connections via peer relays or DERP servers.
Enterprise Use Cases
Peer Relays unlock several enterprise scenarios that were previously challenging with mesh VPNs:
- Multi-cloud connectivity: Deploy peer relays in each cloud region to ensure low-latency paths between VPCs when direct connections fail
- Strict compliance environments: Maintain complete control over relay infrastructure while still benefiting from Tailscale’s mesh architecture
- High-throughput workloads: Support video production, scientific computing, or data pipeline workloads that require sustained bandwidth
- Legacy network integration: Replace subnet routers with full-mesh deployments that support Tailscale SSH and MagicDNS (Tailscale. “Subnet Routers vs Peer Relays.” Tailscale Docs, 2026)
Frequently Asked Questions
Q: What is the difference between a peer relay and a DERP server? A: Peer relays are customer-deployed devices within your tailnet that relay encrypted traffic when direct connections fail. DERP servers are Tailscale-managed global relays that serve as the final fallback. Peer relays typically offer better performance because they run on your infrastructure closer to your devices.
Q: Can peer relays decrypt my traffic? A: No. Peer relays forward already-encrypted WireGuard packets. Because Tailscale private keys never leave the local device that generated them, it is impossible for any relay to decrypt traffic.
Q: When should I use peer relays instead of subnet routers? A: Peer relays can replace subnet routers when you want full-mesh connectivity with features like Tailscale SSH and MagicDNS. Subnet routers require traffic to flow through a central node, while peer relays enable direct device-to-device connections even through restrictive NATs.
Q: Are peer relays available on all Tailscale plans? A: Yes. Peer Relays are available on all Tailscale plans, including the free Personal plan, as of the February 18, 2026 GA announcement.
Q: How do I verify that traffic is using a peer relay?
A: Use the tailscale status command and look for connections marked as peer-relay instead of direct or relay. You can also use tailscale ping to test connectivity and observe the connection path.