Tailscale Peer Relays Unlock Near-Direct Speeds in Restricted Networks

Tailscale's peer relays let devices forward encrypted traffic at high speeds when direct connections stall, outperforming DERP servers in tough network setups. Explore real cases and trade-offs.

Peer relays enable devices to securely forward traffic when direct connections fail. (Image: TechReviewer)

Last Updated: October 30, 2025

Written by Rosa Torres

Devices Step In as Relays

Tailscale rolled out peer relays on October 28, 2025, giving users the ability to turn any compatible device in their tailnet into a traffic forwarder. When two nodes cannot link directly because of firewalls or NAT rules, the system routes packets through one of these customer-chosen relays. All data stays locked with WireGuard encryption from start to finish, so the relay only ever handles ciphertext it cannot read.

After initial setup, the client software handles the rest automatically, picking the best path without manual intervention. Direct connections are tried first. If they fail, peer relays kick in. Only then does the client fall back to Tailscale's DERP servers.

Speed Gains in Real Deployments

Early tests with design partners showed peer relays hitting hundreds of megabits per second, sometimes gigabit speeds in ideal setups. That crushes the 10-50 Mbps ceiling common on DERP servers, which run over TCP and face quality-of-service caps.

One cloud team connected private VPC subnets across regions. Direct paths stayed blocked by managed NAT gateways. A peer relay in a public subnet pushed throughput past 500 Mbps for database backups, compared to 30 Mbps via DERP. Latency dropped too, making interactive sessions smooth.

A homelab user replaced an nginx reverse proxy farm with a single Linux box as relay. File transfers between containers jumped from 15 Mbps to 800 Mbps. The change cut maintenance and removed port-forwarding headaches.

Trade-Offs for Administrators

Relays need a reachable UDP port open bidirectionally between devices. That simplifies rules versus full proxy setups, but security teams still audit the exposure. iOS and Apple TV devices cannot host relays, though they use them as clients without issue.

Policy grants control who becomes a relay via the relay capability tag. Loose rules can send traffic on long detours, raising latency. Tight policies keep paths predictable and auditable, fitting zero-trust models.
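The path order described above (direct first, then a policy-approved peer relay, then DERP) and the policy audit that administrators want for "loose rules" can be modelled in a few dozen lines. The block below is an added example written for this article, not Tailscale's client or policy engine. The capability name `tailscale.com/cap/relay`, the shape of the `grants` entries, and the rule that both endpoints must be granted use of a relay are assumptions about the policy syntax; the nodes and grants are constructed sample data.

```python
"""Model of the path selection order the article describes (direct, then a
policy-approved peer relay, then DERP), plus an audit of relay grants.

This is an added, simplified model written for this page; it is not
Tailscale's client or policy engine. The capability name below and the
symmetric rule that both endpoints must be granted use of a relay are
assumptions about the policy syntax, not facts taken from the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed capability name for the relay grant; verify against Tailscale's docs.
RELAY_CAP = "tailscale.com/cap/relay"


@dataclass(frozen=True)
class Node:
    name: str
    tags: frozenset
    can_host_relay: bool = True        # iOS and Apple TV cannot host a relay
    relay_port: Optional[int] = None   # UDP port the relay listens on, if any


Grant = Dict[str, object]


def selector_matches(selector: str, node: Node) -> bool:
    """'*' matches everything; otherwise the selector is a tag on the node."""
    return selector == "*" or selector in node.tags


def relay_allowed(grants: List[Grant], user: Node, relay: Node) -> bool:
    """True when some grant carrying the relay capability lets `user` use `relay`."""
    for g in grants:
        if RELAY_CAP not in g.get("app", {}):
            continue
        if any(selector_matches(s, user) for s in g["src"]) and any(
            selector_matches(d, relay) for d in g["dst"]
        ):
            return True
    return False


def eligible_relays(grants, src, dst, candidates) -> List[Node]:
    """Relays that can host, expose a UDP port, and are granted to both endpoints."""
    return [
        r for r in candidates
        if r.can_host_relay
        and r.relay_port is not None
        and relay_allowed(grants, src, r)
        and relay_allowed(grants, dst, r)
    ]


def choose_path(src, dst, candidates, grants, direct_ok, udp_reachable) -> Tuple[str, Optional[str]]:
    """Preference order: direct > peer relay > DERP.

    udp_reachable(node, relay) models whether the node can reach the relay's
    UDP port bidirectionally; a relay is only usable when both endpoints can.
    """
    if direct_ok:
        return ("direct", None)
    for relay in eligible_relays(grants, src, dst, candidates):
        if udp_reachable(src, relay) and udp_reachable(dst, relay):
            return ("peer-relay", relay.name)
    return ("derp", None)


def audit_relay_grants(grants) -> List[str]:
    """Flag relay grants with a wildcard src or dst: broad exposure and
    unpredictable detours, the 'loose rules' the article warns about."""
    findings = []
    for i, g in enumerate(grants):
        if RELAY_CAP not in g.get("app", {}):
            continue
        if "*" in g["src"]:
            findings.append(f"grant {i}: any node may use relays in {g['dst']}")
        if "*" in g["dst"]:
            findings.append(f"grant {i}: {g['src']} may relay through any node")
    return findings


# Constructed sample policy: only tag:server nodes may relay via tag:relay nodes.
SAMPLE_GRANTS: List[Grant] = [
    {"src": ["tag:server"], "dst": ["tag:relay"], "app": {RELAY_CAP: []}},
]

if __name__ == "__main__":
    a = Node("db-us-east", frozenset({"tag:server"}))
    b = Node("db-eu-west", frozenset({"tag:server"}))
    relay = Node("relay-public", frozenset({"tag:relay"}), relay_port=41641)
    print(choose_path(a, b, [relay], SAMPLE_GRANTS, False, lambda n, r: True))
    print(audit_relay_grants(SAMPLE_GRANTS))
```

Running the audit against a policy before it is applied catches the wildcard grant that would let any node route through any relay; keeping `src` and `dst` scoped to tags is what keeps paths predictable and auditable.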

Free accounts get two permanent relays. Extra ones tie to paid plans. Organizations weigh this against bandwidth they already own versus Tailscale's DERP costs.

Broader Impact on Network Design

Enterprises ditch load balancers for CI/CD pipelines. One firm swapped mutual TLS gateways for Tailscale Services plus peer relays, gaining reliability and cutting config time.

Remote teams access resources faster from spotty connections. Media servers stream HD video to family across continents with minimal buffering once local relays handle the load.

Tailscale saves on its own bandwidth as traffic shifts to customer relays. The shift aligns with zero-trust growth, where control stays in user hands without sacrificing encryption or access rules.