Tailscale Mesh Performance Tuning
Tailscale Mesh VPN WireGuard Peer-to-peer NAT Traversal Direct Connection DERP Relay Performance Tuning MTU Optimization Latency Bandwidth
| VPN Type | Architecture | Latency | Bandwidth | Scale |
|---|---|---|---|---|
| Traditional VPN | Hub-and-spoke | สูง (ผ่าน Server) | จำกัด (Server) | จำกัด |
| Tailscale | Mesh (P2P) | ต่ำ (Direct) | สูง (P2P) | ดีมาก |
| WireGuard | Point-to-point | ต่ำ | สูง | Manual Config |
| ZeroTier | Mesh (P2P) | ต่ำ | สูง | ดี |
Tailscale Setup และ Connection Check
# === Tailscale Installation & Performance Check ===
# Install
# curl -fsSL https://tailscale.com/install.sh | sh
# Windows: Download from tailscale.com
# Docker: docker run -d --name tailscale \
# -v /var/lib/tailscale:/var/lib/tailscale \
# -v /dev/net/tun:/dev/net/tun \
# --cap-add=NET_ADMIN --cap-add=NET_RAW \
# tailscale/tailscale
# Basic Commands
# tailscale up # เชื่อมต่อ
# tailscale down # ตัดการเชื่อมต่อ
# tailscale status # สถานะทั้งหมด
# tailscale ip # แสดง IP
# tailscale ping # ทดสอบ Connection
# tailscale netcheck # ตรวจสอบ Network
# tailscale debug derp-map # แสดง DERP Servers
# Performance Check
# tailscale ping myserver
# pong from myserver (100.x.x.x) via 203.0.113.5:41641 in 12ms
# ถ้าเห็น "via DERP(tok)" = ผ่าน Relay (ช้ากว่า)
# ถ้าเห็น "via :" = Direct Connection (เร็ว)
# Network Check
# tailscale netcheck
# Report:
# * UDP: true
# * IPv4: yes, 203.0.113.5:41641
# * IPv6: yes
# * MappingVariesByDestIP: false (Easy NAT = ดี)
# * PortMapping: UPnP
# * Nearest DERP: Tokyo
# * DERP latency:
# - tok: 15ms (Tokyo)
# - sin: 45ms (Singapore)
# - sfo: 120ms (San Francisco)
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class TailscaleNode:
    """One peer of the tailnet as shown in the status table printed below."""

    hostname: str
    ip: str  # Tailscale address (sample rows use the 100.64.x.x range)
    os: str
    online: bool
    direct: bool  # True when the peer is reached peer-to-peer instead of through a DERP relay
    relay: Optional[str]  # relay label such as "DERP(tok)" when direct is False, else None
    latency_ms: float
    last_seen: str  # free-form text, e.g. "now" or "2min ago"
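nodes = [
    TailscaleNode("web-server", "100.64.0.1", "Ubuntu 22.04", True, True, None, 5.2, "now"),
    TailscaleNode("db-server", "100.64.0.2", "Ubuntu 22.04", True, True, None, 8.1, "now"),
    TailscaleNode("dev-laptop", "100.64.0.3", "macOS 14", True, True, None, 12.5, "now"),
    TailscaleNode("home-nas", "100.64.0.4", "Synology DSM", True, False, "DERP(tok)", 45.3, "now"),
    TailscaleNode("mobile", "100.64.0.5", "iOS 17", True, True, None, 25.0, "2min ago"),
]


def _describe_connection(node):
    """Return "Direct" for a peer-to-peer path, otherwise "Relay (<relay label>)"."""
    return "Direct" if node.direct else f"Relay ({node.relay})"


print("=== Tailscale Network Status ===")
for node in nodes:
    # The connection column is 18 wide so that "Relay (DERP(tok))" (17 chars)
    # no longer pushes the latency column out of alignment; the unused
    # Online/Offline local from the original loop was dropped.
    print(f" {node.hostname:<14} {node.ip:<14} {_describe_connection(node):<18} "
          f"{node.latency_ms:>6.1f}ms {node.os}")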
Performance Tuning
# === Performance Tuning Techniques ===
# 1. Force Direct Connection
# ตรวจสอบ Firewall เปิด UDP Port 41641
# sudo ufw allow 41641/udp
# sudo iptables -A INPUT -p udp --dport 41641 -j ACCEPT
# 2. MTU Optimization
# tailscale set --accept-routes --netfilter-mode=off
# หมายเหตุ: --netfilter-mode=off ไม่เกี่ยวกับ MTU — เป็นการหยุดให้ tailscaled จัดการกฎ iptables/nftables บน Host เอง ใช้เฉพาะเมื่อคุณดูแลกฎ Firewall เหล่านั้นเองเท่านั้น (ค่าปกติคือ on)
# ip link show tailscale0
# # ปรับ MTU (default 1280, max ~1420 สำหรับ WireGuard)
# sudo ip link set dev tailscale0 mtu 1400
#
# # ทดสอบ MTU ที่เหมาะสม
# ping -M do -s 1372 100.64.0.1 # 1372 + 28 (header) = 1400
# ถ้าได้ = MTU 1400 ใช้ได้
# ถ้า "Message too long" = ลด MTU ลง
# 3. Router Configuration
# เปิด NAT-PMP หรือ UPnP บน Router
# ใช้ Port 41641 UDP สำหรับ WireGuard
# ถ้าเป็น Symmetric NAT = DERP Relay เท่านั้น
# 4. Self-hosted DERP Server
# docker run -d --name derp \
# -p 443:443 -p 3478:3478/udp \
# -e DERP_DOMAIN=derp.example.com \
# -e DERP_CERT_MODE=letsencrypt \
# -e DERP_ADDR=:443 \
# tailscale/derper
# Each entry: how to detect the condition, what to change, and the expected gain.
tuning_checklist = {
    "Direct Connection": {
        "check": "tailscale ping — ดูว่า via IP หรือ DERP",
        # NOTE: UPnP/NAT-PMP lets any LAN host request inbound mappings; a fixed
        # UDP 41641 allow rule is the narrower option where the router supports it.
        "fix": "เปิด UDP 41641, เปิด UPnP/NAT-PMP",
        "impact": "ลด Latency 50-200ms",
    },
    "MTU Optimization": {
        "check": "ping -M do -s — หา MTU ที่ใหญ่ที่สุด",
        "fix": "ip link set dev tailscale0 mtu 1400",
        "impact": "เพิ่ม Throughput 5-15%",
    },
    "UDP Port": {
        "check": "tailscale netcheck — ดู UDP: true/false",
        "fix": "Firewall allow UDP 41641",
        "impact": "เปิด Direct Connection ได้",
    },
    "NAT Type": {
        "check": "tailscale netcheck — ดู MappingVariesByDestIP",
        "fix": "false = Easy NAT (ดี), true = Hard NAT (DERP only)",
        "impact": "Easy NAT = Direct Connection ได้ทุก Peer",
    },
    "DERP Region": {
        "check": "tailscale netcheck — ดู Nearest DERP",
        "fix": "Self-host DERP Server ใกล้ที่สุด",
        "impact": "ลด Relay Latency 10-50ms",
    },
    "Version": {
        "check": "tailscale version",
        "fix": "อัปเดตเป็นเวอร์ชันล่าสุดเสมอ",
        "impact": "Bug fixes, Performance improvements",
    },
}

print("\n=== Performance Tuning Checklist ===")
for title, details in tuning_checklist.items():
    print(f"\n [{title}]")
    # One indented "label: text" line per field, emitted in insertion order.
    detail_lines = [f" {label}: {text}" for label, text in details.items()]
    print("\n".join(detail_lines))
Monitoring และ ACL
# === Monitoring & ACL Configuration ===
# ACL (Access Control List) — tailscale.com/admin/acls
# {
# "acls": [
# // Allow servers to communicate
# {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"]},
# // Allow dev to access servers
# {"action": "accept", "src": ["tag:dev"], "dst": ["tag:server:22,80,443"]},
# // Allow all to DNS
# {"action": "accept", "src": ["*"], "dst": ["tag:dns:53"]},
# ],
# "tagOwners": {
# "tag:server": ["admin@example.com"],
# "tag:dev": ["admin@example.com"],
# "tag:dns": ["admin@example.com"],
# },
# "ssh": [
# {"action": "accept", "src": ["tag:dev"], "dst": ["tag:server"],
# "users": ["autogroup:nonroot"]}
# ],
# }
# Monitoring Script
# import subprocess
# import json
# import time
#
# def get_tailscale_status():
# result = subprocess.run(
# ["tailscale", "status", "--json"],
# capture_output=True, text=True
# )
# return json.loads(result.stdout)
#
# def check_peers():
# status = get_tailscale_status()
# for peer_id, peer in status.get("Peer", {}).items():
# hostname = peer.get("HostName", "unknown")
# online = peer.get("Online", False)
# relay = peer.get("Relay", "")
# direct = peer.get("CurAddr", "") != ""
#
# if not online:
# print(f"ALERT: {hostname} is OFFLINE")
# elif not direct and relay:
# print(f"WARN: {hostname} using relay {relay}")
# else:
# print(f"OK: {hostname} direct connection")
# Benchmark
# Indicative ranges per connection path; values are illustrative, not measured here.
benchmarks = {
    "Direct (LAN)": {"latency": "1-5ms", "bandwidth": "800-950 Mbps", "jitter": "< 1ms"},
    "Direct (WAN)": {"latency": "10-50ms", "bandwidth": "200-500 Mbps", "jitter": "1-5ms"},
    "DERP Relay": {"latency": "30-150ms", "bandwidth": "50-200 Mbps", "jitter": "5-20ms"},
    "Traditional VPN": {"latency": "20-100ms", "bandwidth": "100-300 Mbps", "jitter": "2-10ms"},
}

print("Tailscale Performance Benchmarks:")
for path_name, metrics in benchmarks.items():
    print(f"\n [{path_name}]")
    for metric_name in metrics:
        print(f" {metric_name}: {metrics[metric_name]}")
# Use Cases
# Scenarios listed in the order they are printed (numbered from 1).
use_cases = [
    "Remote Access — เข้าถึง Home Lab จากที่ไหนัก็ได้",
    "Multi-cloud — เชื่อม AWS + GCP + On-premise",
    "Dev Environment — เข้าถึง Dev Server จาก Laptop",
    "IoT — เชื่อม IoT Devices อย่างปลอดภัย",
    "Gaming — LAN Party ข้าม Internet",
    "Kubernetes — Pod-to-Pod ข้าม Cluster",
]

print("\n\nTailscale Use Cases:")
for number, description in enumerate(use_cases, start=1):
    print(f" {number}. {description}")
เคล็ดลับ
- Direct: ตรวจสอบ Direct Connection ด้วย tailscale ping ทุกครั้ง
- UDP: เปิด UDP Port 41641 ที่ Firewall เพื่อให้ Direct Connection ได้
- MTU: ปรับ MTU ให้สูงที่สุดที่ไม่ Fragment เพิ่ม Throughput
- DERP: Self-host DERP Server ถ้า Relay Latency สูง
- ACL: ตั้ง ACL จำกัดสิทธิ์ Least Privilege ปลอดภัยกว่า
Tailscale คืออะไร
Mesh VPN WireGuard Peer-to-peer NAT Traversal ไม่ต้อง Port Forwarding ไม่ต้อง VPN Server กลาง ติดตั้งง่าย ทุก Platform
Mesh VPN ต่างจาก Traditional VPN อย่างไร
Traditional Hub-and-spoke Server กลาง Bottleneck Mesh P2P Direct Latency ต่ำ Bandwidth สูง Scale ดี DERP Fallback
เพิ่มความเร็ว Tailscale ทำอย่างไร
Direct Connection ไม่ Relay ปรับ MTU 1280-1420 UDP Port 41641 Exit Node ใกล้ อัปเดตเวอร์ชัน Easy NAT tailscale ping ตรวจสอบ
DERP Relay คืออะไร
Designated Encrypted Relay Packets Relay Server Direct ไม่ได้ Symmetric NAT End-to-end Encryption ช้ากว่า Direct Self-host ได้
สรุป
Tailscale Mesh VPN WireGuard P2P Direct Connection DERP Relay NAT Traversal MTU Optimization UDP Port 41641 ACL Monitoring Performance Tuning Self-host DERP Latency Bandwidth
