
NAT traversal, and how we're improving it (pt. 1)

Blog post from Tailscale

Post Details

Company: Tailscale
Date Published: -
Author: Will Moore, Kevin Purdy and Kabir Sikand
Word Count: 2,728
Summary

Tailscale is enhancing its NAT traversal techniques to establish secure peer-to-peer (P2P) connections, focusing on making direct connections between devices succeed more often so that traffic depends less on DERP relay servers. Direct P2P connections, which bypass central servers and offer better performance, account for over 90% of Tailscale's traffic under normal conditions. Direct connections fail, however, behind symmetric ("hard") NATs, multiple NAT layers, strict firewalls, carrier-grade NAT, and restrictive endpoint configurations, and in those cases traffic often has to fall back to a DERP relay. Tailscale is actively working to overcome these obstacles, including sponsoring a patch for FreeBSD's firewall to support endpoint-independent NAT mapping for UDP traffic, which improves connectivity for P2P applications. This approach is considered safer and more effective than protocols such as UPnP or NAT-PMP, which can pose security risks and are not universally supported. Tailscale continues to refine its client software to handle NAT traversal complexities, optimize connection paths, and improve diagnostics, while preparing for future connectivity advancements, including expanded IPv6 support.