The relay worked over TCP port 443, TLS. I have this set up with headscale via nginx reverse proxy. The only way this will be blocked via deep packet inspection is if the firewall breaks (man-in-the-middles) TLS. Some companies do this, but require you to have their self-signed cert installed. I will test this with my firewall and see what it responds with; last I checked, it thought it was web traffic.
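For readers wanting the reverse-proxy setup mentioned above: the following is an added example of an nginx server block in front of a headscale instance, not configuration from the poster or from the headscale project. The upstream address `127.0.0.1:8080`, the hostname and the certificate paths are assumptions. The essential part is the `Upgrade`/`Connection` handling: the relay and the long-lived control connections are HTTP Upgrade requests inside the TLS session, and nginx drops the upgrade unless told to pass it through.

```nginx
# Added example: nginx in front of headscale (control plane + embedded relay).
# Upstream address, hostname and cert paths are placeholders for this example.

# Pass "Connection: upgrade" to the upstream only when the client asked for
# an upgrade; plain requests keep normal keep-alive semantics.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name headscale.example.com;

    ssl_certificate     /etc/letsencrypt/live/headscale.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/headscale.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;              # HTTP/1.1 is required for Upgrade
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Forward the Upgrade handshake so relay/WebSocket sessions survive the proxy.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Relay sessions are idle for long stretches; do not let nginx reap them.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

From the outside this is indistinguishable from any other HTTPS service on port 443 until something terminates TLS and looks at the first request, which is why a transparent firewall sees it as web traffic.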
Almost every company breaks TLS. If you do VPN over TCP (TCP over TCP) you end up with terrible performance.
Yep. But it still works. The TCP over TCP is usually only up to the relay, but the relay from there establishes a UDP WireGuard tunnel to the other node. No, not every company breaks TLS. It’s not even possible with TLS 1.3. Most companies are moving to doing inspection at the client level and not the firewall (the likes of Zscaler, for example).
Yes, let’s add GRE and more to the mix while we are at it. Using TURN and whatnot to circumvent what the firewall blocks will always result in poor end performance. In the end it depends on the goal one wants to achieve, and any network has the right to block anything they like, except your ISP, which should not block anything (sadly they do). Just because it “works” does not mean that it does work “well”, and TLS 1.3 will and can still be inspected, be it with more elaborate schemes like GRE.
I just did some experimenting. Relay is being done over TLS port 443. My firewall is doing deep packet inspection and can only report it’s TLS traffic that’s carrying non-HTTPS traffic (just like OneDrive, etc.). This is because Tailscale is using a WebSocket in the HTTPS connection as part of the negotiation, state management, and relay. Remote Desktop is still performant and I almost can’t tell a difference between direct UDP WireGuard connections and a relay that is 15-20 ms away from me (that I am hosting on a VPS). If you were to block HTTPS WebSockets via the firewall, you would break a lot of services and websites. Not sure what you’re ranting about over there…
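To make concrete what a TLS-terminating inspector actually sees in the case described above, here is an added example (not code from the thread or from Tailscale) that classifies the first HTTP request head on a connection after TLS has been removed. A normal HTTPS request is a plain GET or POST; a relay or WebSocket session instead opens with an HTTP/1.1 `Upgrade` handshake and then stops speaking HTTP, which is exactly the "TLS carrying non-HTTPS traffic" verdict a DPI firewall reports. The sample request heads are constructed for this example; the `Upgrade: DERP` token is the one Tailscale's native relay client sends, while the browser-side path uses a standard WebSocket upgrade.

```python
"""Classify the first request on a TLS-terminated HTTP connection.

Added example. Only applies where TLS has been terminated (a reverse proxy or
an inspecting firewall with its own CA installed on the client); without that,
an on-path device sees only the TLS handshake (SNI, ALPN) and ciphertext.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Classification:
    kind: str        # "http", "websocket", "upgrade" or "malformed"
    upgrade_to: str  # value of the Upgrade header, "" if none
    path: str


def parse_request_head(raw: bytes):
    """Split a request head into (method, path, headers) or None if malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return request_line[0], request_line[1], headers


def classify(raw: bytes) -> Classification:
    """Decide whether the connection stays HTTP or is about to switch protocols."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return Classification("malformed", "", "")
    _method, path, headers = parsed
    # "Connection" is a comma-separated token list; the upgrade only counts if it
    # carries the "upgrade" token AND an Upgrade header names the new protocol.
    connection_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    upgrade_to = headers.get("upgrade", "")
    if "upgrade" not in connection_tokens or not upgrade_to:
        return Classification("http", "", path)
    if upgrade_to.lower() == "websocket" and "sec-websocket-key" in headers:
        return Classification("websocket", upgrade_to, path)
    return Classification("upgrade", upgrade_to, path)


# Constructed sample request heads (not captured traffic).
PLAIN_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example-browser\r\n\r\n"
)
WEBSOCKET_UPGRADE = (
    b"GET /derp HTTP/1.1\r\n"
    b"Host: relay.example.com\r\n"
    b"Connection: keep-alive, Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"
)
DERP_UPGRADE = (
    b"GET /derp HTTP/1.1\r\n"
    b"Host: relay.example.com\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: DERP\r\n\r\n"
)
TRUNCATED = b"GET /derp HTTP/1.1\r\nHost: relay.example.com\r\n"


def classify_samples() -> dict:
    """Classify every constructed sample; used by the usage/test code."""
    return {
        "plain": classify(PLAIN_GET),
        "websocket": classify(WEBSOCKET_UPGRADE),
        "derp": classify(DERP_UPGRADE),
        "truncated": classify(TRUNCATED),
    }


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:10s} -> {result.kind:10s} upgrade_to={result.upgrade_to!r} path={result.path!r}")
```

The "malformed" case matters for a defender: a request head that never completes is normal on a half-open connection, so an inspector has to buffer up to the blank line before deciding, rather than judging on the first packet.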
I also think you misunderstood TCP over TCP when it comes to Tailscale. It’s TCP traffic TO the relay carrying UDP WireGuard traffic. There is no TCP over TCP like how you would traditionally think about it. Maybe think about it like a few hops of TCP, the rest UDP.