Option to force a static UDP source port number

[crawshaw]

Some firewalls only allow UDP to pass if it is from a known port. We should have a way for clients to be configured to use a predictable port.

It's not clear yet whether this is a network-wide setting, or a client setting.

[bradfitz]

We already have this, at least on tailscaled.

Or are you talking about the iOS app? But in that case, the answer would be DERP.

What remains here, @crawshaw?

[crawshaw]

tailscaled lets people use a fixed UDP port on linux. There is no equivalent option on macOS.

[apenwarr]

Note that this option really should be enabled by default, so that we can document the behaviour more easily. Perhaps unlike regular WireGuard, tailscale users generally are not interested in hiding their encrypted traffic from their corporate IT department; quite the opposite.

[Oujiii]

What is the flag to force a specific UDP port to be used on linux? I have a need for this as I can't use the default port on one of my servers, but I have a set of other ports I can use.

[apenwarr]

You have to start tailscaled with the right --port option. The systemd unit we provide sets this to 41641, but you can change it if you like. ᐧ

…

On Fri, May 14, 2021 at 12:11 PM Oujiii ***@***.***> wrote: What is the flag to force a specific UDP port to be used on linux? I have a need for this as I can't use the default port on one of my servers, but I have a set of other ports I can use. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAFA4CYH25DG5VJ4RMMNITTNVDTNANCNFSM4KSVE2BQ> .

-- Avery Pennarun // CEO @ Tailscale

[hronro]

@apenwarr Can I force a specific UDP port on mac or windows please?

[Notfast]

I'm waiting for this option

[icepigeon-dev]

Please consider adding this option to other platforms (e.g. Windows, macOS and Synology)

--Edit--
Found the method to change the port on Synology.

/var/packages/Tailscale/scripts/start-stop-status in line 15,
/var/packages/Tailscale/target/conf/Tailscale.sc in lines 5-6

change the port to any other port.

[yabostone]

As you can change /etc/default/tailscaled option values, if you use linux.

# Set the port to listen on for incoming VPN packets.
# Remote nodes will automatically be informed about the new port number,
# but you might want to configure this in order to set external firewall
# settings.
PORT="42006"

# Extra flags you might want to pass to tailscaled.
FLAGS=""

In this config files, I changed Port value from 41641 to 42006 cause ISP blocked default port。

route configuration

if cat a public ip in your router,and you can add port forwarding，port forwarding from wan port 42006 to lan ip port 42006.(keep the port same,in this section ,changed port is 42006, you need to configure router port exposed the same-42006.)
Tailscale will generate default port mapping to test this link is up and can be directed.
if not , nat mapping will use "The benefits of birthdays" algorithm...

[haris2887]

This does not work on the Tailscale docker .
Looks Like this option was removed.