diff --git a/fly/fly.toml b/fly/fly.toml
index 17e3de8..11aac9c 100644
--- a/fly/fly.toml
+++ b/fly/fly.toml
@@ -22,3 +22,12 @@ interval = "10s"
 method = "GET"
 path = "/healthz"
 timeout = "5s"
+
+# Expose Tailscale's WireGuard port so direct peer-to-peer connections can
+# establish instead of falling back to DERP relay. Requires a dedicated IPv4.
+[[services]]
+internal_port = 41641
+protocol = "udp"
+
+[[services.ports]]
+port = 41641
diff --git a/fly/start.sh b/fly/start.sh
index 8fd1fd4..1f2acaa 100644
--- a/fly/start.sh
+++ b/fly/start.sh
@@ -5,7 +5,7 @@ set -e
 # With bluegreen deploys, the old machine serves traffic until this one is
 # fully ready. Fly.io runs Firecracker microVMs that support TUN devices
 # natively — no need for --tun=userspace-networking.
-tailscaled --statedir=/var/lib/tailscale &
+tailscaled --statedir=/var/lib/tailscale --port=41641 &
 sleep 2
 tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
 until tailscale status > /dev/null 2>&1; do sleep 1; done
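Review bot: The port 41641 now appears three times across two files (`internal_port` and `port` in this new `[[services]]` block, and `--port=41641` in fly/start.sh) with nothing tying them together. If one drifts, the service forwards to a port nobody listens on and the node falls back to DERP without any error. I would extend the comment with `# Must match tailscaled --port in fly/start.sh.` and state there that this is a public, internet-facing UDP listener that lands directly on tailscaled, so a later reader does not widen it casually. Separately, as far as I recall Fly's UDP services expect the process to bind to the `fly-global-services` address for replies to carry the right source IP. Nothing in this diff shows that for tailscaled, so it is worth confirming from a peer with `tailscale ping` that a direct path really establishes.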
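Review bot: Nothing after the changed `tailscaled ... --port=41641 &` line checks that the pinned port was actually bound or that UDP is usable. The daemon is backgrounded, so `set -e` does not see a failure, and the `until tailscale status` loop succeeds whether traffic goes direct or over DERP. A misconfiguration therefore looks identical to success in the deploy logs. I would add a diagnostic after the wait loop, for example `tailscale netcheck || true`, so the logs record whether UDP connectivity is available. The script continues beyond this hunk, so a check may already exist further down.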