From bca4c2beded205e6cff2d622132aec97fe3e8c4b Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 18 Apr 2026 09:17:03 -0700
Subject: [PATCH] Expose Tailscale WireGuard UDP port on Fly proxy

Enable direct peer-to-peer WireGuard connections by pinning tailscaled to port 41641 and exposing it as a UDP service. Without this, all traffic routes through Tailscale DERP relays causing 20+ second latency. Requires dedicated IPv4 (allocated: 168.220.82.221).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 fly/fly.toml | 9 +++++++++
 fly/start.sh | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/fly/fly.toml b/fly/fly.toml
index 17e3de8..11aac9c 100644
--- a/fly/fly.toml
+++ b/fly/fly.toml
@@ -22,3 +22,12 @@ interval = "10s"
 method = "GET"
 path = "/healthz"
 timeout = "5s"
+
+# Expose Tailscale's WireGuard port so direct peer-to-peer connections can
+# establish instead of falling back to DERP relay. Requires a dedicated IPv4.
+[[services]]
+internal_port = 41641
+protocol = "udp"
+
+[[services.ports]]
+port = 41641
diff --git a/fly/start.sh b/fly/start.sh
index 8fd1fd4..1f2acaa 100644
--- a/fly/start.sh
+++ b/fly/start.sh
@@ -5,7 +5,7 @@ set -e
 # With bluegreen deploys, the old machine serves traffic until this one is
 # fully ready. Fly.io runs Firecracker microVMs that support TUN devices
 # natively — no need for --tun=userspace-networking.
-tailscaled --statedir=/var/lib/tailscale &
+tailscaled --statedir=/var/lib/tailscale --port=41641 &
 sleep 2
 tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
 until tailscale status > /dev/null 2>&1; do sleep 1; done
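Review bot: The new `[[services]]` block repeats 41641 in `internal_port` and in `[[services.ports]] port`, and the same value is set a third time by `--port=41641` in fly/start.sh, yet nothing in this file records that the two files must agree; extend the existing comment with a line such as `# internal_port must match the --port passed to tailscaled in fly/start.sh.` Fly's UDP forwarding, as I recall its documentation, only delivers datagrams to a process bound to the `fly-global-services` address rather than the wildcard, and tailscaled binds the wildcard by default, so the service may be exposed without inbound packets ever reaching it — after deploying, confirm from a peer with `tailscale ping` that the path is reported as direct rather than via DERP. Exposing the WireGuard port on the dedicated public IPv4 is a reasonable trade since WireGuard by design stays silent to packets that do not complete its authenticated handshake, but a short note that this is the only intended UDP listener on that address would help whoever audits the service list later.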
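Review bot: The added `--port=41641` is a bare literal that has to stay in lock-step with `internal_port` in fly/fly.toml, and the comment block above the command does not mention the port at all; add a line such as `# --port must match the UDP service's internal_port in fly/fly.toml.` immediately above the `tailscaled` invocation. As far as I understand tailscaled's behaviour, with no `--port` it already tries 41641 first and silently falls back to a random port when that is busy, so the real effect of the explicit flag is to prevent that silent fallback from leaving the Fly service forwarding to a dead port — presumably the intent, and worth stating in the same comment (confirm against the tailscaled version in the image). Since the command is backgrounded with `&`, a bind failure on 41641 would not trip `set -e` directly; it would surface only when the later `tailscale up` fails, which is fine but should be understood. The script continues past the hunk (`sleep 2`, `tailscale up`, the readiness loop are unchanged context).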