eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Expose Tailscale WireGuard UDP port on Fly proxy
Some checks failed
Deploy Fly.io Proxy / deploy (push) Failing after 1m33s
Details

Browse source 
Enable direct peer-to-peer WireGuard connections by pinning tailscaled
to port 41641 and exposing it as a UDP service. Without this, all
traffic routes through Tailscale DERP relays causing 20+ second
latency. Requires dedicated IPv4 (allocated: 168.220.82.221).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-04-18 09:17:03 -07:00
commit bca4c2bede
2 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
fly/fly.toml
View file

@ -22,3 +22,12 @@ interval = "10s"
method = "GET" method = "GET"
path = "/healthz" path = "/healthz"
timeout = "5s" timeout = "5s"
# Expose Tailscale's WireGuard port so direct peer-to-peer connections can
# establish instead of falling back to DERP relay. Requires a dedicated IPv4.
[[services]]
internal_port = 41641
protocol = "udp"
[[services.ports]]
port = 41641

2
fly/start.sh
View file

@ -5,7 +5,7 @@ set -e
# With bluegreen deploys, the old machine serves traffic until this one is # With bluegreen deploys, the old machine serves traffic until this one is
# fully ready. Fly.io runs Firecracker microVMs that support TUN devices # fully ready. Fly.io runs Firecracker microVMs that support TUN devices
# natively — no need for --tun=userspace-networking. # natively — no need for --tun=userspace-networking.
tailscaled --statedir=/var/lib/tailscale & tailscaled --statedir=/var/lib/tailscale --port=41641 &
sleep 2 sleep 2
tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
until tailscale status > /dev/null 2>&1; do sleep 1; done until tailscale status > /dev/null 2>&1; do sleep 1; done