> It allows customers to make just one firewall exception for connections only coming from their tailnet.
You'll need to open a single UDP port on your firewall, so it's your public-facing IP address. You don't need an entire VM somewhere, just a single port.
Regarding the speed question: you'd use the DERP when it's not possible to make a peer-to-peer connection, which limits your speed to the DERP server's speed and load. With the peer relay, you can practically use the entire bandwidth you have between your devices.
> for connections coming from their tailnet
So instead of whitelisting all ports from IP range 100.64.0.0/10 I would just whitelist e.g. UDP port 12345 coming from IP range 100.64.0.0/10 to my public IP? Or just open up UDP 12345 completely?
What I understood is similar to making any device accessible on the internet. You would need to open the UDP 12345 on your router and forward the traffic to your server.
It sounds like each peer would first access the peer relay to coordinate how they could establish a direct point-to-point connection with each other.
I think you need to open UDP 12345 to the public internet; the Tailscale Disco protocol runs on that, which is the underlay port.
I would assume you only need to make sure that the other clients can access the UDP port, so not like public internet in the sense of 0.0.0.0/0 but just accessible by other peers, whatever their public-facing IP addresses will be.
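The thread's open question is whether the relay port can be restricted to the tailnet range 100.64.0.0/10 or has to accept any source. The following is an added illustration, not code from Tailscale or from any commenter: a small stateless rule matcher that evaluates the two candidate rules against constructed packets. It assumes, as the last comment reasons, that the relay port carries underlay traffic whose source addresses are the peers' public IPs, so the 100.64.0.0/10 addresses (the overlay addresses) never appear as the source of those packets. Port 12345, the public IP 203.0.113.7 and the overlay address 100.101.102.103 are sample values taken from the thread or made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Tailscale overlay addresses come from the CGNAT range (stated in the thread).
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")
PEER_RELAY_PORT = 12345  # hypothetical port number used in the thread


@dataclass(frozen=True)
class Rule:
    proto: str                   # "udp" or "tcp"
    dport: int                   # destination port the rule accepts
    src: ipaddress.IPv4Network   # source addresses the rule accepts
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: protocol, destination port and source network must all agree."""
    return rule.proto == pkt.proto and rule.dport == pkt.dport and pkt.src in rule.src


def first_match(rules: list[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match semantics with a default-drop policy, like a typical input chain."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def render_nft(rule: Rule) -> str:
    """Render the rule as an nftables rule line (illustrative formatting)."""
    src = "" if rule.src == ANY_SOURCE else f"ip saddr {rule.src} "
    return f"{src}{rule.proto} dport {rule.dport} {rule.action}"


# The two rule sets discussed in the thread.
RULES_TAILNET_ONLY = [Rule("udp", PEER_RELAY_PORT, TAILNET_RANGE)]
RULES_ANY_SOURCE = [Rule("udp", PEER_RELAY_PORT, ANY_SOURCE)]

# Constructed sample packets (addresses are documentation / made-up values).
UNDERLAY_PKT = Packet("udp", ipaddress.ip_address("203.0.113.7"), PEER_RELAY_PORT)   # from a peer's public IP
OVERLAY_PKT = Packet("udp", ipaddress.ip_address("100.101.102.103"), PEER_RELAY_PORT)  # overlay address as source
OTHER_PORT_PKT = Packet("udp", ipaddress.ip_address("203.0.113.7"), 53)                # unrelated port
TCP_PKT = Packet("tcp", ipaddress.ip_address("203.0.113.7"), PEER_RELAY_PORT)          # wrong protocol


def evaluate() -> dict[str, dict[str, str]]:
    """Verdict of each rule set for each sample packet."""
    packets = {
        "underlay": UNDERLAY_PKT,
        "overlay": OVERLAY_PKT,
        "other_port": OTHER_PORT_PKT,
        "tcp": TCP_PKT,
    }
    return {
        "tailnet_only": {name: first_match(RULES_TAILNET_ONLY, p) for name, p in packets.items()},
        "any_source": {name: first_match(RULES_ANY_SOURCE, p) for name, p in packets.items()},
    }


if __name__ == "__main__":
    for name, rules in (("tailnet_only", RULES_TAILNET_ONLY), ("any_source", RULES_ANY_SOURCE)):
        print(name, "->", render_nft(rules[0]))
    for rule_set, verdicts in evaluate().items():
        print(rule_set, verdicts)
```

Under the assumption stated above, the tailnet-only rule drops the underlay packet from the peer's public address, while the any-source rule accepts it and still drops everything that is not UDP to the relay port; the exposure is therefore one UDP port, not a whole address range.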