I just set this up the other day, and I got my ping to drop from 16 to 10 ms, and my bandwidth tripled, when connecting from a remote NATed site to a desktop in my house. Together with Moonlight/Sunshine I can now play Windows games on my Linux desktop from my MacBook, with 50 Mbps/10 ms streaming. So far so good!
Not a single port forwarded, I just set my router up as a peer node.
Neat use case. But in fairness, you've simply 'offloaded' NAT traversal/port forwarding to automagic helper protocols over which you have no control even if you wanted it.
May want to give Apollo a try: https://github.com/ClassicOldSong/Apollo (re Sunshine)
Why?
It handles virtual displays better in case you want your pc screen to be off while streaming. There might be other reasons.
Oh nice, virtual displays are a feature I've been wanting, thanks!
Agreed with OP. It's very handy. I made the switch after trying to tinker with running third party utilities to do this and running into issues. I found Apollo and it all just worked. Now I can stream in 4K HDR to my living room TV (which is not even what my physical PC display is). It's compatible with all the regular clients too which is nice.
That seems really exciting! If you wanted to share game streaming with the general public, would they have to install Tailscale on their device and log in? How does that work? Am I right in assuming that Tailscale is built mostly for sharing resources with people you trust instead of the general public?
I'm confused. I wanted to do this too with an OpenWrt router, but I was under the impression I still had to open a 40000 port so my NAT devices can see it. Wouldn't it still be on the exposed public Internet?
What hardware do you use on the networking side?
Nothing special, an edgerouter that allows installing tailscale
Ah, perfect. The Mikrotiks weren't as straightforward earlier but maybe it's easier now. Glad to know it works on EdgeOS. Did you just use this? https://github.com/jamesog/tailscale-edgeos
There are several ports open (you don't open them, Tailscale does), including for peer relay. Some are VPN ports, but the ports for relay servers are not for VPN, so my guess is that the software that listens on those ports is a lot less secure (compared to WireGuard or OpenVPN).
Yes, my router has open ports, but it does not do any port forwarding. So I can 'directly' connect to any device behind my router without my router needing to know any specifics of which device that is. And I don't need to do any port forwarding of anything on my network and thus expose them to the whole internet; I just expose them to the users of my Tailscale network (only me).
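The exposure model in the comment above (the streaming host is reachable only by members of the tailnet, not by the internet) can be tightened further on the Tailscale side. The policy below is an added illustration, not something posted in this thread or shipped by Tailscale or Sunshine: it is a Tailscale ACL in HuJSON that replaces the default allow-all rule so that only one user may reach the Sunshine ports on hosts tagged as the gaming PC. The user name, the tag name and the port numbers are assumptions (the ports are Sunshine's documented defaults, but check your own configuration).

```json
{
  // Only tailnet admins may attach the gaming-PC tag to a node (tag name is an assumption).
  "tagOwners": {
    "tag:gamepc": ["autogroup:admin"]
  },

  // No catch-all "*" -> "*:*" rule: anything not listed below is denied.
  "acls": [
    {
      // Assumed user; Moonlight's control/pairing/RTSP traffic to Sunshine over TCP.
      "action": "accept",
      "src": ["alice@example.com"],
      "proto": "tcp",
      "dst": ["tag:gamepc:47984,47989,48010"]
    },
    {
      // Same user; video, control and audio streams to Sunshine over UDP.
      "action": "accept",
      "src": ["alice@example.com"],
      "proto": "udp",
      "dst": ["tag:gamepc:47998-48000"]
    }
  ]
}
```

With this in place, other devices that join the tailnet (a shared node, a second user invited later) cannot reach the streaming ports at all, and the gaming PC still has nothing forwarded from the public internet. Tailscale's admin console offers an ACL test block, so the rule can be checked against a deny case before it goes live.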
Does your router not support UPnP for dynamic port punching?
UPnP allows literally any random piece of software inside your network to open and forward arbitrary ports on your firewall. Bad idea!
Why are you running software that randomly opens firewall ports?
Within my risk appetite on trusted network segments. I have bigger issues if malware is operational within the trust boundary, it can do what it needs using outbound connections just fine (recon, lateral movement, etc). Your risk appetite might differ.