How to Get the Best Throughput - Both Upload and Download - From Remote Servers When Connected via Tailscale and Using Pfsense Firewall
Published: Jan 15, 2026
If you have a VPS with Hetzner in Europe (very competitive hosting rates) and you’re a Tailscale aficionado, you have probably connected to it over SSH via Tailscale and been unhappy with upload/download speeds measured in kilobytes. One reason for the low throughput can be that you use pfSense as your firewall: it is difficult for Tailscale to punch a hole through pfSense, so it falls back to its DERP relay servers, which are shared by all Tailscale users and often have poor throughput. With that said, here’s a quick change to apply on pfSense to alleviate the problem.
Diagnosis
1. Let’s find out whether your SSH connection to the remote server is using DERP. Run this from your local machine:
tailscale ping <remote-server>
2. If the results show via DERP, then it’s confirmed: you’re not going through a direct connection. Proceed to the fix.
The Fix [1]
3. Open your pfSense portal and go to Firewall → NAT → Outbound.
4. Under Outbound NAT mode, select Hybrid Outbound NAT, then click Save.
5. On the same page, under Mappings, click the first Add button so the new rule is placed above the Automatic Rules.
6. Configure the rule and enable it:
   - Protocol: UDP
   - Static Port: enabled
7. Click Save, then Apply Changes.
8. On the local machine, open a new terminal and run step 1 again. This time you should see
pong from ... in the output rather than via DERP. That confirms you have a direct connection.
9. Check throughput by copying a few files with scp; it should be much better than before.
10. Consider rebooting pfSense after step 7.
11. Tailscale suggests logging in to the Tailscale admin console and going to Access Controls. Find the nodeAttrs section and add randomize-client-port inside the curly brackets, like this:
"attr": ["funnel", "randomize-client-port"],
🤯
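To make the diagnosis (step 1) and the verification (step 8) repeatable, here is an added checker that is not part of the original post. It parses the pong line format shown above and the peer list from tailscale status --json, where a peer with a non-empty Relay and an empty CurAddr is going through DERP (field names are assumed from the Tailscale CLI); the sample outputs are constructed.

```python
"""Classify Tailscale peer paths as direct or DERP-relayed (added example)."""
import json
import re
import subprocess
from typing import Optional

# Matches lines such as: pong from host (100.64.0.2) via DERP(fra) in 38ms
PING_RE = re.compile(r"^pong from (\S+) \(([\d.]+)\) via (\S+) in (\S+)")


def classify_ping(line: str) -> Optional[dict]:
    """Parse one pong line; a path starting with DERP means relayed."""
    m = PING_RE.match(line.strip())
    if not m:
        return None  # timeouts and other lines are not pongs
    host, ip, via, rtt = m.groups()
    return {"host": host, "ip": ip, "via": via, "rtt": rtt,
            "relayed": via.startswith("DERP")}


def relayed_peers(status_json: str) -> list:
    """Return hostnames of peers whose current path is a DERP relay."""
    status = json.loads(status_json)
    relayed = []
    for peer in status.get("Peer", {}).values():
        # Assumed fields: Relay = DERP region name, CurAddr = direct endpoint
        if peer.get("Relay") and not peer.get("CurAddr"):
            relayed.append(peer["HostName"])
    return relayed


def live_check() -> list:
    """Run the real CLI (needs tailscale installed and logged in)."""
    raw = subprocess.check_output(["tailscale", "status", "--json"], text=True)
    return relayed_peers(raw)


# Constructed sample output so the checker can be exercised offline
SAMPLE_PING = "pong from hetzner-vps (100.64.0.2) via DERP(fra) in 38ms"
SAMPLE_STATUS = json.dumps({"Peer": {
    "nodekey:aa": {"HostName": "hetzner-vps", "Relay": "fra", "CurAddr": ""},
    "nodekey:bb": {"HostName": "laptop", "Relay": "",
                   "CurAddr": "203.0.113.7:41641"},
}})

if __name__ == "__main__":
    print(classify_ping(SAMPLE_PING))
    print("relayed peers:", relayed_peers(SAMPLE_STATUS))
```

Run live_check() after the pfSense change; the remote server should drop out of the relayed list once the direct path is established.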
[1] Tested and working on pfSense Community Edition version 2.8.1-RELEASE.