TAILMON v1.3.0 -Aug 24, 2025- WireGuard-based Tailscale Installer, Configurator and Monitor (Available in AMTM!)

Sorry @Joel_w I really can't follow what you're asking. You talk about NAT (full cone or symmetric), "direct connection", port forwarding, UPnP. None of this has anything to do with TAILMON (Tailscale). Tailscale is a VPN.

Tailscale tries to create a direct connection between two units on the Tailnet, but NAT and firewalls can make that difficult or impossible. If it fails the connection is sent via a third server, a DERP. That’s slow so I’m trying to avoid that.

I guess my question doesn’t have much to do with Tailmon but it was the way I installed Tailscale on the router.
 
Does your router (with Tailscale installed on it) have a publicly accessible IP address? Or is it behind another, upstream router or have CGNAT?

What are your internet download and upload speeds normally? When you say using DERP is slow, how slow relative to your clients' normal speeds?
 

I’m not behind CGNAT so yes a publicly accessible IP address. And I do get direct connections to the other devices connected behind the same router, just not to the router itself. I’ve tried it with the ping function in the Tailscale app and with Iperf3 to both the internal IP address and the Tailscale address, same result.

I have a 1Gbit symmetrical connection, and usually get around 850 Mbit down and over 900 up. If I run Iperf3 to one of the devices that gets a direct connection the speed is around 120-150 Mbit which is perfectly fine for everything I want to do (I was testing over 5G so that might have limited the speed). But on the DERP connection to the router I sometimes get under 10 Mbit and sometimes around 25 Mbit, never more. And pings over 100 ms.
 
Does tailscale status on the router show that your clients have a direct connection or that they're using DERP?

You're currently using Userspace Mode. That will CPU limit your speeds, although not by the amount you report. I suggest you switch to Kernel Mode and see if that's any better.
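
Added example, not part of the original posts and not TAILMON's or Tailscale's own code: a small shell helper that reads `tailscale status` text and reports, per peer, whether the path is direct or relayed through DERP. It assumes the `active; direct <ip:port>` / `active; relay "<region>"` wording in the status lines; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each peer in `tailscale status` text output as
# direct, relay (DERP) or inactive. The line layout is an assumption; check it
# against what your own Tailscale version prints.

classify_paths() {
    # stdin: `tailscale status` output
    # stdout: "<tailscale-ip> <host> <path> <detail>" per peer
    awk '
        /^#/ || NF < 4 { next }      # skip blank lines and "# ..." notices
        {
            path = "inactive"; detail = "-"
            # Fields 1-4 are IP, host, owner, OS; the state text follows.
            for (i = 5; i <= NF; i++) {
                if ($i == "direct") { path = "direct"; detail = $(i + 1) }
                if ($i == "relay")  { path = "relay";  detail = $(i + 1) }
            }
            gsub(/[",]/, "", detail)  # strip quotes and trailing comma
            print $1, $2, path, detail
        }'
}

relayed_peers() {
    # Host names of peers whose traffic currently goes via a DERP relay.
    classify_paths | awk '$3 == "relay" { print $2 }'
}

sample_status() {
    # Constructed sample lines (documentation addresses, made-up counters).
    cat <<'EOF'
100.64.0.1      rt-ax86u     user@   linux   active; relay "ams", tx 5120 rx 4096
100.64.0.2      nas          user@   linux   active; direct 203.0.113.10:41641, tx 9000 rx 8000
100.64.0.3      phone        user@   iOS     -
EOF
}

# On a real node:  tailscale status | classify_paths
# Offline demo using the constructed sample:
sample_status | classify_paths
```

Run `relayed_peers` before and after a change such as switching modes to see whether a peer moved off the relay path.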
 

Yes, the status says relay.

I’ll try the kernel mode if I can get this working, but 100 Mbit+ is really more than I need. I’d be happy with maybe 30 Mbit+ if I could get that stable with decent latency.
 
Hi. I installed Tailmon yesterday but no matter what I try I can't seem to get a direct connection to the router itself from outside the network. By switching to a full cone NAT instead of symmetric I seem to get a direct connection to my other devices on my network but never to the router. To troubleshoot I've tried to forward port 41641 to 192.168.0.1, and also temporarily enable UPnP, but it makes no difference when it comes to the router.

Maybe I'm wrong but I'm thinking I need a direct connection to the router since it gives access to the rest of the internal devices that don't run Tailscale, right? Now when I try to reach them I get slow speeds and ping so they must be relayed.

And by the way, is just enabling a full cone NAT the most secure way to get a direct connection on Asus Merlin? UPnP should be much worse, and I'm thinking forwarding a port would be too, right?
Access controls. From admin panel Login and turn on,
 
I had the same. Then go to the admin console, and under access below you can do the setting: all access.
 

Hey! Changing to kernel mode seems to have fixed my problem! Now I get a direct connection even to the router, and the speed is up to over 350 Mbit/s. I can also reach my non Tailscale device on my local network at full speed from outside. Feels like a bug somewhere (probably not in Tailmon though). Thanks for helping me diagnose, @ColinTaylor . I was curious to see what speeds I could get and then it happened to fix my actual problem.

It might be interesting for someone else that kernel mode more than doubles the speed on a RT-AX86U with a fast connection. Still testing over 5G so it might not be super precise but at least I'm sitting at the exact same place as I did yesterday.

And thanks for your advice, @buis but I checked and it was already set to all access by default.
 
