Tailscale+IPv6
Complete guide for integrating Tailscale with IPv6 networks to bypass CGNAT and symmetric NAT restrictions, enabling direct P2P connections with low latency.
The Problem: CGNAT and Symmetric NAT Limitations
Traditional NAT traversal techniques (STUN/UDP hole punching) fail in CGNAT (Carrier-Grade NAT) and symmetric NAT environments:
- CGNAT (100.64.0.0/10): The operator adds another NAT layer, so users get addresses on the carrier's large internal network and cannot map public ports via UPnP/NAT-PMP.
- Symmetric NAT: Each outbound connection maps to a different public port, so the public port returned by a STUN server is invalid for third parties.
- Double NAT: With the home router (iKuai) stacked on operator CGNAT, the UDP hole punching success rate drops to near 0.
Result: Tailscale is forced to relay traffic through DERP, and the data flow becomes:
xiaoming-server → local NAT → CGNAT → DERP (San Francisco) → peer network → xiaoming-pc
Latency increases from a theoretical 20ms to 200ms+, and the traffic consumes third-party relay bandwidth.
The Solution: IPv6 Direct Connection Architecture
The approach uses the native IPv6 dual-stack service provided by the operator:
- Operators allocate /60 or /64 prefixes (e.g., 240e:1:2:3::/60), so each device gets its own publicly reachable address.
- IPv6 has no NAT (or only NPTv6), giving end-to-end connectivity that bypasses CGNAT restrictions.
- When both ends have global unicast IPv6 addresses, they communicate directly over UDP regardless of CGNAT limits.
| Dimension | IPv4 + CGNAT | IPv6 Direct Connection |
|---|---|---|
| Address Type | 100.64.x.x (private network) | 240e:xxxx (public address) |
| NAT Layers | Double (home + operator) | 0 (native address) |
| Port Mapping | UPnP fails | Not needed |
| Tailscale Connection | relay via DERP | direct |
| Latency | 160-220ms | 20-40ms |
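
The contrast in the table above can be checked from the addresses each side actually holds. The following Python sketch is an added example, not part of the original guide: it labels an address as CGNAT, private, or global unicast and predicts which path class to expect. The function names and sample addresses are constructed for illustration, and the prediction is a heuristic, not a probe of the network.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
GUA = ipaddress.ip_network("2000::/3")         # IPv6 global unicast
ULA = ipaddress.ip_network("fc00::/7")         # IPv6 unique local

def classify(addr: str) -> str:
    """Label one address by how reachable it is from the internet."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id (fe80::1%eth0)
    if ip.version == 4:
        if ip in CGNAT:
            return "cgnat"
        if ip.is_private:
            return "private-v4"
        return "public-v4" if ip.is_global else "other"
    if ip.is_link_local:
        return "link-local-v6"
    if ip in ULA:
        return "ula-v6"
    if ip in GUA and ip.is_global:  # is_global excludes documentation ranges
        return "gua-v6"
    return "other"

def expected_path(local: list[str], peer: list[str]) -> str:
    """Heuristic: which path class to expect given each side's addresses."""
    l = {classify(a) for a in local}
    p = {classify(a) for a in peer}
    if "gua-v6" in l and "gua-v6" in p:
        return "direct-ipv6"        # both ends publicly addressable over IPv6
    if "cgnat" in l or "cgnat" in p:
        return "derp-relay-likely"  # IPv4-only path has to cross CGNAT
    return "ipv4-hole-punch-possible"

# Constructed sample data. Pass the router's WAN IPv4 address, not the
# tailscale0 address: Tailscale assigns its own tailnet addresses from
# 100.64.0.0/10 as well, which would be misread as CGNAT here.
SERVER = ["100.64.12.34", "240e:1:2:3::10"]
PEER_DUAL_STACK = ["100.72.0.9", "240e:1:2:13::20"]
PEER_V4_ONLY = ["100.72.0.9", "fe80::1%eth0"]

if __name__ == "__main__":
    for name, peer in [("dual-stack", PEER_DUAL_STACK), ("v4-only", PEER_V4_ONLY)]:
        print(name, "->", expected_path(SERVER, peer))
```

A link-local or ULA address on the peer does not count as IPv6 reachability, which is why the second sample still falls back to the relay prediction.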