If a home computer is running on a local network with no ports exposed, how are tools like tailscale
working to connect to said computer? How would the computer know that another device is trying to connect to it?
NAT traversal over UDP.
Firewalls allow packets from ip:port
s where it has observed packets sent to ip:port
. A coordination server provides a mapping of devices and ip:port
. To get through the Network Address Translation layer (NAT) which rewrites packets (e.g. a home router translating packets from local devices like your phone to come from one IP address on the internet), the STUN protocol informs each device what their ip:port
is so they can send packets to the peer device.
Altogether, by sending packets over UDP and being able to get replies to the correct ip:port
, no ports need to be open (though UDP egress is required).
See also: Why you still need an SSL certificate with tailscale