Blocked UDP packets force fallback to relayed connections

Network firewall or provider is blocking UDP packets, preventing direct connections between Tailscale devices. Direct connections require bidirectional UDP traffic, and when blocked, devices fall back to DERP or peer relay connections.

Work with network or service provider to allow outbound and return UDP traffic. Verify UDP port 41641 is not blocked. Use 'tailscale ping' to confirm if direct connection is being established - if output shows 'via DERP' or 'via peer-relay' exclusively with 'direct connection not established', UDP is likely blocked.