{"slug": "how-myanmar-blocks-tailscale-and-how-to-beat-it", "title": "How Myanmar Blocks Tailscale — and How to Beat It", "summary": "Myanmar blocks Tailscale with a simple SNI filter targeting *.tailscale.com, disrupting connectivity for journalists and remote workers. A developer and an AI agent identified the block and built a countermeasure using a custom DERP relay on port 443 with a valid TLS certificate. Tailscale's lack of DERP configuration options in the admin console forces users to rely on this workaround.", "body_md": "A government blocks a VPN with a one-line SNI rule. The fix is a custom relay on port 443. Tailscale could make this trivial for millions — but they haven't.\n\nThere's a lot of confusion about how Myanmar actually blocks Tailscale. Some say it's DNS poisoning. Others claim the coordination server is blackholed. A few insist the WireGuard protocol itself is detected and dropped.\n\nNone of that is correct. The block is simpler and stupider than most people think — and because of that, the counter is simpler too. This matters because Tailscale is genuinely important networking middleware. It's used by journalists, remote workers, distributed teams, and anyone who needs secure machine-to-machine connectivity. Blocking it isn't just censorship theater — it disrupts legitimate infrastructure.\n\nThis time, I worked on the problem with the support of a capable agentic AI. I trained its substantial capacity for research and systematic debugging on the task, and together we burned through the misconceptions, tested the actual failure points, and built a working counter. What follows is what we found.\n\nMyanmar operates deep packet inspection (DPI) at the ISP level. But they're not doing anything sophisticated. They're running what amounts to a single SNI filter:\n\n```\nBlock TLS ClientHello where SNI matches *.tailscale.com\n```\n\nThat's it. One wildcard rule.\n\nThis hits Tailscale in three places:\n\n| Component | Blocked? 
| Why |\n|---|---|---|\n| Coordination server (`controlplane.tailscale.com`) | No | Different SNI, survived past block waves |\n| Default DERP relays (`derpN.tailscale.com`) | Yes | All match the wildcard |\n| Direct WireGuard (UDP 41641) | Sometimes | Symmetric NAT without relay = dead |\n\nWhen all DERP relays are unreachable, nodes behind carrier-grade NAT in Myanmar have no path to each other. The mesh collapses. Every node is an island.\n\nThe cruel part: the coordination server *still works*. The client can see its peers. It knows they exist. It just can't reach them. It's like being locked in a glass box — you can see everyone, but you can't touch them.\n\nThe agent and I verified this step by step: DNS resolution from inside Myanmar, successful — the IPs resolve fine. TCP handshake to the coordination server, successful — it's not IP-blocked. TLS ClientHello to `derpN.tailscale.com`, dropped at the SNI. TLS ClientHello to a custom domain on the same VPS, passed cleanly. The filter is exactly one rule deep.\n\n**Peer Relays (NAT-PMP/PCP).** Tailscale's own documentation suggests custom DERP isn't needed if you set up a peer relay. But peer relays use raw UDP on arbitrary ports. DPI boxes flag non-standard UDP instantly. Port 40000 looks nothing like web traffic.\n\n**Waiting for it to get better.** Myanmar's filtering isn't going away. It's getting more aggressive, not less.\n\n**Commercial VPNs.** Most are blocked at the same DPI layer. The ones that work today won't work tomorrow.\n\nThe insight is simple: **TLS on port 443 looks like HTTPS to a DPI box. Every website uses it. Blocking it would break the internet.**\n\nA custom DERP relay listening on TCP 443, with a valid Let's Encrypt certificate on a domain you control, is indistinguishable from a web server. The SNI matches your domain, not `*.tailscale.com`. The traffic is standard TLS. 
The DPI box shrugs and passes it through.\n\nYou can deploy this in 30 minutes:\n\n- `cmd/derper` on a VPS outside the censored country\n\nBut here's where Tailscale's product decision bites you.\n\nYou can **add** custom DERPs to your tailnet. But you **cannot remove** the default ones.\n\nThis isn't a technical limitation. Tailscale's admin console simply doesn't expose DERP controls. The ACL syntax has some undocumented, CLI-only support for DERP filtering — but it's fragile, barely documented, and not something a normal user would discover. The product team made a choice: DERP is infrastructure, not configuration. You don't get to touch it.\n\nThe consequence: your client will try the blocked default DERPs first. Each attempt times out after 5-10 seconds. Only after cycling through every blocked relay does it fall back to your custom one.\n\nThe result: Tailscale *does* connect eventually. But every connection attempt has a 20-40 second penalty. Every reconnect. Every network change. Every time your phone switches from WiFi to cellular.\n\nIt's functional but miserable — like a car that stalls three times before starting.\n\n[Headscale](https://github.com/juanfont/headscale) is the open-source implementation of the Tailscale coordination server. Self-hosting it gives you one thing Tailscale's SaaS doesn't: **control over the DERP map.**\n\nWith Headscale, you can:\n\nNo timeouts. No cycling through blocked relays. 
Your custom DERP is the only option, so clients go there immediately.\n\nThe deployment takes an afternoon:\n\n```\nVPS in Singapore\n├── nginx :443 (SNI router)\n│   ├── derp.yourdomain.com → derper container\n│   └── hs.yourdomain.com → Caddy → Headscale\n├── Headscale (coordination server)\n├── Custom DERP relay (port 443, LE cert)\n└── Headplane (web UI for management)\n```\n\nOn the client side, joining is one command:\n\n```\ntailscale up --login-server=https://hs.yourdomain.com --authkey=YOUR_KEY\n```\n\nAdd a Tailscale node as an exit node on the Singapore VPS, and every device on the tailnet can route its internet traffic through Singapore — free of Myanmar's filtering.\n\nTotal cost: one $5/month VPS.\n\nIf you're reading this and planning to deploy Headscale, consider forking or mirroring the repository *before* you need it. The `*.tailscale.com` wildcard block works because it's easy. There's nothing stopping the same filter from being extended to `github.com/juanfont/headscale` — and after this article, that's a real possibility. Install from an alternate source. Host the binaries on your own domain. The pattern you use to beat the DERP block is the same pattern that keeps the tools themselves available.\n\nTailscale's engineering is excellent. The product decisions around DERP management are the problem.\n\nThree changes would make Tailscale censorship-resistant for millions of people:\n\nThis is the single highest-impact change. Right now the admin console has no DERP controls at all. Adding a \"DERP relays\" section where users can disable defaults and add customs would solve the timeout problem without self-hosting anything.\n\nThe ACL syntax already partially supports this — but it's undocumented, CLI-only, and fragile. Make it a first-class feature.\n\nOne toggle that:\n\nThis isn't hypothetical. Iran, China, Russia, Turkey, and Myanmar all block Tailscale infrastructure. 
That's hundreds of millions of people who can't use the product because of a single wildcard SNI rule.\n\nTailscale's documentation on censorship circumvention is scattered across forum posts and GitHub issues. A single page — \"Using Tailscale in Censored Networks\" — would tell users what they need before they spend hours debugging timeouts.\n\n`*.tailscale.com` is a convenient wildcard for DPI boxes. Custom domains break that pattern.\n\n`controlplane.tailscale.com` was reachable from Myanmar when we tested. This can change. Self-hosting Headscale removes the last dependency on `tailscale.com`.\n\n*Written with Hermes Agent. Follow me on X: @MariaTanBoBo*", "url": "https://wpnews.pro/news/how-myanmar-blocks-tailscale-and-how-to-beat-it", "canonical_source": "https://dev.to/mariatanbobo/how-myanmar-blocks-tailscale-and-how-to-beat-it-13k6", "published_at": "2026-06-13 19:07:46+00:00", "updated_at": "2026-06-13 19:45:27.038375+00:00", "lang": "en", "topics": ["developer-tools", "ai-agents"], "entities": ["Tailscale", "Myanmar", "Let's Encrypt", "WireGuard"], "alternates": {"html": "https://wpnews.pro/news/how-myanmar-blocks-tailscale-and-how-to-beat-it", "markdown": "https://wpnews.pro/news/how-myanmar-blocks-tailscale-and-how-to-beat-it.md", "text": "https://wpnews.pro/news/how-myanmar-blocks-tailscale-and-how-to-beat-it.txt", "jsonld": "https://wpnews.pro/news/how-myanmar-blocks-tailscale-and-how-to-beat-it.jsonld"}}