@FlorianHeigl
Last active August 31, 2025 22:36
tailscale stun servers for junos
# Emit address-book entries for DERP regions 1..28 as dns-name addresses (the
# address stanza takes an IP prefix unless dns-name is given, and the SRX needs a
# name-server under [edit system] to resolve them) and collect them in the
# ts-stun address-set that the stun_traffic policy below matches on.
i=1 ; while [ $i -lt 29 ]; do
echo "\
set security zones security-zone untrust address-book address tsderp${i} dns-name derp${i}-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp${i}"
i=$(( $i + 1 ))
done
set security policies from-zone DMZ to-zone untrust policy stun_traffic match source-address subnet-addr-book-name
set security policies from-zone DMZ to-zone untrust policy stun_traffic match destination-address ts-stun
set security policies from-zone DMZ to-zone untrust policy stun_traffic match application junos-stun
set security policies from-zone DMZ to-zone untrust policy stun_traffic then permit
set security nat source rule-set dmz-to-untrust from zone DMZ
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule source-nat-dmz-tsrouter match source-address subnet-router-ip/32
set security nat source rule-set dmz-to-untrust rule source-nat-dmz-tsrouter then source-nat interface persistent-nat permit any-remote-host
set security nat source rule-set dmz-to-untrust rule source-nat-dmz match source-address 0.0.0.0/0
set security nat source rule-set dmz-to-untrust rule source-nat-dmz then source-nat interface
set security zones security-zone untrust address-book address tsderp1 dns-name derp1-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp1
set security zones security-zone untrust address-book address tsderp2 dns-name derp2-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp2
set security zones security-zone untrust address-book address tsderp3 dns-name derp3-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp3
set security zones security-zone untrust address-book address tsderp4 dns-name derp4-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp4
set security zones security-zone untrust address-book address tsderp5 dns-name derp5-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp5
set security zones security-zone untrust address-book address tsderp6 dns-name derp6-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp6
set security zones security-zone untrust address-book address tsderp7 dns-name derp7-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp7
set security zones security-zone untrust address-book address tsderp8 dns-name derp8-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp8
set security zones security-zone untrust address-book address tsderp9 dns-name derp9-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp9
set security zones security-zone untrust address-book address tsderp10 dns-name derp10-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp10
set security zones security-zone untrust address-book address tsderp11 dns-name derp11-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp11
set security zones security-zone untrust address-book address tsderp12 dns-name derp12-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp12
set security zones security-zone untrust address-book address tsderp13 dns-name derp13-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp13
set security zones security-zone untrust address-book address tsderp14 dns-name derp14-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp14
set security zones security-zone untrust address-book address tsderp15 dns-name derp15-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp15
set security zones security-zone untrust address-book address tsderp16 dns-name derp16-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp16
set security zones security-zone untrust address-book address tsderp17 dns-name derp17-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp17
set security zones security-zone untrust address-book address tsderp18 dns-name derp18-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp18
set security zones security-zone untrust address-book address tsderp19 dns-name derp19-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp19
set security zones security-zone untrust address-book address tsderp20 dns-name derp20-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp20
set security zones security-zone untrust address-book address tsderp21 dns-name derp21-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp21
set security zones security-zone untrust address-book address tsderp22 dns-name derp22-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp22
set security zones security-zone untrust address-book address tsderp23 dns-name derp23-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp23
set security zones security-zone untrust address-book address tsderp24 dns-name derp24-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp24
set security zones security-zone untrust address-book address tsderp25 dns-name derp25-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp25
set security zones security-zone untrust address-book address tsderp26 dns-name derp26-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp26
set security zones security-zone untrust address-book address tsderp27 dns-name derp27-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp27
set security zones security-zone untrust address-book address tsderp28 dns-name derp28-all.tailscale.com
set security zones security-zone untrust address-book address-set ts-stun address tsderp28
FlorianHeigl commented Aug 31, 2025

I went by the examples at https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-persistent-nat-and-nat64.html
Some of the STUN examples miss the then clause. No idea what happened there.
I threw this together at night and am not sure if it will already be enough to speed things up. It's possible that it's just one step on the way.

Hints, if you need this more prod-ready:

  • You could make an op script to get the DERP server list (resolved) from curl https://login.tailscale.com/derpmap/default | jq.
    It would need to run every 15 min.
  • Be careful with the suggestions from Tailscale: you absolutely don't want to turn off NAT port randomization for everything. This is ugly and bad.
  • See their note about DERP server region limits.
  • Don't forget the rule order (I knew, but my head is broken, so I forget anyway). Use insert rule newrule before rule oldrule to reorder.

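The op-script idea and the rule-order hint above, worked through as an added example. This is editor-written code, not the gist author's, Tailscale's or Juniper's; it is in Python because that is one of the languages a Junos op script can be written in. It assumes the derpmap document has the shape served by https://login.tailscale.com/derpmap/default (Regions, each with Nodes carrying HostName, IPv4, IPv6 and an optional STUNPort, where 0 means 3478 and -1 means the node serves no STUN), it reuses the gist's zone and address-set names, and its sample derpmap and the 10.0.0.5 subnet-router address are constructed from documentation prefixes, not real DERP nodes. The NAT check compares rules on source-address only.

```python
"""Build the Junos address-book side of a Tailscale STUN policy from a derpmap
document, and flag source-NAT rules shadowed by an earlier catch-all rule.
Added example; assumptions are noted inline."""
import ipaddress
import json
import re

ZONE = "untrust"           # zone holding the address-book, as in the gist
ADDRESS_SET = "ts-stun"    # address-set matched by the stun_traffic policy
DEFAULT_STUN_PORT = 3478   # the port the predefined junos-stun application covers

# Constructed sample in derpmap shape (assumed field names): two regions, one
# node on a non-default STUN port and one node that does not serve STUN at all.
SAMPLE_DERPMAP = json.dumps({
    "Regions": {
        "1": {"RegionID": 1, "RegionCode": "nyc", "Nodes": [
            {"Name": "1a", "HostName": "derp1a.example.net",
             "IPv4": "192.0.2.10", "IPv6": "2001:db8:1::10"},
            {"Name": "1b", "HostName": "derp1b.example.net",
             "IPv4": "192.0.2.11", "IPv6": "2001:db8:1::11", "STUNPort": 3479},
        ]},
        "2": {"RegionID": 2, "RegionCode": "sfo", "Nodes": [
            {"Name": "2a", "HostName": "derp2a.example.net",
             "IPv4": "198.51.100.7", "IPv6": "2001:db8:2::7", "STUNPort": -1},
        ]},
    }
})


def stun_endpoints(derpmap_json):
    """Yield (node name, host prefix, udp port) for every node that serves STUN."""
    for region in json.loads(derpmap_json)["Regions"].values():
        for node in region["Nodes"]:
            port = node.get("STUNPort", 0) or DEFAULT_STUN_PORT
            if port < 0:      # -1: node answers no STUN, nothing to permit
                continue
            for key in ("IPv4", "IPv6"):
                if node.get(key):
                    # a bare address becomes a /32 or /128; garbage raises ValueError
                    yield node["Name"], ipaddress.ip_network(node[key]), port


def junos_address_book(derpmap_json, zone=ZONE, address_set=ADDRESS_SET):
    """Return Junos set lines: one address per node IP (literal prefixes, so the
    SRX needs no name-server and no DNS refresh), the address-set, and a custom
    UDP application for each STUN port that junos-stun does not cover."""
    lines, ports = [], set()
    book = f"set security zones security-zone {zone} address-book"
    for name, net, port in stun_endpoints(derpmap_json):
        entry = f"ts-derp{name}-v{net.version}"
        lines.append(f"{book} address {entry} {net.with_prefixlen}")
        lines.append(f"{book} address-set {address_set} address {entry}")
        ports.add(port)
    for port in sorted(ports - {DEFAULT_STUN_PORT}):
        lines.append(f"set applications application ts-stun-{port} "
                     f"protocol udp destination-port {port}")
    return lines


NAT_MATCH = re.compile(
    r"^set security nat source rule-set (\S+) rule (\S+) match source-address (\S+)$")


def shadowed_nat_rules(config_lines):
    """Return (rule-set, shadowed rule, shadowing rule) for every source-NAT rule
    whose source prefix is already covered by an earlier rule of the same
    rule-set.  Junos evaluates source-NAT rules in configured order, so such a
    rule never matches.  Only source-address is compared."""
    seen, found = {}, []
    for line in config_lines:
        m = NAT_MATCH.match(line.strip())
        if not m:
            continue
        rule_set, rule, prefix = m.groups()
        net = ipaddress.ip_network(prefix, strict=False)
        for earlier, earlier_net in seen.setdefault(rule_set, []):
            if earlier_net.version == net.version and net.subnet_of(earlier_net):
                found.append((rule_set, rule, earlier))
                break
        seen[rule_set].append((rule, net))
    return found


# The gist's rule-set entered catch-all first, with the subnet router placeholder
# replaced by the constructed address 10.0.0.5: the persistent-NAT rule is dead.
GIST_ORDER = [
    "set security nat source rule-set dmz-to-untrust rule source-nat-dmz match source-address 0.0.0.0/0",
    "set security nat source rule-set dmz-to-untrust rule source-nat-dmz then source-nat interface",
    "set security nat source rule-set dmz-to-untrust rule source-nat-dmz-tsrouter match source-address 10.0.0.5/32",
    "set security nat source rule-set dmz-to-untrust rule source-nat-dmz-tsrouter then source-nat interface persistent-nat permit any-remote-host",
]

if __name__ == "__main__":
    print("\n".join(junos_address_book(SAMPLE_DERPMAP)))
    print(shadowed_nat_rules(GIST_ORDER))                        # tsrouter rule shadowed
    print(shadowed_nat_rules(GIST_ORDER[2:] + GIST_ORDER[:2]))   # specific rule first: nothing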