managing twingate

Quick Start

Automated Deployment

Connectors

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies

Location requirements via geoblocking

Security Policies: Migration Guide

Policy Guides

Authentication

Device-only Resource Policies

Trusted Devices

Two-Factor Authentication

Devices

Client Application

Endpoint Requirements

Using Twingate

Managed Devices

Windows Client Migration to .NET 8

macOS & iOS

macOS standalone Client

Windows Managed Devices

Device Administration

1Password XAM Configuration

CrowdStrike Configuration

Device Security Posture Checks

Device Security Guide

Intune Configuration

Jamf Configuration

Kandji Configuration

Linux device ID migration

Manually Verified Devices

SentinelOne Configuration

Services

Headless Clients

Linux Headless Mode

Windows Headless Mode

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Admin Console Export

Audit Logs Schema

Network Traffic

Detailed Network Event Schemas

Network Events Admin Console Export

User Activity

Device Report

Syncing Data to AWS S3

Internet Security

Browser Security

NextDNS Integration

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Customer Network

MSP Billing

Cancel Your Subscription

Notifications

Troubleshooting

Device Failures

DNS Failures

Connector Failures

Firewall Failures

Split Tunnel Failures

additional resources

Help Center ↗

Need help?

Troubleshooting

Changelog

FAQ

Twingate Trust Center

Twingate & Customer Data

DORA Compliance

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Firewall Failures

How to Troubleshoot Firewall Issues

Firewall, NAT, and Routing Issues

Twingate is designed to work without any inbound firewall rules - a major security advantage. However, it has specific outbound connectivity requirements, and its performance is highly dependent on the nature of the Network Address Translation (NAT) in front of both the Client and the Connector.

The difference between a faster, lower-latency connection and a slow one often comes down to one thing: whether the connection is Peer-to-Peer (P2P) or Relay-based. A P2P connection is a direct, encrypted tunnel between the Client and the Connector. A relayed connection means the traffic is being routed through Twingate’s public Relay infrastructure because a direct connection couldn’t be established. While secure and reliable, a relayed connection will sometimes have higher latency than a direct one. Diagnosing performance issues is therefore a process of diagnosing why a P2P connection is failing.

Common Symptoms:

Users report that accessing Resources over Twingate is “slow” or “laggy.”
In the Admin Console, the connection details for a Connector show that most or all connections are “Relayed.”
The Client or Connector fails to connect to the Twingate network entirely.

How to Identify and Troubleshoot:

Verify Outbound Firewall Rules: Both Clients and Connectors must be able to make outbound connections. Ensure that firewalls on both the user’s network and the Connector’s network allow outbound traffic to:
- *.twingate.com on TCP port 443 (for communication with the Controller and Relays).
- Twingate’s Relay infrastructure on TCP ports 30000-31000. This is the fallback for relayed connections.
- All destinations on UDP. This is the most critical requirement for P2P connections and NAT traversal. Overzealous firewalls that block outbound UDP are the #1 cause of relayed connections and performance issues.
Troubleshoot NAT Traversal Failures: If connections are being relayed, it’s because P2P failed.
- Check for Blocked UDP/QUIC: The first suspect is always a firewall blocking outbound UDP. You can test this from the Connector host using a tool like nmap against a public test port.
- Check for Incompatible NAT: NAT traversal requires a specific type of NAT known as “endpoint-independent NAT.” Most consumer routers use this, but some enterprise-grade firewalls or certain cloud NAT configurations can be incompatible (“symmetric NAT”). A “double NAT” scenario (where a device is behind two layers of routers) can also break P2P connections.
- AWS NAT Gateway: The standard AWS NAT Gateway product is known to be incompatible with the requirements for robust NAT traversal in some situations. For deployments in AWS where P2P performance is critical, Twingate recommends using an alternative, such as a self-hosted NAT instance on an EC2 virtual machine or a third-party NAT product from the AWS Marketplace.
- Confirm in the Admin Console: The Connector details page will indicate if STUN Discovery is “Available,” which is a prerequisite for P2P. If it shows an error or as unavailable then check outbound traffic rules and make sure UDP port 3478 is not blocked.

For more details on troubleshooting peer-to-peer issues, see our guide on How to troubleshoot peer-to-peer connections.

If the network path is clear and connections are performant, but users report strange conflicts with local devices, the issue is likely related to split tunneling.

Last updated 2 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

Introduction to DNS

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

How to troubleshoot peer-to-peer connections

Encryption in Twingate

API

Getting Started with the API

Exploring the APIs

Introduction to tg CLI (JavaScript)

Introduction to the Python CLI

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Connector Best Practices

Aptible

How to Deploy a Connector on AWS

How to Deploy a Connector on Azure

How to Deploy a Connector on Linux

How to Deploy a Connector on GCP

K8s Helm Chart

Managed Connectors

Updating Connectors

How to Upgrade Connectors Running in AWS/Azure/Docker Containers

K8s Helm Chart Upgrades

Systemd Service Upgrades

Advanced Connector Management

Connector Details

Connector Health Checks

Connector Metadata

Real-time Connection Logs

Deployment Automation

Supporting Unqualified Domain Names