Regarding the DERP relay


Tailscale uses DERP relaying as a fallback when a direct connection can’t be established. You could disable DERP for your tailnet via policy, but I suspect that you would then just get no connection at all.

What you’re seeing in the logs might be the relayed handshakes, not necessarily direct connections.

I saw the successful handshake and keepalive logs in the code of wireguard-go, so the handshake and keepalive of WireGuard itself should be successful. My understanding is that WireGuard can establish a successful connection, so why do we still need to use the DERP relay?


More importantly, what needs to be true to avoid DERP? It's killing my connection speeds, and I don't know how to avoid it.


A direct connection is not always maintained if it is not used.
As soon as you try sending some data again, it will try to establish it again, so the first data will be relayed, and after a few you'll get the direct connection again.

How does Tailscale handle this logic internally? When should it go through DERP?

Is it possible to force the use of a tunnel without going through DERP?