> I'd rather expose a WireGuard port and control my keys than introduce a third party like Tailscale.
The main issue people have with Tailscale is that it's a centralised service that isn't self-hostable. The Tailscale server manages authentication and keeping track of your devices' IPs.
Your eventual connection is direct to your device, but all the management before that runs on Tailscale's server.
But I also think it's worth a mention that for basic "I want to access my home LAN" use cases you don't need P2P, you just need a single public IP to your LAN and perhaps dynamic DNS.
- Each device? This means setting up many peers on each of your devices.
- Router/central server? That's a single point of failure, and often a performance bottleneck if you're on LAN. If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.
Not to mention DDNS can create significant downtime.
Tailscale fails over basically instantly, and is E2EE, unlike the hub setup.
A lot of people are behind CGNAT or behind a non-configurable router, which is an abomination.
> Secure your router
A typical router cannot be secured against physical access, unlike your servers, which can have disk encryption.
> Your router is a SPOF regardless
Tailscale will keep your connection over a downstream switch, for example. It will not go through the router if it doesn't have to. If you use it for other use cases like kdeconnect synchronizing clipboard between phone and laptop, that will also stay up independent of your home router.
The VPS (using wg-easy or similar solutions) will be able to decrypt traffic as it has all the keys. I think most people self-hosting are not fine with big cloud eavesdropping on their data.
Tailscale really is superior here if you use tailnet lock. Everything always stays encrypted, and fails over to their encrypted relays if direct connection is not possible for various reasons.
I’m working on a (free) service that lets you have it both ways. It’s a thin layer on top of vanilla WireGuard that handles NAT traversal and endpoint updates so you don’t need to expose any ports, while leaving you in full control of your own keys and network topology.
https://wireplug.org