by randomblock1 1535 days ago
Yes, basically. How to create your own Tailscale-like WireGuard tunnel:

1. Put WireGuard on a Pi. Create a server config.

2. Open the WireGuard port to the Internet (don't worry, it's invisible)

3. Install WireGuard elsewhere, and generate a client config.

All devices can now talk to each other. Tailscale has a "magic DNS" feature, which is nice, but WireGuard also supports custom DNS in the config.
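An added example, not from anyone in this thread: a pure-Python equivalent of `wg pubkey` (RFC 7748 X25519 on the base point u = 9) and a renderer for the two wg-quick configs behind steps 1 and 3, including the custom DNS line. Assumptions: the Pi's tunnel address 10.0.0.1 also runs the resolver, the endpoint hostname is a placeholder, and the demo keys come from os.urandom.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_pubkey(priv: bytes) -> bytes:
    """Pure-Python `wg pubkey`: clamp the scalar, then RFC 7748 ladder on u = 9."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = 9
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_configs(server_priv: bytes, client_priv: bytes, endpoint: str,
               server_ip: str = "10.0.0.1", client_ip: str = "10.0.0.2") -> tuple:
    """Render wg-quick configs for the Pi (server) and one client device."""
    b64 = lambda b: base64.b64encode(b).decode()
    server = (f"[Interface]\nAddress = {server_ip}/24\nListenPort = 51820\n"
              f"PrivateKey = {b64(server_priv)}\n\n"
              # The listener answers only packets authenticated under this key;
              # each extra device gets its own [Peer] block with a /32 AllowedIPs.
              f"[Peer]\nPublicKey = {b64(x25519_pubkey(client_priv))}\n"
              f"AllowedIPs = {client_ip}/32\n")
    client = (f"[Interface]\nAddress = {client_ip}/24\n"
              f"PrivateKey = {b64(client_priv)}\nDNS = {server_ip}\n\n"
              f"[Peer]\nPublicKey = {b64(x25519_pubkey(server_priv))}\n"
              f"Endpoint = {endpoint}\nAllowedIPs = 10.0.0.0/24\n"
              # Keepalive holds the NAT mapping open for a roaming client.
              f"PersistentKeepalive = 25\n")
    return server, client

if __name__ == "__main__":
    import os  # constructed demo: random keys, placeholder endpoint
    srv, cli = wg_configs(os.urandom(32), os.urandom(32), "vpn.example.com:51820")
    print(srv, "---", cli, sep="\n")
```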


All of these are assuming that at least one end of the tunnel has a (somewhat) static IP and the ability to open an IPv4 port for incoming UDP connections.

If that's you, you probably don't need Tailscale.

But if your scenario is e.g. SSHing from your phone to a Raspberry PI behind a carrier-grade NAT, it's definitely worth a look.

> 2. Open the WireGuard port to the Internet (don't worry, it's invisible)

Not quite the same. Opening a WireGuard port to the Internet doesn't help if the port is unreachable due to weird NATting.

My home ISP puts me on CGNAT so I have no IPv4 access to my network. If I'm out and on a v4-only network, I can't connect to that WireGuard instance without going through other hoops (like a "bastion" WireGuard peer on a dual-stack host, for instance). With Tailscale, it Just Works.

You're likely going through a Tailscale relay when you're out of your house too. It's still an extra hop through their servers, but yes it "just works".

According to them, not necessarily [0]. They do have relay servers (they call them DERPs) [1] but they're only used in rare situations where UDP is blocked entirely.

I admit I wasn't able to understand most of those explanations so I could be wrong. :)

[0] https://tailscale.com/blog/how-nat-traversal-works/

[1] https://tailscale.com/blog/how-tailscale-works/#encrypted-re... under "Encrypted TCP relays (DERP)"

Yeah, definitely worth mentioning that WireGuard is actually super easy to manually configure, especially if you don't have a bazillion hosts or need to integrate with auth domains. I think a lot of the stuff individuals end up setting up Tailscale/Zerotier for (they obviously have a lot of other stuff going on, but the relevance to individual/small group users may be limited) would be equally well-served by plain old WireGuard.

> "Open the WireGuard port to the Internet (don't worry, it's invisible)"

Thanks. Can you elaborate on how it's invisible? I was looking at the docs and it looks like it defaults to UDP port 51820. Certainly that's visible, no?

WireGuard does not reply to invalid connection attempts that don't have an authorized key, so it depends on what your system does for closed ports. If it (as is often the default) responds with an ICMP message, then the lack of such a response will reveal that there is something there, whereas if your default is to silently drop packets to closed UDP ports it can't really be detected.

Since a WireGuard peer only responds to cryptographically authenticated packets and UDP is connectionless — you don't get confirmation at the transport layer by way of a handshake or anything — WireGuard ports are invisible to you unless you own a private key whose corresponding public key is already approved by the peer.