> What isn't easy about forwarding packets destined for port 80/443 of your public IP to the local service in question and being a part of the public Internet like things were from the start?

- Not every home internet service gets a publicly routable IPv4 address anymore (e.g. CGNAT)
- Not every home internet service gets a static IPv4 address so folks have to handle DynDNS
- Not everyone is comfortable exposing their home network IP address in DNS (Tailscale only shares the endpoint IP once the endpoint is auth'd onto the network)
- Not everyone is comfortable configuring heavy auth/fail2ban/app layer safeties (Tailscale makes the services uncontactable unless you are auth'd into the Tailscale network)
- Not everyone is comfortable/can be bothered configuring Wireguard in highly dynamic environments

> Using Tailscale is the opposite of self-hosting, you're bringing someone else's third party service in, and adding more complexity and another point of failure.

Self-hosting need not be a zealot position - rather one can pick and choose what makes sense for them. Tailscale allows you to build your own network where all the nodes are auth'd (and tailscale lock means you don't even need to trust their keys by default) and non-public internet routable but still globally reachable from known safe devices. This can actually make folks more comfortable with self-hosting their own stuff since it removes so many other considerations. There is also headscale if folks want to self-host the coordination server.

Some argue that a third party service adds complexity and a point of failure. I'll point out that configuring a self-hosted publicly exposed thing from scratch for the first time has a rabbit hole of unknown complexity to the uninitiated. A tool like Tailscale can remove some of those complexities allowing focus on others.

For anyone who has only this specific problem out of your list, one solution is to get an HE tunnel. It's what I do.
If my ISP ever gets off its ass and implements IPv6 like it promised three years ago, I'll consider using that directly, though its current indication is that the IPv6 addresses will be dynamic for non-business customers which defeats the purpose.