by xoa 929 days ago
>What does it give you that Wireguard doesn't (or OpenVPN)? Just easier to configure + setup + a nice UI? Just making sure I'm not missing something, not trying to knock Tailscale.

I personally haven't deployed it though I've toyed with it, but I think as well as UI and integrations a core topology differentiator is that, like Nebula, Tailscale does/can do meshing. Plain vanilla Wireguard is pure classic hub-and-spoke, which is 100% fine for a basic VPN use case like "I'm out somewhere on the WAN and want to talk to this LAN stuff" or "I want to tunnel some/all my traffic through some specific alternate exit".

But say you've got main site A which has a public static IP and is where support is for administrating others, site B which has a full backup server but no public IP, and then sites C/D/E/etc where people are doing work and having significant on-site storage and comms needs, all of which are behind typical ISP NAT from multiple different ISPs with no static IPs. Everyone wants to be able to do high bandwidth things like video chat directly together, or back up/restore to site B. Plain WG could do that, but would funnel it all through site A's link which isn't very scalable and likely to become a choke point in a hurry. A meshing VPN can let two private sites talk directly with a public address only serving to facilitate hole punching and setting up the connection each time. It's definitely of real value. Another thing would be not bandwidth but latency. If you're within a few hundred miles on land that probably is irrelevant. But if different sites/people are across continents adding an unnecessary extra hop may become a very big deal even for simple web apps. Resiliency also enters the equation, what if site A goes down? A mesh can help with those too.

Then Tailscale adds a lot of cool QoL on top. Meshing does raise new challenges in terms of access control vs when everything is funneled through a single convenient point. But regardless, other topologies can be of basic interest too even without extra sugar.


> Wireguard is pure classic hub-and-spoke

No it's not. You can do any to any just fine (and any topology in between these extremes).

Nice job skipping the explicit qualifier of "plain vanilla"? Being able to build your own version on top isn't the same as an existing tested product.

Not sure what you mean by "on top". All you need is to configure not just a single endpoint in each node's wireguard config, but all of them. That's still as vanilla and as "tested product" as it gets. It's just a regular wireguard configuration.

You can do any to any just fine [open NAT ports, run your own distributed fallback network of TURN/STUN relays, add the adequate routing entries to your routing tables on both sides, exchange certificates, all of this for every extra N connections], you just probably don't want to do (and then fix if it doesn't work or stops working) that if N is too big.
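
The two comments above disagree over what "plain vanilla" WireGuard needs for any-to-any. Concretely, the difference between hub-and-spoke and full mesh is only which [Peer] sections each node carries (spokes route the whole overlay via the hub; mesh nodes list every other node as a /32), plus the caveat in the second comment: a pair of nodes that are both behind NAT can carry each other's keys but have no Endpoint to send to, so plain WireGuard cannot bring that tunnel up without hole punching or a relay. The generator below is an added example, not code from the thread or from the WireGuard project; the node names, placeholder keys, the 10.0.0.0/24 overlay and the hostnames are constructed for illustration.

```python
"""Emit WireGuard configs for the same node list in two topologies and report
the NAT-to-NAT pairs a full mesh cannot connect on its own.
Added example; the inventory and keys below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WG_SUBNET = "10.0.0.0/24"   # overlay range (assumed for this example)
LISTEN_PORT = 51820
KEEPALIVE = 25              # seconds; holds a NAT mapping open toward a public peer


@dataclass(frozen=True)
class Node:
    name: str
    pubkey: str               # base64 WireGuard public key (placeholder strings below)
    wg_ip: str                # this node's address inside the overlay
    endpoint: Optional[str]   # "host:port" if reachable from the internet, None if behind NAT


def interface_section(node: Node) -> str:
    prefix_len = WG_SUBNET.split("/")[1]
    return "\n".join([
        "[Interface]",
        f"# {node.name}",
        f"Address = {node.wg_ip}/{prefix_len}",
        f"PrivateKey = <{node.name} private key>",   # placeholder; keep real keys out of generators
        f"ListenPort = {LISTEN_PORT}",
    ])


def peer_section(me: Node, peer: Node, allowed_ips: str) -> str:
    lines = ["[Peer]", f"# {peer.name}",
             f"PublicKey = {peer.pubkey}", f"AllowedIPs = {allowed_ips}"]
    if peer.endpoint:
        lines.append(f"Endpoint = {peer.endpoint}")
    # Only a NATed node talking to a publicly reachable peer needs keepalives:
    # they keep the NAT mapping open so the public side can initiate traffic.
    if me.endpoint is None and peer.endpoint is not None:
        lines.append(f"PersistentKeepalive = {KEEPALIVE}")
    return "\n".join(lines)


def hub_and_spoke(nodes: List[Node], hub_name: str) -> Dict[str, str]:
    """Each spoke knows only the hub and routes the whole overlay through it.
    The hub additionally needs IP forwarding enabled (a sysctl, not wg config)."""
    hub = next(n for n in nodes if n.name == hub_name)
    confs: Dict[str, str] = {}
    for n in nodes:
        if n is hub:
            peers = [peer_section(hub, s, f"{s.wg_ip}/32") for s in nodes if s is not hub]
        else:
            peers = [peer_section(n, hub, WG_SUBNET)]
        confs[n.name] = "\n\n".join([interface_section(n), *peers]) + "\n"
    return confs


def full_mesh(nodes: List[Node]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Each node lists every other node as a /32 peer. Pairs where neither side
    has a public endpoint are still emitted (the keys are valid) but are returned
    separately: with no Endpoint on either side, plain WireGuard never learns
    where to send the handshake, so that tunnel stays down."""
    confs: Dict[str, str] = {}
    dark_pairs: List[Tuple[str, str]] = []
    for n in nodes:
        peers = []
        for p in nodes:
            if p is n:
                continue
            peers.append(peer_section(n, p, f"{p.wg_ip}/32"))
            if n.endpoint is None and p.endpoint is None and n.name < p.name:
                dark_pairs.append((n.name, p.name))
        confs[n.name] = "\n\n".join([interface_section(n), *peers]) + "\n"
    return confs, dark_pairs


# Constructed sample inventory: one site with a public address, three behind NAT.
NODES = [
    Node("A", "pubkeyA-placeholder=", "10.0.0.1", "a.example.net:51820"),
    Node("B", "pubkeyB-placeholder=", "10.0.0.2", None),
    Node("C", "pubkeyC-placeholder=", "10.0.0.3", None),
    Node("D", "pubkeyD-placeholder=", "10.0.0.4", None),
]

if __name__ == "__main__":
    spoke_confs = hub_and_spoke(NODES, "A")
    mesh_confs, dark = full_mesh(NODES)
    print(spoke_confs["B"])
    print(mesh_confs["B"])
    print("mesh pairs with no reachable endpoint on either side:", dark)
```

Running it shows the point both commenters are making: the mesh config for B is just a longer list of [Peer] blocks, nothing beyond stock wg-quick syntax, but the returned pair list (B-C, B-D, C-D) is exactly the set of links that needs either a public port, a relay, or a coordination layer such as Tailscale or Nebula before any packets flow.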

Yes. I may also run it on top of IPv6 and not care about all that, except for public key distribution.

IPv6 when it works is awesome.

However, outside some well-connected datacenters with multiple peering exchanges, I have no clue where in the world you can run everything in IPv6 with even a single nine in availability.

At my home I would say assuming single nine availability of IPv6 traffic is too much availability - it's very common that IPv6 is borked for several months in a row.