by fransje26 794 days ago
> Tailscale connections are almost entirely peer to peer after an initial NAT busting operation.

Ah, interesting, thanks. That would indeed make it a lot less costly. I would need to dive into it to get a better understanding of how their service works.

Would you happen to have some good resources you found useful?

1 comments

They have tons of great documentation — https://tailscale.com/blog/how-tailscale-works
Well, this addresses the sniffing concern. From the link:

    Note that the private key never, ever leaves its node. This is important because the private key is the only thing that could potentially be used to impersonate that node when negotiating a WireGuard session. As a result, only that node can encrypt packets addressed from itself, or decrypt packets addressed to itself. It’s important to keep that in mind: Tailscale node connections are end-to-end encrypted (a concept called “zero trust networking”).
Thanks!