Hacker News
by lorenzo95 774 days ago
You are correct. Your traffic is routed peer to peer (there are relay nodes available in case your devices fail to find each other; you can disable these in the config if you wish to do so). All Tailscale provides is an API to let your nodes find each other. However, the concern of the community is that Tailscale generates and knows all your WG keys. In theory they could look at your traffic. Personally, I use Tailscale happily.
2 comments

The Tailscale client generates WireGuard key pairs, but only sends public keys to the control plane. The private keys remain on the device only. With only the public keys, the Tailscale control plane cannot snoop on your traffic.
You mean Tailscale generates a hidden master key to which all traffic is encrypted?

This would be a joke back door!

Any link to discussions around this?