[bakugo]

Normally I'd agree with the philosophy, but I don't really see how you can say this about vanilla Wireguard in particular considering how involved it is, especially if you have more than 2 devices that you want to connect together.

Not only do you need to manually manage the keys for each device and make sure they're present in every other device's configuration, but plain Wireguard also cannot punch through NATs and firewalls without any open ports like Tailscale can, as far as I know.

Combine that with the fact that networking issues can be some of the hardest to diagnose and fix, and something like Tailscale becomes a no-brainer. If you prefer using plain Wireguard instead, that's fine, and I still use it too for some more specific use cases, but trying to argue that Tailscale is entirely unnecessary is just wrong.

[Capricorn2481]

> but plain Wireguard also cannot punch through NATs and firewalls without any open ports like Tailscale can, as far as I know

I could be wrong, but I think Tailscale just does what you can do on Wireguard, which is `PersistentKeepAlive`. It lets a wireguard client periodically ping another to keep the NAT mapping open.

[bakugo]

What that does is allow existing outgoing connections through a NAT to remain open long-term, it doesn't actually help with establishing an initial connection if both sides are behind a NAT or closed firewall.

Tailscale handles this, and can establish a direct connection between two machines without either of them needing an open port listening for new connections.

There's an article on their website that explains how they do it: https://tailscale.com/blog/how-nat-traversal-works

[lucideer]

> trying to argue that Tailscale is entirely unnecessary is just wrong

Tailscale is great if it meets your requirements, & it probably does for most - I wasn't arguing that at all. Only that it won't be an option for everyone: in particular a non-tiny subset of home server hosters.