[Capricorn2481]

> but plain Wireguard also cannot punch through NATs and firewalls without any open ports like Tailscale can, as far as I know

I could be wrong, but I think Tailscale just does what you can do on Wireguard, which is `PersistentKeepAlive`. It lets a wireguard client periodically ping another to keep the NAT mapping open.

[bakugo]

What that does is allow existing outgoing connections through a NAT to remain open long-term, it doesn't actually help with establishing an initial connection if both sides are behind a NAT or closed firewall.

Tailscale handles this, and can establish a direct connection between two machines without either of them needing an open port listening for new connections.

There's an article on their website that explains how they do it: https://tailscale.com/blog/how-nat-traversal-works