by pkulak 79 days ago
If you're just doing hub-and-spoke anyway, yeah, you can do it yourself. I did for years. But holy smokes, is it a PITA to manually copy keys around to devices; especially when they might not even be yours. I have my Tailscale account hooked up to my self-hosted identity server and now it's just a matter of logging in on whatever device I want to be on the network.

Plus, I have the option of spinning up a random EC2 box whenever I want and instantly joining it to the network with basically no fuss.


I feel like articles like this do Tailscale a disservice to a certain degree. Most people know Tailscale helps with managing the mesh of connected devices, and, as many people have said here, you can do this manually with WireGuard, Netbird, Nebula, ZeroTier and many others. What makes Tailscale so helpful is the ACL system. I have about 40 devices connected to my Tailnet and, depending on tags, devices can or can't access direct communication and also certain exit node networks. Traditional VPNs generally suck because you dump out of a host and have flat access to everything. Tailscale allows you to segment access without disrupting general Internet access with minimal friction, and ACLs allow segmentation to happen at the user / device level. Most people aren't using Tailscale ACLs; in fact I rarely hear it discussed. Also the article fails to mention Tailscale Peer Relays [0], which decrease the dependency on DERP relays significantly and are controlled by, you guessed it, ACLs.

[0] https://tailscale.com/blog/peer-relays-beta
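The segmentation point made above (tag-based rules, default deny, exit-node access gated separately from peer access) can be seen concretely with a small evaluator. This is an added example, not Tailscale's own code and not the commenter's: the policy below is a constructed sample in the shape of a tailnet policy file (`acls` entries with `action`, `src`, `dst`), the tags `tag:family`, `tag:media` and `tag:exit` are hypothetical, and `allowed()` is a deliberately simplified matcher that understands only literal selector strings, `*`, port lists and port ranges, so it is not a faithful reimplementation of Tailscale's rule semantics.

```python
import json

# Constructed sample in the shape of a tailnet policy file. Tags are hypothetical.
# Default deny: a flow is allowed only if some "accept" rule matches it.
SEGMENTED_POLICY = json.loads("""
{
  "tagOwners": {
    "tag:family": ["autogroup:admin"],
    "tag:media":  ["autogroup:admin"],
    "tag:exit":   ["autogroup:admin"]
  },
  "acls": [
    {"action": "accept", "src": ["tag:family"],     "dst": ["tag:media:443,8096"]},
    {"action": "accept", "src": ["tag:family"],     "dst": ["autogroup:internet:*"]},
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]}
  ]
}
""")

# The "traditional VPN" shape the comment complains about: everyone reaches everything.
FLAT_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}


def _parse_dst(entry: str):
    """Split 'tag:media:443,8096' into ('tag:media', {443, 8096}); '*' ports -> None."""
    target, _, ports = entry.rpartition(":")
    if ports == "*":
        return target, None
    port_set = set()
    for part in ports.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            port_set.update(range(int(lo), int(hi) + 1))
        else:
            port_set.add(int(part))
    return target, port_set


def allowed(policy: dict, src_selectors: set, dst_selectors: set, port: int) -> bool:
    """Simplified matcher: True iff an accept rule covers the src, dst and port.

    src_selectors / dst_selectors are the selector strings a node matches, e.g.
    {"tag:family"} or {"autogroup:admin"}; use {"autogroup:internet"} as the
    destination for traffic leaving through an exit node.
    """
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(s == "*" or s in src_selectors for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            target, ports = _parse_dst(entry)
            if (target == "*" or target in dst_selectors) and (ports is None or port in ports):
                return True
    return False  # nothing matched: default deny


def reachable_matrix(policy: dict, nodes: dict, port: int) -> dict:
    """For each (src, dst) pair of named nodes, report whether src may reach dst:port."""
    return {
        (s, d): allowed(policy, nodes[s], nodes[d], port)
        for s in nodes for d in nodes if s != d
    }


if __name__ == "__main__":
    nodes = {"kid-laptop": {"tag:family"}, "jellyfin": {"tag:media"}, "exit-box": {"tag:exit"}}
    for pair, ok in reachable_matrix(SEGMENTED_POLICY, nodes, 22).items():
        print(pair, "ssh allowed" if ok else "ssh denied")
```

Under `SEGMENTED_POLICY` a family device reaches the media box only on 443 and 8096 and can egress to the Internet via an exit node, but the media box cannot initiate anything toward family devices; under `FLAT_POLICY` every pair is reachable on every port, which is the "flat access to everything" the comment describes.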

The article does list what Tailscale adds on top of WireGuard:

> WireGuard by itself is mostly the data plane. Tailscale adds the control plane on top: identity/SSO, peer discovery, NAT traversal coordination, ACL distribution, route distribution (including exit node default routes), MagicDNS, and fast device revocation.

I think you missed the point. There's nothing in the article going into any of why this would help differentiate Tailscale from plain-old-WireGuard. Simply saying this and moving on is not that.

Hey, OP here. Thanks for the feedback. I will dive deep into this too!

I have a phone and laptop; those are my only two "mobile" devices that I might ever use to access my home network remotely. I set them up once, it took a few minutes, and I won't have to do it again unless I replace one of them.

I can completely understand using Tailscale for enterprise networks, but it seems very overengineered for my personal VPN needs.

Yeah, sure, that seems simple enough.

I have a family of four. Plus a couple relatives who like having access to some of my self-hosted stuff. So, that's 6 people, each with at least one phone and one laptop, but probably an iPad too, or an extra work laptop, or something else random. Plus my youngest is addicted to buying old laptops on eBay and switching to them.

You made me curious, so I looked it up: I have 17 machines. Yeah... I'm not going back to plain WireGuard. :D

How do you handle home network IP changes?

I had this issue, with an even more wild set of restrictions, so I used Caddy to "output its own access log" and I had a cron job on any server at home that would hit that Caddy server with a pre-defined key, so like `http://caddyserver.example.com/q?iamwebserver2j` for one server and `q?iamVOIP` for another.

https://github.com/genewitch/opensource/blob/master/caddy_ge...

https://github.com/genewitch/opensource/blob/master/show_own...

And now I have bi-directional IP exposure. It's cute because you can't tell if you just drive by; it doesn't look like it does anything. You have to refresh to see your IP, which is a little obfuscation.

If you care about security, not sure what to tell you. Use port knocking.

Please note: this doesn't require installing anything on any remote, just a cron job to curl a specific URL (arbitrary URL). I used it to find the IP to ssh on remote radio servers (like allstar, d-star) for maintenance, for example.
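The log-reading half of the scheme described above (a beacon hits `/q?<key>`, the access log records the source address, and a script later pulls the latest address per key out of the log) can be shown in a few lines. This is an added example written for this page, not the commenter's scripts from the linked repository. The beacon keys reuse the two from the comment, the log lines are constructed, and the field names (`ts`, `request.remote_ip`, `request.uri`) are assumed to follow Caddy 2's default JSON access-log encoder; adjust them if your Caddy version or log config differs.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Beacon keys -> friendly names. The keys come from the comment above; the
# mapping itself is constructed for this example.
BEACONS = {"iamwebserver2j": "webserver2", "iamVOIP": "voip"}

# Constructed Caddy-style JSON access log lines. Addresses are documentation
# ranges. The last two lines are a drive-by guess and a junk line, which the
# parser must ignore rather than treat as a beacon.
SAMPLE_LOG = """
{"ts":1700000000.1,"request":{"remote_ip":"203.0.113.7","uri":"/q?iamwebserver2j"},"status":200}
{"ts":1700000050.2,"request":{"remote_ip":"198.51.100.9","uri":"/q?iamVOIP"},"status":200}
{"ts":1700000100.3,"request":{"remote_ip":"192.0.2.44","uri":"/q?iamwebserver2j"},"status":200}
{"ts":1700000120.0,"request":{"remote_ip":"192.0.2.200","uri":"/q?guess"},"status":200}
{"ts":1700000130.0,"request":{"remote_ip":"192.0.2.201","uri":"/"},"status":200}
this line is not JSON and must be skipped
"""


def latest_beacon_ips(lines, beacons=BEACONS, path="/q"):
    """Return {beacon_name: most recent source IP} from JSON access-log lines.

    Only requests to `path` whose bare query string equals a known key count;
    unknown keys (drive-bys) and malformed lines or addresses are dropped.
    """
    newest = {}  # name -> (ts, ip)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        req = rec.get("request", {})
        parts = urlsplit(req.get("uri", ""))
        if parts.path != path:
            continue
        # The beacon URLs in the comment are /q?iamVOIP: the key is the whole query.
        name = beacons.get(parts.query)
        if name is None:
            continue
        try:
            ip = ipaddress.ip_address(req.get("remote_ip", ""))
        except ValueError:
            continue
        ts = float(rec.get("ts", 0))
        if name not in newest or ts >= newest[name][0]:
            newest[name] = (ts, str(ip))
    return {name: ip for name, (_, ip) in newest.items()}


if __name__ == "__main__":
    for name, ip in latest_beacon_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {ip}")
```

Run it against a real log with `latest_beacon_ips(open("/var/log/caddy/access.log"))`. Note that the key travels in the URL, so anyone who can read the access log (or a proxy in front of Caddy) learns it; that is the gap the comment's "use port knocking" remark is pointing at.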

Not OP, but a static IP was about US$10 as a one-off payment.

It’s really nice.

Dynamic DNS
Cloudflare tunnels