
Yeah, I don't understand how it is so prevalent in the self-hosted community. I would never install this on my server, just use WireGuard/OpenVPN ...

edit: okay, CGNAT



> Yeah, I don't understand how it is so prevalent in the self-hosted community.

Not just CGNAT, but not having _any_ external ports open can be a beautiful thing. I used to have an SSH port (not on the standard 22) and the amount of auth attempts back then was insane. I now have a full firewall with zero open ports, but, thanks to Tailscale, I can still safely access my machines while not being at home, with zero unauthorized attempts.

And since I am a security person, I use the Tailscale lock feature so not even Tailscale themselves can add nodes to my network. Even if they had a breach.

I am a very happy customer.
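The "insane" volume of auth attempts the commenter mentions is something you can measure before deciding whether to close the port. The script below is an added example, not code from anyone in this thread: it parses OpenSSH's standard "Failed password/publickey for ... from ... port ..." syslog lines, counts rejected attempts per source address, and flags sources above a threshold. The log lines are constructed samples.

```python
"""Count failed SSH authentication attempts per source IP from sshd log lines.

Added example for the thread above; not the commenter's code. SAMPLE_LOG is a
constructed excerpt in the usual OpenSSH syslog format.
"""
import re
from collections import Counter

# OpenSSH logs one "Failed <method> for [invalid user] <name> from <ip> port <port>"
# line per rejected attempt, for both password and public-key auth.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample: one noisy scanner, one stray key attempt, one real login.
SAMPLE_LOG = """\
Mar 12 02:14:01 host sshd[2411]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar 12 02:14:03 host sshd[2411]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar 12 02:14:09 host sshd[2415]: Invalid user admin from 203.0.113.5 port 51140
Mar 12 02:14:09 host sshd[2415]: Failed password for invalid user admin from 203.0.113.5 port 51140 ssh2
Mar 12 02:15:30 host sshd[2420]: Failed publickey for git from 198.51.100.7 port 40012 ssh2: RSA SHA256:abc
Mar 12 02:16:00 host sshd[2430]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:def
"""


def parse_failed_auths(log_text):
    """Yield (ip, user, method) for every rejected authentication line.

    Only "Failed ..." lines are counted; the preceding "Invalid user" line for
    the same attempt is deliberately ignored so one attempt is not counted twice.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("method")


def failures_per_source(log_text):
    """Map source IP -> number of rejected attempts."""
    return Counter(ip for ip, _, _ in parse_failed_auths(log_text))


def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` rejected attempts, busiest first."""
    counts = failures_per_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in failures_per_source(SAMPLE_LOG).most_common():
        print(f"{ip:<16} {n} failed attempts")
    print("over threshold:", noisy_sources(SAMPLE_LOG))
```

Point it at a real file with `failures_per_source(open("/var/log/auth.log").read())`; the same counts are what tools like fail2ban act on, and they are a useful baseline to compare against after the port is closed.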


If you're using only key-auth and have password auth disabled, I'm not sure why unauthorized attempts are a problem.


> If you're using only key-auth and have password auth disabled, I'm not sure why unauthorized attempts are a problem.

See the xz vulnerability for more details. It's about not trusting people with any of my ports/software (directly).


Did you vet all Tailscale infra? Because now your attack surface is way higher. Wouldn't surprise me if the xz is somewhere in there as well.


> Did you vet all Tailscale infra?

> I use the tailscale lock feature so not even tailscale themselves can add nodes to my network.

https://tailscale.com/blog/tailnet-lock

https://tailscale.com/kb/1226/tailnet-lock


If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every node's key anyway...

Also, it seems their infrastructure runs on AWS, not exactly confidence-inspiring from a censorship/privacy risk standpoint.

I think Tailscale also doesn't provide transient quantum resistance. WireGuard traffic can be made quantum resistant with a PSK. I fail to see why one would use Tailscale over just WireGuard other than for "convenience" reasons, which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.


> If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every node's key anyway...

I do verify every node's key. That's kind of the point of Tailscale lock, unless I am missing something.

> Also, it seems their infrastructure runs on AWS, not exactly confidence-inspiring from a censorship/privacy risk standpoint.

I don't understand what censorship has to do with a personal home network?

Privacy, on the other hand, is fair. For my use case this is a home network; I am not that concerned that they know what devices talk to what devices. Yes, they know my IP address, but that's not valuable since it's all defended by the tailnet lock.

> I fail to see why one would use Tailscale over just WireGuard other than for "convenience" reasons, which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.

Direct access to my network being limited behind Tailscale, with a requirement to be part of my Tailscale network signature, satisfies my requirements for no one else's access to my network at all. And only if I am away from home does any of my traffic pass through a relay.

Tailscale has more device support than any WireGuard app I know of. I don't believe WireGuard has Apple TV support, but Tailscale does.

I am not the only member of my family either; including them in this network with the simplicity of Tailscale's apps is also important.


WireGuard, unlike SSH, behaves like a closed port unless the client successfully authenticates. As far as an unauthenticated client is concerned, you don't have a listening service ("opened port") at all.

I mean, yeah, if you unfortunately have to deal with CGNAT, then you gotta do what you gotta do. But other than that, what's the issue with self-hosting WireGuard?
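To make the two protocol points raised in this thread concrete (WireGuard answering only peers whose key it already knows, and the optional pre-shared key mentioned earlier), here is a minimal self-hosted WireGuard server and client configuration. It is an added illustration, not a configuration posted by any commenter; the addresses, the hostname `vpn.example.org` and every key value are placeholders.

```ini
# /etc/wireguard/wg0.conf on the self-hosted server (illustrative; keys are placeholders)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# Generated once, offline: wg genkey | tee server.key | wg pubkey > server.pub
PrivateKey = <server private key from wg genkey>

# One [Peer] block per device whose public key you verified out of band.
# UDP datagrams on 51820 that are not a valid handshake for one of these
# keys are dropped without a reply, so a port scan sees nothing listening;
# there is no coordination server involved in deciding who is a peer.
[Peer]
PublicKey = <laptop public key, copied from the laptop>
# Optional 256-bit symmetric key shared out of band (wg genpsk). WireGuard mixes it
# into the handshake in addition to the Curve25519 exchange, which is the
# protocol's stated post-quantum mitigation for the session keys.
PresharedKey = <key from wg genpsk>
AllowedIPs = 10.8.0.2/32

# ---- matching client (laptop) config, e.g. ~/wg0.conf ----
# [Interface]
# Address = 10.8.0.2/24
# PrivateKey = <laptop private key from wg genkey>
#
# [Peer]
# PublicKey = <server public key>
# PresharedKey = <same key from wg genpsk>
# Endpoint = vpn.example.org:51820
# AllowedIPs = 10.8.0.0/24
# # keeps the home router's NAT mapping alive so the server can reach the client
# PersistentKeepalive = 25
```

Bring the tunnel up with `wg-quick up wg0` on both sides and check handshakes with `wg show`; a peer that is missing from the server's `[Peer]` list, or that uses the wrong PresharedKey, never completes a handshake and gets no response at all, which is the "closed port" behaviour described above.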


> But other than that, what's the issue with self-hosting Wireguard?

User simplicity. I am not the only one on my home network who I want to be able to access some parts of the things I build.

Device support. I appreciate that Tailscale has gone out of their way to bring Tailscale to even more devices than WireGuard supports. Namely Apple TV: WireGuard does support iOS but doesn't seem to currently support Apple TV, or maybe just my version of Apple TV.



