Recently I gave in to all the Tailscale ads in the podcasts I listen to and decided to try using it instead of my existing Wireguard config to access home network & remote servers from all of my devices.

What I found to be good so far:

  1. It’s really quick and easy to add new devices. Simply download the client, run a couple of commands (if on Linux) and click a few buttons in the admin web panel (if needed). In terms of usability, this definitely beats writing config files for each new client on both the new node and all the other nodes it needs to access.

  2. By default, Tailscale automatically manages DNS on your Tailscale “LAN” via its “MagicDNS” (you can also disable it and set your own DNS servers), allowing you to easily assign custom hostnames. You can then talk to the machines on your Tailnet simply by referring to their hostname.

  3. The web panel allows you to set up rules as to which node can talk to which, etc. This is heavily abstracted from the actual routes, which is both good and bad, but pretty functional, which is definitely good.

What I found to be less good so far:

  1. Tailscale completely relies on third-party OAuth for security, which is an L in my eyes. While I’m not inherently averse to using OAuth from big guys like Google or Microsoft and I understand the appeal, it still goes against the spirit of self-hosting, IMO.

  2. Network performance is not as good as bare Wireguard. It’s not a big difference, but sometimes a noticeable one. The reason for that is also obvious - in order to enable things like MagicDNS and automatic management of keys, routes, etc…

  3. …Tailscale needs to act as a middle man in many scenarios. Which in itself is not an issue for me, but it would be nice if you could self-host that part of infrastructure. I also seem to remember that ZeroTier, a competitor/alternative to Tailscale, allows just that.

  4. Tailscale assigns all your nodes a random IP in the 100.64.0.0/10 range that you can’t edit. The reason you can’t is that this address space is shared by all Tailscale clients and managed internally, allowing all the nice and abstracted functionality in the control panel. Unless you are trying to write your own routes/firewall rules on top of Tailscale, it also doesn’t matter. Still, I would enjoy a bit more control over this, say, a possibility to group my Tailscale nodes into different subnets and set firewall rules accordingly. Again, this comes back to self-hosting the “backend” of Tailscale infrastructure.

In conclusion, functionally Tailscale does exactly what it sets out to do and is extremely user friendly. If you are routinely adding and removing devices from your personal VPN network, it would make your life A LOT easier compared to dealing with Wireguard directly. On the other hand, if you need more of a set-and-forget setup to allow a couple of devices to talk to each other, I think I would just do it directly with Wireguard - it’s not that complicated.

I might have a look at ZeroTier next, as I suspect I might like their model more.