Tailscale employee here. Imagine wireguard being even less effort to set up. Imagine no more firewall rules required. Imagine it being so easy it takes 5 minutes to put 2 devices on your network. That's what tailscale brings at its core. Then we can talk about things like ACLs, SSH, Tailauth, and more built on top of it.
There is also the automatic NAT traversal. Sure for devices on a home network, one can often set up port forwarding (or be lucky enough to have working ipv6). Corporate networks though often have NAT that regular employees cannot reconfigure, and probably don’t want to set up port forwarding to your machine.
Now imagine your workstation is on corp 1 network behind a NAT, and you are out at a corporate client with your laptop, behind another NAT, and need to access your workstation. With traditional wireguard, this situation would require negotiating port forwarding with one of the corps, or require using some form of publicly available bastion host.
With tailscale these things are not even a consideration. You will be able to access your workstation by name, without having to do anything extra.
Even where the corporate client has a crazy restrictive outbound firewall allowing only port 80 and port 443 to the public internet, you will be able to access your machine without having to do anything special. (In this case you would definitely be using tailscale’s Relay servers, so would have limited bandwidth, but it will still work seamlessly from your perspective.)
And assuming the tailnet you are using is your company's (rather than you adding your workstation to a personal tailnet), you could access not just your workstation, but any other machine that has tailscale installed and is connected to the same tailnet that the tailscale ACLs allow access to. So for example, the corporate documentation file share server, perhaps the reporting database server, etc.
I know that Xe previously had a rather nice manual Wireguard configuration that is either completely ripped out, or is at least seldom used, because tailscale is just simpler.
You don’t need any port forwarding, even in infinitely complex corporate networks: All users in the private network connect to a Wireguard access VPN that runs on a VPS, and talk to each other.
That VPN needs to listen on a port. But with a mesh VPN, that’s exchanged for coordination and/or relay servers that listen on a port and facilitate the connection, at a minimum in the initial phase. There are open ports in mesh VPNs too.
The advantage of the old school access VPN is that, 1) fewer third parties are to be trusted, 2) your VPS is likely going to be in your geographical area, so if you are in a restrictive corporate network (considering that you emphasized this example), you get fast connection speeds vs potentially slow relays.
You may say, the access VPN may be far from the users. If you have a global business, sure, you need several VPSes, which you may replace with several DERP nodes around the world in Tailscale, but for home users and some businesses, users are often in the same region.
Don’t get me wrong. I like mesh VPNs. They are convenient and useful, especially for small businesses. I tried Tailscale, it was simple and clean. But sometimes people make incorrect statements; just pointing this out.
Sure you don't need it, but you may _want_ it. Consider that some people really don't want to set up a reflector server in the cloud (not to mention how that means your reflector server's bandwidth limit becomes your whole VPN's bandwidth limit). Having the nitty-gritty of the data plane be peer to peer as much as possible means that your network has practically unlimited data. If I am trying to SSH into one of the machines under my desk I shouldn't need to poke a server in a datacenter downtown to do it.
There's also a bunch of people that want the convenience of being able to access things like their Synology NAS remotely. I'm almost certain that none of them want to set up a server in the cloud, or even understand what that means. Not everyone is super technically apt, and as a matter of policy we shouldn't try and make things with the assumption that everyone using them is a computing god already. People have to start from somewhere and it's perfectly okay for some people to not want to deep dive into the unrestrained horror of managing linux servers.
Things you don't have to do are easier than things you have to do.
Using a wireguard vpn concentrator “works”, but it has limitations like having a higher chance of interfering with access to the local network while connected. (Because the private addresses the remote network is using have a reasonable chance of clashing with the addresses on the local network.)
Also, you absolutely need either port forwarding (or other forms of static NAT mapping) for the concentrator, or to run the concentrator outside of the NAT. (Which might be by running the software on the router that does NAT, or a separate device with a routable address).
Setting up vpn concentration solutions that limit your network access to only specific devices depending on who you sign in as is often quite complicated, to the point where I rarely see it done well. Often if you are connected, you get full access to several corporate subnets, and you are mostly limited by things like router acls not allowing VPN connections direct access to some production subnets.
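The hub-and-spoke layout argued over above (one WireGuard concentrator on a VPS that every peer connects to and relays through) and the address-clash caveat raised in the previous comment can both be made concrete. What follows is an added example written for this page, not code from anyone in the thread and not Tailscale's or WireGuard's own tooling. It generates WireGuard keypairs with a pure-Python X25519 (so it runs without `wg` installed), emits a hub config with one `/32` `AllowedIPs` per spoke and a spoke config that only routes the VPN prefix, and checks the VPN prefix against the LANs you might be sitting on. The peer names, the `10.90.0.0/24` prefix, the `vpn.example.com:51820` endpoint and the LAN prefixes are all constructed for illustration.

```python
import base64
import ipaddress
import os

# Curve25519 field prime, X25519 base point and the (A-2)/4 constant from RFC 7748.
P = 2**255 - 19
BASEPOINT = 9
A24 = 121665


def clamp(sk: bytes) -> bytes:
    """Apply the X25519 scalar clamping that `wg genkey` also applies."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5. Not constant-time; fine for a demo."""
    k = int.from_bytes(scalar, "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def keypair(seed: bytes = b"") -> tuple:
    """Return (private, public) in the base64 form WireGuard configs use."""
    sk = clamp(seed or os.urandom(32))
    pk = x25519(sk, BASEPOINT).to_bytes(32, "little")
    return base64.b64encode(sk).decode(), base64.b64encode(pk).decode()


def hub_config(hub_priv: str, hub_addr: str, port: int, spokes: list) -> str:
    """Concentrator side. One [Peer] per spoke with AllowedIPs pinned to its own /32,
    so a spoke cannot claim another spoke's address. Spoke-to-spoke traffic is
    forwarded by the hub, which needs net.ipv4.ip_forward=1 on the VPS."""
    out = ["[Interface]", f"PrivateKey = {hub_priv}",
           f"Address = {hub_addr}", f"ListenPort = {port}"]
    for name, pub, addr in spokes:
        out += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {addr}/32"]
    return "\n".join(out) + "\n"


def spoke_config(priv: str, addr: str, hub_pub: str, hub_endpoint: str, vpn_net: str) -> str:
    """Client side. AllowedIPs is only the VPN prefix, not 0.0.0.0/0, so the tunnel
    never captures traffic meant for the local LAN. Keepalive keeps the NAT
    mapping alive so the hub can reach the spoke behind NAT."""
    out = ["[Interface]", f"PrivateKey = {priv}", f"Address = {addr}/32", "",
           "[Peer]", f"PublicKey = {hub_pub}", f"Endpoint = {hub_endpoint}",
           f"AllowedIPs = {vpn_net}", "PersistentKeepalive = 25"]
    return "\n".join(out) + "\n"


def clashing_subnets(vpn_net: str, local_nets: list) -> list:
    """Return the local prefixes the VPN prefix overlaps with; any hit means
    local hosts in that range become unreachable once the tunnel is up."""
    vpn = ipaddress.ip_network(vpn_net)
    return [n for n in local_nets if ipaddress.ip_network(n).overlaps(vpn)]


if __name__ == "__main__":
    VPN_NET = "10.90.0.0/24"  # constructed example prefix
    hub_priv, hub_pub = keypair()
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    spokes = [("alice-laptop", alice_pub, "10.90.0.2"),
              ("bob-workstation", bob_pub, "10.90.0.3")]
    print(hub_config(hub_priv, "10.90.0.1/24", 51820, spokes))
    print(spoke_config(alice_priv, "10.90.0.2", hub_pub, "vpn.example.com:51820", VPN_NET))
    # Constructed LAN prefixes: the second one shadows the whole VPN range.
    print("clashes:", clashing_subnets(VPN_NET, ["192.168.1.0/24", "10.90.0.0/16"]))
```

The generated hub config is what has to sit on the routable host with `ListenPort` reachable, which is the port-forwarding requirement the comment describes; the spoke never needs an inbound port because it initiates and keeps the NAT mapping open with the keepalive.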
I ripped it out completely. My wireguard network was a "plan b" to get back into my servers, but I have another contingency plan now that I've removed manually managed WireGuard from the equation. Tailscale is just so damn convenient, it hurts lol.
If it was _only_ for my use, I might consider that option. However, my wife would laugh at me if I asked her to set up wireguard on any of her devices. Yes, it's documented. Yes, she could probably figure it out. But why should she have to when there's an even easier option? And why should I have to administer a Wireguard server somewhere when I could just not do that?
Not everybody needs/wants to do things manually. It's literally the reason for the existence of paid services.
I get your point - most people just don't like using computers and networking is scary (but are non-technical people part of the customer base here?). I'm just not convinced that the amount of work to set up wireguard is more than the amount of work to install and set up tailscale. Copy-paste IP and public key vs. download and login.
I don't see much value-add when I'm already going to be running servers anyway - wireguard is basically free as it's in-kernel everywhere. What's the argument for increasing my attack surface and introducing a centralized failure point and new recurring payment?
> most people just don't like using computers and networking is scary
Yes and also I don't want another thing to maintain.
> but are non-technical people part of the customer base here?
Yes. I'm 100% sure that there are companies that use Tailscale that employ nontechnical people who need access to resources only available on the VPN.
> I'm just not convinced that the amount of work to set up wireguard is more than the amount of work to install and set up tailscale. Copy-paste IP and public key vs. download and login.
For you, maybe it's so simple it's not worth thinking about different options. For me, it doesn't make much sense. I've made a concerted effort to remove publicly accessible, self-managed infrastructure from my network. I just don't want to deal with it. I do not have a VPS to install a Wireguard server on, I'm not interested in setting one up, and I really don't need it in the first place (especially if Tailscale gets me into my home network).
> wireguard is basically free as it's in-kernel everywhere
Not everyone runs Linux. There is a time cost for user set up as well - even if I wanted to run my own wireguard server, I'm probably not going to hand out access to people to SSH in and do a self-service type signup. Therefore, it falls on me. With Tailscale, I (or somebody else) can just add a Github user to an org and the rest can be done by an end user. The majority of the people who I'd want on my Tailscale network are already in a Github org that I control, so I usually don't even need to do that.
> What's the argument for increasing my attack surface and introducing a centralized failure point and new recurring payment?
The same as it is for any other paid service: running this myself requires more time and effort than it's worth (not just setup -- end user support, maintenance, upgrades, etc factor in too) + I'm willing to let somebody else take care of it for me. For my uses, Tailscale is actually free but I'm thinking about switching away from the Github Community Plan to a paid plan specifically because the product is good enough that I want to pay for it.