Comment by rainsford
6 hours ago
It's not really "basically wireguard" and you don't have to pay for it for personal use. Wireguard is indeed pretty easy to set up, but basic Wireguard doesn't get you the two most significant features of Tailscale, mesh connections and access controls.
Tailscale does use Wireguard, but it establishes connections between each of your devices, in many cases these will be direct connections even if the devices in question are behind NAT or firewalls. Not every use-case benefits from this over a more traditional hub and spoke VPN model, but for those that do, it would be much more complicated to roll your own version of this. The built-in access controls are also something you could roll your own version of on top of Wireguard, but certainly not as easily as Tailscale makes it.
There's also a third major "feature" that is really just an amalgamation of everything Tailscale builds in and how it's intended to be used, which is that your network works and looks the same even as devices move around if you fully set up your environment to be Tailscale based. Again not everyone needs this, but it can be useful for those that do, and it's not something you get from vanilla Wireguard without additional effort.
I guess I'm still not following. Is there an example thing that you can do with Tailscale that you can't do with Wireguard? "Establishes connections between each of your devices" is pretty vague. The Internet can already do that.
You can run two nodes both behind restrictive full cone NATs and have them establish an encrypted connection between each other. You can configure your devices to act as exit nodes, allowing other devices on your "tailnet" to use them to reach the internet. You can set up ACLs and share access to specific devices and ports with other users. If you pay a bit more, you can also use any Mullvad VPN node as an exit point.
Tailscale is "just" managed Wireguard, with some very smart network people doing everything they can to make it go point-to-point even with bad NATs, and offering a free fallback trustless relay layer (called DERP) that will act as a transit provider of last resort.
I install tailscale on my laptop. I then install tailscale on a desktop PC I have stashed in a closet at my parents. If they are both logged in to the same tailnet, I can access that desktop PC from my home without any addition network config (no port forwarding on my parents router, UPNP, etc. etc).
I like to think of it as a software defined LAN.
Wireguard is just the transport protocol but all the device management and clever firewall/NAT traversal stuff is the real special sauce.