Comment by pona-a

1 month ago

Yggdrasil is a more generic overlay. It can run over unconfigured Ethernet links, auto-discover other nodes on your local network, or punch through firewalls if you configure any public peers. You can set up a private network by only declaring your private peers. I think each device gets an entire subnet, so you might be able to expose multiple services on multiple IPs, though I'm not sure about that.

My use-case was sharing things like game servers and websites with friends—which we previously did by sharing each other's machines/servers via Tailscale—and accessing my homelab remotely. For the first case, the public Yggdrasil network was much better than a mesh VPN like Tailscale: I don't have to manage invites or accounts—everyone who knows the address can just connect.

For the second case, assuming addresses are discoverable (since 128 bits would make them quite hard to enumerate), I think a firewall gating by incoming IP will take care of that (since your IP is just a hash of your public key), though for now I've kept most sensitive ports unbound from it. I hadn't yet tried anything like Tailscale bridging (exposing a LAN address without configuring the client on the endpoint), but I'll try once I have a bit more free time.

Tailscale is a nice abstraction on Wireguard, but Yggdrasil feels less like a solution to your specific infra problems and more like a coherent vision of how the internet ought to be. You can just rely on IPs as identities, link-layer encryption with Noise Protocol, and out-of-box hole punching, with relatively low latency (though I haven't tested the speed). It's the same feeling of awe as when I first saw how easy it is to host Onion Services, only not hampered by the abysmal speeds.
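The comment above leans on the fact that a Yggdrasil address is bound to the node's public key, so a firewall rule keyed on the source IP is effectively a rule keyed on the peer's key. The Go program below is an added example, not code from the comment's author or from the Yggdrasil project. It reimplements the address derivation that Yggdrasil v0.4 and later use (a compression of the inverted ed25519 key rather than a hash: the count of leading 1 bits in the inverted key, then the remaining key bits, behind the 0200::/7 prefix), derives the node's /64 subnet the same way, and builds a small allowlist that accepts traffic only from addresses or subnets derived from keys you already hold. `constructedKey` is a made-up value chosen so the bit manipulation can be checked by hand; it is not any real node's key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net"
)

// yggPrefix is the first byte of Yggdrasil's 0200::/7 range. Its low bit is
// 0 for a node address (0200::/8) and 1 for the node's /64 subnet (0300::/8).
const yggPrefix byte = 0x02

// AddrForKey derives a node address the way Yggdrasil v0.4+ does: invert the
// ed25519 public key, count its leading 1 bits, drop those bits and the first
// 0 bit, then pack prefix | ones | remaining bits into 16 bytes.
func AddrForKey(pub ed25519.PublicKey) (net.IP, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("want %d-byte key, got %d", ed25519.PublicKeySize, len(pub))
	}
	var ones, cur byte
	var body []byte
	nBits, done := 0, false
	for i := 0; i < 8*len(pub); i++ {
		bit := (^pub[i/8] >> uint(7-i%8)) & 1 // i-th bit of the inverted key
		if !done {
			if bit == 1 {
				ones++ // Yggdrasil's scheme assumes this stays below 128
				continue
			}
			done = true // the first 0 bit is implied by the count, not stored
			continue
		}
		cur = cur<<1 | bit
		nBits++
		if nBits == 8 {
			body = append(body, cur)
			cur, nBits = 0, 0
		}
	}
	if !done {
		return nil, fmt.Errorf("degenerate key: inverted key has no 0 bit")
	}
	addr := make(net.IP, net.IPv6len)
	addr[0] = yggPrefix
	addr[1] = ones
	copy(addr[2:], body) // only the first 14 bytes of the remainder fit
	return addr, nil
}

// SubnetForKey returns the /64 Yggdrasil routes to the node: the first 8
// bytes of its address with the prefix's low bit set.
func SubnetForKey(pub ed25519.PublicKey) (*net.IPNet, error) {
	addr, err := AddrForKey(pub)
	if err != nil {
		return nil, err
	}
	snet := make(net.IP, net.IPv6len)
	copy(snet, addr[:8])
	snet[0] |= 0x01
	return &net.IPNet{IP: snet, Mask: net.CIDRMask(64, 128)}, nil
}

// Allowlist is a key-based firewall policy: a source is trusted only if it is
// the address, or lies in the /64, derived from a peer key you already hold.
type Allowlist struct {
	addrs []net.IP
	nets  []*net.IPNet
}

// NewAllowlist derives the address and subnet for every trusted peer key.
func NewAllowlist(keys ...ed25519.PublicKey) (*Allowlist, error) {
	al := &Allowlist{}
	for _, k := range keys {
		addr, err := AddrForKey(k)
		if err != nil {
			return nil, err
		}
		snet, err := SubnetForKey(k)
		if err != nil {
			return nil, err
		}
		al.addrs = append(al.addrs, addr)
		al.nets = append(al.nets, snet)
	}
	return al, nil
}

// Allows reports whether src is the address of, or inside the /64 of, a trusted peer.
func (al *Allowlist) Allows(src net.IP) bool {
	for _, a := range al.addrs {
		if a.Equal(src) {
			return true
		}
	}
	for _, n := range al.nets {
		if n.Contains(src) {
			return true
		}
	}
	return false
}

// constructedKey is a made-up 32-byte value (not any real node's key) chosen so
// the derivation can be followed by hand: inverted, it begins 1100 0011 0101 1010.
var constructedKey = ed25519.PublicKey(append([]byte{0x3C, 0xA5}, make([]byte, 30)...))

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	for _, k := range []ed25519.PublicKey{constructedKey, priv.Public().(ed25519.PublicKey)} {
		addr, _ := AddrForKey(k)
		snet, _ := SubnetForKey(k)
		fmt.Printf("key %x\n  address %s\n  subnet  %s\n", []byte(k), addr, snet)
	}
}
```

For `constructedKey` the inverted key has two leading ones, so the address is `202:1ad7:ffff:ffff:ffff:ffff:ffff:ffff` and the subnet `302:1ad7:ffff:ffff::/64`; a peer who rotates their key gets a new address and drops out of the allowlist, which is the behaviour you want from an identity-bound rule. The allowlist itself only compares addresses: that an incoming packet really came from the holder of the matching key is something Yggdrasil's session layer has to guarantee, so this check belongs on the Yggdrasil TUN interface, not on the underlying physical link.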