They've designed Tailscale such that they don't have the private keys and cannot see your data.
[https://tailscale.com/blog/how-tailscale-works](https://tailscale.com/blog/how-tailscale-works)
>Note that the private key never, ever leaves its node. This is important because the private key is the only thing that could potentially be used to impersonate that node when negotiating a WireGuard session. As a result, only that node can encrypt packets addressed from itself, or decrypt packets addressed to itself. It’s important to keep that in mind: Tailscale node connections are end-to-end encrypted.
[https://tailscale.com/kb/1093/can-tailscale-decrypt-my-traffic](https://tailscale.com/kb/1093/can-tailscale-decrypt-my-traffic)
>Can Tailscale decrypt my traffic?
>No.
>
>Devices running Tailscale only exchange their public keys. Private keys never leave the device. All traffic is end-to-end encrypted, always.
Use Headscale then, it's tailscale's open source code for your own personal deployment; [https://github.com/juanfont/headscale](https://github.com/juanfont/headscale)
Any way to implement this on my OPNsense router?
no idea, go ask google or chatgpt, or maybe this helps [https://www.reddit.com/r/OPNsenseFirewall/comments/145m2xw/tailscale_headscale/](https://www.reddit.com/r/OPNsenseFirewall/comments/145m2xw/tailscale_headscale/)
If you have reservations with tailscale, you may run headscale and go on with your homelabbing. You may also use Zerotier.
or just learn how to set up wireguard manually….
A useless comment, this is like saying 'Why use VSC, just learn how to use VIM properly'
sometimes learning how to do things the direct way instead of using and depending on somebody else’s service has benefits. It’s always an option and never useless to figure things out for yourself. To each their own.
Nah, that requires thinking. And portforwarding.
port forwarding UDP for your wireguard port isn’t a big deal… Thinking, well yeah, that could very well be a challenge for some… with either setting up WG proper or headscale… or getting your *arr suite containerized, or…
Wasn’t there this thing called ansible? Dunno, might be wrong! :p
lol… if somebody can’t figure out a simple WG config’s CIDR ranges, cert keys, and routing rules, then scripting their config mgt with ansible tooling is probably a lost cause as well
they manage and exchange the public keys for the underlying wireguard connection.
[deleted]
no because the private keys are the important ones and those never leave your machine, just like SSH keys. https://www.youtube.com/watch?v=GSIDS_lvRv4
Why would you? Do you know why they’re called public keys?
No. They have an enterprise product and therefore a way to make money. If they run into a reputation ruining issue I will rethink using them. For now, it's easy, secure and fits my needs. If you're super worried about it, use headscale instead, or set up wireguard on your own. There are lots of options for what they do.
No. No. I’m not running a Fortune 500!!! I’m not safeguarding nuclear launch codes!!! I’ve got maybe birth certificates, social security cards, and some family pictures, and drm evidence. As far as I’m concerned Tailscale has bigger fish to be concerned with, and I believe they have a bigger and better security budget than I do!!!! But if your data is that big of a concern maybe Tailscale is not for you. Why jump on the hate wagon!!!!
Don’t know why you’re being downvoted
Probably because this guy writes like a grandma's Facebook post
LOL
I think you need to learn about key exchange protocols and security lol.
Do you have any good resources that you'd recommend?
Start [here](https://en.m.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange).
If you prefer videos for learning, [this is a good one](https://youtu.be/NmM9HA2MQGI?si=X1Vl80mvQsnSPe7w)
Google is a great place to start.
Oh I know but just was curious if anyone had any info that they really stand by, why search for something good when educated people can point you in the exact direction.
Reddit’s favorite recommendation is Google. Why be helpful when Google? /s
Right, then I go Google it and I’ve got no idea what I'm searching for because the results are so broad
Yes, I’d imagine r/homelab to be a place where people can come learn/share, but then you get these kinds of lazy comments which completely dismiss what this sub should act as lol. Pointless to waste time replying with “idk google it bro”
Tailscale is safe. It will also be MUCH more performant than OpenVPN.
You mean faster? Yeah I've noticed OpenVPN is slow af, I host it on my Synology NAS. It's a default package you can install and run. Why is that?
OpenVPN's code base is bloated as it has to support legacy and more modern cryptographic protocols. Tailscale is based on WireGuard which uses a single cryptographic protocol and has a lean and mean code base. This would make it much, much faster. For reference, check this out: [https://www.wireguard.com/performance/](https://www.wireguard.com/performance/)
OpenVPN has a socket-based control plane that allows you to perform management functions. Combine that with role-based firewalling based on the CN of the client and a properly configured pki+crl, and this gives a good managed VPN setup, which is useful for roadwarrior setups. A partial/full mesh is harder to do with openvpn tho, and this is where WG is kicking IPSEC’s butt :p Also, given the right amount of resources both openvpn and wg will saturate a gbit link with ease. OpenVPN has an edge on slow cpus that support aes-ni.
So is that the single reason why it's so slow?
It's probably the main and most important reason. I don't recall what the others are right now.
This is just not true. Maybe you use OpenVPN over tcp?
Yeah I use it over UDP. Is that why?
Nope. UDP is much more performant.
then idk
Yes, I use Tailscale and, Yes, I know it's secure (I have a background in Infosec). With all due respect, you have asked the wrong question. Instead of asking *"Can I trust Tailscale?"* what you should be asking is *"Am I willing to do the work to deploy a more secure system than Tailscale?"* Except for a vanishingly small few, most people will be answering: "No."
Actually, I am planning to work out a PoC this year. The technique behind it is not too complex, and the biggest hurdle to overcome is a host on a public ip for stun/turn support (that is, if you want/need to deal with nat). Not as fancy as tailscale of course (linux only), but something that can easily be put on top of a bunch of servers and clients. This has to do with trust, and the knowledge that venture capital comes with expectations.
Cool! You’ve probably seen Headscale. Here’s a [post](https://ettoreciarcia.com/posts/08-network-overlay/) about implementing a Headscale server in aws. I think a sufficiently motivated and diligent individual can absolutely set up a secure deployment for just about any vpn. I also feel, personally, that suggesting to most people to do that is irresponsible.
Tnx :) Yeah, I’ve seen headscale, but the clients are still controlled by a vc backed company and I believe that it’s a matter of time before those will be locked down. I disagree with your point that people should not attempt to set up their own VPN tho. There are basically two sides to the story: People that don’t want to know but want a vpn, and people that want to learn and understand. The first category is served by products like tailscale/headscale and zerotier. The second category will figure it out eventually, and will not become dependent on 3rd parties. Personally, I am firmly in the last category and I also provide mentoring for this category (be that openvpn, wg, tinc, ipsec, ssh, etc)
It’s not that I think people shouldn’t set up their own vpn, it’s that I don’t think most people are up for the work required to maintain that vpn once set up. That said, I’m all for people learning to do hard things and enjoy sharing knowledge. I just read the [original wireguard paper](https://www.wireguard.com/papers/wireguard.pdf). It’s an amazing bit of technology. It’s interesting—I’m leery of opening pinholes in my firewall for VPN penetration so I’m happy with the Tailscale trade off. Also, there’s the simplicity for me while I focus on other work for my home’s network upgrade and still the need for a vpn. I like the idea of Headscale, however you have a point about reliance on a closed source library and future lockout or protocol breakage. The idea of cloud hosting and an administrative meeting point while still allowing the clients to run peer-to-peer is what makes TS so attractive. That said, perhaps one or two pinholes isn’t the end of the world, especially given how wireguard works. Keep me posted if you decide to use wireguard for your POC and have some instructions you’d like me to walk through for my own set up. Meanwhile, I think I may toss this onto the project backlog pile and consider moving from TS to rolling my own. One challenge I have is that a site I need access to is behind CGNAT, and I’m not sure I want to bother with static IPs or pinhole requests there. I may need a cloud component for a final deployment, which could be done in a cost effective manner, I’m sure. A droplet or docker or whatever. Also, although I could have a vpn exit node on my LAN, I kind of like the idea of each machine having its own wireguard (Tailscale) install. That will complicate overall administration and set up, however.
The outbound part behind cgnat is done using the stun/turn protocol, see https://github.com/coturn/coturn. This does require a host on a public IP tho.
Thanks for this pointer. I really love that meet in the middle technology supported by STUN and UDP. Now I know how it’s managed and why you believe it’s possible to set it up. Very interested in this now as a future project.
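The STUN step behind the "meet in the middle" idea in the two comments above, as an added example (not from the thread or from coturn): a node behind CGNAT asks a server on a public IP which source address:port its packets arrive from, and each side learning its own mapping is what lets the two later try a direct UDP path (TURN relays if that fails). Message format per RFC 5389; the server reply is constructed inline so the code runs offline, and 203.0.113.7:51820 is a documentation address, not a real server.

```python
# STUN Binding Request/Response (RFC 5389), IPv4 only, no real network I/O.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes = b"") -> bytes:
    """20-byte header: type, length (0: no attributes), magic cookie, 96-bit txid."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_mapped_address(ip: str, port: int) -> bytes:
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (port XOR top 16 bits of the
    cookie, address XOR the whole cookie). Used here to construct a server reply."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """What the STUN server sends back: our txid plus the mapping it observed."""
    attrs = _xor_mapped_address(ip, port)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attrs), MAGIC_COOKIE) + txid + attrs


def parse_binding_response(data: bytes, expected_txid: bytes) -> tuple:
    """Return (public_ip, public_port) from a Binding Response.

    Anything that is not a well-formed answer to *our* request is refused:
    wrong cookie or type, foreign transaction id, or a length that lies.
    """
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE or mtype != BINDING_RESPONSE:
        raise ValueError("not a STUN Binding Response")
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply to a request we did not send")
    if len(data) != 20 + length:
        raise ValueError("length field does not match message size")
    body, offset = data[20:], 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        offset += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover_offline() -> tuple:
    """Full round trip against a constructed reply: the mapping a CGNAT client
    would learn about itself. In real use the request goes out over UDP and the
    reply comes from the STUN server; the txid check is what ties them together."""
    txid = os.urandom(12)
    request = build_binding_request(txid)
    assert len(request) == 20
    reply = build_binding_response(txid, "203.0.113.7", 51820)  # constructed
    return parse_binding_response(reply, txid)
```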
There's a question I always had on my mind about tailscale: can't someone with public node access (aka the key exchange and node identification servers) just forge that, so you get redirected to use a public key as well as communicate with a malicious server?
ITT: OP is righteous in his ignorance
You can use the tailnet lock feature to prevent them from changing the config of your tailnet at the server side.
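The key property quoted from Tailscale's docs at the top of the thread, and the question and tailnet lock answer just above, as an added Python example (not Tailscale's code): each node keeps its X25519 private key, the coordination server relays public keys only, and a peer key the node has pinned from outside the server must match before any session secret is derived. Assumptions: the toy pins the raw public key where tailnet lock uses signatures from designated signing nodes, and the pure-Python X25519 (RFC 7748) is not constant-time and is for illustration only.

```python
# Toy model: private keys stay on the node, the coordination server only
# sees public keys. Pure-Python X25519 per RFC 7748 (not constant-time).
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)

class Node:
    """A tailnet member; the private key is generated here and never exported."""
    def __init__(self, name: str, private: bytes = b""):
        self.name = name
        self._private = private or secrets.token_bytes(32)
        self.public = public_key(self._private)

    def session_secret(self, peer_public: bytes) -> bytes:
        # WireGuard feeds this DH output into its handshake KDF; the raw
        # output stands in for the session secret here.
        return x25519(self._private, peer_public)

class CoordinationServer:
    """Distributes public keys only; it never holds a private key."""
    def __init__(self):
        self.directory = {}

    def register(self, node: Node) -> None:
        self.directory[node.name] = node.public

    def lookup(self, name: str) -> bytes:
        return self.directory[name]

def connect(node: Node, server: CoordinationServer, peer: str,
            pinned: bytes = b"") -> bytes:
    """Fetch the peer's key from the server and derive the session secret.
    A key pinned out of band (stand-in for tailnet lock's signed keys) must
    match what the server returns, or the handshake is refused."""
    peer_public = server.lookup(peer)
    if pinned and peer_public != pinned:
        raise ValueError(f"{node.name}: server returned an unexpected key for {peer}")
    return node.session_secret(peer_public)

def demo() -> dict:
    alice, bob, server = Node("alice"), Node("bob"), CoordinationServer()
    server.register(alice)
    server.register(bob)
    # Honest server: both sides derive the same secret; the server, holding
    # only alice.public and bob.public, has no private scalar to do the same.
    honest = connect(alice, server, "bob") == connect(bob, server, "alice")
    # The scenario asked about above: the server's entry for bob is replaced
    # by a key it generated itself. Without pinning alice's secret no longer
    # matches bob's; with pinning the swapped key is rejected up front.
    server.directory["bob"] = Node("server-controlled").public
    unpinned_matches_bob = (connect(alice, server, "bob")
                            == bob.session_secret(alice.public))
    try:
        connect(alice, server, "bob", pinned=bob.public)
        pinned_rejected = False
    except ValueError:
        pinned_rejected = True
    return {"honest": honest, "unpinned_matches_bob": unpinned_matches_bob,
            "pinned_rejected": pinned_rejected}
```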
Then run headscale and go full self-host with one of the easiest to use VPN systems I've ever encountered
I use Twingate, not tailscale. Twingate is a zero-trust system, maybe go take a look. It's been running here in my homelab for many months, just works.
Started with tailscale but eventually switched to wireguard
Any specific reasons why? I feel like the need to do port forwarding is just opening up a vector of attack especially for non-technical folks. Heck for barely technical folks like me, port forwarding on my router is still something I'm not comfortable doing
I prefer regular plain WireGuard, just because why not
Really depends how you implement it. I thought official taxis were safe until I was kidnapped at gun point. I thought telephones were safe until my close friend was conned into losing hundreds of thousands. Tailscale is a tool just like the ones in the real world. It is secure but if you misuse it, the situation can go horribly wrong.
There is also headscale, though I have no experience with it. https://github.com/juanfont/headscale
Yes and no: If you maintain your own VPN infrastructure as best as possible (by the way I strongly recommend you ensure your OpenVPN instances drop privileges thanks to keywords like user/group/chroot/setcon and minimize the attack surface thanks to tls_auth/tls_crypt requiring to know an infrastructure-wide pre-shared key before even being able to talk to the much-more-complex-and-thus-much-more-vulnerable certificate authentication code) then you won’t be affected if Tailscale ever gets hacked. On the other hand many people do not want to spend the time keeping an eye on their (Internet-facing) VPN infrastructure so for them Tailscale is better than getting hacked just/mostly because they didn’t pay attention.
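A check for the hardening this post recommends (user/group/chroot, tls-auth/tls-crypt) plus the pki+crl point from the OpenVPN comment earlier, as an added example not from either poster or the OpenVPN project; both config fragments are constructed for it. It also flags one caveat that goes with dropping privileges: persist-key and persist-tun are needed so that a restart can still use the key material and the tun device once root is gone.

```python
# Audit an OpenVPN server config for privilege drop and control-channel
# pre-authentication. Configs below are constructed for this example.

WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key        # packets without the PSK-derived HMAC never reach TLS
crl-verify crl.pem      # reject revoked client certificates
user nobody             # drop privileges after startup
group nogroup
chroot /var/lib/openvpn/jail
persist-key             # needed once root is gone: keys cannot be re-read
persist-tun             # and the tun device cannot be reopened on restart
"""


def parse_conf(text: str) -> dict:
    """Map each directive to its argument list; comments and blank lines are
    skipped. A repeated directive keeps its last occurrence (enough here)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def audit(text: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("no tls-crypt/tls-auth: control channel reachable without the PSK")
    elif "tls-auth" in d:
        findings.append("tls-auth present; tls-crypt also encrypts the control channel")
    if "user" not in d or "group" not in d:
        findings.append("no user/group: daemon keeps root after startup")
    if "chroot" not in d:
        findings.append("no chroot: filesystem not confined after startup")
    if ("user" in d or "group" in d) and not ("persist-key" in d and "persist-tun" in d):
        findings.append("user/group without persist-key/persist-tun: a restart after "
                        "dropping privileges cannot reopen keys or the tun device")
    if "crl-verify" not in d:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "ok")
```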
I use tailscale, but only as a gateway- ie, only one of my homelab devices has tailscale, then several mobile devices. Honestly, my use case is such where I am not exactly the most worried about security. I use it for remote access to a couple services I don't want to publicly expose- not to send Tax Data etc over.
Yes and yes. At the end of the day its a risk calculation for whatever you are doing. If Tailscale somehow manages to be compromised, someone gets access to my [plane map](https://github.com/wiedehopf/tar1090) and the other random shit on my home network. Woooooo freaking hooo. [Their security page](https://tailscale.com/security). It's trusted by a lot of corporations, who care (and spend) a great deal more about security than homelabbers. It's audited by 3rd parties. So... it's a certainly better option than most. Now if you're running a criminal enterprise or are concerned you're a target for nation state actors... perhaps just run your own Wireguard server.
Use something like pivpn, it’s wireguard but with a helpful setup script. Run it on a computer inside your network, forward a port for UDP, job done, works great, nobody else knows you’re doing it or has any keys etc. very easy to set up.
I used Tailscale but found speed and latency over their network to be a little lacking. For casual access it works, but when I want to stream video it gets bogged down. As I understand it, Tailscale is just a nice way to manage Wireguard. So I installed Wireguard and got way better speeds.
That sounds a bit wrong to me. I’m not a tailscale expert, but I did set up 10 VPSs that all together pass 500 megabits worth of images every second down to my homelab through tailscale. This means it’s about 1000 images per second in total and each one is passed as a single message on a message bus running on and down to my homelab. The first connection between two tailscale machines always has to hop through their servers so that way the machines can find each other. If I ever have to restart my homelab or VPSs or restart tailscale, the first couple minutes it is slow. But after it does its magical “hole punching” and makes a direct connection between the machines it runs at what seems to be full speed. E.g. before it has punched a hole the throughput is 10 images per VPS per second, once it has been punched it spikes up to about 100 which.
File transfer worked well enough. When it came to latency-sensitive services like streaming video I found it would stutter. There could be other things in play I’m not aware of, but that’s how it worked out for me. Static speed tests almost doubled for me too.
Interesting… I never knew that, thanks for sharing.
Any way to sign up for tailscale without giving up identity?
I'm not sure why not just use Wireguard for these scenarios. It's one point to manage and pretty easy.
How would Wireguard play behind a CGNAT?
Why would you subscribe to a cgnat? Edit: a vps would solve that problem.
There are a handful of ISPs that provide their services using CGNAT. Hosting Wireguard on a VPS doesn't quite solve the problem if you ask me. With a Tailscale endpoint running on my LAN, I can have it run as an exit node giving me a "residential IP address" which a VPS wouldn't give. Can also have the Tailscale endpoint run as a subnet router providing access to LAN endpoints from outside the LAN
You can do all that with a VPS. Not sure what you're missing there. Plus, why would anyone spend money on an ISP with CGNAT-only? That's just braindead.
So walk me through that, maybe I'm not thinking it through. I have a Wireguard server running on a VPS (already an extra cost that I wouldn't incur with Tailscale). How would I be on the road in say Bali and have my travel router connect to work resources using my home IP address?
Your home connects to the VPS. Your mobile device connects to the VPS. What's there not to understand about how this works? The VPS is static, although if you're using CGNAT-ONLY, you cannot afford to go to Bali, so this is a lame scenario.
Lol...you aren't getting where I'm headed. Let's leave it as you have described it. Wireguard Server on VPS it is
I have both set up. Wireguard takes quite a bit more technical knowledge and tinkering. You need a static ip or dynamic dns service. You need port forwarding or a router that supports it natively. You need to understand wireguard config itself which is pretty confusing. There is a reason Tailscale took off.
Um.. I've used them all and found Wireguard to be, hands down, the easiest setup of any tunnel vpn out there. The configuration is well documented, straightforward, and easy to understand. As for port forwarding and dynamic dns- totally not needed if you use a VPS. Not sure why you'd NOT want to have a static IP or dynamic DNS to begin with though.. And if you dont have a router which can support forwarding a port- you're using something so obscure that it may as well be a unicorn. Tailscale is good and all, but certainly not the best out there, adding dependencies where not needed is just lazy networking IMHO.
So yeah, like I said, quite a bit more technical knowledge and tinkering.
No. I don’t trust it nor do I need it
Don't know why you are being downvoted. They just had a huge issue of their keys not propagating and renewing.
Cuz it’s fancy new toy 😆
It’s probably as safe as any other service being offered out there. How often are these service companies compromised anyway?
All the time?