
Tailscale seems like a great product, however I do not want a 3rd party to be able to add a key to my ACL. Running a custom control plane server is possible, but then there is little benefit for me compared to direct wireguard with a central peer on a VPS. If it would be possible to use just the NAT traversal without key management, that would be it!

Currently I am running a tiny VPS as a wireguard server, but I do not trust it to be part of my network. Therefore I run one wireguard tunnel to be able to access my router (has no public ip) and a second tunnel inside the first to connect through the router to my home network.

Theoretically, it should be possible with a single wireguard tunnel if I set a route to the home router via the wireguard gateway - but I never managed to make wireguard encrypt a packet if it came from the same wg interface. Can anybody help?



I think Tailscale have the right approach by knowing their customer — someone who is happy to have a trusted 3rd party administer parts of their VPN in return for time and cost saving. There are a few here who can't have that, so they instead invest their time into a custom setup with WireGuard which is fine, but for those of us who don't require that level of assurance (there are bigger attack vectors to worry about), Tailscale is fantastic. Quick, easy, and mostly works out of the box.



