Tailscale uses Wireguard, but offers so much more on top. I used to think the same, but I think I was mixing it up with Zerotier; had a play with it and now think it's pretty great.

For example, you can set ACL rules for which devices can access which others (or the internet, if you have explicit exit nodes) - it's using Wireguard for networking, but you can't do that with (just) Wireguard, it's not just 'make Wireguard easier to set up', as you said that doesn't really need doing.

I see. I use firewalls to control which devices can access which others. To each their own.

This is a chud "Dropbox is just rsync" attitude.

There's value to some to having networking config centralised like that. It allows things like auto adding certain clients to certain rules/groups automatically.

Not spending time cycling through each server to poke iptables.

My computers are behind firewalls and I need Tailscale to do the NAT punching. I don't see another tool that does the job as well as Tailscale.

The hub and spoke configuration bypasses firewalls and NAT, which WG can do natively.

Though doing this "well" is subjective, so I can understand someone preferring Tailscale because it's easier to use.

not familiar with wireguard per se, but afaik it's using udp-packets which get translated/mapped just fine by any NAT implementation. nothing in need of punching imho.

if your access concentrator (server) is behind a nat, you'll need a port-forwarding from the outside but that's rare.

Tailscale builds a mesh, where the participants can communicated directly, so it's common for all nodes to be behind a FW that does NAT. There is a very interesting blog post from tailscale about all the trickery they pull to reliably deal with NAT: https://tailscale.com/blog/how-nat-traversal-works/

i stand corrected. thanks!