Interesting article; do you have any details on the performance differences?

Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.

The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.

Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.

Tailscale is interesting. It's built on top of wiregaurd but is different in that it creates a mesh of vpn connections between your devices, rather than just a connection from client to server.

I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.