As I said above - how would you set up plain Wireguard in a place without the possibility of exposing a port, or even that does not have a public IP - and initiate the connection from outside that place? I would love to learn something. Without rebuilding tailscale (or whatever other solutions with STUN or whatnot).

▲

ffsm8 3 days ago | parent [-]

i think youre not hearing what - at least i - was saying.

I never said that running the same connectivity and NAT traversal via 2 nodes which are both inside of a NAT is possible. Neither did I ever claim you dont need a static public IP which _isnt_ behind a NAT / has an open port.

With Tailscale, these are being provided to you by them. Without them, you would have to maintain that yourself. This is a significant maintenance burder, which is why I - as in my very first comment you yourself responded to - pointed out that the service theyre providing is great and that i use it myself for that as well.

Nonetheless, _if wireguard was blocked, tailscaile wouldn't work either_

But its not blocked. Hence tailscale works. Just like wireguard would work, if you configured NAT traversal in some way. To get that working, you have multiple options, one of these being the STUN server. Another being an active participants in the VPN which facilitates the connection (not just the initiation, which the STUN server would be doing). easier to configure and maintain, but less performant.

Tailscale themselves actually have an incredibly indepth article on how they've implemented it on their end, its a little aged at this point, but I suspect they havent changed much (if any) since

https://tailscale.com/blog/how-nat-traversal-works

	▲	BrandoElFollito 2 days ago \| parent [-]
		> i think youre not hearing what - at least i - was saying. You said " it's nonsensical to say tailscale works in places where wireguard is blocked". If by "blocked" you mean "blocked at the firewall level through some kind of adaptive block that will recognize a wireguard connection based on its behaviour/nature of packets/whatever" → then yes, of course tailscale will not work either as it uses wg under the hood. If the OP message "tailscale has a much better chance to work when you need it most. WireGuard is blocked by too much stuff" means "I installed wireguard and it does not work (because whatever) but tailscale consistently delivers" → then it is not nonsensical at all. It is the right tool to start with. > Tailscale themselves actually have an incredibly indepth article on how they've implemented it on their end This is an excellent documentation to which I refer people as well.