Zerconf ≠ zero trust. The difference could not be more material in this context.

If both sides of your ssh tunnel (pub,private keys) are under your control, in theory, that's "zero trust".

Unless one considers the meta data such as src/dest IP are visible to Tailscale sw.

Right?

	▲	nickburns 3 hours ago \| parent [-]
		'Zero trust' has a technical definition that's not really relevant here. See: https://en.wikipedia.org/wiki/Zero_trust. The concept is separate from 'zero config' (https://en.wikipedia.org/wiki/Zero-configuration_networking), which Tailscale's low technical barrier to entry evokes.