Tailscale has three main pieces of functionality over vanilla WireGuard: automatic peer configuration, NAT holepunching, and network ACLs.
I won't talk much about ACLs since if you're the only user on your VPN, they don't matter. E.g. I use Tailscale but I don't use ACLs because who am I going to block from connecting to what? Am I concerned about my server trying to compromise my Raspberry Pi? (Maybe I should be, but life's too short so I don't bother.)
Automatic peer configuration is a pretty killer feature, though. If you're just running plain vanilla WireGuard, then you have to manually copy keys between every pair of devices that need to be able to talk to each other. That's fine if you only have a few devices, or if you have a large number of devices but you're happy to use a hub-and-spoke model where each "client" only talks to the hub, and the hub routes all traffic. But once your number of devices starts to grow, or you decide you want direct links instead of hub-and-spoke, it can start to get unpleasant.
NAT holepunching may seem unnecessary if you're used to having a VPN hub and just port-forwarding to it. But it opens up a whole set of possibilities that would just be non-starters without it. Just off the top of my head, here are some things that I would consider easy with Tailscale but cumbersome-to-impossible without:
1. Not having to worry about static IP assignments on my LAN. Admittedly, this is more of a convenience than a true barrier to anything, but with vanilla WireGuard one of the devices needs to be able to initiate the connection, meaning that the other has to be able to receive unsolicited traffic on some port. Normally I'd do that with port forwarding, but all of the port forwarding I've ever done requires a fixed internal IP to which to forward the port. Instead, with Tailscale, you can just plug in your server/RPi/whatever and forget about it.
2. Similarly, you can take advantage of this to get a window into a network that you don't control. (It sounds bad when I put it that way.) Say you've got a relative a long ways away, and they're constantly calling you for help with their network and you're constantly walking them through how to fiddle with their router settings or something - with Tailscale, you could just preconfigure a Raspberry Pi, ship it over, and not have to worry about being able to connect to it once they plug it in. Voila, you have an entrypoint into Grandma's network or whatever.
3. Self-hosting aficionados like myself tend to turn to "can I put a thing on a server somewhere" as a solution to many problems involving cross-device communication: file synchronization is an obvious example. But what if all the devices could seamlessly talk to each other, anywhere and anytime? Then you could pop, say, Syncthing on each device and not have to worry about having a server up.
Tailscale also has some extra goodies like being able to share a device to someone else's Tailnet, so if you run (say) a Plex server and you want to let someone else talk to it without exposing it to the greater internet that's pretty easy.
Their "Magic DNS" feature is also quite convenient - I used to pride myself on being able to remember all the IPs I had assigned to all my network-connected stuff and therefore not needing DNS, but since I've started using Tailscale I've found myself defaulting to DNS names more and more without ever even consciously deciding on it. Words are just more memorable than numbers, there's no need to fight it.
All that said, if none of those use cases seem compelling to you then maybe Tailscale just isn't for you. Different strokes for different folks.
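The manual key-copying and port-forwarding burden described in the comment above, as an added example that is not the commenter's or Tailscale's code: it renders plain WireGuard configs for a hub-and-spoke and a full-mesh layout and counts what has to be maintained by hand. The device names, tunnel addresses and the `vpn.example.net` endpoint are constructed, and the keys are placeholders.

```python
from itertools import combinations

# Constructed inventory: name -> (tunnel IP, public endpoint or None if behind NAT).
DEVICES = {
    "server": ("10.0.0.1", "vpn.example.net:51820"),
    "laptop": ("10.0.0.2", None),
    "phone": ("10.0.0.3", None),
    "rpi": ("10.0.0.4", None),
}

def peer(name, allowed_ips):
    """One [Peer] stanza; each one is a public key copied over by hand."""
    lines = ["[Peer]", f"PublicKey = <PUBLIC_KEY_OF_{name.upper()}>",  # placeholder
             f"AllowedIPs = {allowed_ips}"]
    if DEVICES[name][1]:  # only a reachable peer can be dialled
        lines.append(f"Endpoint = {DEVICES[name][1]}")
    return "\n".join(lines)

def render(name, peers):
    """wg-quick style config for `name`; peers is [(peer_name, allowed_ips)]."""
    ip, endpoint = DEVICES[name]
    iface = ["[Interface]", f"Address = {ip}/24",
             f"PrivateKey = <PRIVATE_KEY_OF_{name.upper()}>"]  # placeholder
    if endpoint:
        iface.append("ListenPort = " + endpoint.rsplit(":", 1)[1])
    return "\n\n".join(["\n".join(iface)] + [peer(p, a) for p, a in peers])

def hub_and_spoke(hub):
    """Spokes know only the hub and route the whole subnet through it."""
    spokes = [n for n in DEVICES if n != hub]
    cfgs = {s: render(s, [(hub, "10.0.0.0/24")]) for s in spokes}
    cfgs[hub] = render(hub, [(s, DEVICES[s][0] + "/32") for s in spokes])
    return cfgs

def full_mesh():
    """Every device lists every other device; also report pairs with no way in."""
    cfgs = {n: render(n, [(p, DEVICES[p][0] + "/32") for p in DEVICES if p != n])
            for n in DEVICES}
    stuck = [(a, b) for a, b in combinations(DEVICES, 2)
             if not DEVICES[a][1] and not DEVICES[b][1]]
    return cfgs, stuck

def peer_entries(cfgs):
    """Total [Peer] stanzas to maintain across all devices."""
    return sum(c.count("[Peer]") for c in cfgs.values())

if __name__ == "__main__":
    mesh, stuck = full_mesh()
    print("hub-and-spoke peer entries:", peer_entries(hub_and_spoke("server")))
    print("full-mesh peer entries:", peer_entries(mesh))
    print("pairs with no reachable endpoint:", stuck)
```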
This is all great stuff, and reasons to respect Tailscale, but honestly the killer feature for their big-money customers, and the reason I have such strong feelings about it, is much simpler: Tailscale does SSO login, and does it extremely well. If you're running a security practice for a growing tech company, one of the most important early jobs you have is getting all your services migrated to SSO. VPNs are notoriously annoying to SSO (I have seen some janky Okta integrations for OpenVPN).
It’s atrocious. We are using OpenVPN with Okta LDAP and you have to type “password,totpcode” as your password. Alternatively you can type just your password and wait for it to send a push to your phone while OpenVPN is completely blocked waiting. You have a YubiKey? That’s a damn shame.
Training and support for this for our entire company was a pain in the ass. I also felt embarrassed having my name on rolling out something so janky.
We are trialing Tailscale now and onboarding is two minutes and practically doesn’t need a guide (Download the app. Click login. Okta auth however you want). Our OpenVPN guide is like 8 pages.