
Honestly, I hate the idea of having a middle man, but having tried and researched extensively how to make something like a direct tunnel between two clients over the internet it just doesn't always work.

NAT is a godsend for IPv4 exhaustion, but it's also fundamentally crippled the ability for people to host things or make things available directly from their homes.

Hole-punching is an inexact process due to the variety of different NAT types, some of which (e.g. carrier-grade) simply do not allow that sort of connection. So there must be a middle man that accepts packets on their publicly available port and passes them on to another established connection. TURN/STUN (et al.) exist but are archaic and do the same thing with less accountability.

I hate it too, but until we have IPv6 by default with user-controlled firewalls, hosting something in your garage without a business line is not feasible. Hell, I have a $5 a month VPS purely so it can act as the middle man to the servers in my home. At least then I only need to trust myself as the middle man.
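Added example, not part of the thread above: a small Python model of why hole-punching is "inexact". It uses the RFC 4787 vocabulary (endpoint-independent vs address-and-port-dependent mapping and filtering), walks through a rendezvous-assisted punch between two peers, and decides whether the client can go direct or must fall back to a relay (TURN or the commenter's VPS). The addresses, the rendezvous server and the `Nat`/`hole_punch`/`choose_path` names are all constructed for the illustration; nothing touches the network, and timeouts, port prediction and double NAT are deliberately out of scope.

```python
"""Toy model of NAT mapping/filtering behaviour (RFC 4787 terms) and a UDP hole punch.

All addresses are constructed examples from the TEST-NET ranges; nothing is sent on the wire.
"""
from dataclasses import dataclass, field
from itertools import count

EI = "endpoint_independent"      # one public port per inside socket, reused for every destination
APD = "address_port_dependent"   # a fresh public port per (inside socket, destination) pair ("symmetric")

# Constructed example endpoints (assumed for the illustration, not from the original discussion).
RENDEZVOUS = ("203.0.113.10", 3478)    # the STUN-like server both peers can reach
INSIDE_A = ("10.0.0.2", 51820)
INSIDE_B = ("192.168.1.2", 51820)


@dataclass
class Nat:
    public_ip: str
    mapping: str = EI        # how outbound flows are assigned public ports
    filtering: str = APD     # which inbound packets a mapped port accepts
    _ports: count = field(default_factory=lambda: count(40000))
    _map: dict = field(default_factory=dict)      # mapping key -> public port
    _sent_to: dict = field(default_factory=dict)  # public port -> destinations it has sent to

    def translate(self, inside, dest):
        """Forward a packet from `inside` to `dest`; return the public (ip, port) it leaves with."""
        key = (inside, dest) if self.mapping == APD else inside
        port = self._map.setdefault(key, next(self._ports))
        self._sent_to.setdefault(port, set()).add(dest)
        return (self.public_ip, port)

    def admit(self, public_port, src):
        """Does an inbound packet from `src` to `public_port` get through the NAT?"""
        if public_port not in self._sent_to:
            return False                       # no mapping at all: unsolicited, dropped
        if self.filtering == EI:
            return True                        # full cone: any sender may use a mapped port
        return src in self._sent_to[public_port]  # only destinations this port already talked to


def hole_punch(a: Nat, b: Nat) -> bool:
    """Classic rendezvous-assisted punch: learn each other's public endpoint, then both transmit."""
    seen_a = a.translate(INSIDE_A, RENDEZVOUS)   # what the rendezvous server observes for A
    seen_b = b.translate(INSIDE_B, RENDEZVOUS)   # ... and for B; it hands these to the other peer
    src_a = a.translate(INSIDE_A, seen_b)        # A fires at B's reported endpoint
    src_b = b.translate(INSIDE_B, seen_a)        # B fires at A's reported endpoint
    a_hits_b = b.admit(seen_b[1], src_a)
    b_hits_a = a.admit(seen_a[1], src_b)
    if a_hits_b and b_hits_a:
        return True
    # One direction got through: the receiver answers the *actual* source it saw,
    # which rescues a symmetric NAT talking to a full-cone NAT.
    if a_hits_b:
        reply = b.translate(INSIDE_B, src_a)
        return a.admit(src_a[1], reply)
    if b_hits_a:
        reply = a.translate(INSIDE_A, src_b)
        return b.admit(src_b[1], reply)
    return False


def choose_path(a: Nat, b: Nat) -> str:
    """What a real client does with the result: go direct, or fall back to a relay (TURN/VPS)."""
    return "direct" if hole_punch(a, b) else "relay"


if __name__ == "__main__":
    cases = {
        "cone <-> cone": (Nat("198.51.100.1"), Nat("198.51.100.2")),
        "symmetric <-> full cone": (Nat("198.51.100.1", APD, APD), Nat("198.51.100.2", EI, EI)),
        "symmetric <-> restricted cone": (Nat("198.51.100.1", APD, APD), Nat("198.51.100.2", EI, APD)),
        "symmetric <-> symmetric": (Nat("198.51.100.1", APD, APD), Nat("198.51.100.2", APD, APD)),
    }
    for label, (a, b) in cases.items():
        print(f"{label:32} -> {choose_path(a, b)}")
```

The symmetric-to-symmetric case is the one that forces a relay: each NAT hands out a new public port for the peer destination, so the endpoint the rendezvous server reported is stale by the time the peer uses it, and both filters drop the packet. A symmetric NAT facing a full-cone NAT still works only because the full-cone side replies to the source it actually observed rather than the reported one, which is the detail real punchers rely on.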



Their middle man in the data plane handles encrypted packets, so that's not the problem here.

The problem is their control plane that controls the encryption keys. A malicious admin inside TS (or a hack) could grant itself membership in any of their customers' networks. (Or at least this is the worry I read from GP.)


That's definitely a concern, but I feel this can be mitigated by running your own network on top of theirs. Anyone in my home is part of my network, doesn't mean they're in the wg network too.

Aside from that, it's definitely a problem that they could include themselves in any customer network, but the accountability still stands. If someone got in without your screw-up, at least you know who to point the finger at once the dust settles.

I'd argue it should be treated as a base to overlay your network on top of. Although admittedly I say that as someone that doesn't use their services for similar reasons.


> If someone got in without your screw-up, at least you know who to point the finger at once the dust settles.

How do you know you didn't screw up? There are so many vulnerabilities in the gazillion of random stuff you run every day on your laptop. I'd argue it's more likely that something like that was breached than that Tailscaled was breached or rogue.



