@vesto Glad it was helpful! I don't use iOS much, so that #Tailscale battery drain sounds appalling. It sounds like you're having #ZeroTier firewall out things that aren't coming from ZeroTier? That's interesting. I use firehol to do such things. Another option is to have your servers bind to a specific interface, in which case they won't even listen on the other interfaces in the first place. I didn't go as deep with that part of ZeroTier.
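A small added illustration of the "bind to a specific interface" option mentioned above (example code written for this edit, not from the original post or from any of the VPN projects named). It assumes a Linux host: 127.0.0.2 stands in for the mesh-VPN address (Tailscale/ZeroTier/Nebula would give you a real one) and 127.0.0.1 for "every other interface".

```python
import socket

# Constructed demo: a TCP listener pinned to one address is simply not
# reachable through any other address on the host, so nothing has to be
# firewalled after the fact. 127.0.0.2 is used as the stand-in for the
# mesh-VPN interface address (assumption: Linux, where 127.0.0.0/8 is
# all on loopback); on a real host you would bind to the address the
# mesh VPN assigned.


def start_listener(bind_addr: str) -> tuple:
    """Bind a TCP listener to bind_addr only and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))  # port 0: let the kernel pick a free port
    srv.listen(5)             # handshake completes from the backlog, no accept() needed
    return srv, srv.getsockname()[1]


def reachable(addr: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to (addr, port) succeeds, False if refused or timed out."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(bind_addr: str, probe_addrs: list) -> dict:
    """Map each probe address to whether it can reach a listener bound to bind_addr."""
    srv, port = start_listener(bind_addr)
    try:
        return {a: reachable(a, port) for a in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    # Pinned to the "mesh" address: only that path works.
    print(exposure_report("127.0.0.2", ["127.0.0.2", "127.0.0.1"]))
    # Wildcard bind: reachable from every address, i.e. the case you then
    # have to clean up with firewall rules.
    print(exposure_report("0.0.0.0", ["127.0.0.2", "127.0.0.1"]))
```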
I wrote a deep dive about #mesh #VPN solutions, with #NAT traversal and such. Featured: #Yggdrasil, #tinc, #Tailscale, #Zerotier, #Nebula, #Netmaker. "Easily Accessing All Your Stuff with a Zero-Trust Mesh VPN" at https://changelog.complete.org/archives/10478-easily-accessing-all-your-stuff-with-a-zero-trust-mesh-vpn
Thanks to those that participated in the previous thread, and particularly @tailscale .
There are some interesting options these days and I hope to see them continue to gain traction!
@bogosian Hi @tailscale folks! I have a question about the threat model for #Tailscale. If somebody compromises either your control plane, or my account/identity provider, what is the potential damage? I gather an intruder would not be able to sniff my traffic, but they might be able to add additional machines to my network and thus penetrate the network that way, correct? Are there best practices to mitigate that risk? Thanks!
Update: Looks like some candidates include: #Tinc (sort of the OG mesh network VPN, which I didn't realize can do NAT traversal), #Tailscale (fully Open Source if the #Headscale frontend is used), #Nebula, #Netmaker (not entirely clear but I THINK this is also open source). Thanks for the suggestions everyone!
@tc Thank you - yeah, that Open Source #Tailscale implementation sounds interesting! Has anyone compared #Tailscale, #Nebula, #Zerotier, and/or #Netmaker?
There are few #Internet options where I live. Fiber is 2 years out. I may need to use an ISP that uses #CGNAT, which means no open ports at all. I see that #Tailscale and #Zerotier both use #STUN (or something like it) to solve this problem. Are there any pure Open Source tools that can do this? #Yggdrasil is great, but is TCP based, so can't do direct P2P with blocked ports (it can communicate, but via a public or private intermediary.) Perhaps #Debian packages? #askfedi