Tailscale Peer Relays is now generally available

Real-world performance & use cases

  • Multiple reports of big latency and throughput wins, especially for game streaming (e.g., Moonlight/Sunshine), remote desktop, home media, and IoT/warehouse devices behind CGNAT.
  • Used both as a “classic VPN” for personal remote access and as an overlay for industrial/AI workloads (e.g., Cloud Run ingesting RTSP from cameras behind ISP blocks).
  • Some users see unexplained slowdowns or MTU-ish issues even on supposedly direct links.

Peer Relays vs DERP & NAT traversal

  • Peer Relays let any node in a tailnet act as a relay, reducing dependence on centralized DERP servers and improving performance behind restrictive NATs/CGNAT.
  • They build on the existing DERP coordination layer: DERP handles discovery and setup, then connections are “upgraded” to direct or peer-relay paths.
  • Key differences from custom DERP: less configuration, horizontal scaling, no requirement that every node reach every relay, and UDP support (DERP is TCP-only).
  • Some confusion remains about deployment topologies (e.g., where to place relays under CGNAT, relay-selection logic with multiple relays).

Security, logging & privacy

  • Debate over whether using Tailscale is “more secure” than exposing a single VPN port: one side emphasizes Tailscale’s zero-trust-style ACLs and ease of getting security right; the other stresses dependency on a third-party SaaS.
  • Heated discussion about logging: clients send detailed connection metadata to log.tailscale.com by default. Opt-out is possible via TS_NO_LOGS_NO_SUPPORT on many platforms, but not yet on iOS/Android.
  • Some see this as invasive telemetry or even a behavioral-data business model; others argue it’s strictly for support/observability and that payloads remain end-to-end encrypted.

Business model, free tier & rug-pull risk

  • Revenue comes from per-user business plans and premium features (SSH management, application networking, etc.); personal free tier is framed as a customer-acquisition channel.
  • Users worry about future acquisition, pricing changes, or free-tier removal; others note the P2P architecture and Peer Relays reduce operating costs and support a durable free tier.
  • Several people consider Tailscale too central to trust for critical infra and prefer owning the coordination layer (WireGuard directly, Headscale, Netbird, Nebula, etc.).

Open source, clients & alternatives

  • Core client code is open source; some GUIs (notably on Apple platforms) are closed, which bothers users who prioritize full auditability and control.
  • Alternatives mentioned: Headscale (self-hosted control plane), Netbird, Netmaker, ZeroTier, Nebula, OpenZiti, or plain WireGuard with manual management.
  • Trade-off framed as convenience, UX, and features vs. sovereignty, simplicity, and avoiding “enshittification” risks.