Cake day: Jul 29, 2023


I’m probably a medium-technical person :-) Wireguard won’t do the NAT traversal, right? I can’t do the port forwarding thing because of the CGNAT for my connection.


That’s a good description, yes. The self-hosted aspect is that it makes serving things from home, rather than a VPS, trivial.

For example I replaced Dropbox with an app called Syncthing. Previously to do this I would run Syncthing on a VPS so it was accessible from anywhere, or I would have run it at home but used a VPS with a reverse proxy over OpenVPN back to my house.

With Tailscale running on the Syncthing server at home I have a Tailscale IP address for that, which I use on my laptop to access Syncthing. No need for the VPS (especially important for a high storage requirements app), no complicated VPN setup, reduced attack surface, and the benefit of fast access when I’m at home.


Tailscale is a very cool way of seamlessly creating a private network spread out geographically. Devices sign into the Tailnet from anywhere. It’s very big in the selfhosted community (it has a generous free tier). For example my home servers are signed in, so I’m able to stream from my media server to my phone over my private Tailnet tunneled through the internet. I also have an offsite backup location with another server connected to the Tailnet for accepting automated backups.

The underlying technology is Wireguard. It is very smart about figuring out the most effective route - if I’m on my laptop in my home wifi, traffic from my servers is direct; if I’m away somewhere, it’s piped through the net securely. What Tailscale adds is ease of setup and native apps for each device.

The privacy angle is that I’m able to get rid of all the cloud services I used to rely on. For example I don’t want my CCTV system connected to a cloud provider, but with Tailnet I can connect to my cameras over the internet without having to expose the system to a data mining corporation.