As soon as Tailscale provides an option for WireGuard preshared keys, I will use it. I need Tailscale out of my network.
Any plan?
Self-hosting Tailscale will then not be needed, since users don’t need to trust Tailscale anymore.
Even with self-provided PSKs, you're going for an (IMHO) pretty poor trade-off; keys, certificates, etc. should be regularly rotated, and that's a chore that's best left automated. At that point, why not just set up WireGuard yourself?
If you have legitimate concerns, you should be using Headscale[1] (or even plain WireGuard) from day 1. Otherwise - personally I find the current threat model very reasonable; it's in no way worse than trusting any other VPN provider, and they're keeping a pretty big chunk of their code base open for auditing.