Did Tailscale introduce any security measures to their Coordination Server? Last I checked, the coordination server is basically controlled by them and they could easily just insert any of their own pubkeys and infiltrate your network.
Even supporting WireGuard's Share Secret feature would be a start.
As long as that's not addressed, not a chance in hell I'm going to deploy this.
I have been looking for a more user-friendly setup for our company; we're currently using OpenVPN with Viscosity as a client.
Tailscale was on the list of services to check, but if what you say is true, then I will look elsewhere.
For a FOSS solution (now that ZeroTier no longer is one), there’s Nebula, but you’ll have to operate your own central node. That’s nothing compared to maintaining the hell that is IPsec or even OpenVPN, though.
Even bare WireGuard is a joy to set up, to my endless surprise, if you’re fine administering things as a traditional small-scale LAN, manual routing and all.