Switching to Tailscale completely changed the vibe. Suddenly everything could talk to everything else, securely, easily and without the hub getting overwhelmed with switching.

Hub-and-Spoke Network (left) vs Full Mesh Network (right) | Joey Manani

The Old Setup: Hub-and-Spoke WireGuard

Hub-and-spoke basically means:

• Every network node establishes a WireGuard tunnel only to the central hub
• If two spokes want to talk, traffic must route through the hub
• The hub must handle all encryption + forwarding
• No peer-to-peer discovery; everything is statically configured
• Peers basically don't know of each other's existence

In practice, this meant:

• Devices on the same AP-Isolating LAN had to talk via the hub rather than directly on the LAN. AP-Isolation prevents LAN devices talking entirely (hello apartment Wi-Fi)
• Latency was… BAD

It works, but it’s very “manual oldschool energy.”

The Upgrade: Tailscale Full Mesh

Tailscale flips the entire model on its head. Instead of a rigid hub, you now get a full mesh overlay network:

• Every device is a WireGuard peer
  
• Peers discover each other automatically using DERP + magic DNS
  
• Connections become direct, peer-to-peer, and encrypted
  
• If NAT says “no :)“, Tailscale falls back to DERP relay without breaking anything
  
• No manual key management!

The coolest part?
It's still WireGuard under the hood – Tailscale just simplifies all of the annoying parts.

Why Full Mesh Is Better

1. Direct Peer-to-Peer Traffic

With Tailscale, remote servers are able to talk to the home server directly and not zigzag through a hub.

Result:

• Lower latency
• Lower CPU usage
• Faster file transfers
• Hub doesn't have to process the same thing twice

2. Automatic Key Management

WireGuard’s biggest pain point basically disappears.

Tailscale handles:

• Key distribution
  
• Key rotation
• Device onboarding
• Device removal
  
• Secure device signing
• Revocation

3. MagicDNS and Stable IPs

Every node gets a stable 100.x address plus a nice readable DNS name:

storage.tsxxxx.net
raspberrypi.tsxxxx.net
syncthing.tsxxxx.net

Even if I'm switching networks five times a day, nothing breaks and everything remains accessible.

4. DERP & NAT Traversal

If two nodes can't reach each other directly (i.e., via CGNAT or an aggressive firewall), Tailscale relays traffic via DERP.

Full mesh + fallback relay means the connection always exist and is very reliable.

5. No More Central Point of Failure

In hub-and-spoke, if the hub died, the entire VPN network died.

This happened once and the TFR network came to a standstill.

With Tailscale, one node disappearing affects only that node.

Huge stability upgrade.

How I Migrated

1. Removed my WireGuard hub config from all nodes

2. Installed Tailscale everywhere:

   • Home server
     
   • Remote servers
   • NAS
     
   • Laptop
     
   • Phone
     
   • Whatever else I needed

3. Enabled subnet routing for certain networks so local LANs are reachable

4. Turned on MagicDNS using my own internal DNS server including Ad and Tracker blocking

5. Sat back and enjoyed a network that Just Works™

Tailscale DNS | Joey Manani

Final Thoughts

Switching from a DIY hub-and-spoke WireGuard setup to Tailscale full mesh is gamechanging. Same fundamentals, wildly improved experience.

If you've got servers scattered across a few networks, this is the easiest quality-of-life network upgrade you can make.

Everything just works how I like it, and every device knows about each other.

#sysadmin #tailscale #networking #wireguard