Upgrading My Network: From Hub-and-Spoke WireGuard to a Full-Mesh Tailscale Setup
For the past year, my network looked like one of those “draw the star without lifting your pencil” puzzles… except mine absolutely did lift the pencil. Everything passed through a central WireGuard hub: a hub-and-spoke setup. It worked, technically, but it also felt like driving across town just to talk to your neighbour – pretty slow and annoying.
Switching to Tailscale completely changed the vibe. Suddenly everything could talk to everything else, securely, easily and without the hub getting overwhelmed forwarding everyone else's traffic.
Hub-and-Spoke Network (left) vs Full Mesh Network (right) | Joey Manani
The Old Setup: Hub-and-Spoke WireGuard
Hub-and-spoke basically means:
- Every network node establishes a WireGuard tunnel only to the central hub
- If two spokes want to talk, traffic must route through the hub
- The hub must handle all encryption + forwarding
- No peer-to-peer discovery; everything is statically configured
- Peers basically don't know of each other's existence
In practice, this meant:
- Devices on the same AP-isolating LAN had to talk via the hub rather than directly on the LAN. AP isolation stops LAN devices from talking to each other at all (hello apartment Wi-Fi)
- Latency was… BAD
It works, but it’s very “manual oldschool energy.”
The Upgrade: Tailscale Full Mesh
Tailscale flips the entire model on its head. Instead of a rigid hub, you now get a full mesh overlay network:
- Every device is a WireGuard peer
- Peers discover each other automatically using DERP + MagicDNS
- Connections become direct, peer-to-peer, and encrypted
- If NAT says “no :)”, Tailscale falls back to DERP relay without breaking anything
- No manual key management!
The coolest part?
It's still WireGuard under the hood – Tailscale just simplifies all of the annoying parts.
Why Full Mesh Is Better
1. Direct Peer-to-Peer Traffic
With Tailscale, remote servers are able to talk to the home server directly and not zigzag through a hub.
Result:
- Lower latency
- Lower CPU usage
- Faster file transfers
- Hub doesn't have to process the same thing twice
2. Automatic Key Management
WireGuard’s biggest pain point basically disappears.
Tailscale handles:
- Key distribution
- Key rotation
- Device onboarding
- Device removal
- Secure device signing
- Revocation
3. MagicDNS and Stable IPs
Every node gets a stable 100.x address plus a nice readable DNS name:
storage.tsxxxx.net
raspberrypi.tsxxxx.net
syncthing.tsxxxx.net
Even if I'm switching networks five times a day, nothing breaks and everything remains accessible.
4. DERP & NAT Traversal
If two nodes can't reach each other directly (e.g., because of CGNAT or an aggressive firewall), Tailscale relays traffic via DERP.
Full mesh + fallback relay means the connection always exists and is very reliable.
5. No More Central Point of Failure
In hub-and-spoke, if the hub died, the entire VPN network died.
This happened once and the TFR network came to a standstill.
With Tailscale, one node disappearing affects only that node.
Huge stability upgrade.
How I Migrated
- Removed my WireGuard hub config from all nodes
- Installed Tailscale everywhere:
  - Home server
  - Remote servers
  - NAS
  - Laptop
  - Phone
  - Whatever else I needed
- Enabled subnet routing for certain networks so local LANs are reachable
- Turned on MagicDNS using my own internal DNS server, including ad and tracker blocking
- Sat back and enjoyed a network that Just Works™
Tailscale DNS | Joey Manani
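Once the migration above is done, the thing worth verifying is whether peers are actually talking directly or have silently fallen back to the DERP relay described in section 4. The checker below is an added example, not code from the original post or from Tailscale: it parses the JSON that `tailscale status --json` prints and classifies each peer. The field names `Peer`, `HostName`, `Online`, `CurAddr` and `Relay` are assumed from that CLI output, and the embedded status document is constructed for offline use.

```python
import json
import subprocess

# Constructed sample in the shape of `tailscale status --json` (field names
# are an assumption about the CLI's output; hosts and addresses are made up).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "storage", "TailscaleIPs": ["100.64.0.2"],
                        "Online": True, "CurAddr": "203.0.113.10:41641",
                        "Relay": "syd"},
        "nodekey:bbb": {"HostName": "raspberrypi", "TailscaleIPs": ["100.64.0.3"],
                        "Online": True, "CurAddr": "", "Relay": "syd"},
        "nodekey:ccc": {"HostName": "syncthing", "TailscaleIPs": ["100.64.0.4"],
                        "Online": False, "CurAddr": "", "Relay": ""},
    },
})


def classify_peers(status_json: str) -> dict:
    """Map each peer's hostname to 'direct', 'relayed' or 'offline'."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            # A non-empty CurAddr is the direct UDP endpoint currently in use.
            result[name] = "direct"
        else:
            # Online but no direct endpoint: traffic is going through DERP.
            result[name] = "relayed"
    return result


def relayed_peers(status_json: str) -> list:
    """Peers still bouncing through DERP, i.e. not yet a true mesh edge."""
    return sorted(h for h, p in classify_peers(status_json).items() if p == "relayed")


def live_status() -> str:
    """Fetch real status from the local tailscaled (needs the tailscale CLI)."""
    return subprocess.run(["tailscale", "status", "--json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        data = live_status()
    except (FileNotFoundError, subprocess.CalledProcessError):
        data = SAMPLE_STATUS  # fall back to the constructed sample
    for host, path in sorted(classify_peers(data).items()):
        print(f"{host:15} {path}")
```

A peer can show as relayed until some traffic has flowed, because the direct path is negotiated lazily; `tailscale ping <host>` forces that negotiation before you re-run the check.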
Final Thoughts
Switching from a DIY hub-and-spoke WireGuard setup to Tailscale full mesh is game-changing. Same fundamentals, wildly improved experience.
If you've got servers scattered across a few networks, this is the easiest quality-of-life network upgrade you can make.
Everything just works how I like it, and every device knows about every other device.