It is way, way faster than Zerotier. Headscale I am less familiar with, and they do make Tailscale self-hostable, but they're a community-driven project I'm not sure how reliable it'll be long term (can't speak for the author).
On the NAT side, we provide 3 layers of traversal options:
#1 (default) port forwarding: This actually works surprisingly well, for about 90% of environments, but does require an exposed port.
#2 UDP Hole Punching: The server acts similarly to a Nebula "lighthouse" and will tell clients where to reach each other. This covers that small situation of dueling NATs, and doesn't require the exposed port.
#3 Relay: In situations where neither works, such as CGNAT, you can set a public node as a relay to route traffic to the "hidden" node.
> but they're a community-driven project I'm not sure how reliable it'll be long term
Don't take this the wrong way, but subtly/implicitly implying that some software is not going to be reliable in the long run because it only has a community behind it is low-key FUD.
Nahh you're right, that's not a fair criticism at all, and we rely on tons of community-driven stuff. I only meant that as a differentiator because to some companies, they need to know there's a company behind the project for support purposes or they're not gonna use it (whether or not that's fair of them).
Tailscale has some functionality to automatically determine what flavor of NAT traversal is necessary. This isn’t a big deal, but do I have to configure the nodes to use these methods, or will your client figure this out itself?
Right now you need to choose your own option. We're planning to automate this in the next couple of months. I will say, this isn't always a bad thing. We have a lot of users who switched from Tailscale because it was frequently falling back to relay, often via public relays that were hundreds of miles away from them, causing big increases in latency. We want to give people the automation, but also the choice.