> It’s also similar to running your own DERP server (which also works over TCP), but without the hassle of doing so, and perhaps without having to open ports to the internet (needed for DERP), so long as the relay is reachable by peers.
I think most folks will need to open a port to the internet, because otherwise you wouldn't need Tailscale to begin with, e.g. connecting your cloud network to your on-premise network etc.
Of course exceptions apply, like both clients can reach the peer relay, but not each other directly.
I could open a port to the internet, but it would be Tailscale’s responsibility to secure the software that listens on the port (subject to keeping the software up to date, which is my responsibility).
It’s not a standard WireGuard port. With WireGuard included in Linux, I would not be worried.