As far as I’m aware, that works the same way things like Tailscale do, where you need at least one node that is publicly reachable to facilitate.
Correct. This is not something WireGuard does, which was the original comparison.
tinc: One public node, thousands of private nodes, with NAT punching. That's fine and typical in my experience.
Which is a much smaller requirement than needing extra software on every NATed node.
So yes, it is a differentiated thing between WireGuard and tinc, as you phrased it in your other comment.