Wow! I just spent a good chunk of time last week setting up headscale and split horizon SSL behind my network, and I expected I was going to just expose a WireGuard UDP port, but discovered no, it’s DERP or nothing. DERP has been OK, but I think just exposing a UDP port on my local network is better.

If we’re really confident in the security of that UDP client, that is. I feel very comfortable exposing a WireGuard bastion; time will tell how secure whatever protocol Tailscale is serving here will be.

Mind developing on the "it's DERP or nothing"? Have you been trying to expose a direct WireGuard port of your own, or Tailscale's?