I really like it for my use case but just assume it's not secure at all. I change the default Ubuntu install to not run the daemon as root (a major flaw in my view) and then just assume that network is as insecure as any other. It's really useful to have all my personal machines always connected between each other at the same IP independently of network config. Security comes from SSH/TLS on top of it.
Considering that the WireGuard mesh solutions seem to require static IPs, I'm now wondering whether it might be a good idea to run a WireGuard mesh on top of tinc, basically just using tinc as a way to get static IPs and routing connectivity between nodes. That still leaves the issue of updating the WireGuard configuration, though.
It seems that the value-add magic sauce of Tailscale is the work they've put into NAT traversal etc. There are some interesting blog posts from the team regarding work in this area.
I wonder if the work they put in can be extracted to some kind of tool the other projects can use as well. NAT traversal always seems like the limiting factor in projects like this.
NAT traversal is an impossible problem in practice in the general case (boo symmetric NATs), and the best-effort version is a solved problem since at least 2003 with the STUN protocol[1] which is part of WebRTC, and there are STUN implementations available in many languages[2].