
It's WireGuard with a really nice UI.

WireGuard is an outstanding mechanism for building secure virtual private networks.

You can run WireGuard on a bunch of different machines (or virtual machines) spread all over the world and give them the ability to talk to each other as if they were on the same LAN, with every packet fully encrypted.

TailScale has productized this. They wrote software for a bunch of platforms that makes it trivial to connect those machines to your "tailnet" - effectively a WireGuard network which their software manages for you.

They tie this to SSO - so you can install their software on your phone and your home server, sign them both in using Google SSO or similar, and now they're able to talk to each other on a secure virtual network.

I suggest trying the TailScale setup process to really understand how good it is.




So it's a VPN, right?


Its utility is as an "overlay network", but using traditional VPN technology. Yes, it is a virtual network, and it's private, but it's not intended to be used to exit to the internet in a controlled manner, as VPNs are often advertised as.


Well, the original purpose of a VPN was more as a private LAN (as Tailscale seems to advertise itself as) than as a way to exit to the Internet somewhere else. And it does both still.

Seems like Tailscale is a very souped up VPN, though. You can add more nodes to the network easily, and even have multiple gateways to the Internet.


> Well, the original purpose of a VPN was more as a private LAN

You're conflating two concepts.

An "oldschool" VPN connection (using e.g. IPSec) is something that allows your computer to remotely "join" a real, physical LAN. It's basically equivalent to running PPP over IP: your computer "dials up" a daemon running on a server somewhere; that daemon accepts a stream of raw packets from your computer's network stack; and then that daemon dumps those packets out through one of the server's NICs onto a local network segment — where those packets are then handled by the switch they run into as if your computer was directly plugged into that switch. So your computer can acquire an IP address for its VPN "bridge" interface via DHCP from the switch; can talk to other devices on that private network through the switch; can talk to the Internet via NAT through that switch; etc.

Tailscale, meanwhile, creates a software-defined virtual LAN on top of p2p mesh networking of the nodes. There's no actual network segment anywhere that your packets are being dumped out onto; the "switch" handling your packets is a shared distributed abstract-machine that's partly running on your Tailscale client, and partly running on the other nodes' Tailscale clients. That virtual LAN doesn't have a routing table + NAT on it to translate packets into Internet-bound packets. Nor does the LAN have the ability to host L2 services like DHCP. It's just a functional L3 simulation of an L1 network segment, not a faithful emulation of an L1 network segment.


Ah, makes sense. I realized Tailscale was a virtual network but forgot that a VPN doesn't include that functionality.


It's kinda a VPN.

Tailscale on its own is a mesh network that allows your devices to communicate (in a VPN, technically, yes) between themselves.

If you have an exit node, then you can route your traffic to that exit node in the way most people think of a VPN.

It also has Mullvad integration, providing Mullvad servers as exit nodes.

If you use an exit node, then it's functionally equivalent to a VPN with fancy features.
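The mesh-versus-exit-node distinction in the comment above comes down to WireGuard's cryptokey routing table, which Tailscale manages under the hood. The following is an added illustration, not code from the thread or from Tailscale: a small model of that table, where peer names, keys and the 100.64.0.0/10 addresses are constructed. An ordinary mesh peer is listed only with its own /32, so it can neither attract nor inject traffic for any other address; an exit node additionally carries 0.0.0.0/0, which is what turns the mesh into a traditional full-tunnel VPN.

```python
# Added example: a minimal model of WireGuard's cryptokey routing, the
# mechanism behind "mesh peer" versus "exit node". All peer names, key
# placeholders and addresses here are constructed for the example.
import ipaddress

# AllowedIPs for each peer (keyed by a placeholder public key) decides:
#   - outbound: which destinations are encrypted to that peer
#   - inbound:  which source addresses that peer may send to us
PEERS = {
    "phone-pubkey":  ["100.64.0.2/32"],                  # mesh peer
    "server-pubkey": ["100.64.0.3/32"],                  # mesh peer
    "exit-pubkey":   ["100.64.0.4/32", "0.0.0.0/0"],     # exit node
}


def _routing_table(peers):
    """Flatten AllowedIPs into (network, pubkey) rows, longest prefix first."""
    rows = [(ipaddress.ip_network(n), pk) for pk, nets in peers.items() for n in nets]
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def peer_for_destination(dst, peers=PEERS):
    """Return the peer a packet to `dst` is encrypted for, or None if no route."""
    addr = ipaddress.ip_address(dst)
    for net, pubkey in _routing_table(peers):
        if addr in net:
            return pubkey
    return None  # without an exit node, Internet-bound traffic simply has no route


def accept_inbound(pubkey, src, peers=PEERS):
    """Inbound filter: a decrypted packet from `pubkey` must carry a source in its AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in peers.get(pubkey, []))


def mesh_only(peers=PEERS):
    """The same tailnet with the exit node removed: only /32 routes remain."""
    return {pk: nets for pk, nets in peers.items() if "0.0.0.0/0" not in nets}
```

The same ingress rule is why a compromised mesh peer cannot spoof another node's address: a packet decrypted under the phone's key but claiming 100.64.0.3 as its source is dropped by the filter.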


It makes setting up your own peer-to-peer VPN between your devices easy.

https://tailscale.com/kb/1151/what-is-tailscale/



