alt Hacker News> Otherwise Plan 9 can do it's own VPN-like over tls or ssh tunnels and bind remote network stacks to a local namespace
Note that one of Tailscale's main party tricks is NAT traversal, when both machines are behind different NATs and can't otherwise get a connection open to each other. (And then Tailscale ultimately falls back to a relay server on the internet if it can't get a direct connection for IP packets)
For situations where you have no control over the NAT then this is indeed the case.
Though, 9front lets you run your own NAT giving you an Internet facing 9 machine you can serve a TLS tunnel from directly. So the server side is solved making the client side NAT a non issue.