Maybe I'm dumb, but I still don't quite understand the value-add of Tailscale over what WireGuard or some other VPN already provides. HN has tried to explain it to me but it just seems like sugar on top of a plain old VPN. Kind of like how "pi-hole" is just sugar on top of dnsmasq, and Plex is just sugar on top of file sharing.
If you're confident that you know how to securely configure and use WireGuard across multiple devices then great, you probably don't need Tailscale for a home lab.
Tailscale gives me an app I can install on my iPhone and my Mac and a service I can install on pretty much any Linux device imaginable. I sign into each of those apps once and I'm done.
The first time I set it up that took less than five minutes from idea to now-my-devices-are-securely-networked.
It’s a bit more than sugar.
1. 1-command (or step) to have a new device join your network. WireGuard configs and interfaces managed on your behalf.
2. ACLs that allow you to have fine grained control over connectivity. For example, server A should never be able to talk to server B.
3. NAT is handled completely transparently.
4. SSO and other niceties.
For me, (1) and (2) in particular make it a huge value add over managing WireGuard setup, configs, and firewall rules manually.
> Plex is just sugar on top of file sharing.
Right, like browsers are just sugar on top of curl.
Tailscale is WireGuard but it automatically sets everything up for you, handles DDNS, can punch through NAT and CGNAT, etc. It's also running a WireGuard server on every device so rather than having a hub server in the LAN, it directly connects to every device. Particularly helpful if it's not just one LAN you are trying to connect to, but you have lots of devices in different areas.
Tailscale is able to punch holes in CGNAT, which vanilla WireGuard cannot.
I always assumed it was because a lot of ISPs use CGNAT and using Tailscale servers for hole punching is (slightly) easier than renting and configuring a VPS.
> Kind of like how "pi-hole" is just sugar on top of dnsmasq, and Plex is just sugar on top of file sharing.
Speaking of that, I have always preferred a plain Unbound instance and a Samba server over fancier alternatives. I guess I like my setups extremely barebone.
You don’t have to run the control plane and you don’t have to manage DNS & SSL keys for the DNS entries. Additionally the RBAC is pretty easy.
All these are manageable through other tools, but it's a more complicated stack to keep up.
Yes, that is really all it is.
If Plex is "just file sharing" then I guarantee you'd find Tailscale "just WireGuard".
I enjoy that relative "normies" can depend on it/integrate it without me having to go through annoying bits. I like that it "just works" without requiring loads of annoying networking.
For example, my aging mother just got a replacement computer and I am able to make it easy to access and remotely administer by just putting Tailscale on it, and have that work seamlessly with my other devices and connections. If one day I want to fully self-host, then I can run Headscale.
I think you answered the question. Sugar. It's easier than managing your own WireGuard connections. Adding a device just means logging into the Tailscale client, no need to distribute information to or from other devices. Get a new phone while traveling because yours was stolen? You can set up Tailscale and be back on your private network in a couple minutes.
Why did people use Dropbox instead of setting up their own FTP servers? Because it was easier.