Same applies to Tailscale. A Tailscale client, coordination plane vulnerability, or incomplete understanding of their trust model is also all it takes. You are adding attack surface, not removing it.

If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.

If you are exposing a handful of hardened services on infrastructure you control, Tailscale adds complexity for no gain. If you are connecting machines across networks you do not control, or want zero-config access to internal services, then I can see its appeal.

Someone would need your 256-bit key to do anything to an exposed Wireguard port.

Using a BigCorp service also has risks. You are exposed to many of their vulnerabilities, that’s why our information ends up in data leaks.

Even if you understand what you are doing, you are still exposed to every single security bug in all of the services you host. Most of these self hosted tools have not been through 1% of the security testing big tech services have.

This felt like it didn’t do your aim justice, “$X and an incomplete understanding of what you’re doing is all it takes to be compromised” applies to many $X, including Tailscale.