
They can add a node and connect to whatever other node they want.


Haven't thought about that and this should certainly be addressed - especially if I'd use Tailscale for business.


This seems solvable. They talk about that here: https://tailscale.com/kb/1099/device-authorization/

But it still seems like they could flip that feature off if they got compromised. To remedy that, feels like they could support a preshared secret that they don't control / see being shared as a first step: https://tailscale.com/kb/1099/device-authorization/#generate...


I think the Tailscale part that actually knows what auth keys look like is proprietary, but at least for Headscale they seem to be just unguessable database row identifiers: https://github.com/juanfont/headscale/blob/ade4e23e149e7846b...

Nothing in the Tailscale design has ever pointed to features that would guard your infrastructure from them.


Yeah, they control this setting so they can just disable it, or override it.

Since Headscale exists, though, this problem is solved quite neatly.


You can't generate a secret with a webapp they control without them controlling the secret too.


I assume the notion was that the nodes will all know the secret but the control server won't.


Exactly. Pre-shared secret out of band.
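The out-of-band pre-shared secret idea from the last few comments, as an added sketch (not part of the thread, and not Tailscale or Headscale code): each node tags its own public key with an HMAC under a secret the control server never sees, and every node drops peer-list entries whose tag does not verify. The `Peer` type, `Endorse`, `FilterPeers`, the `label` string and the sample keys are all hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Peer is one peer-list entry as relayed by the control server (hypothetical type).
type Peer struct {
	Name      string
	PublicKey []byte
	Tag       []byte // HMAC over PublicKey, computed by the peer itself
}

const label = "node-endorse-v1" // domain-separation prefix (constructed)

// Endorse runs on a node that holds the pre-shared secret; the control server cannot run it.
func Endorse(psk, publicKey []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(append([]byte(label), publicKey...))
	return m.Sum(nil)
}

// FilterPeers keeps peers whose tag verifies and returns the rejected names for alerting.
func FilterPeers(psk []byte, peers []Peer) (accepted []Peer, rejected []string) {
	for _, p := range peers {
		if hmac.Equal(p.Tag, Endorse(psk, p.PublicKey)) { // constant-time compare
			accepted = append(accepted, p)
		} else {
			rejected = append(rejected, p.Name)
		}
	}
	return accepted, rejected
}

// SamplePeers is constructed data: two enrolled nodes and one entry added without the secret.
func SamplePeers(psk []byte) []Peer {
	return []Peer{
		{"laptop", []byte("pubkey-laptop"), Endorse(psk, []byte("pubkey-laptop"))},
		{"server", []byte("pubkey-server"), Endorse(psk, []byte("pubkey-server"))},
		{"injected", []byte("pubkey-injected"), make([]byte, sha256.Size)},
	}
}

func main() {
	psk := []byte("constructed-secret-shared-out-of-band")
	ok, bad := FilterPeers(psk, SamplePeers(psk))
	fmt.Println(len(ok), "accepted; rejected:", bad)
}
```

Any node that holds the secret can endorse any key, so this only guards against a party that never had it, such as the control server in the scenario discussed.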



