Tailscale is a mesh overlay network that uses Wireguard under the hood. Traffic moves peer to peer as much as possible. DNS happens locally (the special 100.100.100.100 address actually points at the tailscale daemon running on each machine, which already holds the name -> address mapping that MagicDNS needs to work).
You login to Tailscale from each device in order for the central Tailscale control plane to authenticate the device and for it to distribute that device's public Wireguard key out to the rest of the mesh.
I haven't personally used this, but many folks on HN also like that there's an open-source, self-hosted implementation of the control server. https://github.com/juanfont/headscale
You login to Tailscale from each device in order for the central Tailscale control plane to authenticate the device and for it to distribute that device's public Wireguard key out to the rest of the mesh.