> If you’re a system administrator or technical person looking for a completely open source, free peer-to-peer mesh VPN, and you’re willing to run a certificate authority and the control plane yourself, try out Nebula.
> If you’re looking for a polished, user-friendly peer-to-peer mesh VPN with a hosted control plane and integration with existing identity providers, give Tailscale a try.
Hm — there’s a middle ground here that’s missing. I’d like to see a managed mesh allow for disabling its key distribution for certain nodes. They don’t create WireGuard peers for any but a predefined shortlist of public keys, but still accept route updates from those peers.
The threat model is someone adding peers to the control plane, including as a result of control plane takeover or the identity provider failing. These special nodes can’t then be made to talk to anybody they can’t authenticate, no matter what you do on the control plane. It assumes private keys are safe. Obviously this is a client-side setting, which shouldn’t have any control plane API, just like the current Tailscale options to e.g. accept no incoming traffic. This comes from my experience with ZeroTier, which I wrote about here: https://news.ycombinator.com/item?id=28426664
Then you can run your own WireGuard key distribution if you like, but ideally you just distribute manually for a few nodes and leave it at that.
Tiny usability improvement for small networks: “freeze” mode, where the current set of peer public keys is frozen and no new peers can be added. Tie this to a (G)UI on each node to accept new peers anyway with user interaction using Signal-style key visualisation, and you’re cooking with gas. Probably not worth it though; virtually nobody with three devices total and the time to do this manually really needs it.
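The client-side peer pinning and freeze mode sketched in the comment above, as an added Go example (not Tailscale's, Nebula's or the commenter's code): the `PeerUpdate` shape, the `PinnedPeers` type and the `KEY_*` values are assumptions constructed for illustration, not any real control-plane schema.

```go
package main

import "fmt"

// PeerUpdate is one peer entry as a control plane pushes it (constructed shape, not Tailscale's or Nebula's).
type PeerUpdate struct {
	PublicKey string   // WireGuard public key of the peer
	Routes    []string // CIDRs the control plane says this peer serves
}

// PinnedPeers is a client-side allowlist the control plane cannot change; Frozen also refuses local additions.
type PinnedPeers struct {
	keys   map[string]bool
	Frozen bool
}

func NewPinnedPeers(keys ...string) *PinnedPeers {
	p := &PinnedPeers{keys: map[string]bool{}}
	for _, k := range keys {
		p.keys[k] = true
	}
	return p
}

// Accept is the only way to add a peer: a local, user-driven action after
// out-of-band key verification. No control-plane code path reaches it.
func (p *PinnedPeers) Accept(key string) bool {
	if p.Frozen {
		return false
	}
	p.keys[key] = true
	return true
}

// Filter applies a control-plane update: route changes for pinned peers pass, unpinned peers
// are dropped and reported, so a taken-over control plane can only shift routes among known peers.
func (p *PinnedPeers) Filter(update []PeerUpdate) (applied []PeerUpdate, rejected []string) {
	for _, u := range update {
		if p.keys[u.PublicKey] {
			applied = append(applied, u)
		} else {
			rejected = append(rejected, u.PublicKey)
		}
	}
	return applied, rejected
}

func main() { // KEY_A / KEY_X are placeholders, not real WireGuard keys
	applied, rejected := NewPinnedPeers("KEY_A").Filter([]PeerUpdate{{"KEY_A", []string{"10.0.1.0/24"}}, {"KEY_X", []string{"0.0.0.0/0"}}})
	fmt.Println(len(applied), "applied, rejected:", rejected)
}
```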