Looked at what actually replaces Tailscale on Linux when the issue is DNS/netfilter/CGNAT invasiveness, not WireGuard itself. Headscale, NetBird, Netmaker, Nebula, and Cloudflare Tunnel each solve a different slice. The real fix is separating private management access from public-facing APIs.
Two announcements from Cloudflare Agents Week 2026 on April 14: Mesh connects AI agents to private networks, and the Enterprise MCP Reference Architecture governs tool access at organizational scale.
The full picture of Operation Masquerade as disclosed by the FBI and NCSC. APT28 tampered with SOHO router DNS to intercept Outlook auth tokens — the techniques and countermeasures.
