So the general Tailscale actually uses peer-to-peer WireGuard connections. Headscale is the middle point to negotiate these WireGuard connections.
So none of the traffic moves through the VPS.
As for a VPS itself, it’s no more unsafe than your local bare metal. It’s still an application publicly exposed and needs basic precautions like fail2ban or CrowdSec.