Tailscale uses the Wireguard protocol (in userspace, not kernel) along with a user and IP management system, a STUN system and a relay so they can provide easy management and connectivity even behind NAT or CGNAT. The relay uses https headers to hide the traffic, which provides a slower connection but allows connectivity in networks that block UDP or VPN traffic.

Installing a Wireguard server would use a kernel implementation of the WG protocol, but you have to open a port on the server side for it, and manually create the peer configuration and public/private keys for them. It is slightly faster, but not as easy to deploy or as versatile when dealing with complicated networks, dual NAT or CGNAT. Also very easy to block on networks as it does not obfuscates the traffic.

I chose to deploy a Wireguard server because it works well for my needs, but if I was behind CGNAT or connected through restrictive networks I would move to Tailscale.