DEV Community

Alex

Posted on • Updated on • Originally published at netmaker.io

Tailscale vs WireGuard

Introduction

WireGuard is a next-gen, open source VPN protocol. It is easy to implement, provides extremely fast speeds, and has modern cryptography.

Tailscale is a VPN service built on top of the WireGuard protocol. It provides secure networking for teams and individuals, allowing them to create a network amongst their devices across various platforms.

In this article we’ll compare and contrast Tailscale and WireGuard, and introduce Netmaker, another VPN service built on WireGuard. Or, scroll to the bottom and get a side-by-side comparison of all three.

Why WireGuard?

For decades, businesses have relied on old, slow, but reliable VPN implementations like OpenVPN, IPsec, SSTP, and others. VPNs have tended to be clunky, and as such, businesses have started to migrate to new patterns like zero trust and SASE, that eliminate the VPN altogether.

When WireGuard was released in 2020, it changed the value proposition of VPNs. It is so fast that it can be used for data-intensive workloads with minimal impact on performance. It is so efficient that it requires minimal processing power. It is so simple that a basic VPN between two machines can be set up in minutes. And it is an extremely secure implementation, using state-of-the-art cryptography and symmetric key encryption. Not to mention, it is open source.

This is why, for most IT administrators implementing a low-level VPN from scratch, WireGuard is really the only choice.

Why Tailscale?

With all these advantages, WireGuard is still a low-level protocol. This is by design. Jason Donenfeld has stated that he wants to keep WireGuard small and simple, and prefers to let others build more complex tools and platforms on top of the protocol.

Because of this, WireGuard lacks many of the features that users of more “standard” VPNs have become accustomed to: user authentication, access controls, and a central server to manage the VPN. Enter Tailscale.

Tailscale takes the WireGuard protocol and wraps it in their own client application. Users register with Tailscale, set up an account, and can enroll clients in a private network. Connections between devices are done using WireGuard, but Tailscale manages more advanced aspects like users and device discovery. Using Tailscale’s UI, users can set up advanced access controls for a whole organization, and shape their network accordingly.

Advantages of Tailscale over WireGuard

Device Discovery: With Tailscale, you simply use the Tailscale client to authenticate with your network, and then you are immediately given access to all the other devices in the network. With WireGuard, this would be a manual effort. You would need to modify all of the WireGuard clients in the network to account for the new machine.
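As an added illustration (not code from the original post) of the manual effort described above: a small Python script that renders full-mesh WireGuard configs for a constructed sample network and shows that enrolling one more machine changes every existing node's wg0.conf. Node names, hosts and keys are placeholders, not real X25519 keys.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    vpn_ip: str             # address inside the WireGuard network
    endpoint: str | None    # public host:port, or None when behind NAT
    pubkey: str             # constructed placeholder, not a real key

def render_config(me: Node, nodes: list[Node]) -> str:
    """Render wg0.conf for `me`: one [Peer] block for every other node."""
    lines = ["[Interface]",
             f"PrivateKey = PRIVKEY_{me.name}",  # placeholder; real keys never go in VCS
             f"Address = {me.vpn_ip}/24"]
    if me.endpoint:
        lines.append(f"ListenPort = {me.endpoint.rsplit(':', 1)[1]}")
    for peer in nodes:
        if peer.name == me.name:
            continue
        # AllowedIPs is WireGuard's cryptokey routing table: it both routes traffic
        # to this peer and drops packets from it that carry any other source IP.
        lines += ["", "[Peer]", f"PublicKey = {peer.pubkey}",
                  f"AllowedIPs = {peer.vpn_ip}/32"]
        if peer.endpoint:
            lines.append(f"Endpoint = {peer.endpoint}")
            if not me.endpoint:  # I am behind NAT: keep the mapping alive toward public peers
                lines.append("PersistentKeepalive = 25")
        # Two NATed peers get no Endpoint at all; they cannot reach each other
        # without a relay, which is the gap the managed platforms fill.
    return "\n".join(lines) + "\n"

def render_mesh(nodes: list[Node]) -> dict[str, str]:
    return {n.name: render_config(n, nodes) for n in nodes}

def changed_configs(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """Nodes whose wg0.conf must be rewritten and reloaded after a change."""
    return sorted(name for name in after if before.get(name) != after[name])

# Constructed sample network: two public hosts and one laptop behind NAT.
SAMPLE_NODES = [
    Node("alpha", "10.0.0.1", "alpha.example.com:51820", "PUBKEY_alpha"),
    Node("beta",  "10.0.0.2", "beta.example.com:51820",  "PUBKEY_beta"),
    Node("gamma", "10.0.0.3", None,                      "PUBKEY_gamma"),
]
NEW_NODE = Node("delta", "10.0.0.4", None, "PUBKEY_delta")

def demo() -> list[str]:
    """Enroll one more node and report which configs had to change (all of them)."""
    before = render_mesh(SAMPLE_NODES)
    after = render_mesh(SAMPLE_NODES + [NEW_NODE])
    return changed_configs(before, after)

if __name__ == "__main__":
    print("configs to rewrite after adding delta:", demo())
    print(render_config(NEW_NODE, SAMPLE_NODES + [NEW_NODE]))
```

Each name that `demo()` returns is a host where an administrator must edit the file and reload the interface; a managed control plane does exactly this distribution for you.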

Network Management: Tailscale gives you a nice UI to log into, which allows you to view all of the devices in your network and make configuration changes as necessary, which are automatically applied to the network. With WireGuard alone, this is again a manual effort. Any change to the network must be applied to each device individually.

User Management: Tailscale allows you to match devices to users, and use SSO to join a network. With WireGuard alone, there is no concept of “users”, just devices.

Advanced Features: There are many standard things a VPN administrator might like to do, which again are a manual process with pure WireGuard. Things like routing to an external network, private DNS, and access controls. All of these are included in Tailscale.

Advantages of WireGuard over Tailscale

Cost: While Tailscale offers a substantial free tier for personal use, using Tailscale in a business setting will not be free. Based on the setup, it could cost you $18 per user per month.

Data Ownership: Tailscale is a SaaS platform, meaning your devices are registered to a 3rd party. While theoretically your data is fully encrypted and invisible to Tailscale, it can still be concerning to have your sensitive info on a 3rd party platform. Additionally, traffic will regularly route through Tailscale’s relay servers, rather than directly between your devices.

Low Level Configuration: While WireGuard is fully customizable, there is no simple way to integrate Tailscale with a regular WireGuard network, or to customize a Tailscale interface as if it were a WireGuard interface. If you would like to create your own WireGuard interfaces, or manage a Tailscale device as if it were WireGuard, you’re probably out of luck. This will be frustrating to some users who wish to do some low-level tweaking of their device settings.

Speed: Lastly, Tailscale is slower than a pure WireGuard approach. Tailscale defaults to a non-kernel implementation of WireGuard, which has security benefits, but the tradeoff is speed. Also, your traffic is often routed through Tailscale’s relay servers, and some users have found this adds significant latency to their setups.

Netmaker

Netmaker is a third option which combines some of the more powerful features of Tailscale with a more native WireGuard approach. Like Tailscale, Netmaker offers user management, device management, advanced features, and a central UI / control plane for administrators. But Netmaker also has some additional advantages, for those who prefer pure WireGuard.

Advantages of Netmaker over Tailscale

Cost: Netmaker has a completely free community version, and a paid SaaS version, which starts at just $1 per device per month.

Data Ownership: In addition to a SaaS offering, Netmaker allows you to “self host” the control plane and relay servers, giving you complete data ownership.

Low Level Configuration: Netmaker has a “Client Gateway” feature, which allows you to generate and “hook in” pure WireGuard config files, meaning you can customize a WireGuard interface however you want, and integrate it into your network.

Speed: Netmaker defaults to kernel WireGuard, taking full advantage of WireGuard’s native speed benefits. You can see some speed tests here and here.

Limitations

User Management: Netmaker’s user authentication and authorization are simple, and do not currently offer the level of control or integration that Tailscale offers.

Client Application: Netmaker’s client is available for Windows, Mac, Linux, and FreeBSD, but the Windows and Mac experience is much less polished than Tailscale’s. There is also currently no iOS or Android application, and users must use the standard WireGuard client to access a Netmaker network from their mobile devices.

The Verdict

Tailscale and WireGuard are both excellent solutions but cater to different needs. If you're looking for a simple, secure, and easy-to-use VPN for larger networks or teams, Tailscale is a fantastic choice. It removes much of the hassle associated with setting up and managing a VPN.

On the other hand, if you need to perform low-level customizations, want complete control of your implementation, and do not want to pay, WireGuard is the way to go. It is also probably the best approach if you only have a few devices in your network, which will remain relatively static.

Netmaker offers a healthy mix of both options, making it an excellent choice for users who want full WireGuard speed, data control, and a degree of customization, while still getting a management platform and client application to simplify their implementation.

All of these options are secure, efficient, and modern VPN solutions. Your choice will depend on your specific requirements, technical expertise, and budget. By understanding the strengths and weaknesses of each, you can choose the right tool that aligns with your network needs.

A comparison of Tailscale, WireGuard, and Netmaker

Top comments (3)

John P. Rouillard

In your summary chart, you have an X for "Full WireGuard Speed" and "WireGuard". Is that an error? If not can you explain?

Alex

A dumb mistake on my part 🤦

It is fixed now.

Dharma

Hello friend, I have some questions about reverse tunneling that I hope to get help with. Here's my scenario:

  1. I have a Docker container running in a data center in Tokyo, Asia. The host machine for this container does not have a public IP to serve requests externally.
  2. I have an application service running in the United States with a public IP.
  3. Now, I want the application service in the United States with the public IP to send a task to the Docker container located in the private network in Tokyo and upon completion, return the data to the United States. I'm looking for a simple implementation method, other than openvpn.