Alex
Posted on August 1, 2023
Businesses have migrated towards a “remote first” and “cloud first” posture. In this world, traditional corporate firewalls with physical routers and switches are going away. Additionally, the rise of IoT and Edge Computing has made networking more complex, with corporate devices often deployed in public networks.
Companies have had to adapt. Traditional VPNs just don’t getting the job done, and new patterns like “zero trust” and SASE have taken their place. One alternative is the “mesh VPN” (Tailscale’s term) or “SD-WAN” (ZeroTier’s term), which bring the best of VPN’s and modern networking together to provide fast, point-to-point networks coupled with fine-grained access controls, giving businesses the best of both worlds.
In this article we’ll compare and contrast Tailscale and ZeroTier, and introduce Netmaker, another comparable platform. Or, scroll to the bottom and get a side-by-side comparison of all three.
Overview
Tailscale is a VPN service built on the WireGuard protocol. It provides secure networking for teams and individuals, allowing them to create a network amongst their devices across various platforms. Tailscale’s core advantage is its simplicity — A single user can hit the ground running in just minutes.
ZeroTier is a VPN platform that uses their own custom protocol to connect devices securely across the internet. ZeroTier’s advanced network virtualization capabilities allow you to “treat the entire planet like one data center.”
Similarities
At their core, ZeroTier and Tailscale are both very similar. Both are platforms that allow you to enroll and manage devices in a secure, peer-to-peer VPN network.
Endpoint Management
Both Tailscale and ZeroTier give every device in your network a private IPv4 address, which is reachable from anywhere, simplifying network management and remote access to devices. Both platforms also let you edit and make changes to each device in your network.
Peer-to-Peer Networks
Both platforms also give you a peer-to-peer network by default, meaning every device has a direct connection to every other device, which is great for speed.
Access Controls
Both Tailscale and ZeroTier allow you to define policies that control the reachability of devices and the flow of traffic across your network.
Differences
While ZeroTier and Tailscale are very similar, and can often be used to accomplish the same use cases, they do have some differences, both technical and non-technical, which could make the difference for some users.
Protocol
Tailscale uses a userspace WireGuard protocol for its clients, while ZeroTier uses their own in-house protocol. Both are secure and performant, but there are advantages to using an “industry standard” like WireGuard.
Self-Hosting
Tailscale is a pure SaaS and you cannot “self-host” their control plane. Additionally, data will pass through their relay (DERP) servers fairly regularly. As a workaround, some users use Headscale, a project that lets you use Tailscale clients with a self-hosted server. ZeroTier has some self-hosting options, but you cannot use their UI if you do this, making it somewhat inconvenient, but still possible, to self-host.
Pricing
Both offer substantial free tiers, but ZeroTier prices by “node pack”, meaning you are buying the ability to deploy 25 nodes at a time, which is pretty simple to calculate. Tailscale meanwhile offers several “tiers” with different features, and charges per-user, with each user getting 10 or 20 devices included. Trying to figure out what you will end up paying is much more difficult for a Tailscale setup.
Configurability and Ease-of-Use
ZeroTier allows you to manage multiple networks, CIDR’s, IP’s, multicasting, and more. As mentioned above, you can also self-host portions of their platform which you cannot with Tailscale.
Tailscale, meanwhile, is focused on a simple user experience. You don’t have as many options as ZeroTier, but it is much easier to use, especially for users with limited networking knowledge.
User Management
Tailscale has a much more well-defined user management schema, and is more suited to the standard “corporate VPN” use case of end-user devices.
Device Management
ZeroTier has more low-level configuration options, which make it better at integrating devices like servers and VM’s.
Netmaker
Netmaker is a third option which combines some of the more powerful features of ZeroTier with the ability to run kernel WireGuard.
Advantages
Protocol: Similar to Tailscale, Netmaker is based on WireGuard, which makes it cryptographically modern, standard, secure, and fast.
Speed: Netmaker has shown to be faster than ZeroTier and Tailscale, due to its use of kernel WireGuard (Tailscale uses userspace WireGuard, which is slower). You can view two different speed tests here and here.
Flexibility: Netmaker is highly configurable. You can create your own relays, egress gateways, WireGuard gateways, and set up access controls to create many different types of networks besides the standard “mesh VPN.” You can also fully self-host Netmaker, unlike both Tailscale and ZeroTier.
Price: Netmaker has a substantial free tier, and unlike both ZeroTier and Tailscale, who’s pricing can be confusing, the paid tier starts at just $1 per device, making it an easy usage-based calculation.
Drawbacks
User Auth and Management: Netmaker’s user authentication and authorization is simple, and does not currently offer many of the integrations that some businesses may be looking for, such as session expiration and LDAP integration. Netmaker’s access controls are also on the device level, rather than the user level.
Client Application: Netmaker’s client is available for Windows, Mac, Linux, and FreeBSD, but the Windows and Mac experience is less polished than many user-centric VPN’s. There is also currently no iOS or Android application, and users must use the standard WireGuard client to access a Netmaker network from their mobile devices.
The Verdict
Tailscale and ZeroTier are excellent solutions but cater to different needs. If you’re looking for a simple, secure, and easy-to-use VPN for smaller networks or teams, Tailscale is a fantastic choice. It removes much of the hassle associated with setting up and managing a VPN.
On the other hand, if you’re dealing with a more complex, device-centric network infrastructure, and WireGuard is not a priority, ZeroTier is your go-to option.
Netmaker can offer additional configurability over both Tailscale and ZeroTier, as well as faster speeds, while using WireGuard under the hood, making it a great choice for users with device-centric networks needing WireGuard integration, or for users who need to host their own control plane.
All of these options are secure, efficient, and modern VPN solutions. Your choice will depend on your specific requirements, technical expertise, and budget. By understanding the strengths and weaknesses of each, you can choose the right tool that aligns with your network needs.
Posted on August 1, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.