Overlay VPN networks establish encrypted peer-to-peer tunnels between devices using a coordination server that manages authentication and key exchange — but doesn't route traffic. Once devices authenticate, they connect directly. Most implementations use WireGuard for the actual encryption.
This article compares the five main options: Tailscale, Netbird, Netmaker, ZeroTier, and Twingate. The architecture differences between overlay networks and traditional VPNs are covered separately.
What you need to know:
- Most of the major overlay networks are built on WireGuard; the exceptions are ZeroTier, which uses a custom protocol, and Twingate, which uses TLS with undocumented protocol details. Encryption quality is similar across the WireGuard-based implementations.
- Tailscale and Netbird are the strongest general recommendations — WireGuard-based, well-documented, practical to run.
- Jurisdiction matters for managed services. Tailscale, ZeroTier, and Twingate are US-based and subject to the CLOUD Act. Netbird is self-hostable, which removes that dependency.
- Self-hosted coordination servers eliminate the third-party trust issue — Headscale (for Tailscale) and Netbird's self-hosted option both work.
- Twingate is closed-source and not self-hostable — least transparent option; enterprise-focused.
I've run Tailscale and Netbird in production environments across home lab and small-team deployments. The feature comparison below is from direct testing.
How Overlay Networks Work
A coordination server manages device identity and cryptographic keys. When two devices need to connect:
- Both devices authenticate with the coordination server
- The server provides each device with the other's public key and network information
- Devices establish a direct WireGuard (or equivalent) tunnel using UDP hole punching to traverse NAT
- Traffic flows peer-to-peer — the coordination server sees authentication events but not tunnel traffic
This architecture eliminates the central bottleneck and single point of failure of traditional VPN gateways. It also means no inbound ports need to be opened on internal networks — connections are outbound-initiated by both endpoints.
Platform Comparison
Tailscale
Encryption: WireGuard
Open source: Client only (the server/control plane is proprietary, but Headscale provides an open-source alternative)
Self-hosting: Via Headscale (third-party, well-maintained)
Jurisdiction: US (Tailscale Inc.), CLOUD Act applicable to managed service
Free tier: 100 devices, no credit card required
Pricing: $6/user/month (Starter), $18/user/month (Premium)
Platforms: Windows, macOS, Linux, iOS, Android
Notable features:
- Exit node support — route all traffic through a designated node (can replace a commercial VPN for some users)
- Tailscale SSH — manage servers directly without a separate SSH key setup
- MagicDNS — automatic DNS for all devices in the tailnet
- ACL-based access control (JSON policy files)
- pfSense/OPNsense integration built-in
- Subnet routing — expose entire subnets without agents on every device
Verdict: Best UX of any option, by a significant margin. Correct choice for most home labs and small teams who aren't concerned about US jurisdiction.
Netbird
Encryption: WireGuard
Open source: Fully open source (client and server)
Self-hosting: Yes — Docker Compose, documented and tested
Jurisdiction: EU-based (avoids US CLOUD Act on managed service)
Free tier: Up to 5 peers on managed service
Pricing: $5/user/month (Team)
Platforms: Windows, macOS, Linux, iOS (Android in progress)
Notable features:
- Fully open source including control plane — inspect and audit the whole stack
- Self-hosted option works out of the box with Docker Compose
- Network-based and user-based access policies
- Activity logging and audit trails
- Active development — regular releases
Verdict: Best option when self-hosting the coordination server is a requirement or when EU jurisdiction matters. Slightly more configuration work than Tailscale, but full control over the stack. Android support is in progress.
ZeroTier
Encryption: Custom protocol (AEAD with Curve25519 key exchange + AES)
Open source: Client only (server available but complex to run)
Self-hosting: Possible via ZeroNSD or moon/planet nodes, but significantly more complex than Tailscale/Netbird
Jurisdiction: US (ZeroTier Inc.)
Free tier: 25 nodes
Pricing: $5/month (Basic, 25 nodes), $25/month (Professional)
Platforms: Windows, macOS, Linux, BSD, iOS, Android
Notable features:
- 10+ year track record — the oldest major overlay network
- Wide third-party integration: Synology NAS, Ubiquiti UniFi, TrueNAS all have native ZeroTier support
- Layer 2 bridging (can simulate being on the same physical network)
- BSD support — useful for FreeBSD-based environments
Verdict: Strongest third-party ecosystem integration. Not built on WireGuard (uses a custom protocol), which makes the encryption harder to independently audit. Best choice when you specifically need NAS or router-native integration. The self-hosting story is messier than Tailscale or Netbird.
Netmaker
Encryption: WireGuard
Open source: Fully open source
Self-hosting: Yes — Kubernetes-based (more complex than Netbird)
Jurisdiction: US-based managed service
Free tier: Yes (limited)
Pricing: $5/month (Basic), $25/month (Pro)
Platforms: Windows, macOS, Linux (no mobile support)
Notable features:
- Fully open source
- Kubernetes-native for enterprise deployments
- Programmatic API for policy configuration
- More configuration control than Tailscale or Netbird
Verdict: Correct choice for Kubernetes-native environments or infrastructure teams that need programmatic control. No mobile client is a significant gap for typical use cases. Setup complexity is high; Netbird is a better choice for most teams that just want self-hosted overlay networking.
Twingate
Encryption: TLS (protocol details not publicly documented)
Open source: None
Self-hosting: Not available
Jurisdiction: US-based
Free tier: Yes (5 users)
Pricing: $5/user/month (Teams), $10/user/month (Business)
Platforms: Windows, macOS, Linux, iOS, Android
Notable features:
- Strong enterprise integrations (SSO, SCIM, identity providers)
- Zero-trust access control down to individual service level
- Extensive logging and audit capabilities
- Browser connector for web-based resources
Verdict: Enterprise-oriented product where the closed-source and non-self-hostable architecture is a deliberate trade-off for integration and compliance features. Not suitable if you need to inspect the stack or self-host. Weakest privacy properties of the five options.
Summary Table
| Platform | Protocol | Open Source | Self-Hostable | Jurisdiction | Free Tier |
|---|---|---|---|---|---|
| Tailscale | WireGuard | Client only | Via Headscale | US | 100 devices |
| Netbird | WireGuard | Full stack | Yes (Docker) | EU | 5 peers |
| ZeroTier | Custom | Client only | Complex | US | 25 nodes |
| Netmaker | WireGuard | Full stack | Yes (K8s) | US | Yes |
| Twingate | TLS | None | No | US | 5 users |
Recommendation: Start with Tailscale if you want the fastest path to a working overlay network. Switch to Netbird if you need full self-hosting or EU data residency. Use ZeroTier if your NAS or router has native integration and you need Layer 2 bridging. Avoid Twingate unless your environment specifically requires its enterprise integration features.
For the architecture difference between overlay networks and traditional VPNs, and when to use each, see Overlay Networks vs Traditional VPNs. For self-hosting a traditional WireGuard VPN instead, a separate guide covers the full setup.