Overlay VPNs have become an increasingly popular way to create secure connections between devices and networks over the internet. Unlike traditional VPNs which route all traffic through a central VPN server, overlay VPNs use a decentralized "mesh" approach allowing devices to communicate directly and securely with each other.
How Do Overlay VPNs Work?
Overlay VPNs still depend on a central coordination server, but its job is control plane only: it authenticates devices, records each device's WireGuard public key and reachable endpoints, and tells peers about each other. Private keys never leave the device, and the coordination server does not carry VPN traffic; it introduces peers so they can connect directly.
Once two devices have authenticated with the coordination server, they establish a direct tunnel across the open internet, using NAT traversal to find a path. All data is encrypted end-to-end with a protocol such as WireGuard. When no direct path can be found, most solutions fall back to an encrypted relay (Tailscale's DERP servers, Netbird's relay servers) that forwards the packets but cannot decrypt them.
The key benefit of this design is that the data plane does not depend on the control plane: if the coordination server goes down, existing tunnels keep working, and only changes (new devices, key rotation, ACL updates) wait until it returns. Overlay VPNs also avoid the bottleneck of hairpinning all traffic through a central VPN gateway.
Some overlay VPN solutions offer plugins that integrate with firewalls and routers. Firewall integration is not required, however: overlay VPNs encrypt traffic on the client itself, not at the network gateway.
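As an added example (not code from Tailscale, Netbird or any product on this page), here is a small Python model of that split between control plane and data plane: a coordination server that stores only public keys, endpoints and key expiry, hands each node its peer list, and the WireGuard configuration a node would render from that list. The keys are constructed placeholders, the 100.64.0.0/10 range and 180-day key lifetime are borrowed from Tailscale's defaults, and the device names and endpoints are made up.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    public_key: str           # base64 WireGuard public key (32 raw bytes)
    overlay_ip: str           # address assigned inside the overlay
    endpoint: Optional[str]   # underlay host:port the node reported, if any
    expires_at: int           # unix time after which the key is no longer trusted


class CoordinationServer:
    """Control plane only: public keys, endpoints and expiry. It never sees a
    private key and never carries traffic; peers tunnel directly."""

    def __init__(self, overlay_net: str = "100.64.0.0/10",
                 key_lifetime: int = 180 * 86400) -> None:
        # Defaults borrowed from Tailscale (CGNAT range, 180-day node keys).
        self._hosts = ipaddress.ip_network(overlay_net).hosts()
        self._key_lifetime = key_lifetime
        self._nodes: Dict[str, Node] = {}

    @staticmethod
    def _check_public_key(key: str) -> None:
        # Accept only a 32-byte Curve25519 public key in base64.
        if len(base64.b64decode(key, validate=True)) != 32:
            raise ValueError("WireGuard public keys are 32 bytes")

    def register(self, name: str, public_key: str, now: int,
                 endpoint: Optional[str] = None) -> Node:
        """Enrol a device (in a real system, only after IdP authentication)."""
        self._check_public_key(public_key)
        if name in self._nodes:
            raise ValueError(f"{name!r} is already registered")
        node = Node(name, public_key, str(next(self._hosts)),
                    endpoint, now + self._key_lifetime)
        self._nodes[name] = node
        return node

    def revoke(self, name: str) -> None:
        # Dropping the node removes it from every peer list at the next sync.
        del self._nodes[name]

    def peers_for(self, name: str, now: int) -> List[Node]:
        """Peer list handed to a node: every other node with a valid key."""
        if self._nodes[name].expires_at <= now:
            raise PermissionError(f"{name!r} key expired; re-authenticate")
        return [n for n in self._nodes.values()
                if n.name != name and n.expires_at > now]


def render_wg_config(node: Node, peers: List[Node], private_key: str,
                     listen_port: int = 41641) -> str:
    """WireGuard config a node builds from its peer list. AllowedIPs is
    cryptokey routing: a /32 per peer ties each overlay address to exactly
    one public key, so a peer cannot spoof another node's address."""
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",   # generated locally, never uploaded
             f"Address = {node.overlay_ip}/32",
             f"ListenPort = {listen_port}"]
    for peer in peers:
        lines += ["", "[Peer]",
                  f"PublicKey = {peer.public_key}",
                  f"AllowedIPs = {peer.overlay_ip}/32",
                  "PersistentKeepalive = 25"]   # keeps NAT mappings alive
        if peer.endpoint:   # a peer behind NAT waits to be contacted instead
            lines.append(f"Endpoint = {peer.endpoint}")
    return "\n".join(lines) + "\n"


def placeholder_key(label: str) -> str:
    """Constructed 32-byte placeholder in WireGuard's base64 form. NOT a real
    key; real ones come from `wg genkey` / `wg pubkey` on the node."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def demo() -> str:
    """Three constructed devices: two with public endpoints, one behind NAT."""
    now = 1_700_000_000
    server = CoordinationServer()
    laptop = server.register("laptop", placeholder_key("laptop-pub"), now,
                             endpoint="198.51.100.10:41641")
    server.register("homeserver", placeholder_key("homeserver-pub"), now,
                    endpoint="203.0.113.5:41641")
    server.register("phone", placeholder_key("phone-pub"), now)  # NATed, no endpoint
    return render_wg_config(laptop, server.peers_for("laptop", now),
                            private_key=placeholder_key("laptop-priv"))
```

Two things to notice when running `demo()`: the private key appears only in the node's own `[Interface]` section, and revoking or expiring a node removes it from every peer list, which is how a central server controls membership without ever touching the traffic.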
Here is a table summarising the overlay VPNs we are going to talk about.

| Solution | Self-hosting | Client platforms | Notes |
|---|---|---|---|
| Tailscale | 3rd party options - Headscale | Windows, macOS, Linux, iOS, Android | Commercial coordination service, exit node option |
| Netbird | Client & server open source, 5 minute setup | Windows, macOS, Linux, iOS | Business tiers available, upcoming UI overhaul |
| Netmaker | Open source, self-hosted (more complex setup) | Linux-focused; missing mobile apps currently | Kubernetes/Helm deployment option |
| ZeroTier | Possible but complex | Windows, macOS, Linux, BSD, iOS, Android | Mature & widely integrated platform |
| Twingate | Not offered (closed source service) | Windows, macOS, iOS, Android | Closed source service focused on integrations over transparency |
Tailscale is one of the leading choices for overlay VPNs right now. Here are some of the reasons it has become so popular:
WireGuard for Transport Encryption
Tailscale uses WireGuard for the encrypted transport between devices. WireGuard is fast, small and widely reviewed, and it has a fixed cipher suite rather than negotiable options: Curve25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing and HKDF for key derivation, with a fresh handshake (and fresh session keys) every couple of minutes, which gives forward secrecy. The coordination server only distributes public keys; each node's private key never leaves it. This places Tailscale among the most secure options for overlay VPN transport encryption.
Open Source Clients
The Tailscale client code (the tailscaled daemon that does the networking on Windows, macOS, Linux, iOS and Android, plus the Android app) is published under a BSD licence, so anyone can review how the client talks to the coordination service and contribute fixes. Keep in mind where the trust sits: whoever runs the coordination server the client is pointed at decides which public keys and which peers each node receives.
Tailscale does not let you self-host its commercial coordination service, but the clients can be pointed at Headscale, an independent open source reimplementation of the coordination server. Tailscale has publicly welcomed the project, though it is a community effort rather than a Tailscale-supported product. This brings self-hosted infrastructure and control to Tailscale-based overlay networks, with the caveat that the Headscale operator then holds the key-distribution role described above.
Client Device Support
Tailscale offers native apps for all major platforms - Windows, macOS, Linux, iOS, iPadOS and Android. Browser extensions are also available. This combined with the open source nature makes Tailscale very versatile for end user devices.
Some additional benefits of Tailscale include:
- Free tier allows 100 devices
- No credit card required to sign up. You do, however, need to sign up through an identity provider such as Google, Microsoft, GitHub or Apple; there is no direct email signup. Access to your tailnet is therefore only as strong as that account, so enforce MFA on it.
- Simple and easy to use interface
- ACL management system (a JSON policy file with groups, tags, port-level rules and a default deny) to manage access
- Exit node feature for full tunneling back to the home network
- Integrates with the pfSense open source firewall
Netbird is a newer overlay VPN solution also making waves in the space. As a WireGuard-based option focused on delivering a polished and simple user experience, it has quickly built up a reputation as a leading contender. Some of its biggest highlights:
Open Source Client and Server
Similar to Tailscale, Netbird provides fully open source clients across Windows, macOS, Linux, iOS and iPadOS. But it goes a step further by also open sourcing the coordination server (the management and signal services). This complete transparency, plus the option to self-host, gives Netbird a standout advantage.
5 Minute Self-Hosted Setup
Speaking of self-hosting, Netbird makes it simple to spin up your own infrastructure: its getting-started script generates a Docker Compose stack with the management service, signal server, relay and web dashboard, and bundles an identity provider (Zitadel) because the management service authenticates users through OIDC. On a VPS the whole thing takes a few minutes. For homelabbers and tinkerers who value control, this delivers an excellent overlay VPN option. The usual self-hosting caveats apply: terminate TLS on the dashboard and management API and keep the stack patched, because whoever controls the management service controls peer and key distribution for the whole network.
Simplified ACL Rules
Managing access controls is made very easy with Netbird's simplified interface. Groups can be defined and basic allow/deny rules created through their web UI without complex rule syntax. While not quite as extensive as Tailscale's ACL system, it helps simplify security management.
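To make the ACL semantics concrete for both Tailscale's ACL system mentioned earlier and Netbird's group-based rules here, the following added Python example (not either vendor's code) evaluates a Tailscale-style policy: groups expand to users, destinations are written as `tag:port`, there is no deny action so anything not explicitly accepted is dropped, tag ownership limits who may relabel a device, and policy tests are checked before a change is applied. The users, tags and rules are constructed for the demo.

```python
import copy
from typing import Dict, List, Set, Tuple

# Constructed policy in the shape of a Tailscale policy file (HuJSON on the
# real service); every user, group and tag here is made up for the demo.
POLICY: Dict = {
    "groups": {
        "group:admins": ["alice@example.com"],
        "group:dev": ["bob@example.com", "carol@example.com"],
    },
    # Only admins may put tag:prod-db on a device, so a dev cannot relabel a
    # laptop to inherit the database's permissions.
    "tagOwners": {"tag:prod-db": ["group:admins"]},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:prod-db:5432"]},
        {"action": "accept", "src": ["bob@example.com"], "dst": ["tag:prod-db:22"]},
    ],
    # Checked before a policy change is applied: a failing test rejects the
    # whole change instead of rolling out a broken policy.
    "tests": [
        {"src": "carol@example.com", "accept": ["tag:prod-db:5432"],
         "deny": ["tag:prod-db:22"]},
        {"src": "mallory@example.com", "deny": ["tag:prod-db:5432"]},
    ],
}

def _members(policy: Dict, selector: str) -> Set[str]:
    """'*' matches anything, a group expands to its users, and a user email
    or tag:name denotes itself."""
    if selector == "*":
        return {"*"}
    if selector.startswith("group:"):
        return set(policy.get("groups", {}).get(selector, []))
    return {selector}

def _selected(policy: Dict, selectors: List[str], identity: str) -> bool:
    for selector in selectors:
        members = _members(policy, selector)
        if "*" in members or identity in members:
            return True
    return False

def _port_matches(spec: str, port: int) -> bool:
    """spec is '*', a port, a range like '80-443', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _split_dst(dst: str) -> Tuple[str, str]:
    host, sep, port = dst.rpartition(":")
    if not sep:
        raise ValueError(f"dst {dst!r} must be host:port")
    return host, port

def is_allowed(policy: Dict, src_user: str, dst_identity: str, port: int) -> bool:
    """Default deny: only an explicit accept rule admits the connection.
    There is no deny action, so rule order does not matter."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept" or not _selected(policy, rule["src"], src_user):
            continue
        for dst in rule["dst"]:
            host, port_spec = _split_dst(dst)
            if _selected(policy, [host], dst_identity) and _port_matches(port_spec, port):
                return True
    return False

def can_apply_tag(policy: Dict, user: str, tag: str) -> bool:
    """Tag ownership: who is allowed to label a device with this tag."""
    return _selected(policy, policy.get("tagOwners", {}).get(tag, []), user)

def run_tests(policy: Dict) -> List[str]:
    """Return the failing expectations; an empty list means safe to apply."""
    failures = []
    for test in policy.get("tests", []):
        for dst in test.get("accept", []):
            host, port = _split_dst(dst)
            if not is_allowed(policy, test["src"], host, int(port)):
                failures.append(f"{test['src']} cannot reach {dst}")
        for dst in test.get("deny", []):
            host, port = _split_dst(dst)
            if is_allowed(policy, test["src"], host, int(port)):
                failures.append(f"{test['src']} can reach {dst} but should not")
    return failures

def with_rule(policy: Dict, rule: Dict) -> Dict:
    """Copy of the policy with one more ACL rule, for trying a change out."""
    changed = copy.deepcopy(policy)
    changed["acls"].append(rule)
    return changed
```

The point of `run_tests` is the fail-closed workflow: widening the dev rule to `tag:prod-db:*` looks harmless in isolation, but the test asserting that carol cannot reach port 22 catches it before the policy is rolled out to every node.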
Business Class Options
For companies wanting to eliminate infrastructure management, Netbird does offer a paid business-class coordination service handling large enterprise deployments. But the fact they allow self-hosting means you're not locked in. Plans start at $5/month allowing up to 100 peer devices, similar to Tailscale's free tier.
Upcoming UI Improvements
Netbird has continued improving their platform rapidly, with a new user interface overhaul scheduled to launch in early 2024. This brings a polished dark mode option more in line with Tailscale's professional look.
Netmaker is another promising open source overlay networking platform, focused on delivering a self-hosted option. It is deployed as a set of server components (typically with Docker Compose, with Helm charts for Kubernetes), so it involves more moving parts to set up. But for infrastructure teams interested in DIY overlay VPNs, it brings nice capabilities.
Self Hosting with Kubernetes
Since Netmaker is meant for self-hosted environments, the entire coordination server is open source and deployable on your own infrastructure. Control plane components such as the REST API, the message broker the clients subscribe to for configuration updates, and the database are bundled into Compose files and Helm charts.
Like Tailscale and Netbird, Netmaker uses WireGuard for its fast, encrypted transport between peer devices. WireGuard must be available on each client: it is built into Linux kernels from 5.6 onward, shipped as a module or package on older distributions, and provided by the platform WireGuard apps elsewhere.
User Management & Access Controls
Centralized user and device management is provided to authenticate and manage overlay network access. Groups can be defined with allowed IP ranges. And automated enrollment options are available, providing breadth and depth for larger deployments.
Missing Mobile Apps
One major disadvantage currently is Netmaker's lack of mobile apps for Android and iOS. This limits remote access from phones. However the open source nature means contributed clients could add this functionality down the road.
Complex Set-up Process
The other downside is that the setup process is more involved than for the other overlay VPNs discussed here, with several server components to deploy and operate. For Linux and Kubernetes shops interested in self-organizing overlay networks, though, Netmaker is definitely worth a look: it brings more customization and control at the expense of setup complexity.
ZeroTier has been a long-standing stalwart in the overlay VPN and SDN space. Its own encryption protocol provides a viable source-available alternative.
Unlike Tailscale and Netbird, which leverage WireGuard, ZeroTier uses its own end-to-end encryption protocol: Curve25519 key agreement with Salsa20/12 and Poly1305, with AES-GMAC-SIV added in recent versions. ZeroTier describes the design as offering key rotation, algorithm agility and perfect forward secrecy. A custom protocol has had far less outside review than WireGuard, but ZeroTier's cryptography is still regarded well.
Open Source Client
ZeroTier publishes its client source for a multitude of platforms - Windows, macOS, Linux, BSD, Android and iOS - under the Business Source License, which permits inspection and most uses but is not an OSI-approved open source license. Enthusiasts can inspect the client code, including the custom peer-to-peer encryption implementation.
Self Hosting & Management
Hosting your own management and coordination infrastructure is possible with ZeroTier, but does require more work than Netbird's 5 minute setup. Open source components are provided, but no pre-packaged solutions exist yet beyond third party efforts still in Alpha stages. Their hosted public cloud service remains the easiest deployment option.
Mature Platform & Integrations
With their origins going back over 10 years, ZeroTier can be considered one of the most mature overlay SDN/VPN solutions. Their commercial platform provides robust globally distributed infrastructure for enterprise scale. And their technology is integrated across NAS vendors like Synology, network equipment like Ubiquiti UniFi and many other solutions for automated connectivity.
ZeroTier still holds strong advantages in the overlay networking arena thanks to its maturity, commercial backing and ubiquity across other ecosystems. For many, its custom cryptographic protocol remains trusted and proven at scale, even without WireGuard's level of outside review.
Twingate has exploded in popularity over 2022 and 2023, fueled by an aggressive influencer sponsorship campaign. However practically all details about their overlay architecture remain shrouded as a closed source commercial service.
Completely Closed Source
Unlike all the other solutions discussed above, Twingate publishes only a high-level architecture overview (client, controller, relay and connector components) and no source for any of them, including the encryption used to secure device connectivity. Its website and promotional materials stay vague about implementation specifics, so potential customers have no way to verify the security model or architecture independently.
Limited Technical Disclosures
The clearest technical statement in Twingate's website and documentation is that flows between client devices and connectors are wrapped in TLS, with relays forwarding the encrypted stream. How session keys are derived or rotated is unspecified. Device authentication details are unspecified. The role and implementation of the controller are unspecified. This leaves much uncertainty and requires blind trust from customers.
Integrations Over Transparency
The core emphasis around Twingate seems centered more on delivering integrations with common device management and authentication platforms, rather than focusing on technical excellence or transparency. As they target larger enterprises accustomed to closed appliances, this allows their sales pitch to highlight replacing VPNs without changing corporate standards.
While Twingate touts many claims around their ease of use and management, practically zero details are shared about their underlying software, network architecture or cryptography implementations. With so many open source alternatives available, trusting any closed source service inherently requires a larger leap of faith. Only rigorous third party security audits could help establish such trust long term.
Conclusion & Recommendations
Overlay VPN solutions have transformed approaches for securely connecting devices across untrusted networks. After reviewing some of the top contenders in this space and comparing their technical merits and implementations, a few key pieces of advice emerge:
- Transparency Matters - Being able to inspect open source coordination services and client software establishes trust and confidence long term in any overlay VPN provider. Solutions like Tailscale and Netbird that open source critical components excel here.
- Proven Encryption Counts - The transport layer carrying sensitive data should utilize established, peer-reviewed encryption protocols like WireGuard that provide perfect forward secrecy along with high speed and low overhead.
- Simpler is Better - Ease of use for both end users and especially self-hosted management ends up critical for overlay VPN adoption. Solutions with simple deployment of coordination infrastructure and minimal device client friction will prove most versatile.
Based on these criteria for what defines excellence in an overlay VPN or SDN platform, two solutions clearly rise to the top as current recommendations:
- Tailscale - As a polished commercial service built on WireGuard, with self-hosting possible through the third-party open source Headscale server, Tailscale hits all the high points for capability, security and usability.
- Netbird - With incredibly simple self hosting deployment powered by WireGuard encryption and open source code, Netbird captures our attention as having massive potential to disrupt the overlay VPN space.
Special recognition goes to long-time pioneering solutions like ZeroTier who helped establish the entire overlay networking model, along with community efforts like Netmaker pushing the self-hosted DIY ethos.
When evaluating VPN providers, an important consideration is where the servers are hosted and which jurisdiction applies. Many of the overlay VPN solutions highlighted here are operated by US companies and subject to laws like the US CLOUD Act, which lets US authorities compel a US-based provider, through US legal process, to hand over data it holds regardless of where that data is stored. For an overlay VPN the coordination service never holds your traffic, but it does hold metadata: user identities, device names, public keys, endpoint IP addresses and ACLs. Whoever controls it also controls which peers and keys each device is told to trust.
Solutions like Netbird that make it easy to self-host the coordination server on your own infrastructure keep that metadata, and that trust, under your own jurisdiction. At the other end, closed source services hosted exclusively in the US provide the lowest assurances around government data access.
As always we welcome your feedback and suggestions to improve future discussions around these pivotal technologies!