VPNs (Virtual Private Networks) have long been the standard method for securely accessing private networks and infrastructure from untrusted networks. They create an encrypted tunnel between the client device and the VPN server, allowing remote access to internal resources.
However, a newer class of network access technology, usually called "overlay networks" or mesh VPNs, has emerged as an alternative to traditional VPNs. Overlay networks such as Tailscale, ZeroTier, and Nebula take a different approach to secure remote access.
Architecture and How They Work
Traditional VPN Architecture
A traditional VPN setup consists of a VPN server with a public IP address residing either on the edge firewall/router or as a separate server inside the private network. Clients connect to this VPN server from untrusted networks to access resources inside the private network.
All traffic between the client and the VPN server is carried inside the encrypted tunnel. Once connected, the client gets an IP address on the private network and can reach resources such as servers, NAS devices, and printers.
No special software or agents need to be installed on the internal resources themselves - as long as they can communicate with the VPN server, remote clients can access them through the tunnel.
Overlay Network Architecture
Overlay networks take a fundamentally different approach. Rather than tunneling all traffic through a centralized VPN server, they create a secure peer-to-peer encrypted mesh network between devices.
Here's how it works:
Client software agents are installed on the client devices AND on the internal resources that need to be reached remotely. The agents connect outbound to a coordination server (the control plane), usually run by the overlay network provider, though some designs let you host it yourself.
The agents are assigned virtual overlay IP addresses and hostnames that stay the same regardless of which physical network the device is on. The coordination server learns each device's public, NAT-translated address from the device's own outbound connection, hands those addresses to the peers, and lets them punch through their NATs (UDP hole punching) to talk directly; it does not funnel traffic itself.
This allows any device running the agent to securely connect with any other device in the mesh network directly without the need for traditional VPN port forwarding or 1:1 public IP addresses. Traffic stays encrypted end-to-end.
The coordination server is not in the data path: it authenticates devices, enforces access controls, and helps establish the peer-to-peer connections. Some overlay networks also fall back to relaying through a relay server when direct connectivity fails (symmetric NATs, restrictive corporate firewalls); the relay sees only ciphertext, because the tunnel is keyed end to end between the two peers, but throughput and latency suffer on a relayed path.
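The registration, hole-punching and relay-fallback steps above can be followed in a small model. This is an added example and not code from Tailscale, ZeroTier or Nebula: the NAT model, the server and relay addresses, the peer names and the overlay addresses are all constructed here to show the control flow, not any vendor's wire protocol.

```python
"""Model of how an overlay coordination server brokers a direct peer-to-peer
path and when a relay has to take over.

Added example, not code from Tailscale, ZeroTier or Nebula: the NAT model,
the server/relay addresses and the peer names are constructed to show the
control flow, not any vendor's wire protocol.
"""
from dataclasses import dataclass, field

# Constructed addresses from the RFC 5737 documentation ranges.
SERVER = ("203.0.113.10", 443)   # coordination server: control plane only
RELAY = ("198.51.100.7", 3478)   # fallback relay: carries (still encrypted) data


@dataclass
class Nat:
    """Minimal NAT model.

    cone=True  : endpoint-independent mapping, one public port per internal
                 socket (the common home-router case, where hole punching works).
    cone=False : symmetric NAT, a fresh public port for every remote endpoint,
                 so the port the server observed is useless to the other peer.
    Inbound packets are only accepted from remotes the inside host has already
    sent to through that public port (address/port-restricted filtering).
    """
    public_ip: str
    cone: bool = True
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)
    allowed: set = field(default_factory=set)

    def outbound(self, internal, remote):
        """Translate an outgoing packet; return the public (ip, port) it leaves with."""
        key = internal if self.cone else (internal, remote)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.allowed.add((port, remote))
        return (self.public_ip, port)

    def inbound(self, public_endpoint, remote):
        """Would a packet from `remote` addressed to `public_endpoint` be let in?"""
        return (public_endpoint[1], remote) in self.allowed


@dataclass
class Peer:
    name: str
    nat: Nat
    lan_endpoint: tuple                  # private address behind the NAT
    overlay_ip: str                      # stable virtual address, never changes
    public_endpoint: tuple = None        # reflexive address as seen by the server


def register(peer):
    """Step 1: the agent connects *out* to the coordination server, which
    records the NAT-translated source address. No inbound port is opened."""
    peer.public_endpoint = peer.nat.outbound(peer.lan_endpoint, SERVER)
    return peer.public_endpoint


def try_direct(a, b):
    """Step 2 (hole punching): the server has told each peer the other's
    public endpoint; both send to it at once. The first packet each way opens
    a hole in its own NAT; the exchange succeeds only if both NATs then admit
    the other side's packet."""
    a_to_b = a.nat.outbound(a.lan_endpoint, b.public_endpoint)
    b_to_a = b.nat.outbound(b.lan_endpoint, a.public_endpoint)
    return (b.nat.inbound(b.public_endpoint, a_to_b)
            and a.nat.inbound(a.public_endpoint, b_to_a))


def connect(a, b):
    """Step 3: prefer the direct path; otherwise both peers talk outbound to
    the relay, which (like the server) needs no inbound rules on either side.
    Returns "direct" or "relay"."""
    register(a)
    register(b)
    if try_direct(a, b):
        return "direct"
    a.nat.outbound(a.lan_endpoint, RELAY)
    b.nat.outbound(b.lan_endpoint, RELAY)
    return "relay"


def roam(peer, new_nat, new_lan_endpoint):
    """A laptop moves to another network: its public endpoint changes after
    re-registering, but its overlay IP stays the same."""
    peer.nat, peer.lan_endpoint = new_nat, new_lan_endpoint
    return register(peer)


def demo():
    home = Peer("laptop", Nat("192.0.2.1"), ("10.0.0.5", 51820), "100.64.0.1")
    office = Peer("nas", Nat("192.0.2.2"), ("192.168.1.10", 51820), "100.64.0.10")
    cgnat = Peer("phone", Nat("192.0.2.3", cone=False), ("10.8.0.9", 51820), "100.64.0.2")
    return {
        "laptop->nas": connect(home, office),   # two cone NATs: direct path
        "phone->nas": connect(cgnat, office),   # symmetric NAT: relay fallback
    }
```

Run `demo()` and the laptop behind an ordinary home router gets a direct path while the phone behind a symmetric (carrier-grade) NAT ends up relayed. Real agents add tricks the model leaves out (port prediction, trying several candidate endpoints, IPv6), so treat it as the common case, not the limit of what NAT traversal can do.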
Accessing Local Resources
A key difference between traditional VPNs and overlay networks is how they access local resources on the network that don't have native support for their agents, like network printers and NAS devices.
With a VPN, this access comes built-in - once connected to the VPN server, clients can access any resource on the local network. However, overlay networks require a workaround.
Common options include:
- Installing the overlay agent on the local network gateway, such as a firewall or router, and advertising the LAN subnet through it (Tailscale calls this a subnet router). pfSense, for example, has a Tailscale package, so the firewall can act as an entry point for the LAN much as a VPN server would.
- Designating an existing always-on device on the LAN as the subnet router. This is a different role from an exit node, which carries a client's internet-bound traffic; advertise only the subnets you actually need.
- Using a cloud host that runs the agent to bridge access to the resources in that cloud network.
So traditional VPNs reach unsupported local resources out of the box while overlay networks need some extra configuration. The trade-off is that the bridging device becomes a full-access gateway for that subnet, so the ACL entries that reference it deserve the same scrutiny you would give a VPN server.
Here is a comparison table summarizing some of the key differences between traditional VPNs and overlay networks:
| Aspect | Traditional VPN | Overlay network |
|---|---|---|
| Architecture | Central VPN gateway/server; clients connect into the internal network | Coordination server plus client and connector agents on each device |
| Reachability | Requires opening firewall ports; depends on static IPs/DNS | No inbound firewall rules needed; identity-based access |
| Access model | Full network access once authenticated | Least-privilege access model |
| Throughput | Protocol overhead can limit throughput | Excellent throughput with modern protocols |
| Traffic path | Traffic concentrated through the VPN gateway | Direct peer-to-peer tunnels between clients and connectors |
| Scaling | Bottlenecked by VPN gateway capacity | Distributed model allows easy scaling |
| Tunnel scope | All internal traffic is reachable through the tunnel | Only traffic to authorized resources is tunneled |
| Fit with existing networks | Simpler; aligns with legacy network trust | Challenging for large legacy environments; needs policy changes |
Security of VPNs and Overlay Networks
VPNs are fundamentally sound. Carrying all client traffic in an authenticated, encrypted tunnel protects data in transit between untrusted and trusted networks, and modern protocols such as OpenVPN, WireGuard, and IKEv2 use well-vetted cryptography (AES-GCM or ChaCha20-Poly1305 with an authenticated key exchange).
However, once a client is connected it typically sits on the internal network with no further restriction: unless the VPN subnet is segmented by firewall rules, which many deployments never get around to, the client can reach far more than it needs. That violates the principle of least privilege at the heart of Zero Trust Network Access (ZTNA). VPNs also concentrate risk in one place: the VPN server is a single point of failure, and if it is compromised, or its credentials or pre-shared keys leak, an attacker inherits the same broad access.
Overlay Network Security
Overlay networks improve upon VPN security in a few key ways:
- Device-to-device tunnels mean a compromised host can only reach the peers and ports it was already authorized for; there is no gateway whose compromise exposes everything behind it.
- Access controls enforced by the coordination server are expressed in terms of users, groups, and device tags rather than IP ranges, so each device is limited to the resources it needs (least privilege) and devices can be isolated from one another.
- Each device is identified by its own cryptographic key pair (a WireGuard or Noise public key) rather than by an IP address or a shared secret, so impersonating a device means stealing its private key, not spoofing an address.
- The data path uses modern primitives: Curve25519 for key agreement, ChaCha20- or AES-based authenticated encryption, and, in WireGuard- and Noise-based designs, handshakes that rotate session keys, which gives forward secrecy for the traffic.
The coordination server does centralize trust: it authenticates devices and distributes both the key-to-identity mapping and the ACLs, so whoever controls it can change who may talk to whom or enroll a rogue node. Mitigations to look for are self-hosting the control plane (Headscale for Tailscale clients; Nebula's own certificate authority and lighthouses), out-of-band verification of node keys such as Tailscale's tailnet lock, and tiered administrative roles with audit logging of policy changes.
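The identity-based, default-deny access model described above, together with the subnet-router bridge from the "Accessing Local Resources" section, can be made concrete with a small policy evaluator. This is an added example and not Tailscale's or any vendor's code: the policy shape loosely follows the Tailscale ACL document (groups, tags, src/dst entries) so it looks familiar, but the evaluator and every user login, device name, overlay address and LAN subnet below are constructed for illustration.

```python
"""Identity-based, default-deny access control for an overlay network,
including a subnet router that bridges a LAN with no agent support.

Added example, not vendor code: the policy shape loosely follows the
Tailscale ACL document (groups, tags, src/dst entries), but the evaluator
and every user, device, address and subnet below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    overlay_ip: str          # stable virtual address assigned by the control plane
    owner: str = ""          # login of the user who enrolled the device, if any
    tags: tuple = ()         # server identities such as "tag:nas"
    routes: tuple = ()       # subnets this node advertises as a subnet router


# Constructed inventory: two laptops, a NAS running the agent, and a pfSense
# box that runs the agent and advertises the office LAN behind it.
NODES = [
    Node("alice-laptop", "100.64.0.1", owner="alice@example.com"),
    Node("bob-laptop", "100.64.0.2", owner="bob@example.com"),
    Node("nas", "100.64.0.10", tags=("tag:nas",)),
    Node("pfsense", "100.64.0.254", tags=("tag:router",), routes=("192.168.1.0/24",)),
]

POLICY = {
    "groups": {"group:ops": ["alice@example.com"]},
    "acls": [
        # ops: SMB on the NAS, and everything on the office LAN via the subnet router
        {"action": "accept", "src": ["group:ops"],
         "dst": ["tag:nas:445", "192.168.1.0/24:*"]},
        # everyone: the network printer, but only on its raw print port
        {"action": "accept", "src": ["*"], "dst": ["192.168.1.50:9100"]},
    ],
}


def node_matches(node, selector, policy):
    """Does `node` satisfy a selector: "*", "group:x", "tag:x" or a user login?"""
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return node.owner in policy["groups"].get(selector, [])
    if selector.startswith("tag:"):
        return selector in node.tags
    return node.owner == selector


def port_matches(spec, port):
    """Port spec is "*", a single port, or a range "lo-hi"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def host_matches(spec, dst_ip, dst_node, policy):
    """Host part of a dst entry: an overlay node selector or an IP/CIDR (IPv4 here)."""
    if spec == "*" or spec.startswith(("group:", "tag:")) or "@" in spec:
        return dst_node is not None and node_matches(dst_node, spec, policy)
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(spec, strict=False)


def subnet_router_for(ip, nodes):
    """The node (if any) advertising a route that covers `ip`."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nodes
                 if any(addr in ipaddress.ip_network(r) for r in n.routes)), None)


def check(src_name, dst_ip, port, policy=POLICY, nodes=NODES):
    """Return (allowed, via). `via` is the peer that terminates the tunnel:
    the destination node itself, or the subnet router that forwards to a LAN
    address. No matching rule means no packet flows at all, unlike a flat VPN
    where a connected client can reach any internal IP."""
    src = next(n for n in nodes if n.name == src_name)
    dst_node = next((n for n in nodes if n.overlay_ip == dst_ip), None)
    via = dst_node or subnet_router_for(dst_ip, nodes)
    if via is None:
        return False, None            # not an overlay address and nobody routes to it
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(node_matches(src, s, policy) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, port_spec = entry.rpartition(":")
            if host_matches(host, dst_ip, dst_node, policy) and port_matches(port_spec, port):
                return True, via.name
    return False, via.name
```

`check("alice-laptop", "192.168.1.20", 22)` is allowed and terminates on the pfSense subnet router, while `check("bob-laptop", "192.168.1.50", 22)` is denied even though Bob may print to the same host: the rule is scoped to the port, and the router forwards only what the policy admits. Note that the router's own reach is what the LAN rule grants, which is why a subnet-router entry in a real policy deserves the same review as a VPN server's firewall rules.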
Overlay networks edge out VPNs when it comes to security - they align better to zero trust architectures with encrypted peer-to-peer communications and granular access controls.
Ease of Use
VPN Ease of Use
VPNs are reasonably straightforward to set up, especially consumer-grade solutions. For small networks, installing VPN server software like OpenVPN or WireGuard on a firewall, router, NAS, or dedicated server covers the basic use cases. Configuration primarily involves a reachable public IP or dynamic DNS name and a port forward to the server. Client support is broad: IKEv2/IPsec clients are built into most desktop and mobile operating systems, and OpenVPN and WireGuard have first-party apps for all of them.
From an end-user perspective, using a VPN client to connect to internal resources is very simple. But for larger or more complex environments, VPNs can become harder to set up and manage.
Overlay Network Ease of Use
Overlay networks shift where the effort goes. The coordination server and agents abstract away the networking (no port forwarding, no static IPs, NAT traversal handled for you), which makes the remote-access part simpler. But an agent has to be installed and enrolled on every resource that should be reachable, which is real work when those resources are managed by less technical users, and scaling out needs some planning around tags, groups, and ACLs.
In return, the admin UI gives centralized access control management and an inventory of every enrolled device. Automatic per-device DNS names remove the headaches around static IPs or DNS records.
Once set up, the end-user experience can be better than a clunky VPN client, but the initial hurdle is higher for overlay networks.
Flexibility and Features
VPN solutions range from highly configurable to more opinionated offerings. Open-source options like OpenVPN allow extensive customization around encryption, authentication methods, tunneling protocols, etc. But that power and flexibility come at the cost of complexity.
Commercial VPN providers optimize more for usability and have intuitive apps and programs for routing all traffic or per-app tunnels. VPN hardware ranges from purpose-built devices to server software or plugins for existing firewalls and routers. This diversity provides flexibility but fragmentation across vendor solutions.
Overlay Network Flexibility
Overlay networks take a platform approach with their software agents providing broad device support and normalized access methods across OSes. However, they lack the encryption and routing protocol flexibility allowed by OpenVPN for example.
The access control model centered around the control plane and programmable API does enable flexible policy configuration. Dynamic rather than static mappings allow elastic scaling and adaptation without reconfiguration. Overlay networks provide built-in robustness and redundancy with their mesh architecture.
In practice, mature overlay networks offer easier centralized management and more agility and cover most use cases; VPNs win only on low-level protocol flexibility.
Performance
VPN Performance
VPN performance depends largely on the cipher suite and the server hardware. Where the cipher is hardware-accelerated (AES-NI on x86), overhead is small: benchmarks show less than a 2% drop versus a direct connection, and OpenVPN can reach 70-80% of raw internet speed. Single-threaded user-space implementations such as OpenVPN are bound to one CPU core, so the gateway's per-core speed, not its link, is usually the ceiling.
However, consumer VPN services route many customers through shared infrastructure which tends to lower and throttle speeds significantly during periods of high demand.
Overlay Network Performance
Overlay networks optimize heavily for speed with their intelligent peer-to-peer mesh routing. This allows most traffic to bypass central servers altogether. Tailscale publishes regular speed test reports showing 85-98% parity versus direct connections. Real-world tests by users reflect similarly high speeds.
The coordination server adds a little latency at connection setup but has no effect on throughput, because no data flows through it. The caveat is the relay fallback: when hole punching fails (symmetric NATs, strict corporate firewalls), traffic goes through the relay and throughput drops to whatever that relay offers, so check how many of your peers actually end up relayed.
Cost
VPN Costs
Self-hosted open-source VPN software like OpenVPN or WireGuard is free to license, but you provision and maintain the infrastructure yourself. Hosted VPN providers charge monthly recurring fees of roughly $3 to $15 per month for full-featured access.
Overlay Network Costs
Overlay networks use a freemium model with free tiers covering personal and small business use cases. For example, Tailscale is free for up to 100 devices while Netmaker and ZeroTier offer free plans with more limited device counts. They monetize via paid plans with added collaboration capabilities, priority support, etc. Servers and infrastructure are managed by the provider. Check out the full comparison in our Comparative Analysis of Top Overlay VPN Networks.
Conclusion
Overlay networks share similarities with traditional VPN solutions for secure remote access. However, they use a fundamentally different architecture and approach focused on encrypted peer-to-peer connectivity with centralized control.
This modern design along with strong encryption and granular access controls makes overlay networks more in line with zero-trust principles compared to legacy VPNs. Performance and ease of use are also big advantages.
However, VPNs allow greater low-level protocol flexibility and have broader device support built-in natively across operating systems. They remain simpler to set up for smaller networks.
The bottom line is - overlay networks are not going to replace VPNs yet as they don't fully obsolete all VPN use cases. However, their technical advantages make them a superior choice for most private network access needs compared to legacy VPN technology. With their rising popularity and steady maturation, they are well on their way to making VPNs obsolete for a majority of users.