Overlay Networks vs Traditional VPNs

[Figure: two network diagrams. Left, a hub-and-spoke VPN with a single central node; right, a distributed mesh overlay network.]
Same problem. Left: one point of trust. Right: no center at all.

Traditional VPNs and overlay networks solve the same problem — secure remote access — with fundamentally different architectures. Understanding the difference matters because they have opposite default security postures, different operational failure modes, and suit different use cases.

The short version: a traditional VPN grants access to a network once authenticated. An overlay network grants access to specific devices or services, not the network as a whole. That distinction determines which one you should run.

What you need to know:

  • Traditional VPNs give authenticated users full network access — once you're in, you can reach everything on the private network. This is convenient but violates least-privilege principles.
  • Overlay networks (Tailscale, ZeroTier, Netbird) use a mesh architecture — devices connect peer-to-peer with encrypted tunnels; a coordination server manages keys but doesn't route traffic.
  • No inbound firewall rules required for overlay networks — connections are outbound-initiated with NAT traversal via UDP hole punching. Traditional VPNs need an open port facing the internet.
  • Overlay networks align with zero-trust architecture — access policy is defined per device or per service, not per network.
  • Traditional VPNs are simpler for most home setups and better suited to environments with network-level resources (printers, NAS devices) that can't run agent software.

I've run both WireGuard-based self-hosted setups and Tailscale mesh networks in production environments. The right choice depends more on access model than on performance or cost.


How Traditional VPN Architecture Works

A traditional VPN — whether commercial (NordVPN, ProtonVPN) or self-hosted (WireGuard on a VPS) — operates through a central server with a public IP:

  1. Client connects to the VPN gateway
  2. Gateway authenticates the client
  3. Client receives a private network IP
  4. All traffic routes through the gateway; the client can reach everything on the private network

Security posture: perimeter-based. Once through the gateway, the authenticated client is trusted. This is appropriate when you control who gets credentials and every internal resource should be reachable by any authenticated user.

Single point of failure: the VPN gateway. If it's down, remote access stops. If it's compromised, the internal network is exposed.

Port requirement: the VPN server needs an inbound port open — typically UDP 51820 for WireGuard. This requires a static IP or dynamic DNS and appropriate firewall rules.


How Overlay Networks Work

Overlay networks (Tailscale, ZeroTier, Netbird, Nebula) use a coordination server that manages encryption keys and authenticates devices — but doesn't route actual traffic. Once devices are authenticated:

  1. The coordination server brokers a direct connection between devices
  2. Devices establish encrypted peer-to-peer tunnels via WireGuard (in most implementations)
  3. Traffic flows directly between devices, not through a central server

Security posture: zero-trust. Each device or service has its own access policy. A compromised device doesn't have implicit access to everything else on the network.

No inbound firewall rules required: connections are established outbound by both endpoints, using UDP hole punching to traverse NAT. The coordination server facilitates the introduction without seeing the traffic.

Scales easily: adding a new device means installing the agent and applying an access policy. No gateway reconfiguration, no certificate management for the new device.
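The two access models described in the two sections above (the perimeter model of a traditional VPN gateway, and the per-device policy of an overlay network), as an added example; this is not code from the article or from any of the vendors named. The policy copies the shape of a Tailscale-style ACL, but the selector subset, the node inventory, the user names and the ports are all constructed for the example.

```python
"""Perimeter (VPN) access vs. per-device overlay ACL, side by side.

Added example, not code from the article or any overlay vendor. The policy
copies the shape of a Tailscale-style ACL; supporting only "*", "group:" and
"tag:" selectors with "host:port" destinations is a simplifying assumption.
"""
import json

# Constructed sample policy: one admin group, two tagged services, default deny.
POLICY = json.loads("""{
  "groups": {"group:admins": ["alice@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:nas:*", "tag:cam:*"]},
    {"action": "accept", "src": ["bob@example.com"], "dst": ["tag:nas:445"]}
  ]
}""")

# Constructed device inventory: the tags each node carries (empty = plain client).
NODES = {"nas-01": {"tag:nas"}, "cam-01": {"tag:cam"}, "laptop-bob": set()}

def _src_matches(selector: str, user: str) -> bool:
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return user in POLICY["groups"].get(selector, [])
    return selector == user

def _dst_matches(selector: str, node: str, port: int) -> bool:
    # "tag:nas:445" -> host "tag:nas", port "445"; host may be "*", a node name or a tag
    host, _, port_spec = selector.rpartition(":")
    if host not in ("*", node) and host not in NODES.get(node, set()):
        return False
    return port_spec == "*" or int(port_spec) == port

def overlay_allows(user: str, node: str, port: int) -> bool:
    """Zero-trust model: denied unless an explicit accept rule matches both src and dst."""
    return any(
        rule["action"] == "accept"
        and any(_src_matches(s, user) for s in rule["src"])
        and any(_dst_matches(d, node, port) for d in rule["dst"])
        for rule in POLICY["acls"]
    )

def perimeter_allows(user: str, authenticated: set, node: str, port: int) -> bool:
    """Perimeter model: any authenticated client reaches every host on the private network."""
    return user in authenticated and node in NODES
```

With the constructed policy, bob reaches nas-01 on port 445 and nothing else, while under the perimeter model any authenticated user reaches every node on any port. Adding a node to the overlay changes nothing for existing users until a rule names it.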


Comparison: Key Differences

Feature                     Traditional VPN                                          Overlay Network
Traffic routing             Through central gateway                                  Direct peer-to-peer
Network access post-auth    Full network                                             Per-device/service only
Inbound ports required      Yes (gateway port)                                       No
Internal resource support   Native (NAS, printers, etc.)                             Requires agent or gateway
Zero-trust alignment        Low — perimeter model                                    High — per-device access
Performance                 70–80% of raw speed (OpenVPN), near-native (WireGuard)   85–98% of direct connection (Tailscale benchmark)
Complexity to set up        Low for basic setups                                     Moderate — agent on each resource

When to Use Each

Use a traditional VPN when:

  • You have network-level resources (printers, NAS devices, CCTV systems) that can't run agent software
  • You want the entire network available to remote users, not just specific devices
  • You're in a legacy environment where changing the access model is impractical
  • You're self-hosting and want full control without relying on a coordination service

A self-hosted WireGuard VPN on a $5/month VPS is the right solution for most individuals who want private remote access without trusting a commercial provider. The setup guide covers the full configuration.

Use an overlay network when:

  • You want specific-device access without opening your full network
  • You're managing access across multiple users with different permission levels
  • You want zero-trust access control without building a separate identity management system
  • You're on networks where opening an inbound port is restricted or impractical

The Main Overlay Network Options

Tailscale — built on WireGuard, coordination server managed by Tailscale Inc. (US-based, subject to the CLOUD Act). Client is open-source; server is proprietary. Free tier: 100 devices. No credit card required to start. Best overall UX. Exit node feature available. pfSense supports Tailscale natively.

Netbird — WireGuard, fully open-source including the server component. Self-hosting is documented and tested (Docker, 5 minutes to get running). Business tiers start at $5/month. Better option than Tailscale if US jurisdiction is a concern.

ZeroTier — custom encryption protocol (not WireGuard). 10+ year track record, wide third-party integration (Synology, UniFi). Client is open-source; self-hosting the controller is possible but complex. 25-device free tier.

Nebula (Slack/Defined Networking) — fully open-source, no managed coordination option. Requires running your own lighthouse node. Most configuration control; steepest setup curve.

For a full feature comparison of these platforms, see A Comparative Analysis of Overlay VPN Networks.


Privacy note on managed overlay services: Tailscale, ZeroTier, and most managed overlay networks route coordination traffic through US-based servers subject to the CLOUD Act, which allows law enforcement data access without a warrant in certain cases. If jurisdiction matters for your use case, self-hosting the coordination server (Headscale for Tailscale, Netbird self-hosted) removes that dependency.


Traditional VPNs are the right tool for full-network remote access in home and small-business environments. Overlay networks are better when you need granular per-device access control without opening your network perimeter. The architectures aren't competing — they solve the same problem at different complexity levels with different security assumptions.
