moontear|28 days ago
They are not only a wrapper for WireGuard even though people keep saying that.
Each of the tools gives different benefits and yes, you can roll all of that on your own, but let's take Tailscale as an example: You have custom ACLs to secure your network on a client/user/device basis with tagging of devices. You have your own Tailscale SSH connection, the possibility to create private-public tunnels (just like Cloudflare tunnels). The hole punching using DERP servers and native IPv6/IPv4 interoperability means it really connects any device on any network type to all other devices. And of course the management pane and GUI you talked about.
This is not supposed to be a marketing ploy for Tailscale, but saying "they are just a wrapper for WireGuard" is plain wrong.
kolp|28 days ago
I had to use Tailscale to bust through port forwarding on chained routers because, even with ports configured correctly, WireGuard wasn't able to get through.
My use case was for remote access into a home-hosted Nextcloud instance, via an ISP-supplied fibre router (IPv4, not CGNAT), then my own GL.iNet router, then to my Nextcloud instance.
Despite opening up port forwarding correctly, WireGuard just couldn't get through that chain, whereas Tailscale got through with no problems.
Downside of using Tailscale is that it's messy to use at the same time as a VPN on your client device. Split tunnelling supposedly works, but I couldn't get it going.
egberts1|27 days ago
Still requires your self-hosted VSP that is NOT behind a CGNAT.
pranaysy|27 days ago
As others have pointed out, Tailscale and Netbird are much more than wrappers around WireGuard. ZeroTier does not use WireGuard and they have their own lightweight tunnels, which in their recent multi-threaded implementations are more performant but not as fast as WireGuard in my testing.
I don't think there's a direct way to integrate any of them into existing mesh networks, but I could be wrong.