Tailscale vs NetBird vs Headscale: Mesh VPN Comparison 2026
·PkgPulse Team
Tailscale vs NetBird vs Headscale: Mesh VPN Comparison 2026
TL;DR
Modern mesh VPNs use WireGuard under the hood but add a control plane for key distribution, peer discovery, and access control. Tailscale is the easiest — sign in with Google/GitHub, and your devices form a private network in minutes. No server configuration needed. NetBird is the open-source self-hosted alternative — same mesh networking concepts as Tailscale but you control the management server and your data stays entirely on-premises. Headscale is the Tailscale control-server reimplementation — run your own Tailscale coordination server while still using the official Tailscale clients. For developers and small teams: Tailscale. For enterprise data sovereignty: NetBird. For Tailscale client compatibility with self-hosted control: Headscale.
Key Takeaways
- Tailscale GitHub stars: ~20k — the dominant mesh VPN for developers
- NetBird is 100% open-source (Apache 2.0) — client and management server both open
- Headscale reimplements only the control server — Tailscale clients connect to it, keeping client UX intact
- All three use WireGuard — the actual data plane is the same high-performance protocol
- Tailscale's free tier: 100 devices — generous for personal and small team use
- NetBird supports POSTURE checks — deny access based on device OS version, running processes, etc.
- Headscale requires running your own server — but Tailscale clients (iOS, Android, macOS, Linux) work unchanged
Why Mesh VPN Instead of Traditional VPN?
Traditional VPNs (OpenVPN, IPsec) route all traffic through a central server — creating a bottleneck and single point of failure. Mesh VPNs create direct peer-to-peer connections:
Traditional VPN:
Device A → Central Server → Device B
(Central server = bottleneck, failure point, 2x latency)
Mesh VPN:
Device A ↔ Device B (direct WireGuard tunnel)
Control Server only handles key exchange — not data traffic
Benefits:
- Lower latency — direct connections, no data backhauling
- No central bottleneck — each pair of devices communicates directly
- Better performance — WireGuard is faster than OpenVPN/IPsec
- Works through NAT — no need to open ports or configure firewall rules
Tailscale: The Developer's Default
Tailscale wraps WireGuard with a coordination server (on Tailscale's infrastructure) that handles NAT traversal, key exchange, and ACLs. Setup takes 5 minutes.
Installation
# macOS
brew install tailscale
# Linux
curl -fsSL https://tailscale.com/install.sh | sh
# Windows
# Download from tailscale.com
# Start and authenticate
sudo tailscale up
# Opens browser for auth (Google, GitHub, Microsoft, or email)
Tailscale ACL (Policy File)
// Access Control Lists defined in the Tailscale admin console (HuJSON format)
{
"groups": {
"group:admin": ["alice@company.com", "bob@company.com"],
"group:dev": ["charlie@company.com", "dave@company.com"],
"group:staging-server": ["tagged-devices:staging"]
},
"tagOwners": {
"tag:staging": ["group:admin"],
"tag:production": ["group:admin"],
"tag:database": ["group:admin"]
},
"acls": [
// Admins can access everything
{
"action": "accept",
"src": ["group:admin"],
"dst": ["*:*"]
},
// Developers can SSH to staging servers
{
"action": "accept",
"src": ["group:dev"],
"dst": ["tag:staging:22"]
},
// Staging servers can connect to databases
{
"action": "accept",
"src": ["tag:staging"],
"dst": ["tag:database:5432", "tag:database:6379"]
}
],
"ssh": [
// Tailscale SSH — browser-based SSH without managing authorized_keys
{
"action": "accept",
"src": ["group:admin"],
"dst": ["tag:staging"],
"users": ["ubuntu", "root"]
}
]
}
Exit Nodes (Route All Traffic Through Server)
# On the exit node (e.g., your VPS in another country)
sudo tailscale up --advertise-exit-node
# On client — route all traffic through exit node
tailscale up --exit-node=your-vps-name
tailscale up --exit-node=100.64.x.x # By IP
# List available exit nodes
tailscale status | grep "exit node"
Subnet Routing (Access Private Networks)
# Advertise a private subnet (e.g., your office/home LAN)
sudo tailscale up --advertise-routes=192.168.1.0/24
# Enable IP forwarding first
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# On client — access the entire 192.168.1.0/24 subnet via Tailscale
# Enable subnet routes in the admin console, then:
sudo tailscale up --accept-routes
NetBird: Open-Source Self-Hosted Mesh VPN
NetBird is fully open-source — both the client and management server. You deploy the management server on your own infrastructure; no data ever leaves your control.
Self-Hosted Server Setup
# Install NetBird management server (Docker Compose)
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/docker-compose.yml -o docker-compose.yml
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/management.json -o management.json
# Configure management.json
cat management.json
// management.json — NetBird management server config
{
"Stuns": [
{
"Proto": "udp",
"URI": "stun:stun.l.google.com:19302",
"Username": "",
"Password": ""
}
],
"Turns": [
{
"Turns": [
{
"Proto": "udp",
"URI": "turn:yourserver.com:3478",
"Username": "netbird",
"Password": "netbird-turn-password"
}
],
"CredentialsTTL": "12h",
"Secret": "your-secret",
"TimeBasedCredentials": true
}
],
"Signal": {
"Proto": "https",
"URI": "https://signal.yourserver.com:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"HttpConfig": {
"Address": "0.0.0.0:80",
"AuthIssuer": "https://yourserver.com",
"AuthAudience": "netbird-client",
"OIDCConfigEndpoint": "https://yourserver.com/.well-known/openid-configuration"
}
}
# docker-compose.yml
version: "3"
services:
# Management server
management:
image: netbirdio/management:latest
ports:
- "443:443"
- "80:80"
volumes:
- ./management.json:/etc/netbird/management.json
- netbird_management:/var/lib/netbird
command: [
"--port", "443",
"--log-file", "console",
"--disable-anonymous-metrics=true",
"--management-config", "/etc/netbird/management.json"
]
# Signal server (WebRTC signaling)
signal:
image: netbirdio/signal:latest
ports:
- "10000:10000"
# Relay/TURN server
coturn:
image: coturn/coturn:latest
ports:
- "3478:3478/udp"
- "3478:3478/tcp"
command: [
"-n", "--log-file=stdout",
"--lt-cred-mech", "--fingerprint",
"--no-multicast-peers", "--no-cli",
"--static-auth-secret=your-secret"
]
# Dashboard
dashboard:
image: netbirdio/dashboard:latest
ports:
- "8080:80"
environment:
AUTH_AUDIENCE: "netbird-client"
NETBIRD_MGMT_API_ENDPOINT: "https://management:443"
NETBIRD_MGMT_GRPC_API_ENDPOINT: "https://management:443"
volumes:
netbird_management:
NetBird Client Connection
# Install client
curl -fsSL https://pkgs.netbird.io/install.sh | sh
# Connect to your self-hosted management server
netbird up --management-url https://management.yourserver.com \
--admin-url https://dashboard.yourserver.com
# Generate setup key (from dashboard) and use it
netbird up --management-url https://management.yourserver.com \
--setup-key "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
NetBird Access Control (Network Policies)
# NetBird policies defined in the dashboard UI or API
# Example policy via API: Allow engineering team to access databases
curl -X POST https://api.netbird.io/api/v1/policies \
-H "Authorization: Token $NETBIRD_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Engineering DB Access",
"description": "Allow engineering group to access database servers",
"enabled": true,
"rules": [{
"name": "DB Rule",
"enabled": true,
"action": "accept",
"bidirectional": false,
"protocol": "tcp",
"ports": ["5432", "3306", "27017"],
"sources": [{"type": "group", "id": "engineering-group-id"}],
"destinations": [{"type": "group", "id": "database-group-id"}]
}]
}'
Headscale: Self-Hosted Tailscale Control Server
Headscale reimplements only the Tailscale coordination server — you run your own control plane while users continue to use official Tailscale clients (the ones they already have on their phones/laptops).
Server Setup
# Docker
docker run -d \
--name headscale \
-p 8080:8080 \
-v ./headscale:/etc/headscale \
-v headscale_data:/var/lib/headscale \
headscale/headscale:latest \
headscale serve
# Or via package manager
# https://github.com/juanfont/headscale/releases
# /etc/headscale/config.yaml
server_url: https://headscale.yourserver.com:8080
listen_addr: 0.0.0.0:8080
metrics_listen_addr: 127.0.0.1:9090
private_key_path: /var/lib/headscale/private.key
noise:
private_key_path: /var/lib/headscale/noise_private.key
ip_prefixes:
- fd7a:115c:a1e0::/48 # IPv6 (Tailscale range)
- 100.64.0.0/10 # IPv4 (Tailscale range)
dns_config:
nameservers:
- 1.1.1.1
magic_dns: true
base_domain: example.ts.net
db_type: sqlite3
db_path: /var/lib/headscale/db.sqlite
acl_policy_path: /etc/headscale/acls.hujson
# OIDC auth (optional)
oidc:
issuer: https://your-auth-server.com
client_id: headscale
client_secret: your-oidc-secret
scope: ["openid", "profile", "email"]
Creating Users and Generating Auth Keys
# Create a "namespace" (equivalent to Tailscale tailnet)
docker exec -it headscale headscale users create myuser
# Generate a reusable auth key
docker exec -it headscale headscale preauthkeys create \
--user myuser \
--reusable \
--expiration 24h
# Output: mkey:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Connecting Tailscale Client to Headscale
# macOS / Linux — point Tailscale client to your Headscale server
sudo tailscale up \
--login-server https://headscale.yourserver.com \
--authkey mkey:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# iOS/Android — configure in Tailscale app:
# Settings → Change server → Enter your Headscale URL
Feature Comparison
| Feature | Tailscale | NetBird | Headscale |
|---|---|---|---|
| Data residency | Tailscale's servers | ✅ Self-hosted | ✅ Self-hosted |
| Client apps | iOS, Android, macOS, Win, Linux | iOS, Android, macOS, Win, Linux | Use Tailscale clients |
| Open source (server) | ❌ | ✅ Apache 2.0 | ✅ BSD 3-Clause |
| Open source (client) | ✅ | ✅ | Uses Tailscale client |
| ACL complexity | High (HuJSON) | Medium (dashboard) | Same as Tailscale |
| Exit nodes | ✅ | ✅ | ✅ |
| Subnet routing | ✅ | ✅ | ✅ |
| Posture checks | ✅ (paid) | ✅ | ❌ |
| MagicDNS | ✅ | ✅ | ✅ |
| iOS MDM | ✅ | ✅ | Limited |
| Free tier | 100 devices | Unlimited (self-hosted) | Unlimited (self-hosted) |
| GitHub stars | 20k | 11k | 25k |
| Management complexity | ❌ (managed) | High | Medium |
When to Use Each
Choose Tailscale if:
- You want zero server management — Tailscale handles everything
- Your team is small to medium (<100 devices on free tier)
- Ease of onboarding (QR code to join) is important for non-technical users
- You want the most polished client apps across all platforms
Choose NetBird if:
- Data sovereignty is a hard requirement — all traffic metadata stays on-premises
- You need posture checks (only allow access from patched devices)
- Your organization's security policy prohibits cloud-hosted coordination servers
- You want both client and server to be fully open-source
Choose Headscale if:
- Your users already have Tailscale installed and you don't want to change their client
- You want self-hosted control but prefer Tailscale's polished clients
- You're comfortable running a Headscale server and willing to manage it
- Cost at scale (Tailscale charges per seat on paid plans) is a concern
Methodology
Data sourced from GitHub repositories (star counts as of February 2026), official documentation, pricing pages, and community reports from r/selfhosted, r/homelab, and the Tailscale community blog. Feature comparison verified against official documentation.
Related: Zitadel vs Casdoor vs Authentik for identity management behind your VPN, or Caddy vs Traefik vs Nginx Proxy Manager for routing traffic once your VPN is set up.