Overlay Mesh Networks - Introduction

Tadios Abebe | Oct 5, 2025

In order for devices to communicate with each other, they need some sort of:

  • Direct connectivity (being in the same L2 LAN),
  • Routed network (a properly defined route between the different LANs), or
  • VPN connectivity (different LANs connected using some sort of VPN technology).

Direct connectivity at L2

Connectivity within the same LAN is the simplest case: the devices sit on one switched network, the switch forwards traffic between them, and they reach each other directly by their local addresses.

Routed connectivity at L3

When devices sit on different, routed networks, a router forwards traffic from one LAN to the other and back, so a device on one LAN can reach a device on another LAN by its local IP address.

VPNed connectivity

When devices are on different LANs with no route between them, they cannot communicate at all without some sort of VPN or overlay technology.

Current VPN Technologies

There are several VPN technologies available, such as IPsec, OpenVPN and WireGuard. Setting them up takes some effort and also requires a publicly addressable IP address. In addition, these traditional VPNs mostly operate in a hub-and-spoke architecture: VPN clients connect to a VPN gateway, and all traffic passes through that gateway.

Mesh VPN Technologies

Nowadays there are services that let you create a fully meshed VPN network for free, without a publicly addressable IP address or administrative access to your network. In a series of posts I will explore these services and write about them. This post introduces how they work and then compares the two major players on the market, Tailscale and NetBird.

Both Tailscale and NetBird are zero-trust mesh VPNs that create a secure private network between your devices, using WireGuard as the underlying protocol. They address the modern challenge of securely connecting devices such as a homelab, cloud and on-prem infrastructure, or a distributed team working from remote locations.

Zero trust means that every connection is authenticated and authorized based on identity and policy, not on network location. Mesh means that, rather than routing traffic through a central hub, peers establish encrypted tunnels directly to one another.

High Level Working Procedure

  • Devices install the client and authenticate.
  • The control plane keeps track of which devices are online and the addresses at which they are reachable.
  • When a peer wants to talk to another, it asks the control plane for that device's current endpoint address and public key.
  • The clients attempt direct UDP hole punching; if it succeeds, they establish a direct, fast, low-latency WireGuard tunnel.
  • If direct connectivity fails, for example because of symmetric NAT or firewalls, traffic is forwarded through relay servers operated by the control plane.
  • The control plane enforces which devices may reach which others through fine-grained access control policies.
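
As an added illustration of the six steps above (a constructed example, not Tailscale's or NetBird's code), the following Python models a control plane that registers authenticated peers, hands out endpoint and public-key lookups only when an identity-based policy allows, and picks a direct or relayed path from the two peers' NAT types. Device names, keys, endpoints, tags and NAT labels are all placeholders, and the NAT rule is a simplification of real hole-punching behaviour.

```python
# Toy model of the six steps above (constructed example, not Tailscale's or
# NetBird's code); names, keys, endpoints and tags are placeholders.
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    user: str          # identity the device authenticated as (step 1)
    pubkey: str        # WireGuard public key, placeholder string here
    endpoint: str      # ip:port the control plane observed for this peer
    nat: str           # "none", "cone", "symmetric" or "udp-blocked"
    tags: set = field(default_factory=set)
    def principals(self):  # what policy rules may name: the user or a tag
        return {self.user} | self.tags

class ControlPlane:
    def __init__(self, policy):
        self.policy = policy   # allow rules: (src principal, dst principal, port)
        self.peers = {}        # step 2: online peers and their addresses
    def register(self, peer):
        self.peers[peer.name] = peer
    def allowed(self, src, dst, port):
        # step 6: decided on identity and policy, never on network location
        return any(s in src.principals() and d in dst.principals()
                   and p in (port, "*") for s, d, p in self.policy)
    def lookup(self, src_name, dst_name, port):
        # step 3: endpoint and public key are handed out only if policy allows
        src, dst = self.peers[src_name], self.peers.get(dst_name)
        if dst is None or not self.allowed(src, dst, port):
            return None
        return {"pubkey": dst.pubkey, "endpoint": dst.endpoint}

def choose_path(src, dst):
    # steps 4-5, simplified: hole punching is assumed to fail when either side
    # is behind symmetric NAT or a firewall that drops unsolicited inbound UDP
    return "relay" if {src.nat, dst.nat} & {"symmetric", "udp-blocked"} else "direct"

def connect(cp, src_name, dst_name, port):
    # returns (path, peer pubkey) for the tunnel, or None when policy denies it
    info = cp.lookup(src_name, dst_name, port)
    if info is None:
        return None
    return choose_path(cp.peers[src_name], cp.peers[dst_name]), info["pubkey"]
# Constructed sample network: alice's devices may reach tag:server on port 22
cp = ControlPlane(policy=[("alice", "tag:server", 22)])
cp.register(Peer("laptop", "alice", "PK_LAPTOP", "198.51.100.7:41641", "cone"))
cp.register(Peer("vps", "alice", "PK_VPS", "203.0.113.5:41641", "none", {"tag:server"}))
cp.register(Peer("nas", "alice", "PK_NAS", "198.51.100.9:60123", "symmetric", {"tag:server"}))
cp.register(Peer("guest", "bob", "PK_GUEST", "192.0.2.44:41641", "cone"))
```

With this sample network, the laptop reaches the VPS directly and the NAS only via relay, while a port not in the policy or a device authenticated as a different user never even receives the target's endpoint.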

Modern mesh VPN technologies provide much more than direct peer-to-peer VPN connectivity:

  • Subnet routing: a device acts as a router that exposes other LAN networks to the mesh.
  • Exit nodes: route all internet traffic through a chosen device.
  • Posture checks: a device is only admitted to the network if it meets certain requirements.

Comparison between Tailscale and NetBird

Feature               Tailscale              NetBird
Free Tier             3 users, 100 devices   5 users, 100 devices
Open Source Client    Yes                    Yes
Open Source Server    No                     Yes
Enterprise Support    Yes                    Yes
WireGuard Protocol    Yes                    Yes
Access Control        Yes                    Yes
Activity Logging      Yes                    Yes
Endpoint DNS          Yes                    Yes
Network Architecture  peer-to-peer           peer-to-peer

In the next posts, I’ll go into how to set up and use Tailscale and NetBird, one after the other.
