Prologue — A market that started with "I just want to SSH to my home computer"

One of the quietest yet most widespread infrastructure replacements happening in 2026 is **the death of the corporate VPN**.

Ten years ago, the answer to "I need to reach the corporate intranet from home" was preordained: **connect to the company VPN server with an OpenVPN or IPsec client**. The user re-authenticated each time, traffic was forced through a corporate gateway and then back out to the internet, and the router processed packets with a "back in my day" expression.

Today it is different. Open your laptop and you automatically join a mesh network. Servers in the corporate data center, a coworker's laptop, a cloud VPC, a Raspberry Pi at home — all of them share the same private IP range. Who can reach whom is decided by **a single ACL file**. **No one routes through a "gateway."** The fastest path between two hosts is direct peer-to-peer, and when that's impossible, the nearest relay quietly steps in.

The epicenter of this shift is one company — **Tailscale**. Around it, self-hosted projects (Headscale, NetBird, Innernet), enterprise ZTNA platforms (Twingate, Cloudflare Zero Trust), and alternative trust models (Nebula, ZeroTier, Yggdrasil) have each found their niche.

This article maps that landscape: the WireGuard foundation everyone shares, the UX Tailscale defined, the alternatives around it, and the question that actually matters — "what should your organization pick?"

1 · The 2026 overlay VPN map — three camps

The big picture first. The 2026 overlay VPN / mesh market splits into three camps.

| Camp | Representative products | Who runs the control plane | Character |

| --- | --- | --- | --- |

| **Managed SaaS** | Tailscale, Twingate, Cloudflare Zero Trust, NetBird Cloud, ZeroTier Central, Defined Networking | The vendor | Fast adoption, free tier, enterprise gets SSO/SCIM/audit |

| **Self-hosted open source** | Headscale, NetBird (self-host), Innernet, Nebula | You | You own the control plane too — data sovereignty, supply-chain control |

| **DIY / foundational** | WireGuard, IPsec, OpenVPN, Yggdrasil | You (including routing) | Maximum freedom, maximum work |

Even though we say "camps," in practice **almost all of them ride on top of WireGuard**. The differences come down to "who owns key distribution, NAT traversal, policy, and user authentication."

One-line summary

- **Personal / homelab** → Tailscale free tier. End of discussion.

- **Self-hosting enthusiast** → Headscale + the Tailscale clients.

- **SMB / startup** → NetBird or Tailscale Teams.

- **Enterprise** → Cloudflare Zero Trust, Twingate, or Tailscale Enterprise.

- **Special needs (IPv6 mesh, routing itself is the game)** → Yggdrasil, Nebula.

That's the conclusion; the remaining fourteen chapters explain *why*.

2 · NAT traversal — STUN / TURN / DERP / hole punching basics

The real magic of an overlay VPN is not the encryption — it is **getting two computers behind NATs to talk directly**. WireGuard solves "how to send packets safely," but "where to send them, and how to reach them when they sit behind NAT" is a separate problem entirely.

Types of NAT and how friendly they are

| NAT type | Friendliness | Hole-punching feasible? |

| --- | --- | --- |

| Full Cone | Very friendly | Very easy |

| Restricted Cone | Friendly | Easy |

| Port-Restricted Cone | Average | Both sides must cooperate |

| Symmetric NAT | Uncooperative | Very hard, often needs a relay |

| CGNAT (carrier-grade) | Hostile | Almost always needs a relay |

Korean LTE/5G mobile is almost entirely CGNAT. Japan's OCN and US T-Mobile too. **A large fraction of the real-world internet is "places where P2P doesn't work."** Every overlay VPN therefore has **a relay fallback**.

STUN / TURN / DERP

In the traditional WebRTC world:

- **STUN** (Session Traversal Utilities for NAT): a server that answers "what is my public IP and port?" Once both sides know each other's public endpoint, hole punching can start.

- **TURN** (Traversal Using Relays around NAT): when STUN isn't enough, a TURN server relays both sides' traffic.

Tailscale built its own variant:

- **DERP** (Designated Encrypted Relay for Packets): a relay that runs over HTTPS on port 443. It adapts to the reality that 443 is the port firewalls let through most reliably. The traffic is always end-to-end encrypted with WireGuard keys, so DERP only sees **ciphertext** — the relay literally cannot "read" anything.

Why DERP is brilliant:

1. **HTTPS is open everywhere**. 5G CGNAT, hotel WiFi, corporate firewalls — all pass it through.

2. **Separated from the control plane**. DERP is a pure relay and has no notion of who you are sending to.

3. **Automatic fallback**. The moment P2P becomes possible, the path switches instantly. The user never notices.

How hole punching actually works

A (home, behind NAT) B (office, behind NAT)

| |

| --- STUN --> "my public EP"| --- STUN -->

| Coordinator |

| <--- B's public EP --- | <--- A's public EP ---

| |

| --- UDP packet (A->B) --> X (dropped by B's NAT)

| <--- UDP packet (B->A) --- X (dropped by A's NAT)

|

| -> when both send simultaneously, both NATs create mappings <-

|

| --- UDP packet --> OK direct P2P

**The core trick**: if both sides send packets *at the same time*, both NATs create mappings on the basis of "we have outbound traffic, let responses in." Once a mapping exists, the path is direct.

Tailscale's DERP is "the safety net for when this trick fails."

3 · WireGuard — the foundation of everything

Merged into Linux kernel 5.6 in 2020, WireGuard **rewrote the VPN landscape**. It was so clean and so small that it quickly displaced the previous generation of VPNs (OpenVPN, IPsec).

Why WireGuard is simple

/etc/wireguard/wg0.conf

[Interface]

PrivateKey = ...

Address = 10.0.0.1/24

ListenPort = 51820

[Peer]

PublicKey = ...

Endpoint = 203.0.113.42:51820

AllowedIPs = 10.0.0.2/32

That is the entire surface. Keys, IPs, endpoints. The negotiation protocol is a single round trip (1-RTT). The cipher suite is fixed — Curve25519, ChaCha20-Poly1305, BLAKE2s, HKDF. **No choices means no way to misconfigure.**

Compared to OpenVPN:

- OpenVPN: roughly 100,000 lines of code, hundreds of configuration options, TLS, varied cipher suites, complex routing modes.

- WireGuard: roughly 4,000 lines of code (kernel module), one fixed cipher suite.

What WireGuard does *not* solve

This is more important. WireGuard is **a data plane**, not **a control plane**.

What WireGuard does *not* provide:

- **Key distribution**. When a new node joins, you must update every other node's peer section. Manual.

- **NAT traversal**. If `Endpoint` sits behind NAT, it simply does not work.

- **DNS / name resolution**. It only knows IPs.

- **ACL / authorization policy**. Every peer can freely reach any IP listed in `AllowedIPs`.

- **User authentication**. The key is identity, and mapping users to keys is someone else's problem.

- **Rotation, revocation, membership management**.

Every product in the overlay VPN market is **"WireGuard plus a control plane that automates the six things above."** Tailscale, Headscale, NetBird, Innernet, Cloudflare WARP — all of them.

> WireGuard is not a "VPN protocol" — it is a "secure tunnel primitive." What you build on top of it is the real product.

When plain `wg-quick` is enough

- Node count is 5 or fewer

- One side has a public IP server

- Membership rarely changes

Under these conditions, `wg-quick` is perfect. A single-line config, a kernel data path, near-zero overhead. For a small home server and a couple of laptops, it may be the best option.

The moment the conditions break — you cross five nodes, both sides sit behind NAT, a new node joins every week — **you need a control plane**. That's the subject of the next chapter.

4 · Tailscale — the de-facto standard

Founded in 2019, Tailscale layered "everything users actually wanted" on top of WireGuard and defined the market. In 2026 it is **the de-facto standard**.

Tailscale = WireGuard + a coordination service

+--------------------------+

| Tailscale Control |

| (Coordination Server) |

| - node registration |

| - public key distrib. |

| - ACL evaluation |

| - which DERP to use |

+--------------------------+

^ ^

| control | control

| |

+-------+---+ +-----+-----+

| Node A | | Node B |

+-----+-----+ +-----+-----+

| |

| WireGuard P2P |

| <-----------> |

| |

| or |

| +------------+ |

+>| DERP relay |<+

+------------+

**The control plane sees only metadata.** The actual traffic flows directly between nodes (or through DERP), encrypted at both ends by WireGuard. Even Tailscale the company cannot read user traffic content.

Core features (in 2026)

| Feature | What it does |

| --- | --- |

| **MagicDNS** | Node names work like DNS — `ssh laptop` just works. Auto subdomain under `*.ts.net`. |

| **Subnet Router** | A node advertises "I will route the subnet behind me." Exposes corporate 192.168.x to the mesh. |

| **Exit Node** | Promote a node to internet gateway. All traffic exits through it. |

| **ACL (Tailnet Policy)** | A single HuJSON file expresses rules like `user:alice@example.com -> tag:server`. |

| **Tailscale SSH** | Delegates SSH keys themselves to the tailnet. No more key distribution. |

| **Tailscale Funnel** | Exposes a node inside the mesh to the public internet. Automatic HTTPS. |

| **Tailscale Serve** | Serves a service on a node only inside the mesh (auto TLS). |

| **Mullvad integration** | Use a Mullvad VPN exit as the exit node — real "internet VPN" mode. |

| **App Connector** | Proxies traffic to a SaaS (Slack, Notion) through a specific node, so only that node's IP needs to be allowlisted. |

| **ACME / TLS** | Real Let's Encrypt certificates auto-issued to mesh nodes. |

| **Auto-update** | Client auto-update so you do not miss security patches. |

Tailscale Funnel — "exposing localhost on the internet"

You want to demo something from your home server for an hour. The old answer was ngrok, and ngrok is still good, but if you already use Tailscale:

tailscale funnel 8080

https://my-laptop.tail1234.ts.net is created

Let's Encrypt cert auto-issued

Exactly the same category as Cloudflare Tunnel, except it exposes "a node already inside your tailnet" as-is.

The Mullvad partnership — a marriage of two VPNs

Since 2023, Tailscale paid users can use Mullvad's 38-country exits as Tailscale exit nodes, for little or no extra cost.

- "Mesh network for work" → Tailscale

- "Safe internet from a Starbucks WiFi" → Mullvad

- "Both with one client" → the 2026 standard setup

Pricing and the free tier

- **Free** (Personal): 3 users, 100 devices, all features. Effectively infinite for personal and small homelab use.

- **Starter / Premium / Enterprise**: per-user monthly billing. SSO/SCIM/audit/SLA at higher tiers.

As of 2026 the free tier is **one of the most generous SaaS free tiers in the world**. That is why "every developer has at least tried Tailscale."

Weak points

- **Control-plane dependency**. If Tailscale's control plane goes down, new connections and key rotations stall (existing sessions hold for a while).

- **Vendor lock-in**. The killer features are co-designed between client and control plane → next chapter, Headscale.

- **Data sovereignty**. Metadata lives on Tailscale's servers. A burden in regulated industries.

5 · Headscale — self-hosted Tailscale

Headscale is **an open-source reimplementation of Tailscale's control plane**. You keep using Tailscale's official open-source clients, and only run the server side yourself.

The creator is Juan Font (not a Tailscale employee, though Tailscale has welcomed it as "a healthy outside implementation").

What is the same, what is different

| Feature | Tailscale (SaaS) | Headscale |

| --- | --- | --- |

| WireGuard data plane | Identical | Identical |

| MagicDNS | Yes | Yes |

| ACL | Yes (HuJSON) | Yes (compatible format) |

| DERP | Tailscale-operated | You run your own, or use Tailscale's public DERP |

| Funnel / Serve | Yes | Partial (varies by version) |

| Mullvad | Yes | No (Mullvad's contract) |

| SSO/SAML/SCIM | Yes | Partial (OIDC works) |

| Operational burden | Zero | You |

Setup

docker run -d --name headscale \

-v ./config:/etc/headscale \

-v ./data:/var/lib/headscale \

-p 8080:8080 \

-p 9090:9090 \

headscale/headscale:0.25.0 \

serve

clients simply do

tailscale up --login-server=https://headscale.example.com

**After that the experience is virtually identical.** `tailscale status`, `tailscale ssh`, `tailscale ping` all work as before.

Who should pick Headscale

- Organizations with strong **data sovereignty** requirements (European regulators, finance, governments)

- People who **cannot stomach vendor lock-in** (infrastructure philosophy)

- **Air-gapped environments** that can't reach Tailscale's control plane

- **For fun** — many homelabbers run Headscale just because they can. The UI/UX is filled in by community web UIs (e.g. headscale-ui).

Weak points

- Whenever Tailscale ships a new feature, Headscale takes months to catch up.

- Operations are on you — running DERP, backing up the DB, upgrades.

- Enterprise features (advanced ACL UI, audit-log UI, automatic device posture checks) are thin.

6 · ZeroTier — champion of the pre-WireGuard era

ZeroTier started in 2011, **long before WireGuard existed**. Its own protocol, its own cipher suite, its own data plane. It was one of the first companies to popularize the "global virtual Ethernet switch" metaphor.

Model

Join a Network ID (16-char hex)

v

A global controller (root node) distributes IDs and keys

v

Every node gets a Layer 2 virtual NIC

v

L2 frames flow P2P (relayed through root when P2P fails)

Differences from WireGuard:

- **Layer 2 (Ethernet)**. WireGuard/Tailscale operate on top of Layer 3 (IP). ZeroTier can carry broadcast, multicast, and non-IP protocols. It behaves **"like one LAN."**

- **Custom protocol**. Not a kernel module like WireGuard — it is a userspace daemon.

- **The controller can be self-hosted**. You can use ZeroTier Central (SaaS) or self-host via ZTNCUI.

Where ZeroTier still makes sense in 2026

- **Legacy non-IP traffic** (older industrial protocols, NetBIOS, some games)

- **Environments already deployed on ZeroTier** — migration cost

- **Scenarios that require Layer 2 semantics** (e.g. VM cluster vMotion, certain clustering products)

- **Small networks of 25 people or fewer** on the single free network (free tier cap)

Weak points (in the Tailscale era)

- The UX is a generation behind Tailscale. There is no MagicDNS, SSH, or Funnel equivalent.

- It is slower than WireGuard (userspace = context switches).

- Carrying L2 over a mesh is often a security risk (broadcast storms).

For most use cases, "a fresh adoption in 2026" is hard to justify. That said, **for anyone seriously asking "do we need L2 semantics?" it is nearly the only answer**.

7 · Nebula (Slack open source) — a different trust model

Nebula came out of Slack running its own service mesh at millions of hosts. Open-sourced in 2019. On the surface it looks like another "WireGuard-style mesh" à la Tailscale, but **the model itself is different**.

Core idea — PKI

Nebula has **its own PKI**. The operator creates a CA and issues certificates to each node. The certificate contains:

- Node name

- Group membership (e.g. `web`, `db`, `staging`)

- Allowed IPs

- Expiration

**Authorization is baked into the certificate**. There is no need to ask a control server "who is this node?" every time — the certificate is the identity, and nodes verify it directly.

Tailscale vs Nebula

| Dimension | Tailscale | Nebula |

| --- | --- | --- |

| Key distribution | Dynamically by the control plane | PKI, certificates issued ahead of time |

| Identity | User-to-key mapping (SSO possible) | Group/name in the certificate |

| Policy evaluation | Control plane (central) | At the node (distributed) |

| Scalability | Tens of thousands of nodes OK, control-plane dependent | Hundreds of thousands of nodes in production (Slack) |

| Operations | SaaS or Headscale | You (run lighthouse nodes) |

| NAT traversal | DERP and friends | UDP hole punching plus lighthouse relay |

Lighthouse — discovery

In Nebula, the question of "what is a given node's public endpoint" is answered by a special node called the **lighthouse**. Nodes register themselves with the lighthouse and ask it when they need to find others. One or two small servers are enough.

Where it shines

- **Large infrastructure meshes** (thousands to tens of thousands of server-to-server links)

- **Organizations already running PKI internally** — Vault, Step-CA, etc. fit naturally

- **Environments where the mesh must keep working after the control plane dies** — as long as certificates are valid, nodes can keep talking

- **Server infrastructure** (rather than user laptops) as the center of gravity

Weak points

- **It is not a human-friendly tool**. Lots of CLI and config files. Far from Tailscale's "install and you're done" UX.

- **No MagicDNS-style conveniences**.

- **Weak SSO integration**. Not the right fit when the scenario is putting user workstations on the mesh.

8 · Defined Networking — commercial Nebula

Defined Networking is the company started by the original Nebula developers. It provides a "managed control plane plus UI plus automated certificate issuance" on top of open-source Nebula.

- You can call it "the Tailscale of Nebula."

- It focuses more on the **server infrastructure** market than on user laptops.

- SSO, policy UI, audit logs — all delivered from the control plane.

- Pricing is per device, monthly.

How to decide:

- We are "more servers than people" → Defined Networking is natural.

- We are "more people than servers" → Tailscale is natural.

9 · NetBird (open source) — Tailscale + SSO

NetBird emerged around 2022 as an "**open source plus SSO-first**" mesh VPN. WireGuard-based, MagicDNS-equivalent, ACLs, and **OIDC/SAML integration at the center from day one**.

Key differences

- **Self-hosting is genuinely first-class**. Headscale is "a Tailscale-compatible control plane," but NetBird was designed with "self-hosting as the main path." One Docker Compose and you are running.

- **SSO out of the box**. Keycloak, Auth0, Authentik, Google Workspace, Okta all work.

- **Policy UI**. Edit groups, tags, and policies visually in a web UI.

- **SaaS as well**. NetBird Cloud (managed) is also operated. Pricing is slightly cheaper than Tailscale.

NetBird vs Tailscale vs Headscale

| Dimension | Tailscale | Headscale | NetBird |

| --- | --- | --- | --- |

| License | Control plane closed | 100% open source | 100% open source |

| Managed option | Yes | Unofficial | Yes (NetBird Cloud) |

| SSO | In enterprise tier | OIDC only | Strong (all major IdPs) |

| MagicDNS | Yes | Yes | Yes |

| ACL UI | Yes | Limited | Strong |

| Self-host difficulty | Not possible | Moderate | Easy |

| Client breadth | Best (every OS) | Uses Tailscale clients | Every major OS |

Who should pick NetBird

- SMB / mid-market that requires **self-hosting** plus already has **corporate SSO**

- Teams for whom **Tailscale pricing is a burden** but who can carry the self-hosting load

- Organizations with strong **open-source principles**

Weak points

- Feature maturity trails Tailscale. There is no "wow feature" comparable to Funnel.

- The community is smaller than Tailscale's.

- You have to build out a sophisticated global relay network like DERP yourself.

10 · Twingate — Zero Trust enterprise

Twingate positions itself **not as an overlay VPN but in the "Zero Trust Network Access (ZTNA)" category**. What does that distinction mean?

Model difference

Traditional mesh VPN (Tailscale, NetBird):

- The user "joins the mesh"

- Once joined, every node the ACL permits is visible

- IP-based policy

Twingate (and Cloudflare Access, Google BeyondCorp — the same ZTNA category):

- The user "requests access to a resource"

- Each request is evaluated by identity, device posture, time, conditions

- Resource-level policy (e.g. "this user gets only this host's 443")

- Usually a **TCP proxy** model — name-based rather than mesh-IP-based

Twingate components

[User device + Twingate Client]

|

v (TLS, auth token)

[Twingate Controller (SaaS)] -- policy evaluation

|

v

[Twingate Connector (installed on-prem)]

|

v

[Protected resource (DB, internal web app, SSH)]

The key point: **the Connector only initiates outbound to the Controller**. You do not need to open any inbound port on-prem. Same pattern as Cloudflare Tunnel.

Strengths

- **No open ports**. You can reach internal resources without exposing them to the internet.

- **Resource-level ACLs**. "Alice gets only jenkins:8080 in staging," for example.

- **Device posture**. Is the Mac's disk encrypted? Is the OS up to date? If not, block.

- **A real replacement for site-to-site VPN**. The user-to-resource model removes the need to design inter-site routing.

Weak points

- **It is not a mesh**. Nodes cannot see each other. The model is strictly user-to-resource.

- **Strong vendor lock-in**. Both the controller and the connector are company-owned code.

- **SaaS-tier pricing**. Can be expensive for an SMB.

Who picks it

- Enterprises already running OpenVPN/Cisco AnyConnect for "site-to-site VPN" who want **to get rid of it**.

- When compliance (SOC 2, ISO 27001) demands "per-session auth, device posture, audit logs."

- Patterns like call centers / support orgs where employees "drop in briefly to see one resource."

11 · Cloudflare WARP / Zero Trust — consumer plus enterprise

Cloudflare bundles two distinct products under one umbrella.

WARP — the free consumer VPN-ish

It started as a mobile app: a free service that "sends DNS to 1.1.1.1 and routes all traffic through CF's global network." Unlike traditional VPNs:

- It is not primarily about hiding your IP (a different goal than Mullvad).

- "CF's faster backbone beats your slow ISP routing" is the selling point.

- It runs on a WireGuard variant (Cloudflare's BoringTun).

WARP+ (paid) adds priority routing and small extras.

Cloudflare Zero Trust — the enterprise ZTNA

The same client is, in reality, **the entry point to the enterprise Zero Trust platform**.

- **Cloudflare Access**: SSO and policy gate in front of SaaS and internal apps (the BeyondCorp pattern).

- **Cloudflare Tunnel** (formerly Argo Tunnel): a connector daemon initiates outbound to CF and exposes internal resources safely.

- **Gateway**: inspects user-to-internet traffic via DNS/HTTP/network filters (SWG).

- **Browser Isolation**: renders risky sites in a cloud browser and sends only pixels.

- **Cloudflare One**: bundles all of the above under the "SASE" umbrella.

Strengths

- **Global backbone**. 320+ city PoPs. Wherever the user connects, there is a nearby PoP.

- **DNS / CDN / DDoS / Workers all from the same company**. Tight integration.

- **A genuinely useful free tier** (Zero Trust is free up to 50 users).

- **DEX (Digital Experience Monitoring)** — actually measures the user experience itself.

Weak points

- **It is not a mesh VPN**. The model is not node-to-node — it is "everything routes through Cloudflare."

- **You put all your trust in Cloudflare**. Metadata, DNS, and traffic patterns are visible to CF.

- **The ultimate form of vendor lock-in**. Once you bring Workers, R2, KV in, leaving is hard.

Who picks it

- Companies already using Cloudflare as CDN/WAF — a natural extension.

- Distributed global workforces (offices across many time zones).

- Enterprises that want to "finish SASE in one vendor."

12 · Other options — Innernet, Yggdrasil, and more

Innernet (Tonari)

A **simple WireGuard mesh tool** built by Tonari, a company in Tokyo. Open source. It targets the middle between "Tailscale is too much" and "wg-quick is too little."

- **One server is the controller**. Adding a node is done with an invite token.

- **ACLs expressed as a CIDR tree** — networks/CIDRs as the unit of authorization.

- **No DERP**. NAT traversal is bare-bones.

- Often used by small distributed teams as "a lighter alternative to self-hosting Tailscale."

Yggdrasil

**A mesh IPv6 network where people around the world route for each other**. It feels like an academic experiment, but it actually works.

- Each node has an ed25519 keypair → the IPv6 address is deterministically derived from the key.

- Connect to any "peer" and you automatically join the global routing tree.

- No company runs it. A truly P2P mesh.

Use cases:

- "A backup network we can still route on if the internet breaks"

- Academic experimentation

- People with political convictions about IPv6 mesh

Not appropriate for the enterprise. The very concepts of control, SLA, and audit do not exist here.

Do not overlook these either

- **Tinc** — a P2P VPN that's been around since 1998. Pre-WireGuard generation, still used in places.

- **OpenZiti** — "application-embedded zero trust." An SDK you embed directly in the app.

- **Boundary** (HashiCorp) — a "user-to-DB/server" session broker. A different category than mesh VPN.

- **GoodAccess, Perimeter 81 (now Check Point)** — enterprise SaaS VPN, mostly non-US markets.

13 · ACL / MagicDNS / exit node / subnet router — operational patterns

You know the feature names. Now let us look at **how they are used in practice**, in patterns. The examples use Tailscale ACL syntax, but NetBird and Headscale carry the same concepts.

ACL — the real shape of zero trust

{

"groups": {

"group:eng": ["alice@example.com", "bob@example.com"],

"group:ops": ["carol@example.com"]

},

"tagOwners": {

"tag:prod-db": ["group:ops"],

"tag:staging": ["group:eng"]

},

"acls": [

{ "action": "accept", "src": ["group:eng"],

"dst": ["tag:staging:22,80,443"] },

{ "action": "accept", "src": ["group:ops"],

"dst": ["tag:prod-db:5432"] }

],

"ssh": [

{ "action": "check", "src": ["group:eng"],

"dst": ["tag:staging"], "users": ["root", "ubuntu"] }

]

}

Core principles:

- **Express things as groups and tags, not as individual users**. Onboarding and offboarding then only update group membership.

- **Narrow to the port**. "Only 80/443/22 in staging" and so on.

- **Default deny**. Anything not explicitly accepted is denied.

- **Machines are not people**. Machines get tags (e.g. `tag:prod-db`), humans get groups.

MagicDNS — names are IPs

After `tailscale up`, `ssh laptop` just works. The name a node receives on registration is automatically resolved to a `100.x.x.x` address. Short names resolve only within the same tailnet; the full name is `laptop.tail1234.ts.net`.

What matters operationally:

- **No more distributed `/etc/hosts` or DNS management**.

- **Headscale and NetBird offer the same feature** (under a different domain).

- **MagicDNS dramatically improves ACL readability** — you can write policy in names instead of IPs.

Exit Node — the "default gateway" inside the mesh

Declare a node as an exit node

sudo tailscale up --advertise-exit-node

Use that node as the exit from a client

tailscale set --exit-node=my-exit

Use cases:

1. **Bypass café WiFi filtering** — reach the internet through a company mesh node.

2. **Bypass geofencing** — appear to be in another country when there is a node there.

3. **Mullvad exit (Tailscale)** — 38 country exits.

4. **Simplify SaaS IP allowlists** — register only the exit node's single IP.

Subnet Router — reach what the mesh cannot

Expose corporate 192.168.10.0/24 to the mesh

sudo tailscale up --advertise-routes=192.168.10.0/24

Admin approves the route in the admin UI

Use cases:

- **Legacy devices** (NAS, printers, IPMI that cannot run a mesh client)

- **Cloud VPC** — make one EC2 a subnet router and the whole VPC is visible from the mesh

- **The de-facto replacement for site-to-site VPN**.

High Availability Subnet Router

If several nodes advertise the same subnet, Tailscale automatically fails over. The connection survives a router going down.

14 · Korea and Japan adoption — Toss, LINE, Mercari

Zero-trust and overlay VPN adoption in Korea and Japan has progressed quickly. A few publicly known cases.

Toss (Viva Republica)

Toss runs an internal zero-trust model under the name "inner network." Core elements:

- **Device certificates plus SSO are mandatory** for user-laptop access to internal resources.

- Reducing site-to-site VPN, moving toward **per-user ACL models**.

- Their tech talks (2024–2025) have repeatedly mentioned "retiring VPN gateways / migrating to a mesh model."

- A hybrid of in-house builds and commercial products.

Key lessons:

- The first decision is a policy decision — "cut VPN, go zero trust."

- After that, a staged migration (one resource at a time → one team at a time → company-wide).

- Typically a one-to-two year effort.

LINE

LINE's SRE and network teams have, thanks to their global distribution (Japan, Korea, Thailand, Indonesia, Taiwan), operated **their own mesh / zero-trust model** for a long time.

- Open-source components combined with their own control plane.

- For a scenario where a Tokyo HQ employee accesses a Jakarta data center, **the closest geographic PoP is selected automatically**.

- Their tech talks regularly discuss "cleaning up OpenVPN gateways and the zero-trust umbrella."

Mercari

Tokyo-based Mercari, with its "company-wide microservices plus global workforce" shape, is one of the companies most exposed to zero-trust transition costs.

- A combination of Cloudflare Access and an in-house policy engine gates internal tools.

- The directional message "reach internal tools without going through a VPN" is publicly shared in their engineering blog repeatedly.

- Often cited as a pioneer of zero trust among Japanese companies.

Common patterns across Korea and Japan

1. **Personal-laptop entry to the corporate mesh is typically SSO plus a device certificate**.

2. **Internal site-to-site VPN is shrinking**. Replaced by Tailscale subnet router or a ZTNA connector.

3. **Financial firms** prefer **self-hosting (Headscale, NetBird, in-house builds)** for data sovereignty.

4. **Mobile gaming and entertainment** show high adoption of **Cloudflare Zero Trust**.

5. **Startups** start from Tailscale's free or Starter tier.

15 · Who should pick what — a scenario-by-scenario decision tree

Finally, the catalog compressed into short "decisions."

Personal / homelab

**Tailscale Free**. End of story. Up to 3 users / 100 devices for free, all features. If you want a Mullvad exit, the cheapest paid tier plus the Mullvad add-on. If self-hosting itches, move to Headscale.

What to avoid: "First-time setting up OpenVPN for fun" in 2026.

1–10 person startups

**Tailscale Starter** or **NetBird Cloud**. The former if you need SSO. The latter if pricing matters.

SMB (10–200)

Three paths:

1. **Tailscale Premium / Enterprise** — fastest adoption.

2. **NetBird (self-host)** — when self-hosting is required or you want to cut the bill.

3. **Cloudflare Zero Trust** — if you are already a CF customer or want a single SASE umbrella.

Enterprise (200+)

Almost always **a combination of two products**:

- User → internal resource / SaaS: Cloudflare Zero Trust or Twingate.

- Server-to-server infrastructure mesh: Tailscale Enterprise, Headscale, or Nebula / Defined Networking.

- One client on the laptop is nice — that is one reason some teams consolidate on a single vendor.

Regulated industries (finance, government, healthcare)

**Self-hosted Headscale or NetBird** plus your own DERP. Both data and metadata stay in country. If the control plane is compromised, the blast radius is contained.

Large-scale server infrastructure mesh (tens of thousands of nodes)

**Nebula or Defined Networking**. A PKI-based, distributed trust model reduces control-plane dependency.

Globally distributed workforce (many PoPs)

**Cloudflare Zero Trust** or **Tailscale plus self-operated DERP**. PoP proximity is a large fraction of the user experience.

Disconnected environments (ships, mines, remote sites)

**Headscale plus your own DERP**, or **Nebula**. Zero dependency on an external control plane.

You really need Layer 2 semantics

**ZeroTier**. Almost the only reasonable choice.

Political or experimental mesh

**Yggdrasil**. Or a peer P2P network of the same flavor.

Closing — "VPN" may soon be a word we stop using

In 2026 we say "we are adopting a VPN" less and less. Instead we say "**zero-trust network**," "**overlay mesh**," "**device identity**."

Technically these are nearly the same thing — encrypted tunnels between nodes. What differs is **the model**:

- Before: "once you are inside the perimeter, you see everything."

- Now: "identity, device, and context are evaluated on every request, with permissions at the resource level."

The data plane for that model shift was largely captured by WireGuard. The control plane and UX were defined by Tailscale. The blanks in between — self-hosting, SSO integration, enterprise policy — are being filled by Headscale, NetBird, Twingate, Cloudflare Zero Trust, Nebula, and Defined Networking.

The next time someone asks you "how do I SSH to my company server from home?" — if your answer is OpenVPN, you are already late. Install Tailscale once and run one SSH command. Five minutes later, the moment of "the world can be this simple" arrives.

That is the promise of overlay VPNs in 2026.

References

- WireGuard: [https://www.wireguard.com/](https://www.wireguard.com/)

- Tailscale: [https://tailscale.com/](https://tailscale.com/)

- Tailscale Funnel: [https://tailscale.com/kb/1223/funnel](https://tailscale.com/kb/1223/funnel)

- Tailscale Mullvad: [https://tailscale.com/kb/1258/mullvad-exit-nodes](https://tailscale.com/kb/1258/mullvad-exit-nodes)

- DERP (Tailscale): [https://tailscale.com/kb/1232/derp-servers](https://tailscale.com/kb/1232/derp-servers)

- Headscale: [https://github.com/juanfont/headscale](https://github.com/juanfont/headscale)

- ZeroTier: [https://www.zerotier.com/](https://www.zerotier.com/)

- Nebula (Slack): [https://github.com/slackhq/nebula](https://github.com/slackhq/nebula)

- Defined Networking: [https://www.defined.net/](https://www.defined.net/)

- NetBird: [https://netbird.io/](https://netbird.io/)

- NetBird (GitHub): [https://github.com/netbirdio/netbird](https://github.com/netbirdio/netbird)

- Twingate: [https://www.twingate.com/](https://www.twingate.com/)

- Cloudflare Zero Trust: [https://www.cloudflare.com/zero-trust/](https://www.cloudflare.com/zero-trust/)

- Cloudflare WARP: [https://1.1.1.1/](https://1.1.1.1/)

- Cloudflare Tunnel: [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)

- Innernet (Tonari): [https://github.com/tonarino/innernet](https://github.com/tonarino/innernet)

- Yggdrasil Network: [https://yggdrasil-network.github.io/](https://yggdrasil-network.github.io/)

- BeyondCorp (Google): [https://cloud.google.com/beyondcorp](https://cloud.google.com/beyondcorp)

- NIST SP 800-207 Zero Trust Architecture: [https://csrc.nist.gov/publications/detail/sp/800-207/final](https://csrc.nist.gov/publications/detail/sp/800-207/final)

- LINE Engineering: [https://engineering.linecorp.com/en](https://engineering.linecorp.com/en)

- Mercari Engineering: [https://engineering.mercari.com/en/](https://engineering.mercari.com/en/)

- Toss Tech Blog: [https://toss.tech/](https://toss.tech/)