ZeroTier vs. Tailscale

An unusual post for ZeroTier, but people will ask :slight_smile:

I’ve been a paid user of ZeroTier for some time. I like it, and I continue to use it in various ways, but when Tailscale was reviewed on Security Now, I took a look at it. For the TLDRs…

Pros:

  • As easy to set up as ZeroTier.
  • Similar pricing model.
  • From what I can see in traces, does not require intermediate servers to pass traffic. All Tailscale really does is serve as a rendezvous point for WireGuard. If WireGuard works, Tailscale will work – it just does the key and policy management for you. This means you can get the same performance you get with native WireGuard.
  • Reliable Linux clients. Haven’t tried iOS or Android yet.
  • Plug-and-play WireGuard. If you don’t know what WireGuard is, or you can’t set it up easily on your hardware, Tailscale is plug-and-play.
  • Slightly easier to set up gateways. They have subnet routing “out of the box” in the control panel. If you have ip_forward on in your Linux box, that’s about it.

Cons:

  • Mac client needs a lot of work
  • Very few backports (BSD, Qnap etc)
  • Windows client is limited
  • (IMPORTANT) Is not the same type of overlay network as Zerotier. You do not get a private address block. You just get a public address. That means you really need to put every node in your DNS because you don’t really have a unique subnet.
  • More like what Hamachi used to be than like ZeroTier.
  • Younger than ZeroTier – we’ll see how long they last, but competition is good, it pushes everyone forward.
  • The free plan is less flexible than ZeroTier IMHO.
  • The paid plan for individuals ($40) is acceptable, but for $10 more, ZeroTier offers more.

When to use Tailscale:

  • If you were a Hamachi user, this is a drop-in replacement in many ways. Your nodes get a new public IP but sadly, it can be anywhere – you can’t count on a specific subnet.
  • Efficient WireGuard transport and encryption make it good for LAN parties etc.

When to use ZeroTier:

  • If Hamachi wasn’t enough, Tailscale will likely not suffice either. It does not (yet) have things like ZeroTier’s tagging or policy logic. Granted, ZeroTier’s interface to some advanced features really isn’t there yet, it’s more of an API, but Tailscale doesn’t have them at all so far as I can tell. I’ve contacted Tailscale and we’ll see how they answer.
  • If you need address space within your overlay that you can treat as a “private LAN”, that’s not Tailscale. By design, they don’t do that.
  • Layer-2 magic. Tailscale is Layer-3 because of WireGuard. So all of the magic Layer-2 stuff in ZeroTier just isn’t in Tailscale and likely never will be. Layer-2 isn’t fun to set up on Linux, but I’ve done it. Sometimes you need to be Layer-2.

UPDATE: Spoke with Tailscale support. There is one other BIG feature that ZeroTier has that Tailscale does not. Tailscale talks about “subnet routers”. One might think that these are Layer-3 routers that bridge between your LAN and Tailscale, much as I can do with a ZeroTier routed network. This is not the case. Tailscale, because you do not have your own subnet, can at best have your Linux box act as a NAT gateway. You can SNAT and DNAT from the Linux box to the Tailscale IP, but you do not just route. So, if you want a gateway between your LAN and Tailscale – a gateway that bridges all hosts on your LAN – you really can’t do it. This is a big win for ZeroTier.


Good comparison, thanks! I’m using both ZeroTier and Tailscale on a daily basis, so here is my two pennies’ worth.

Tailscale ACL vs ZeroTier network rules.
ZeroTier is more complicated, both the ‘language’ and the stateless nature of the rules engine. But it comes with flexibility, and you can do a lot more in ZeroTier than with Tailscale ACLs. If you have strict requirements or simply like to have control, then it will make a huge difference, but it doesn’t really matter if you can’t be bothered with firewalls.
ZeroTier wins that one.

Linux clients.
The Tailscale client makes some changes to my system that I neither expected nor anticipated, i.e. it adds iptables rules and breaks DNS in some specific scenarios. Not a huge deal once I knew about this, but it took a while to figure out and was not fun. On the other hand, the ZeroTier client is more buggy in my experience.
It’s a draw here.

Free/community support.
I’m under the impression that ZeroTier has a bigger community, but Tailscale developers are more engaged and overall your issues are addressed quicker for Tailscale.
Tailscale wins that one.

Tailscale sharing.
Tailscale allows you to share your server with an external network where you don’t have admin rights, in a way that still lets you keep control over that server, i.e. node settings, ACLs etc. There is nothing like that in ZeroTier.
Killer feature for me, Tailscale wins that one.

Address space.
Unlike Tailscale, ZeroTier gives you full control and predictable addressing for your nodes. That may be invaluable when you manage a lot of separate networks.
Killer feature for me, ZeroTier wins that one.

Not sure about that. I was comparing ZeroTier and Tailscale on a site behind some carrier-grade-dodgy-NAT, and one immediate difference was that ZT dealt a lot better with finding the quickest path. When using ZT, two hosts in the same LAN very quickly dropped the relay host and started talking directly, as expected. With the same setup on TS, they kept using a relay host somewhere on the internet; they didn’t discover the LAN path.
