An unusual post for Zerotier, but people will ask
I’ve been a paid user of Zerotier for some time. I like it, I continue to use it in various ways, but when Tailscale was reviewed on SecurityNow, I took a look at it. For the TLDRs…
Pros:
- As easy to set up as Zerotier.
- Similar pricing model
- From what I can see in traces, does not require intermediate servers to pass traffic. All TailScale really does is serve as a rendezvous point for Wireguard. If Wireguard works, Tailscale will work – it just does the key and policy management for you. This means you can get the same performance you get with native Wireguard.
- Reliable Linux clients. Haven’t tried iOS, Android yet.
- Plug-and-play Wireguard. If you don’t know what Wireguard is, or you can’t set it up easily on your hardware, TailScale is plug-and-play
- Slightly easier to set up gateways. They have subnet routing “out of the box” in the control panel. If you have ip_forward on in your Linux box, that’s about it.
Cons:
- Mac client needs a lot of work
- Very few backports (BSD, Qnap etc)
- Windows client is limited
- (IMPORTANT) Is not the same type of overlay network as Zerotier. You do not get a private address block. You just get a public address. That means you really need to put every node in your DNS because you don’t really have a unique subnet.
- More like Hamachi used to be compared to Zerotier.
- Younger than ZeroTier – we’ll see how long they last, but competition is good, it pushes everyone forward.
- The free plan is less flexible than ZeroTier IMHO.
- The paid plan for individuals ($40) is acceptable, but for $10 more, ZeroTier offers more.
When to use TailScale
- If you were a Hamachi user, this is a drop-in replacement in many ways. Your nodes get a new public IP but sadly, it can be anywhere – you can’t count on a specific subnet.
- Efficient Wireguard transport and encryption make it good for LAN parties etc.
When to use ZeroTier:
- If Hamachi wasn’t enough, Tailscale also will likely not suffice. It does not (yet) have things like ZeroTier’s tagging, or policy logic. Granted Zerotier’s interface to some advanced features really isn’t there yet, it’s more of an API, but Tailscale doesn’t have them at all so far as I can tell. I’ve contacted TailScale and we’ll see how they answer.
- If you need address space within your overlay that you can treat as a “private LAN”, that’s not Tailscale. By design, they don’t do that.
- Layer-2 magic. Tailscale is Layer-3 because of Wireguard. So all of the magic Layer-2 stuff in ZeroTier just isn’t in Tailscale and likely will never be. Layer-2 isn’t fun to set up on Linux, but I’ve done it. Sometimes you need to be layer-2.
UPDATE: Spoke with TailScale support. There is one other BIG feature that ZeroTier has that TailScale does not. Tailscale talks about “subnet routers”. One might think that these are layer-3 routers that bridge between your LAN and Tailscale much as I can do with a Zerotier routed network. This is not the case. Tailscale, because you do not have your own subnet, can, at best, have your Linux box act as a NAT gateway. You can SNAT and DNAT from the Linux box to the TailScale IP, but you do not just route. So, if you want a gateway between your LAN and Tailscale – a gateway that bridges all hosts on your LAN – you really can’t do it. This is a big win for ZeroTier.