Comparing Top Overlay VPN Networks: Tailscale, Netbird, Netmaker, Zerotier
HTML-код
- Опубликовано: 22 май 2024
- lawrence.video/networking
Forum post with all the details
forums.lawrencesystems.com/t/...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 www.techsupplydirect.com?aff=2
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
Chapters
00:00 Comparing Overlay VPN Networks Tailscale, Netbird, Netmaker, Zerotier
02:16 What is an Overlay VPN
03:47 Comparing Tailscale Netbird Netmaker Zerotier and Twingate
08:34 A Detailed Look at Tailscale and Netbird features
11:15 Self Hosted Netbird Interface 
Наука
thank you for the great video. I used Tailscale in the past but switched to Netbird for many reasons. You already mentioned a lot already. For me there is one killa-feature and that is, that the company behind NetBird a German company so they have to stick to the GDPR. I love it!
Timely vid! I've dabbled with Tailscale, primarily because they have a good Terraform module, but I have yet to actually do stuff with this other than testing accessing my home setup from the office. Will check out alternatives.
Been running netbird from v0.6.0 and it’s great it’s come along way and it’s been extremely stable, the addition of IOS and Android has been amazing
Thank you for the kind words from the NetBird team :)
@@netbirdio I really like your product, but there is no exit node
When it is ?
Opened this video exactly because I was made aware of Twingate, but the content I find is sponsored. Will be trying netbird, seems really easy to get things done and should be enough for my needs
Thanks for the demo and info. I am using Twingate, but will try Netbird. Have a great day
Thank you from the NetBird team :)
Thanks for this! Awesome explanation as always
Totally appreciate your channel!
Glad you enjoy it!
ZeroTier is also available for ASUStor NAS devices, OPNsense, and even some retro gaming handheld custom firmwares like ArkOS.
He knows but intentionally did not mention to show pfsense in good light
Would love to see a follow up to this of the performance of these networks. simple speed tests even.
Tailscale with headscale as coordination server works very well for me. I would like to test netbird but currently it lacks some features that are important for me. E.g. exit nodes (will be available in march) and dual stack networking with IPv4 and IPv6. These features are already running fine with Tailscale and headscale. GoodiesHQ is currently working on an ACL UI Builder which will be integrated into the open source Admin-UI. Interesting times to come :)
My only issue with Tailscale is the ACL syntax isn’t clear from the documentation. The default is a permit any which isn’t great and it doesn’t integrate with firewall rules in pfsense the way ZeroTier does with opnsense.
I’m not writing json rules for ACL…there needs to be a better way to do it and clearer documentation
Thank you and I agree 100%. TS needs a better and clearer way to define rules and ACLs beyond JSON - we’re not all developers.
I use ZeroTier for everything network myself. So amazing! People just need to be more willing to learn. OpenWRT does firewalling really good in a GUI where I configure my ZeroTier.
very very nice disclosure at beginning. no sponsor here. by the way, nothings bad about sponsorship, I trust some youtubers and also with sponsor it's ok, but knowing before is a great choice.
Thanks, now I can ssee the rest of the video.
I haven't found anything similar to ZeroTier's 6PLANE addressing for container based routing. It's especially useful as it makes use of IPv6 NDP emulation for finding the shortest route between container.
I haven't found any Wireguard-based solution similar yet, but I guess it would not be as seamless as zerotier automatic adressing
Thanks so much for this video! I'm really excited about netbird, as I haven't seen yet an open source solution which you can easily self host. I just wonder what security aspects you got to look out for, such as separating directories of the DB files and the web server fikes etc. looking forward to Your video about netbird!! Shame is, that zerotier and any other wire guard based solution, doesn't work great.... Tinkered a lot with excluding IP ranges from zerotier, but still doesn't seem to work alongside.....
Thanks for the video. Would really like to see a performance test comparing Tailscale and Netbird in terms of throughput and LATENCY. Everyon tests throughput, but for some reason you rarely see latency info included. Edit: Netmaker has phone apps for iOS and Android now.
I've been using Tailscale for a while. Their ACL syntax does require a bit getting used to but does the job really well. But their error messages when I mess up could be better. But after this video, Netbird peaked my intrest. I might try it with a test environment sometime.
I've been a happy Tailscale user for quite some time, and have considered going the Headscale route. However, I may well give Netbird a try. (That's what homelabs are for, right?)
good timing. I'm a newbie to networking and just put express VPN configuration files on my Beryl Travel Router using OpenVPN. It was super easy. Not sure if this is related or not, but thought it was cool to be able to do that.
j'apprécie votre indépendance
I use both zerotier and tailscale on same machines. They work together! zerotier and tailscale also work on my openwrt router
Why?
Yeah, why?
is the "Exit Node" feature on the roadmap in Netbird ? I think that is a very important feature to have, or at least its a more common usecase. hopefully it is, because netbird looks very promising.
Agree. Exit node is the killer feature that would keep me from trying Netbird.
We will deliver this! Thank you for pointing this out
What is the use case for an exit node?
I’m looking at self hosted VPN to access my home network from public networks.
@@netbirdioDo you have an issue on GitHub to follow this?
@@majorgear1021Exit node allows you to route out of your overlay network making it an actual tunnel network. Without the exit node you could still VPN to get access to your internal resources but you would exit locally depending on where your device is located.
Exit node is possible on netbird on with Linux os right now
Thanks for the video. Kinda missed some talking points about integrating OPNSense. And also wanted to ask is there any reason you use the google chrome browser on your Linux machine?
OPNSense is slow on security so I don't recommend it lawrence.video/opnsense and I use Chrome for business and Firefox for personal
@@LAWRENCESYSTEMSyou mean opnsense doesn't pay you ... got it
Curious as homelaber , running pfsense+WireGuard, when would it make sense to use netbird?
if you have more devices at more locations that all need to be connected .
Nice video!
Is there any guidance on the horsepower required for the machines doing the wireguard encryption / decryption to ensure that this does not limit transfer rates.
Wireguard's overhead is effectively non-existent. I have a Raspberry Pi running as a Wireguard server at home and you can't tell any difference between the VPN being on or off.
Any overhead will be unrelated to Wireguard itself and how Wireguard is implemented. For example Tailscale does some really weird things with it for NAT traversal which does slow it down a little.
@@antikommunistischaktionthanks for the comparison. Sounds like a case for point-to-point wireguard VPN for large file transfers
Only issue I have with Tailscale is on a mobile device...when moving between Cellular and WiFi sometimes traffic does not move through Tailscale until one stops and restarts the Tailscale client. Easy enough to do but annoying. Would be great if Tailscale client would deactivate in known WiFi SSIDs and reactivate when moving to unknown WiFi SSIDs or cellular. When doing an internet search this has been mentioned multiple times by users.
Hey.. thanks for a great video.. Very good comparison and details of the options. I wanted to ask a question... I have a VPN esque setup with Twingate at the moment and it works well. However, it doesn't and seems it can't do on thing I'd like for it to do.. Use my private DNS on my local network instead of using my provider (cell/remote wifi) DNS. I'd like for it to block ads but also appear as if I'm using my home IP rather than somewhere else. Thanks in advance for your time.
If you are using Tailscale with pfsense you can choose your pfsense as an exit node.
Hey do you know if Tailscale is also available for opensence?
ZeroTier *does* have a 3rd-party open-source web UI called "ZeroUI".
I haven't touch the ZeroTier website web UI in over a year.
I use it too.
You might want to test ztnet web ui.
Great video again. They seem to be good tools. As a noob, why do I as a home user want to use these over say a Wireguard VPN included in some modem/routers like a Fritzbox? It is fast and pretty easy to setup.
If what you have works for you, keep doing it.
Using these tool is mostly about removing the configuration/maintanence parts and controlling access. E.g., you won't need to manually distribute WireGuard keys with let's say NetBird.
How do you see this in the context of the commercial environment where site to site VPN / IPSec is still the standard ?
It's becoming very popular with companies due to the added individual controls.
Would love to see NordVPNs meshnet in vids like this, I’ve been using it for a while now and have no complaints, super easy to setup and get going on all platforms including Linux/CLI.
ok so which one would work best in a self hosted game server?
can you make a video to explain how can I controle the traffic over my proxy server which people are connected to via SSH please
Zerotier here is the only option here that allows you to self host your controller without having a public IP address, even behind CG NAT.
The "coordination" layer is split into routing and a controller. The routing handles connecting the nodes, and the controller (which counts as another node) authorizes nodes into the network, meaning that you don't have to give them the power of managing your network, just self host your controller and let them do the routing for you. The whole architecture is pretty well though out.
Also there's a self hosted controller web GUI called ztnet that recently popped up, it looks pretty modern and has a lot of features.
You could use Headscale with the upstream Tailscale DERP relays, which is just about the same as using ZeroTier’s roots while using your own controller.
ZeroTier kept disconnecting and crashing on both iOS and Android (doing a speedtest, the VPN literally disconnects mid test and requires a reconnect, which suggests it crashed), which is a shame because I wanted to use it for L2.
@@ReturnJJ Thanks for correcting me! I wasn't aware of the DERP thing. Is that relatively new? Back when Headscale came out I did some research to switch but I wasn't able to find an alternative to the whole controller-roots paradigm.
Sounds great. I’m trying Netbird first, thought.
Apparently NetBird will receive exit node functionality in March 2024. Also, for NetMaker you can use Ingress Gateway nodes to allow any Wireguard capable device (e.g. smartphones) to connect to the network.
actually running it myself and loving netbird but i had 2 issues which is now 1 issue and you share the same is that that need to have an option for exit node
We will deliver this feature! Thank you for the feedback
Nebula could be mentioned as well, it's what i personally use as it's very easy to setup and provision new clients, it's only available as selfhosted and it's fully open source.
Plus the fault us deny all and you allow the port/protocol/host that will have access and the lighthouse/manager node can be more that one, providing grrat availability.
I forgot to add it to the list, but it's mentioned verbally in the beginning and my video on it is in the forum post.
Defined Networking now offers a non-selfhosted Nebula service, but doesn't seem to have open source clients (dnclient).
Can you compare speed on each? I looked at netbird but was turned off by the fact you have to have an account for the self hosted option. Do you what data they collect when you self host?
You DO NOT need an account to self host Netbird.
There is no need for an account when self hosting NetBird.
We collect anonymized stats about the control server installation, e.g., number of peers. But you can easily opt out from this when running the NetBird server on your
I'd like to see a Twingate review.
Network Chuck did a sponsored video on it ruclips.net/video/IYmXPF3XUwo/видео.htmlsi=_qkDhCqpuO7iGRVZ
What is the IPv6-support situation with Tailscale/Netbird?
Tailscale supports IPv6 seamlessly. I'm running in on several hosts which are IPv6-only and it works fine.
Netbird's Android app is a little buggy (from my experience prior to Aug 2023). But it works and is cool.
What we need are VLESS Reality based mesh network solutions
I'd like (another) video comparing VPN and Network Overlays. My concern has been the need for Multiple Authentication methods which is fine in VPNs (eg either certificate + user creds or user creds + OTP), but network overlays seem to only be certificates which has been why I haven't taken them up.
My use case involves an AD environment with remote users changing passwords and computer policies that run prior to users logging in.
ZeroTier has plugin for Mikrotik routers
Great video I have created a small gateway with dpdk, vpp and use zerotier to route over it. Runs 100% line rate locally and maxs out the internet with little cpu use. Also makes my security bulletproof. I will add ipv6 as a next step.
My experience with Tailscale: works fine with one user, but I tried adding someone else as a user and couldn't figure out why it didn't work even with expiration turned off on everything.
Tailscale works great for my needs, its was super easy, even for me, to setup (most this command prompt stuff gives me a headache) and it just Works !! Just tunneled in checked up on my server from my phone while at the beach!! Would be nice if they made a Core plugin too though! as sometimes i dont have both NAS' turned on, and can only tunnel in if scale nas is on
In the review there is mention of BSD support. I’m also a GUI guy, not brave enough to try stuff that requires significant CL interface.
I run an Ubuntu VM on my TrueNAS Core with Tailscale and use it to provide access to other services on the TrueNAS server
@@DaveHart-G yeh, i have seen people do custom jails with it in, using scripts etc, so it is possible but id prefer plug in. Running it from my VM could work though, thats good idea !! Can it still become the exit node, and give u access to rest of your network?
Wouldn't consider netmaker as a stable product. It struggles with NAT traversal, broken GUI in windows and the web interface had a lot of bugs.
Though tailscale (hosted by them) has a bunch of convenient features such as Tailscale SSH, taildrop and funnels.
And for the most part, I think trusting that the coordination server hasn't been compromised is what tailnet lock is supposed to be for? According to them anyway.
(I've actually integrated tailscale into my home network with full subnet routing and everything.)
It's a new beta feature but looks promising.
@LAWRENCESYSTEMS tailnet lock?
I've had it enabled since they introduced it. They've improved the ux for signing new nodes since then. Now you can click a button in the admin panel that will open the deaktop client /mobile app to prompt you to sign nodes.
Not sure if they've addressed that one ux issue regarding shared nodes and tailnet lock though. (Nodes accessing your shared nodes need to have their keys signed too, it was missing ux, not sure if its changed though.)
has tailsacle + headscale gotten closer to raw wireguard performance. last I looked it wasnt worth it
It can't use the kernel module so it hasn't, but it's still probably the fastest overlay network I've used. I've used NFS via Tailscale and as long as my laptop is on a good connection it's relatively pain free.
@@antikommunistischaktion Agreed. Performance has never been a problem with Tailscale for me. I have a self-hosted Jellyfin instance that I can reach from anywhere using my laptop or tablet which has been a life saver when traveling and/or staying over a relative's house for a couple of days and that worked well even on saturated public networks. It did stutter and had to buffer a little bit every now and then which forced me to transcode to 720p on the latter case but it worked surprisingly well considering the limitations. Much better than I expected.
Tailscale adds features at a very fast pace and this looks to me like a security problem.
Not if they are doing it right.
the only thing stopping my from using headscale is the fact that it uses docker. i hate using docker.
Who's Lawrence?
I am not clever at coming up with company names so I used my last name as my company name, hence Lawrence Systems.
Zerotier has a opnsense module
This guy has a huge hate boner for Opnsense
Why didn't you just do a 360° rotation ok the first pilar to have the ladder under the non damaged part of the bridge?
netbird ftw
how can netbird cost 5$/user/month if I am selfhosting it? Or is this the "not selfhosted" version?
Self hosted is free
Netbird sounds very promised.
first
waiting for self hosted netbird setup and explanation
poorly carried out, biased towards pfsense omitting that zerotier also does have an opnsense plugin. also not really showing all mentioned solutions equally. barely a real comparison. sorry, I've seen better, less biased vids from you tom.
Yes, you can tell who is he "favoring".
Your channel is nice and informative, but your pfsense bias it's doing a disservice to other possibly better options, like OPNsense, specially if you care for the morality of the devs or vendors.
Netgate has bad morals?
@@PhrozenNlolololol
He’s gone over it many times before. Because opnsense is downstream, they don’t fix bugs or contribute code. So vulnerabilities take considerably longer to be patched. The support contracts are also sub-optimal when compared with the netgate equivalent.
@@xbhollandx Yep. One of the MAIN reasons why I am still using pfsense. Security is more important than features.
@@xbhollandx Opnsense is not downstream of pfsense. It's a fork. And do you have any evidence to back claims about vuln patch cycle times?