Tooling

VPN & Mesh Networking

WireGuard, Tailscale, Headscale — connecting machines without opening ports.

WireGuard ate the VPN world. Mesh wrappers around it (Tailscale, Netbird, etc.) made VPN setup so easy that "open a port" is no longer the default move.

WireGuard ecosystem

  • WireGuard — the kernel module / protocol everyone runs. Modern, fast, audited.
  • wg-easy — web UI for managing WireGuard configs.
  • Algo — bash + Ansible scripts for one-command WireGuard server.
  • Streisand — older but still works; multiple protocols.

Mesh networking (zero-config-ish)

  • Tailscale — WireGuard mesh + identity; SSO via your IdP; ACLs as code; the default in 2026. Free for personal use up to 100 devices.
  • Headscale — open-source self-hosted Tailscale control plane; uses Tailscale clients. Ideal if you want the Tailscale experience without the SaaS dependency.
  • Netbird — open-source competitor; self-host or hosted.
  • ZeroTier — older mesh; software-defined VLAN style; not pure WireGuard.
  • Nebula (Slack) — peer-to-peer VPN with PKI; powerful but more setup.
  • Innernet — open-source Tailscale-shape; lighter feature set.
  • Twingate — commercial zero-trust network access; Tailscale competitor.

Cloudflare Tunnel + Access (no VPN)

  • Cloudflare Tunnel (cloudflared) — outbound-only tunnel from your box to Cloudflare; expose specific services without opening ports. Free.
  • Cloudflare Access — zero-trust auth in front of internal apps; free tier up to 50 users.
  • Cloudflare WARP — client-side; routes user traffic through CF; free.

Other zero-trust offerings

  • Pomerium — open-source identity-aware reverse proxy.
  • Boundary (HashiCorp) — privileged session manager; integrates with Vault.
  • Smallstep SSH / OAuth-driven SSH — see SSH & Bastion.

What modern setups look like

  • All admin access over Tailscale. No public SSH ports; firewall blocks 22 from internet.
  • Cloudflare Tunnel to expose web apps; Cloudflare Access in front for staff.
  • Headscale if you don't want Tailscale's SaaS.
  • WireGuard direct when you control both ends and want zero dependencies.

Patterns to adopt

  • Stop opening ports. Tunnel + mesh covers 95% of "expose this internal thing" needs.
  • ACLs in code. Tailscale ACLs are JSON — version them in git.
  • Short-lived auth. Use SSO + device check; rotate tokens; don't share long-lived keys.
  • Subnet routers for accessing legacy boxes that can't run a WireGuard client.
  • Magic DNS — Tailscale resolves device names without DNS config. Use it.

Common topology

  • Each laptop and server runs a Tailscale client.
  • ACLs allow only your laptop → SSH on prod boxes.
  • Cloudflare Tunnel exposes app.example.com publicly with Cloudflare Access in front.
  • Internal-only services (Grafana / Prometheus) are reachable only inside the tailnet.
  • Public ports on each VM: 80, 443 only.

Pick this if…

  • Default mesh, hosted, free for small teams: Tailscale.
  • Self-host the control plane: Headscale.
  • Pure OSS: Netbird or WireGuard direct.
  • Expose web services without opening ports: Cloudflare Tunnel + Access.
  • Zero-trust at scale: Pomerium or Twingate.
  • You're not sure where to start: Tailscale + Cloudflare Tunnel covers 90% of needs.

On this page