VPN & Mesh Networking
WireGuard, Tailscale, Headscale — connecting machines without opening ports.
WireGuard ate the VPN world. Mesh wrappers around it (Tailscale, Netbird, etc.) made VPN setup so easy that "open a port" is no longer the default move.
WireGuard ecosystem
- ★ WireGuard — the kernel module / protocol everyone runs. Modern, fast, audited.
- wg-easy — web UI for managing WireGuard configs.
- Algo — bash + Ansible scripts for one-command WireGuard server.
- Streisand — older but still works; multiple protocols.
Mesh networking (zero-config-ish)
- ★ Tailscale — WireGuard mesh + identity; SSO via your IdP; ACLs as code; the default in 2026. Free for personal use up to 100 devices.
- ★ Headscale — open-source self-hosted Tailscale control plane; uses Tailscale clients. Ideal if you want the Tailscale experience without the SaaS dependency.
- Netbird — open-source competitor; self-host or hosted.
- ZeroTier — older mesh; software-defined VLAN style; not pure WireGuard.
- Nebula (Slack) — peer-to-peer VPN with PKI; powerful but more setup.
- Innernet — open-source Tailscale-shape; lighter feature set.
- Twingate — commercial zero-trust network access; Tailscale competitor.
Cloudflare Tunnel + Access (no VPN)
- ★ Cloudflare Tunnel (
cloudflared) — outbound-only tunnel from your box to Cloudflare; expose specific services without opening ports. Free. - ★ Cloudflare Access — zero-trust auth in front of internal apps; free tier up to 50 users.
- Cloudflare WARP — client-side; routes user traffic through CF; free.
Other zero-trust offerings
- Pomerium — open-source identity-aware reverse proxy.
- Boundary (HashiCorp) — privileged session manager; integrates with Vault.
- Smallstep SSH / OAuth-driven SSH — see SSH & Bastion.
What modern setups look like
- All admin access over Tailscale. No public SSH ports; firewall blocks 22 from internet.
- Cloudflare Tunnel to expose web apps; Cloudflare Access in front for staff.
- Headscale if you don't want Tailscale's SaaS.
- WireGuard direct when you control both ends and want zero dependencies.
Patterns to adopt
- ★ Stop opening ports. Tunnel + mesh covers 95% of "expose this internal thing" needs.
- ACLs in code. Tailscale ACLs are JSON — version them in git.
- Short-lived auth. Use SSO + device check; rotate tokens; don't share long-lived keys.
- Subnet routers for accessing legacy boxes that can't run a WireGuard client.
- Magic DNS — Tailscale resolves device names without DNS config. Use it.
Common topology
- Each laptop and server runs a Tailscale client.
- ACLs allow only your laptop → SSH on prod boxes.
- Cloudflare Tunnel exposes
app.example.compublicly with Cloudflare Access in front. - Internal-only services (Grafana / Prometheus) are reachable only inside the tailnet.
- Public ports on each VM: 80, 443 only.
Pick this if…
- Default mesh, hosted, free for small teams: Tailscale.
- Self-host the control plane: Headscale.
- Pure OSS: Netbird or WireGuard direct.
- Expose web services without opening ports: Cloudflare Tunnel + Access.
- Zero-trust at scale: Pomerium or Twingate.
- You're not sure where to start: Tailscale + Cloudflare Tunnel covers 90% of needs.