Intro
Tailscale is a terrific solution to connect personal compute devices across overlay networks. It is based on Wireguard, a great open source VPN.
NetFoundry is a terrific platform to connect applications across zero trust overlay networks. It is based on OpenZiti, a great open source secure networking platform.
Similar? Or extraordinarily different?
Let’s unpack this to see which use cases we may want to use Tailscale for, and which use cases we may want to use NetFoundry for. We’ll also link to performance benchmarks and feature-by-feature comparisons.
1a. Solution versus platform: Tailscale
Tailscale is packaged as an easy to use solution. And, it is exactly that. You will find a great VPN solution (rather than a platform which enables you to build on top of it). The Tailscale VPN solution is built primarily for user to machine type use cases, and does a very nice job making those use cases simple and powerful.
1b. Solution versus platform: NetFoundry
The NetFoundry platform enables you to build solutions for a variety of secure networking use cases: from IoT to multicloud, and everything in between. Use the SDKs to embed secure networking anywhere (even inside your app, load balancer, database, etc.), with SLAs and support. Use the APIs for integrations such as identities (e.g. SPIFFE) and policies. The OpenZiti platform (which NetFoundry is built on) is 100% open source.
2a. Device-centric versus app-centric: Tailscale
Tailscale requires agents. This means it is great for use cases in which:
- It is viable to provision and manage agents
- It is acceptable for the agents to expose all the device’s data and services to every other device on the mesh
The default is the agents give every device full access to every other device (you need to layer on ACLs to create a more secure model), and for the agents to route all the data across the overlay. Tailscale makes that use case very simple and powerful.
2b. Device-centric versus app-centric: NetFoundry
NetFoundry includes a first-of-its-kind agentless option (embed zero trust networking in your app using the SDKs), as well as app-specific agents (for every OS and cloud). This means it is great for use cases in which:
- Agents are not viable or desirable
- You want to connect specific services or apps, without exposing all data and services to every node on the network.
It is an app-centric model. For example, a NetFoundry agent or SDK-embedded service on your server may only enable me to access one microservice over a certain port, while enabling you to access different microservices across other ports. The server itself is not exposed to the zero trust mesh overlay – specific apps or services are.
This model enables teams to build secure networking inside any app or solution, ranging from SaaS to IoT. Meanwhile, MSPs and providers use the platform to add zero trust to their services, or simply white label solutions for specific use cases. This model is new so here is a visual – the first two diagrams show traditional VPNs, the 3rd shows this new option of embedding zero trust networking inside the process space of a specific app:
3a. Overlay versus zero trust overlay: Tailscale
Tailscale networks are relatively secure because the overlay networks are gated by the Tailscale clients, which are gated by logins to large SSO providers (use your Google, Microsoft, etc. accounts).
The defaults are any device on the overlay is trusted with full access to all other devices, and inbound UDP ports are opened to each device on your overlay. The ports are open to improve the chances of direct routing. When there is no direct routing, the data is backhauled through a limited number of Tailscale data centers, which decreases throughput (see benchmark data).
From a use case perspective, that model is terrific if you can trust all the devices on your network, want to send all traffic across your overlay, and can configure other “bolted-on” security solutions to deal with the vulnerabilities of open inbound ports and network-level access.
3b. Overlay versus zero trust overlay: NetFoundry
NetFoundry zero trust overlay networks are gated by NetFoundry endpoints (or SDK-embedded software), which are gated by X.509 certificate-based identity and authentication (you can optionally add posture checks, MFA and SSO).
Once you successfully authenticate, you are still not exposed to the overlay, and you don’t have default access to resources on the overlay. Instead, your least privileged access policies determine what you can access, and what you are exposed to. Likewise, you choose which apps to put on your zero trust overlay, and which apps you would rather route elsewhere.
That security model is important if your use case calls for zero trust networking tenets such as reducing the surface area for attacks (via certificate-based gates and closed inbound ports and link listeners). Similarly, the security model is important to minimize the blast radius (via least-privileged access and app level microsegmentation). Security can be a trade-off: if your use case makes more sense to be default-open, then Tailscale may be the better solution.
Summary
Should I use Tailscale or NetFoundry? Well, it depends on the use case.
If you want a simple VPN to connect an admin to a limited number of devices, and you have another way to secure the resultant open overlay (or security is not a top priority), then Tailscale is likely the better fit for your use case.
If you want a platform to build on, or need more fine-grained control or security, then NetFoundry is likely a better fit for your use case. Generally, NetFoundry fits best for use cases in which:
- You want to build secure networking into your solution
- Agentless zero trust
- When you do want agents, you want them route some apps on the overlay, and some to other routes
- You don’t want every node to have default open access to every other node
- You don’t want to depend on SSO from the huge providers
- You want APIs to integrate with your systems or with other solutions
- You need performance and don’t have direct routing
The Tailscale and NetFoundry SaaS options are each built on great open source, Wireguard and OpenZiti respectively. You can check out this comparison of OpenZiti and Tailscale to dive in even deeper.
