TL;DR: For most self-hosters in 2026, pick WireGuard if you want raw speed and full control, Tailscale if you want a working mesh in under a minute, and OpenVPN only when you need to punch through a restrictive firewall. Tailscale is the easiest — but it routes your network metadata through a third party. If you want Tailscale's convenience and full sovereignty, self-host its control plane with Headscale on a €5 VPS.
Every self-hoster hits the same wall: you've got Vaultwarden, a media server, and a dashboard running at home or on a VPS, and now you need to reach them from your phone without exposing a single port to the internet. The answer is a VPN — but "WireGuard vs OpenVPN vs Tailscale" is the question that stalls everyone, because the three aren't even the same kind of thing.
I've run all three in production. This post is the honest comparison I wish I'd had: what each one actually is, how they compare on speed, setup, privacy, and cost — and which one you should pick based on what you're protecting and who's on your team.
Quick comparison: WireGuard vs OpenVPN vs Tailscale
Here's the whole decision on one screen. Details and the reasoning behind each row follow below.
| | WireGuard | OpenVPN | Tailscale |
|---|---|---|---|
| What it is | Protocol (DIY) | Protocol (DIY) | Product, built on WireGuard |
| Speed | Fastest (kernel module) | Slowest | Fast (~10–15% tax, userspace) |
| Setup time | 30–60 min, manual | Hours (PKI/certs) | Under 1 minute |
| NAT / CGNAT traversal | Manual port-forward | Manual | Automatic |
| Adding a device | Edit config, restart | Edit config, restart | One command, ~30s |
| Fully self-hosted? | Yes | Yes | No — control plane is Tailscale's* |
| Privacy / control | Full sovereignty | Full sovereignty | Metadata on Tailscale's coordination server |
| Cost | VPS only (~€5/mo) | VPS only | Free for personal use, then paid per user |
| Best for | Speed + full control | Legacy / firewall bypass | Easiest mesh, teams, CGNAT |
* Unless you run Headscale, the open-source self-hosted control server — covered below.
The 30-second answer
If you just want the right pick without the deep dive: choose WireGuard when you control the network and want the fastest, leanest tunnel; choose Tailscale when you're behind CGNAT, juggling many devices, or setting up access for non-technical people; choose OpenVPN only when a firewall blocks everything except TCP 443 and you need to disguise VPN traffic as HTTPS.
Everything else is detail. Here's that detail.
What you're actually comparing (this trips everyone up)
WireGuard and OpenVPN are VPN protocols; Tailscale is a product built on top of WireGuard. That single distinction explains every difference that follows. When you run WireGuard or OpenVPN, you build the whole VPN yourself — keys, peers, routing, firewall rules. When you run Tailscale, you get a finished mesh network where the hard parts (key exchange, device discovery, NAT traversal) are handled by Tailscale's coordination servers.
So the real question isn't "which protocol is best" — WireGuard already won that fight. It's "how much of the plumbing do I want to own?" WireGuard hands you the engine; Tailscale hands you the car.
Speed: WireGuard wins, OpenVPN loses badly
WireGuard is the fastest of the three because it runs as a Linux kernel module with a tiny, modern codebase, while OpenVPN runs in userspace and carries decades of legacy crypto. In independent benchmarks WireGuard routinely moves 3–4× the throughput of OpenVPN on identical hardware, with lower CPU usage and far lower latency.
Tailscale rides the WireGuard protocol, so its raw data path is nearly as fast — but on most platforms it uses a userspace WireGuard implementation, which costs roughly 10–15% versus kernel-mode WireGuard. In practice you'll never notice that on a home connection; it only matters if you're saturating a multi-gigabit link.
I run WireGuard (the in-kernel module on Ubuntu 24.04, figures current as of June 2026) on the same Hetzner CPX22 in Helsinki that I benchmarked at 99.98% uptime across 33 days. Re-establishing a dropped tunnel when my phone switches from Wi-Fi to LTE is effectively instant — WireGuard just resumes on the next packet, where OpenVPN used to take several seconds to renegotiate. For a "reach my homelab from anywhere" use case, that responsiveness matters more than peak throughput.
Note: OpenVPN's one genuine speed-adjacent advantage is TCP mode on port 443 — it can masquerade as HTTPS and slip through firewalls that block everything else. WireGuard is UDP-only, so a network that blocks UDP blocks WireGuard.
Setup and maintenance: from one minute to one afternoon
Tailscale is the easiest to set up by a wide margin, OpenVPN is the hardest, and WireGuard sits in the middle — simple to understand, but every device is manual. This is where most people actually make their choice.
A minimal WireGuard server is just an interface and a list of peers:
```ini
# /etc/wireguard/wg0.conf (server)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

[Peer] # one block per device
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
```
That's readable — but you generate a key pair for every device by hand, add a [Peer] block, open a UDP port on your firewall, and restart the interface. For the full walkthrough (key generation, client configs, QR codes for mobile, iptables routing), see my step-by-step WireGuard VPN setup guide.
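As an added example (not part of the original guide), here is that same server block extended with the forwarding and NAT rules a full-tunnel client needs to reach the internet, plus the matching client side. It assumes eth0 is the VPS's public interface and 10.8.0.0/24 is the VPN subnet; the key placeholders and addresses are constructed.

```ini
# /etc/wireguard/wg0.conf (server) -- added example; eth0 as the public interface is an assumption
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Turn on forwarding and NAT only while the tunnel is up; %i is wg-quick's name for this interface
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# one block per device
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# /etc/wireguard/wg0.conf (client) -- routes all traffic through the tunnel
[Interface]
Address = 10.8.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
# Keep the NAT mapping alive from behind a home router
PersistentKeepalive = 25
```

Restrict AllowedIPs on the client to the VPN and LAN ranges instead of 0.0.0.0/0 if you only want a split tunnel.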
OpenVPN is the same idea with far more ceremony: a certificate authority, server and client certs, TLS auth keys, and a sprawling config file. It's powerful and battle-tested, but you'll spend an afternoon on your first setup.
Tailscale collapses all of that into tailscale up. You install one package, authenticate with an SSO provider, and the device joins your network — NAT traversal, key rotation, and DNS handled automatically. Adding a tenth device takes the same 30 seconds as the first.
Privacy and control: the part the generic comparisons skip
WireGuard and OpenVPN are fully self-hosted — no third party ever sees your network — while standard Tailscale routes your coordination metadata (device names, public keys, who can reach whom) through Tailscale's servers. Your traffic is always end-to-end encrypted and never touches Tailscale; but the control plane that decides which devices trust each other is theirs, not yours.
For a lot of people that trade-off is fine — Tailscale is a reputable company and the convenience is real. But "own your stack instead of renting it" is the whole reason most of us self-host, and outsourcing the trust layer of your private network sits uneasily with that.
Headscale: Tailscale's magic, fully self-hosted
Headscale is an open-source, self-hosted implementation of Tailscale's control server — you get Tailscale's zero-config client experience while owning the coordination layer end to end. The official Tailscale apps connect to it directly, and as of 2026 it supports the features that matter: ACLs, exit nodes, subnet routing, and OIDC login.
You run it as a single container plus a config file on a cheap VPS:
```yaml
# docker-compose.yml — Headscale control server
services:
  headscale:
    image: headscale/headscale:stable
    command: serve
    volumes:
      - ./config:/etc/headscale   # holds config.yaml (required)
      - ./data:/var/lib/headscale
    ports:
      - "8080:8080"
    restart: unless-stopped
```
You'll need a config.yaml (server URL, IP ranges, DERP settings) — grab the template from the Headscale repo. Point your Tailscale clients at your server with tailscale up --login-server=https://your-domain, and you have a private mesh with nobody else in the loop.
A €5/month Hetzner box runs this comfortably. Before you expose anything, harden the VPS first — a control server is exactly the kind of thing you don't want misconfigured.
Cost: free until you have a team
WireGuard, OpenVPN, and Headscale cost only what your VPS costs — typically around €5/month — while Tailscale is free for personal use and then charges per user once you scale. As of 2026, Tailscale's free Personal plan covers a small number of users and is genuinely generous for one person's homelab; team plans start at a few dollars per user per month (check Tailscale's pricing for current tiers, which changed in April 2026).
The math is simple: a solo self-hoster pays nothing meaningful either way, so pick on convenience. A small team or a privacy-maximalist comes out ahead self-hosting WireGuard or Headscale on a single cheap server. If you don't have a box yet, here's my best VPS comparison for self-hosting in 2026 — any of the €4–5 tiers handles a VPN control plane without breaking a sweat.
Which VPN should you use?
Who should use WireGuard
You control at least one endpoint with a public IP (a VPS or a home connection you can port-forward), you want the fastest possible tunnel, and you're comfortable editing a config file. WireGuard is the lean, sovereign default — and the foundation everything else is built on.
Who should use Tailscale
You're behind CGNAT (no public IP), you manage many devices or non-technical users, or you simply value your time over the last 10% of control. Tailscale's NAT traversal and one-command onboarding are unmatched. Want the convenience without the third party? Run Headscale.
Who should use OpenVPN
You need to traverse a hostile firewall that only allows TCP 443, you're integrating with legacy enterprise gear that already speaks OpenVPN, or you require a feature WireGuard deliberately omits. Otherwise, in 2026, WireGuard supersedes it.
My pick: WireGuard for my own infrastructure where I control the endpoints, and Headscale the moment more than a couple of devices or people are involved. I reach for Tailscale's hosted version only for throwaway setups I won't maintain. I haven't started a new OpenVPN deployment in two years.
Troubleshooting common VPN problems
WireGuard handshake never completes (no latest handshake line). Cause: the server's UDP port isn't reachable. Fix: confirm ListenPort is open in your firewall and forwarded on your router, and that the client's Endpoint uses the server's public IP, not a LAN address.
Tunnel connects but you have no internet. Cause: missing NAT/forwarding on the server. Fix: enable net.ipv4.ip_forward=1 and add a MASQUERADE rule (or use WireGuard's PostUp/PostDown); on the client, set AllowedIPs = 0.0.0.0/0 to route all traffic.
Tailscale device shows offline behind CGNAT. Cause: both peers are behind strict NATs and direct connection failed. Fix: it's still working — traffic is relayed through a DERP server (slower but functional); set up an exit node or subnet router for a stable path.
Can't reach LAN services over the VPN. Cause: only the VPN subnet is routed. Fix: in WireGuard add the LAN range to the client's AllowedIPs; in Tailscale/Headscale advertise a subnet route with --advertise-routes.
Headscale clients can't log in. Cause: the server_url in config.yaml doesn't match the URL clients use (often an HTTPS/reverse-proxy mismatch). Fix: make them identical, and ensure your reverse proxy forwards WebSocket upgrades.
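As an added example, not from the original post, a small Python linter that checks a client wg0.conf for the three WireGuard symptoms above (a LAN Endpoint, a missing 0.0.0.0/0 for full tunnels, a LAN range that isn't routed) and a server config for peers whose AllowedIPs overlap. The sample config, key placeholders and addresses are constructed; it uses only the standard library.

```python
import ipaddress
# Constructed sample client config carrying two mistakes from the list above:
# a LAN Endpoint and an AllowedIPs that covers only the VPN subnet.
CLIENT_CONF = """[Interface]
Address = 10.8.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY>
[Peer] # the server
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = 192.168.1.10:51820
AllowedIPs = 10.8.0.0/24
"""

def parse_wg(text):
    """Parse wg-quick INI into [(section, {key: value})], keeping every [Peer] block."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, even on '[Peer] # ...' lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]

def lint_client(text, lan_range=None, full_tunnel=False):
    """Findings for a client config: LAN Endpoint, missing 0.0.0.0/0, LAN range not routed."""
    findings = []
    lan = ipaddress.ip_network(lan_range) if lan_range else None
    for peer in (kv for name, kv in parse_wg(text) if name == "Peer"):
        host = peer.get("Endpoint", "").rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append(f"Endpoint {host} is a LAN address; use the server's public IP")
        except ValueError:
            pass  # hostname, bracketed IPv6 or no Endpoint: nothing to check offline
        nets = allowed_networks(peer)
        if full_tunnel and not any(n.prefixlen == 0 for n in nets):
            findings.append("full tunnel requested but AllowedIPs lacks 0.0.0.0/0")
        if lan and not any(n.version == lan.version and lan.subnet_of(n) for n in nets):
            findings.append(f"LAN range {lan_range} is not in AllowedIPs")
    return findings

def overlapping_peers(text):
    """Server side: peer-key pairs whose AllowedIPs overlap (WireGuard lets only one peer own a route)."""
    peers = [kv for name, kv in parse_wg(text) if name == "Peer"]
    return [(a["PublicKey"], b["PublicKey"]) for i, a in enumerate(peers) for b in peers[i + 1:]
            if any(x.overlaps(y) for x in allowed_networks(a) for y in allowed_networks(b))]
```

Run lint_client on your phone's config with lan_range set to your home subnet and full_tunnel=True before blaming the firewall; overlapping_peers on the server config catches the copy-pasted /32 that silently hijacks another device's route.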
Frequently asked questions
Is WireGuard better than OpenVPN?
For almost everyone in 2026, yes. WireGuard is faster, uses modern cryptography, has a fraction of OpenVPN's codebase (easier to audit), and is far simpler to configure. OpenVPN only wins when you specifically need TCP-over-443 firewall evasion or compatibility with existing OpenVPN infrastructure.
Is Tailscale just WireGuard?
Tailscale uses the WireGuard protocol for its encrypted data transport, but it is not "just WireGuard." It adds a coordination server that automates key exchange, device discovery, NAT traversal, ACLs, and DNS — the orchestration layer that vanilla WireGuard makes you build yourself.
Is Tailscale safe for privacy if it uses a third party?
Your traffic is end-to-end encrypted and never passes through Tailscale's servers — only your metadata (device keys, names, and access rules) lives on their coordination plane. That's a reasonable trade for most people, but if you want zero third-party involvement, self-host the control plane with Headscale and keep everything on your own infrastructure.
Do I need a VPS to self-host a VPN?
Not strictly — you can run WireGuard on a home server if your ISP gives you a public IP and you can port-forward. But a cheap VPS gives you a stable public endpoint, works even behind CGNAT, and keeps your home IP private, which is why most self-hosters put their VPN (or Headscale) on a €5 box.
Can WireGuard and Tailscale run on the same network?
Yes. They use different ports and address ranges, so you can run a manual WireGuard tunnel and a Tailscale mesh side by side during a migration. Just avoid overlapping subnets (e.g., don't put both on 10.0.0.0/24) to prevent routing conflicts.
Conclusion
The 2026 answer to "WireGuard vs OpenVPN vs Tailscale" is less about protocols and more about how much of your network you want to own. WireGuard is the fast, sovereign default; Tailscale is the effortless mesh that trades a little control for a lot of convenience; OpenVPN is the legacy specialist you reach for only when a firewall forces your hand. And Headscale erases the one real downside of Tailscale by putting its control plane back on your own VPS.
If you're ready to build one, start with my WireGuard VPN setup guide, pick a host from the best VPS comparison, and once it's up, use it to reach a self-hosted Vaultwarden or any of these self-hosted alternatives to SaaS without exposing a single port. A VPN is the front door to your whole self-hosted stack — it's worth getting right.
Affiliate disclosure
This post contains affiliate links to hosting providers I actually use and pay for. If you sign up through one, I may earn a commission at no extra cost to you — and I only recommend infrastructure I run myself. Provider recommendations here are based on my own benchmarks, not payouts.
— enim