I find myself a bit confused, as I’m not an expert in this field. I’m looking for advice on what to use: ZeroTier, HeadScale, or Netmaker. My goal is to place my services behind a VPN for added security. I’m wondering which of these options is better and more secure. Is it worth comparing Netmaker to HeadScale and ZeroTier, or are they best suited for different purposes? If I opt for ZeroTier, is self-hosting a better choice, or should I go with their free plan?
Netmaker, Netbird, Headscale/Tailscale with your own DERP server
This sequence
I would just use Tailscale, especially with the built-in quality of life features (AirDrop-like, SSH MFA…)
WireGuard is the default, and already part of the kernel; it just needs proper config and config tools.
Objectively you reduce your attack surface if you actually self-host WireGuard, since you don't control 3rd-party products and cannot give any guarantees wrt their security.
Unpopular opinion, yes, but security > convenience ;-)
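To make the "just needs proper config" point concrete, here is an added example (not from anyone in this thread) that lints a wg-quick style server config for the two cryptokey-routing mistakes that most often undo the least-privilege benefit of self-hosting: a catch-all AllowedIPs on the server side, and a peer entry whose key is not actually a WireGuard key. Both configs and all keys in it are constructed placeholders.

```python
"""
Lint a wg-quick style WireGuard config for cryptokey-routing mistakes.
Added example, not from the thread: the two configs below are constructed,
and their keys are placeholder bytes, not real key material.
"""
import base64
import ipaddress
from typing import Dict, List, Tuple

# Placeholder keys: 32 bytes, base64-encoded, the shape wg expects (constructed).
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()
KEY_C = base64.b64encode(b"\x03" * 32).decode()

# Server-side config with two common mistakes (constructed).
WEAK_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {KEY_A}

[Peer]
# laptop: on a server, a catch-all AllowedIPs lets this peer send packets
# from any source address and makes it the next hop for all tunnel traffic
PublicKey = {KEY_B}
AllowedIPs = 0.0.0.0/0

[Peer]
# phone: a hand-edited key that is not base64 of 32 bytes
PublicKey = not-a-valid-key
AllowedIPs = 10.8.0.3/32
"""

# Same server, each peer pinned to its own tunnel address (constructed).
FIXED_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {KEY_A}

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = {KEY_C}
AllowedIPs = 10.8.0.3/32
"""


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes of Curve25519 material, base64-encoded (44 chars)."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def lint_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    interface, peers = parse_wg_conf(text)
    findings: List[str] = []
    if not is_wg_key(interface.get("privatekey", "")):
        findings.append("interface: PrivateKey is not a valid WireGuard key")
    claimed = []  # (peer index, network) already assigned, for overlap checks
    for i, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("publickey", "")):
            findings.append(f"peer {i}: PublicKey is not a valid WireGuard key")
        cidrs = [c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()]
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"peer {i}: AllowedIPs entry {cidr!r} is not a CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(
                    f"peer {i}: AllowedIPs {net} accepts any source address from this "
                    f"peer and routes all tunnel traffic to it; pin it to the peer's /32"
                )
            for j, other in claimed:
                if net.overlaps(other):
                    findings.append(
                        f"peer {i}: AllowedIPs {net} overlaps peer {j}'s {other}; "
                        f"wg routes each address to exactly one peer"
                    )
            claimed.append((i, net))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_config(conf) or ["ok"])
```

Point it at your own file with `lint_config(open("/etc/wireguard/wg0.conf").read())` (as root, since the file holds the private key). The overlap check matters because WireGuard's cryptokey routing table maps each address to one peer, so a later overlapping entry silently takes traffic away from the earlier one.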
Personally, after using Headscale for a while, I ended up going with Netbird.
I prefer the UI of Netbird, plus it's been extremely stable and straightforward to set up and configure.
My main issue with Headscale was headscale-ui though, not Headscale itself. So if the former works for you, then I'd say go with it.
My take: ZeroTier has weird licensing, and possibly other issues. I like Tailscale best, which means Headscale in your list. I've never tried Netmaker, but I've settled on (a) straight WireGuard for one of my networks, (b) Yggdrasil for a different network where I can't use a VPS / can only use public relays (my usage on that is mostly ssh-type stuff; low bandwidth, so far it has worked fine).
Here's an excellent, and very comprehensive, review of various mesh VPNs: https://changelog.complete.org/archives/10478-easily-accessing-all-your-stuff-with-a-zero-trust-mesh-vpn
I had a good experience with Netbird and Firezone.
WireGuard is the fastest since it is based off the kernel. Headscale is slower as it uses the Go implementation. Unless you need ACLs, WireGuard is your best bet.
I tried Netmaker, Nebula, and ended up using Netbird. My issue with all the others was traversing my corporate network. Netmaker and Nebula UDP hole punching failed, while Netbird just did it without issues by relying on coturn.
I did not test Headscale, which could have worked by using DERP relays, because user-space WireGuard on Linux clients and registry editing to make the client work on Windows are a setback for me. Also, access control is far less user-friendly with respect to what Netmaker and Netbird developed.
The only thing to know before self-hosting Netbird is that it requires an identity provider; Zitadel as installed by default, or any other self-hostable solution, takes a lot of resources, so if running on a base VPS one should look instead for a managed IdP.
BTW, unless you are behind a CGNAT you don't need any of these solutions, nor a VPS with WireGuard. It's weird that nobody uses the simplest solution anymore, which is dynamic DNS.
If you additionally want to have a domain pointing at your server, just set a CNAME for the DDNS name in your DNS settings.
I think besides the very minor advantage of having a fixed IP (unless you want to run a mail server) instead of a fixed domain name, most people think they don't have to take care of security anymore because Cloudflare does it for them.
In my case, I run a WireGuard server on my router. Not every router firmware has that option, though (and some people may have the option and not realize it).
I think there are some people who worry about opening up the port for the VPN. But it's not a particularly high security risk, and services like Tailscale aren't automatically better just because they initiate outbound connections.
People overestimate what something like Cloudflare does for them. It can be helpful for a number of use cases and includes some good risk mitigation options, but if a service is still available to the outside world, it's still a potential vulnerability point that needs to be hardened reasonably at the level of the application and one's own network, too.
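The flip side of "opening the WireGuard port is not a high risk" is that the listener's peer table is your allow-list, so it deserves the same periodic review as any other credential store. Here is an added example (not from anyone in this thread) that audits `wg show <iface> dump` output for peers that were never onboarded, peers whose keys have gone unused, and configured peers that are missing. The dump text is constructed sample data, and `EXPECTED_PEERS` (the keys you intend to keep) is an assumption of the example.

```python
"""
Audit the live peer table of a WireGuard listener from `wg show <iface> dump`.
Added example, not from the thread: the dump below is constructed sample data,
and EXPECTED_PEERS is an assumed allow-list, not something wg itself tracks.
"""
from dataclasses import dataclass
from typing import List, Set

# `wg show <iface> dump` is tab-separated. The first line is the interface:
# private-key, public-key, listen-port, fwmark. Each later line is one peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix
# seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
# All keys here are placeholder strings, not real key material (constructed).
NOW = 1_700_000_000
LAPTOP = "laptop-public-key-placeholder="
PHONE = "phone-public-key-placeholder="
OLD_CONTRACTOR = "old-contractor-key-placeholder="
EXPECTED_PEERS = {LAPTOP, PHONE}

SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    ["<server-private-key>", "<server-public-key>", "51820", "off"],
    [LAPTOP, "(none)", "203.0.113.10:41820", "10.8.0.2/32", str(NOW - 45), "1048576", "2097152", "25"],
    [PHONE, "(none)", "(none)", "10.8.0.3/32", "0", "0", "0", "off"],
    [OLD_CONTRACTOR, "(none)", "198.51.100.7:51000", "10.8.0.9/32", str(NOW - 90 * 86400), "512", "512", "off"],
])


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # unix seconds; 0 means the peer never completed a handshake


def parse_dump(dump: str) -> List[Peer]:
    """Parse peer lines from `wg show <iface> dump`; the first line is the interface."""
    peers: List[Peer] = []
    for line in dump.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(fields[0], fields[2], fields[3], int(fields[4])))
    return peers


def audit_peers(dump: str, expected: Set[str], now: int,
                stale_after: int = 30 * 86400) -> List[str]:
    """Flag unknown, never-used, stale and missing peers on the interface."""
    findings: List[str] = []
    seen: Set[str] = set()
    for p in parse_dump(dump):
        seen.add(p.public_key)
        if p.public_key not in expected:
            findings.append(f"{p.public_key}: not in the expected peer list; remove it")
        if p.latest_handshake == 0:
            findings.append(f"{p.public_key}: has never completed a handshake")
        elif now - p.latest_handshake > stale_after:
            days = (now - p.latest_handshake) // 86400
            findings.append(f"{p.public_key}: last handshake {days} days ago; revoke unused keys")
    for key in sorted(expected - seen):
        findings.append(f"{key}: expected but not configured on the interface")
    return findings


if __name__ == "__main__":
    for finding in audit_peers(SAMPLE_DUMP, EXPECTED_PEERS, NOW):
        print(finding)
```

On a real host, run `wg show wg0 dump` as root and pass its output to `audit_peers` with `int(time.time())` as `now`. A peer that shows up as never-handshaked is either a client you have not finished onboarding or a key that should not be on the interface at all; either way it is worth a look, which is the kind of hygiene that matters more than whether the tunnel initiates inbound or outbound.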