A common issue with the traditional VPN is that it scales poorly: a remote user usually has to connect to a central VPN concentrator, which becomes a bottleneck. This is why newer VPN solutions tend to focus on improving connectivity and speed, in addition to shifting to identity-based security, which allows single sign-on and user group-based security policies. These new features speed things up while securely bypassing the rigidity of old VPNs.
Both Tailscale and Pritunl have created VPNs that make serious improvements on the usability of remote access VPNs in the modern work environment. Here, we’ll compare the two, and outline each one’s unique advantages.
Pritunl is advertised as the “enterprise VPN server.” It was originally built on the OpenVPN protocol, but now also supports a WireGuard implementation. Pritunl connects clients to each other by routing communications through a server, rather than through a pure mesh network. It uses replicated VPN servers with automatic routing and automatic failover; this holds for both the OpenVPN and the WireGuard implementations.
| Feature | Tailscale | Pritunl |
|---|---|---|
| | Yes (clients but not coordination server) | |
| Integrates with identity providers for single sign-on? (Google, Office 365/Azure AD, Okta, etc.) | | |
| | | Proxy forwards between users and apps |
| | Minimal (point-to-point mesh) | Depends on nearest proxy location |
| ACLs and security policies? | Yes (central ACL policy) | |
| Forward all traffic through gateway? | Optional (exit nodes) | Enabled by default, can be configured |
| | Free for individuals. Paid plans for teams and enterprise | Free version with limited functionality, paid plan for enterprise features |
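As an added illustration of the "central ACL policy" and group-based security policies mentioned above (this is an example I wrote, not a policy from the original post or from Tailscale), here is a tailnet policy file that replaces the allow-everything default with least-privilege rules built from identity-provider groups and device tags. The group members, tags, host address and ports are assumptions.

```jsonc
// Tailscale tailnet policy file in HuJSON (JSON plus comments and trailing commas).
// Constructed example: the group members, tags, host address and ports are assumptions.
{
  // Groups map identity-provider users onto roles once; rules then reference the role.
  "groups": {
    "group:eng":    ["alice@example.com", "bob@example.com"],
    "group:oncall": ["carol@example.com"],
  },

  // Tags label servers rather than people; tagOwners says who may apply each tag.
  "tagOwners": {
    "tag:prod": ["group:oncall"],
    "tag:ci":   ["group:eng"],
  },

  // Named hosts keep rules readable; the address is a constructed tailnet IP.
  "hosts": {
    "db-primary": "100.101.102.103",
  },

  "acls": [
    // Default rule a new tailnet starts with: every node reaches every node on
    // every port. Left commented out here; keeping it would make the rest moot.
    // { "action": "accept", "src": ["*"], "dst": ["*:*"] },

    // Engineers reach CI machines on SSH and HTTPS only.
    { "action": "accept", "src": ["group:eng"],    "dst": ["tag:ci:22,443"] },

    // On-call engineers get SSH to production; nobody else does.
    { "action": "accept", "src": ["group:oncall"], "dst": ["tag:prod:22"] },

    // Only CI hosts may reach the database, and only on the Postgres port.
    { "action": "accept", "src": ["tag:ci"],       "dst": ["db-primary:5432"] },
  ],

  // Policy tests are evaluated when the file is saved; a failing test rejects the change.
  "tests": [
    { "src": "alice@example.com", "accept": ["tag:ci:22"],   "deny": ["tag:prod:22", "db-primary:5432"] },
    { "src": "carol@example.com", "accept": ["tag:prod:22"], "deny": ["db-primary:5432"] },
  ],
}
```

Tailscale ACLs are deny-by-default: any connection not matched by an accept rule is dropped, so removing the wildcard rule is what makes group membership enforceable rather than decorative.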
Management of database and servers
Pritunl requires setting up your own MongoDB instance as well as Pritunl servers, which run alongside it and are user managed. There is no fully managed service, so the initial setup and continued maintenance of these servers are the responsibility of the users. Once the server is set up, administrators can configure the organization’s SSO identity provider, which allows existing users to log in to Pritunl on their devices.
Tailscale makes connecting devices straightforward: you simply install and log into Tailscale on each device using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.
Meaningful Feature Distribution Across Plans
While Pritunl and Tailscale have many similar VPN features, a lot of Pritunl’s best features are restricted to their enterprise plan. Tailscale, alternatively, allows free users to access powerful features. For example, Tailscale includes single sign-on on our free version, and Pritunl includes this feature only in their enterprise plan.
A Mesh Network with True Peer-to-Peer Communications
While Pritunl does facilitate client-to-client communications, they aren’t true peer-to-peer connections like those in Tailscale, since the traffic passes through a server. Tailscale’s coordination server is a control plane only: it distributes keys and helps devices find each other, and it never carries the traffic itself, so it is not part of the data plane.
Pritunl’s Use Cases
Supports Multiple Protocols
If you’re someone who could benefit from the flexibility of being able to use either WireGuard or OpenVPN, Pritunl can offer this.
More Customizable WireGuard server compared to Tailscale
Pritunl offers a more configurable WireGuard server, providing users with greater flexibility.
The bottom line
Pritunl is suited toward enterprise environments: their enterprise plan includes the most comprehensive set of functionalities, including single sign-on, automatic failover, VXLAN support, and DNS mapping. Relative to Pritunl, Tailscale is better suited for enterprises looking for a more managed, opinionated offering, as well as for small teams or individual users looking for specific features like SSO at a smaller scale.