How to Make a VPN: Build It Yourself vs. Tailscale
Many people are interested in making a VPN between their devices in order to make collaboration easier. They do this to share files between devices without the cloud, play games together, collaborate on projects and more, all without worrying about confusing firewall settings or spending hours configuring things. WireGuard is a popular protocol for this because it is battery-efficient and fast.
VPNs offer the following benefits to users and the services they protect:
- End-to-end encryption: A service behind a VPN is always protected with military-grade encryption, so malicious actors in that coffee shop cannot see what you are doing behind it.
- Private availability: Computers behind the VPN are not directly visible from random places on the internet, which makes it impossible for hackers to break into them.
- Convenience: A VPN will let computers on that VPN communicate with each other, which means you don’t have to worry about firewalls getting in the way.
Making a VPN with WireGuard can be a tedious and error-prone task. To do it, you need to complete these steps:
- Create or designate a server you pay for as the host for the VPN
- Lock down all of the firewall settings so that only VPN and SSH traffic can go to it via the internet
- Make sure that the server can route traffic through the VPN interface
- Install the WireGuard kernel module
- Set up a keypair for the server
- Figure out an IP address range that won’t collide with home networks, coffee shops and other public Wi-Fi
- Figure out every device you want to join to the VPN
- Make a keypair for every device
- Put the public key into the server configuration
- Reload the server configuration, disrupting everyone’s connections in the process
- Configure each client device (instructions vary by OS)
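As an added example (not code from the original page or from Tailscale), the script below renders the hub-and-spoke WireGuard configs that the steps above produce: it checks the VPN range against common LAN subnets, writes one [Peer] block per device into the server config and emits a matching client config for each device. The endpoint vpn.example.com, the 10.77.0.0/24 range and the key strings are constructed placeholders; real keys come from `wg genkey` and `wg pubkey`.

```python
import ipaddress

# Subnets commonly handed out by home routers and public Wi-Fi (constructed
# list for this example; extend it with the LANs your devices actually use).
COMMON_LANS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/16", "10.0.0.0/24", "10.1.1.0/24", "172.16.0.0/24")]

def check_vpn_range(cidr):
    """Reject a VPN range that collides with one of the common LAN ranges."""
    net = ipaddress.ip_network(cidr)
    clash = [str(lan) for lan in COMMON_LANS if net.overlaps(lan)]
    if clash:
        raise ValueError(f"{net} overlaps {', '.join(clash)}; pick another range")
    return net

def render_configs(cidr, endpoint, server_keys, peers, port=51820):
    """Return (server_conf, {device: client_conf}).
    server_keys and each peers[name] are (private, public) pairs as produced
    by `wg genkey` / `wg pubkey`; the server takes the first host address."""
    net = check_vpn_range(cidr)
    hosts = net.hosts()
    server_ip = next(hosts)
    server = ["[Interface]", f"Address = {server_ip}/{net.prefixlen}",
              f"ListenPort = {port}", f"PrivateKey = {server_keys[0]}",
              # forward packets between peers (hub-and-spoke routing)
              "PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT",
              "PostDown = iptables -D FORWARD -i %i -j ACCEPT"]
    clients = {}
    for name, (priv, pub) in peers.items():
        ip = next(hosts)  # every device gets its own /32 inside the range
        server += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}",
                   f"AllowedIPs = {ip}/32"]
        clients[name] = "\n".join([
            "[Interface]", f"Address = {ip}/32", f"PrivateKey = {priv}", "",
            "[Peer]", f"PublicKey = {server_keys[1]}",
            f"Endpoint = {endpoint}:{port}", f"AllowedIPs = {net}",
            "PersistentKeepalive = 25"])  # keeps NAT mappings open
    return "\n".join(server), clients

# Constructed placeholders; generate real keys with `wg genkey | tee priv | wg pubkey > pub`.
SERVER_KEYS = ("SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER")
PEERS = {"laptop": ("LAPTOP_PRIVATE_KEY_PLACEHOLDER", "LAPTOP_PUBLIC_KEY_PLACEHOLDER"),
         "phone": ("PHONE_PRIVATE_KEY_PLACEHOLDER", "PHONE_PUBLIC_KEY_PLACEHOLDER")}

if __name__ == "__main__":
    srv, clients = render_configs("10.77.0.0/24", "vpn.example.com", SERVER_KEYS, PEERS)
    print(srv, "\n---- laptop ----", clients["laptop"], sep="\n")
```

Every new device means re-rendering and reloading the server config, which is the step the list above flags as disruptive.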
And voilà, you have yourself a VPN! Everything is routed through that central server, though, which can get expensive if a lot of data passes between the computers behind the VPN. It gets worse if you have employees spread across multiple locations, offices or even continents. If the VPN hub is in Montreal and the service is in San Francisco, your packets go through Montreal even if you’re standing next to the machine in San Francisco.
Let’s compare that to the steps to set up Tailscale:
- Sign up for free on tailscale.com
- Install Tailscale on every device you want on the VPN
- Log into Tailscale on those devices
- There is no step 4: You’re done!
Much easier! Tailscale handles the IP addressing, public key management and connectivity between your devices. The devices connect directly to each other instead of through one big central server. This means that traffic from someone in San Francisco goes directly to a server in San Francisco instead of bouncing around the world, giving you the fastest connections possible.
Tailscale has even more benefits than we’ve listed here. Here’s a high level outline of some of the bigger ones:
| With Tailscale | Without Tailscale |
| --- | --- |
| Strong correlation between computers and users in the admin console, system tray icon and mobile apps | Spreadsheets keeping track of IP address ownership and names of computers |
| MagicDNS lets you connect to computers directly by name | Memorizing IP addresses or having to set up a complicated DNS server on your own |
| Taildrop for instant file sharing across computers, like AirDrop on Apple devices | Setting up complicated file sharing systems using separate accounts from your identity provider |
| Use the identity management system you’re already used to: a Google Workspace user correlates 1:1 with a Tailscale user | Manual setup that requires error-prone encryption key generation and configuration |
| Seamless adding of new machines | Disruptive rehashing of configuration files that kills all traffic until it’s done |
| Tailscale keeps growing and changing | Manual setup required for any additional features and polish |
| A support team to rely on if things go wrong | Expensive contractors and WireGuard experts |
| Distributed mesh | Single point of failure |
How much does Tailscale cost? Tailscale is free for personal use and evaluation. Check our pricing page for more information.
In most cases the answer is no; however, depending on government regulations the answer may be yes. Check the regulations of your country or locality if you are unsure.
A malicious actor will only be able to see that you are using Tailscale; they will not be able to see the contents of your traffic. Those contents are encrypted with better encryption than most banks use, which will keep your information secure.
Tailscale doesn’t do this by default, however you can set up an Exit Node to do this. When you enable an Exit Node, all the traffic sent out to the internet will go through that node. This will make websites you connect to think that node’s IP address is the one you are using instead of the one you are actually connecting with, thus hiding your IP address behind the exit node.
This will depend on your individual security posture, but a VPN can definitely be convenient if you need to access your home network on the go. Forget a file on your home tower? Remote into it over Tailscale and copy it over to your phone with Taildrop. The same conveniences extend to your workplace, so you can use them at home and at work.
You can host anything behind Tailscale: a Minecraft server, a web server, a photo collection and more. If you can do it on the public internet, you can do it privately with Tailscale.
Tailscale lets you easily share services with other Tailscale users using Node Sharing. Node Sharing allows you to share individual computers with other people. Giving someone access to a dedicated Minecraft server won’t give them access to your photo collection on another computer.