Pritunl vs. Tailscale

A common issue with the traditional VPN is its inability to scale well: usually, a remote user needs to be connected to a central VPN concentrator, which can create a bottleneck. This is why the focus of newer VPN solutions tends to be on improving connectivity and speed, in addition to shifting to identity-based security, allowing the use of single sign-on and user group-based security policies. These new features help to speed things up, while securely bypassing the rigidity of old VPNs.

Both Tailscale and Pritunl have created VPNs that make serious improvements to the usability of remote access VPNs in the modern work environment. Here, we’ll compare the two and outline each one’s unique advantages.

Pritunl features

Pritunl is advertised as the “enterprise VPN server.” Pritunl was originally built on the OpenVPN protocol, but now also supports a WireGuard implementation. Pritunl connects clients to each other by routing communications through a server, rather than through a mesh network. These replicated VPN servers have automatic routing and automatic failover. This is true for both the OpenVPN and the WireGuard implementations.

Comparison matrix

| | Tailscale | Pritunl |
|---|---|---|
| Open source? | Yes (except coordination server) | Yes |
| Integrates with identity providers for single sign-on? | Yes (Google, Office 365/Azure AD, Okta, etc.) | Yes |
| Mesh VPN | Yes | No |
| End-to-end encryption? | Yes | Proxy forwards between users and apps |
| Connection latency | Minimal (point-to-point mesh) | Depends on nearest proxy location |
| ACLs and security policies? | Yes (central ACL policy) | Yes |
| Forward all traffic through gateway? | Optional (exit nodes) | Enabled by default, can be configured |
| Pricing | Free for individuals. Paid plans for teams and enterprise | Free version with limited functionality, paid plan for enterprise features |

Tailscale advantages

Management of database and servers

Pritunl requires setting up your own MongoDB instance as well as Pritunl servers, which run alongside the MongoDB instance and are user managed. There is no fully managed service. This makes the initial setup and continued maintenance of these servers the responsibility of the users. Once the server is set up, administrators can configure the organization’s SSO identity provider, which allows existing users to log in to Pritunl on their devices.

Tailscale makes connecting devices straightforward: you simply install and log into Tailscale on each device using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.

Meaningful Feature Distribution Across Plans

While Pritunl and Tailscale have many similar VPN features, a lot of Pritunl’s best features are restricted to their enterprise plan. Tailscale, alternatively, allows free users to access powerful features. For example, Tailscale includes single sign-on on our free version, and Pritunl includes this feature only in their enterprise plan.

A Mesh Network with True Peer-to-Peer Communications

While Pritunl virtually facilitates client-to-client communications, these aren’t true peer-to-peer connections like we see with Tailscale, since they pass through a server. Tailscale uses a coordination server only as a control plane, for sharing keys and connecting devices; it does not act as a data plane and does not intercept traffic.

Pritunl’s Use Cases

Supports Multiple Protocols

If you’re someone who could benefit from the flexibility of being able to use either WireGuard or OpenVPN, Pritunl can offer this.

More Customizable WireGuard server compared to Tailscale

Pritunl offers a more configurable WireGuard server, providing users with greater flexibility.

The Bottom Line

Pritunl is suited toward enterprise environments: their enterprise plan includes the most comprehensive set of functionalities, including single sign-on, automatic failover, VXLAN support, and DNS mapping. Relative to Pritunl, Tailscale is better suited for enterprises looking for a more managed, opinionated offering, as well as for small teams or individual users looking for specific features like SSO at a smaller scale.

WireGuard is a registered trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.