OpenVPN vs. Tailscale

Tailscale and OpenVPN are two popular Virtual Private Network (VPN) providers. Both offer an encrypted tunnel for reaching your private network, and both come with a free version.

When it comes to usability, maintainability, and security options, Tailscale and OpenVPN differ vastly. Read on to find out how the two solutions compare.

Overview of OpenVPN

OpenVPN is an SSL VPN. OpenVPN offers multiple products: VPN-as-a-service, a commercial self-hosted VPN solution, and an open-source VPN solution. The core OpenVPN protocol code is open-source, and OpenVPN implementations are available for all major desktop and mobile operating systems. This comparison focuses on the VPN-as-a-service, known as OpenVPN Cloud.

Users of OpenVPN can rest assured that the traffic between their device and the VPN server is encrypted. For that reason, OpenVPN has been a popular solution for personal and business use for twenty years.

Comparison matrix

| | Tailscale | OpenVPN |
|---|---|---|
| VPN type | Mesh VPN | SSL VPN |
| Open source | Yes (clients, but not the coordination server) | Yes (core OpenVPN client) |
| End-to-end encryption | Yes | No |
| Role-based access controls | Yes | Yes |
| Integrates with identity providers for single sign-on | Yes (Google, AzureAD, GitHub, Okta, OneLogin, and more) | Yes (SAML and LDAP) |
| Client required | Yes | Yes |
| Pricing | Per user: free for personal use and open source; paid for enterprise | Per connection: free for 2 or 3 connections, or fully self-hosted; paid for enterprise |

Initial setup

To set up OpenVPN, a user first needs to create an account with a username and password (SAML and LDAP are also available). After account creation, an admin needs to deploy a connector for their network. This includes specifying the subnet routes and the domains that should use that connector. They also need to invite other users in their organization to download clients and use their network. Once at least one connector is deployed, then users can connect to those resources over the OpenVPN network.

Tailscale focuses on usability, for both end users and IT teams. An end user can start using Tailscale by downloading the client and signing in with an existing SSO account, such as GitHub or Google Workspace; there is no separate set of credentials. The user is then part of their network and can connect to anything else already on it, subject to the access control lists (ACLs).

Network administration

OpenVPN requires more initial setup and configuration. To make the network accessible, an admin needs to deploy connectors for each set of subnet routes and domains they want to manage. Users are managed with usernames and passwords, and optionally SAML or LDAP.

Configuration for Tailscale can be managed incrementally, so users can connect to resources as soon as they join a network. Tailscale's direct integration with single sign-on (SSO) means there are no separate accounts to manage.

Both OpenVPN and Tailscale have complex configurations allowing routing subnets, internet-bound traffic, and role-based access control.

| Concept in OpenVPN | Related concept in Tailscale |
|---|---|
| Access Group | Access Control List (ACL) |
| Custom VPN Topology | Using ACLs to restrict access in the network |
| Full Mesh VPN Topology | ACLs that allow all access: `{ "action": "accept", "src": ["*"], "dst": ["*:*"] },` |
| Connector | Subnet router |
| VPN Egress | Exit node |
| Internet Access | ACLs controlling exit nodes: `{ "action": "accept", "src": ["*"], "dst": ["autogroup:internet:*"] },` |
| Host | Node |
| Owner | Owner |
| Administrator | Admin |
| User | Member |
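To show how the ACL rules in the table behave, here is an added example (not Tailscale's own code, and deliberately simpler than its real policy engine, which also handles tags, CIDRs, and other autogroups): a small Python evaluator that applies the page's full-mesh rule and a restrictive "custom topology" policy to constructed requests. The policy, users, and 100.64.x.x addresses are constructed for the example; the only semantics assumed are default deny, accept-only rules, `*` wildcards, `group:` membership, and `autogroup:internet` matching public addresses reached through an exit node.

```python
import ipaddress
import json
# Constructed policy (not from the page): the "custom topology" case, with access
# restricted per destination, plus the page's exit-node rule for internet traffic.
RESTRICTED_POLICY = json.loads("""{
  "groups": {"group:it": ["alice@example.com", "bob@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:it"], "dst": ["100.64.0.10:22"]},
    {"action": "accept", "src": ["*"], "dst": ["100.64.0.20:443"]},
    {"action": "accept", "src": ["*"], "dst": ["autogroup:internet:*"]}
  ]
}""")
# The page's full-mesh rule: everyone may reach everything on every port.
FULL_MESH_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

def _src_matches(policy, entry, user):
    if entry == "*":
        return True
    if entry.startswith("group:"):  # group membership is resolved from "groups"
        return user in policy.get("groups", {}).get(entry, [])
    return entry == user

def _port_matches(spec, port):
    # "*" is any port; otherwise a comma-separated list of ports or lo-hi ranges
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _dst_matches(entry, host, port):
    target, _, ports = entry.rpartition(":")
    if not _port_matches(ports, port):
        return False
    if target == "autogroup:internet":
        # internet-bound traffic through an exit node: any public, non-private address
        try:
            return ipaddress.ip_address(host).is_global
        except ValueError:
            return False
    return target == "*" or target == host

def allowed(policy, user, host, port):
    """Default deny: traffic is permitted only if some accept rule matches it."""
    for rule in policy["acls"]:
        if rule["action"] == "accept" and any(_src_matches(policy, s, user) for s in rule["src"]) \
                and any(_dst_matches(d, host, port) for d in rule["dst"]):
            return True
    return False
```

Under the restrictive policy only `group:it` members reach SSH on 100.64.0.10, everyone reaches HTTPS on 100.64.0.20, and public addresses are reachable through an exit node, while other private destinations are denied; under the full-mesh rule every request is accepted.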

Connectivity

Tailscale is a peer-to-peer mesh VPN that allows direct connections between devices, whereas OpenVPN is a hub-and-spoke VPN in which a concentrator relays traffic between devices.

OpenVPN is an SSL VPN, which makes it flexible for use with many firewalls and NATs. OpenVPN can be run in pfSense, whereas Tailscale cannot. Tailscale can run behind a pfSense firewall with some configuration changes. Both Tailscale and OpenVPN can be used for establishing difficult connections requiring NAT traversal.

OpenVPN requires the configuration of regions, whereas Tailscale connects devices regardless of their region.

Security

OpenVPN offers many encryption mechanisms from OpenSSL with many user-definable options. Though this allows flexibility and agility, it also means a user could potentially choose a less secure option.

Tailscale is based on WireGuard and uses strong encryption by default. WireGuard is opinionated: it does not let users choose ciphers or tune cryptographic settings, and instead ships with a fixed set of modern defaults.

Both WireGuard and OpenVPN have undergone security audits. WireGuard has a significantly smaller code base, which makes it easier to audit than OpenVPN.

Pricing

OpenVPN is priced per connection, whereas Tailscale is priced per user.

OpenVPN offers three options for its product: OpenVPN-as-a-service, self-hosted commercial, or self-hosted open-source. As of November 2021,

  • OpenVPN-as-a-service, OpenVPN Cloud, is free for up to 3 simultaneous connections. Above 3 simultaneous connections, OpenVPN-as-a-service is a paid offering, with the minimum package of 10 simultaneous connections priced at $75/month.
  • The self-hosted commercial option, the OpenVPN Access Server, is free for up to 2 simultaneous connections. Above 2 connections, OpenVPN Access Server is a paid offering, with the minimum package of 10 simultaneous connections priced at $75/month, plus the cost of any relevant infrastructure like the virtual machine for the Access Server and the bandwidth between the server and the clients.
  • The self-hosted open-source option is free to use for any number of users, but you have to configure and manage OpenVPN yourself in that case. When using the open-source solution, you’ll need to pay for one or more virtual machines to host the OpenVPN infrastructure, as well as the bandwidth to and from the infrastructure.

Tailscale is a commercial product with a free tier. Tailscale hosts and manages the control plane, and devices need a client installed to connect to the network. There is no infrastructure you need to run yourself. Tailscale is priced per user.

Switching from OpenVPN to Tailscale

Let’s briefly consider the case of Tailscale customer Zego, who moved from using OpenVPN to Tailscale.

Zego initially started out with OpenVPN, but found that it was expensive and complex to debug. Whenever a VPN issue arose, Zego’s IT team would spend extra time figuring out whether it was a VPN client program issue, a DNS issue, or an implementation issue. When the COVID-19 pandemic began and Zego’s team shifted completely to remote work, the IT team found it difficult to keep supporting Zego’s sizable customer support and customer success teams on the traditional VPN.

Today, Zego is a satisfied Tailscale customer. All of Zego's infrastructure, which includes Kubernetes clusters and subnet routers, is now only accessible through Tailscale. From its account managers to its developers, the entire company now uses Tailscale to connect to internal services, and Zego's IT administrators spend less time on VPN problems.

The bottom line

Both OpenVPN and Tailscale offer enterprise VPN solutions.

If you have specific legacy configuration requirements (e.g., LDAP authentication) or specific encryption protocols, then OpenVPN may be a better choice for you.

If you want a simpler configuration that works with existing SSO providers and provides peer-to-peer connections, then Tailscale may be a better choice for you.

WireGuard is a registered trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.