OpenVPN vs. Tailscale
Tailscale and OpenVPN are two popular Virtual Private Network (VPN) solutions. Both provide an encrypted tunnel for reaching your private network, and both come with a free version.
When it comes to usability, maintainability, and security options, Tailscale and OpenVPN differ vastly. Read on to find out how the two solutions compare.
OpenVPN is an SSL VPN: it tunnels traffic inside TLS and runs over either UDP or TCP. OpenVPN offers multiple products: VPN-as-a-service, a commercial self-hosted VPN solution, and an open-source VPN solution. The core OpenVPN protocol code is open source, and OpenVPN implementations are available for all major desktop and mobile operating systems. This comparison focuses on the VPN-as-a-service, known as OpenVPN Cloud.
Users of OpenVPN can rest assured that traffic between their device and the VPN server is encrypted. Note that the protection is between client and server: traffic between two devices is decrypted and re-encrypted at the server rather than protected end to end between the devices. OpenVPN has been a popular solution for personal and business use for twenty years.
| | Tailscale | OpenVPN |
|---|---|---|
| VPN type | Mesh VPN | SSL VPN |
| Open source | Clients but not coordination server | Core OpenVPN client |
| Role-based access controls | Yes | Yes |
| Integrates with identity providers for single sign-on | Yes | Yes (SAML and LDAP) |
| Pricing | Free for personal use and open source; paid for enterprise | Free for 2 or 3 connections, or fully self hosted; paid for enterprise |
To set up OpenVPN Cloud, a user first creates an account with a username and password (SAML and LDAP are also available). An admin then deploys a connector for their network, specifying the subnet routes and the domains that should be reached through that connector, and invites other users in the organization to download clients and join the network. Once at least one connector is deployed, users can reach those resources over the OpenVPN network.
Tailscale focuses on usability, for both end users and IT teams. An end user can start using Tailscale by downloading the client, and signing in through an SSO account, like GitHub or Google Workspace. There is no need for a separate set of credentials. Then, users are part of their network and can connect to anything else already on the network, as restricted by access control lists (ACLs).
OpenVPN requires more initial setup and configuration. To make the network accessible, an admin needs to deploy connectors for each set of subnet routes and domains they want to manage. Users are managed with usernames and passwords, and optionally SAML or LDAP.
Configuration for Tailscale can be easily managed incrementally, so that users can connect to resources as soon as they join a network. The direct integration of Tailscale with single-sign-on (SSO) means that there are no separate accounts to manage.
Both OpenVPN and Tailscale offer rich configuration options for routing subnets, steering internet-bound traffic, and role-based access control. The table below maps OpenVPN concepts to their Tailscale counterparts.
| Concept in OpenVPN | Related concept in Tailscale |
|---|---|
| Access Group | Access Control List (ACL) |
| Custom VPN Topology | Using ACLs to restrict access in the network |
| Full Mesh VPN Topology | ACLs that allow all access |
| VPN Egress | Exit node |
| Internet Access | ACLs controlling exit nodes |
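As an added example (written for this comparison; it is not from the page or from Tailscale's documentation), here is a Tailscale policy file in HuJSON that exercises each row of the table: groups stand in for OpenVPN Access Groups, the ACL rules carve out a custom topology, the commented-out rule is the full-mesh equivalent, and the `autogroup:internet:*` rule decides who may send internet-bound traffic through an exit node. The user names, group and tag names, and the 10.20.0.0/16 subnet are assumptions.

```hujson
// Added example policy for a Tailscale tailnet. Not taken from the page above
// or from Tailscale's own documentation; the example.com users, group names,
// tag names and the 10.20.0.0/16 subnet are assumptions.
{
  // Groups play the role that Access Groups play in OpenVPN.
  "groups": {
    "group:eng":   ["alice@example.com", "bob@example.com"],
    "group:admin": ["carol@example.com"],
  },

  // Which users may apply a tag to a device (the subnet router and exit node).
  "tagOwners": {
    "tag:subnet-router": ["group:admin"],
    "tag:exit-node":     ["group:admin"],
  },

  // Routes and exit nodes advertised by devices carrying these tags are
  // approved automatically instead of waiting for a click in the admin console.
  "autoApprovers": {
    "routes":   {"10.20.0.0/16": ["tag:subnet-router"]},
    "exitNode": ["tag:exit-node"],
  },

  // Anything no rule accepts is denied.
  "acls": [
    // "Custom VPN topology": engineers may reach only SSH and HTTPS on the
    // office subnet behind the subnet router.
    {"action": "accept", "src": ["group:eng"],   "dst": ["10.20.0.0/16:22,443"]},

    // Admins may reach every device and port on the tailnet.
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},

    // "Internet access" / "VPN egress": only admins may route internet-bound
    // traffic through an exit node. Engineers cannot select one at all.
    {"action": "accept", "src": ["group:admin"], "dst": ["autogroup:internet:*"]},

    // "Full mesh VPN topology" would be this single rule in place of the three above:
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],
}
```

The subnet router and exit node are ordinary devices tagged by an admin and brought up with `tailscale up --advertise-routes=10.20.0.0/16` and `tailscale up --advertise-exit-node` respectively; the `autoApprovers` section removes the manual approval step for them. Because the policy is deny-by-default, tightening the topology is a matter of deleting or narrowing rules rather than adding deny entries.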
Tailscale is a peer-to-peer mesh VPN: devices connect to each other directly, falling back to Tailscale's relay servers only when a direct connection cannot be established. OpenVPN uses a concentrator, so traffic between two devices is funnelled through the VPN server.
OpenVPN is an SSL VPN that tunnels over TLS and can run over TCP (commonly port 443) as well as UDP, which lets it pass many firewalls and NATs. At the time of writing, OpenVPN can be run on pfSense itself, whereas Tailscale cannot; Tailscale can run behind a pfSense firewall with some configuration changes. Both Tailscale and OpenVPN can establish difficult connections that require NAT traversal.
OpenVPN Cloud requires you to configure the regions its connectors run in, whereas Tailscale connects devices regardless of their region.
OpenVPN exposes many of OpenSSL's encryption mechanisms through user-definable options (data-channel cipher, HMAC digest, minimum TLS version, and so on). That flexibility and agility cuts both ways: a user can also pick a weak option, such as a legacy 64-bit-block cipher or an old TLS version, and OpenVPN will accept it.
Tailscale is based on WireGuard and uses strong encryption by default. WireGuard is opinionated: it offers no user-controlled cipher or handshake settings and instead uses one fixed set of modern primitives (ChaCha20-Poly1305, Curve25519, BLAKE2s), so there is no weak option to choose.
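To make the flexibility concrete, here is an added example (not from the page or from OpenVPN's documentation) of a `server.conf` for a self-hosted OpenVPN 2.5 or later server, that is, the open-source option rather than OpenVPN Cloud, which manages these settings for you. The weak fragment is commented out above the hardened one; both are configurations OpenVPN will load without complaint. File names and the 10.8.0.0/24 tunnel range are assumptions.

```conf
# Added example for a self-hosted OpenVPN 2.5+ server. Not from the page above
# or from OpenVPN's documentation; certificate/key file names and the
# 10.8.0.0/24 tunnel range are assumed.

# --- Weak: accepted by OpenVPN, but every line below is a poor choice ---
# proto udp
# port 1194
# cipher BF-CBC          # 64-bit-block Blowfish; exposed to SWEET32 on long sessions
# auth MD5               # HMAC-MD5 for the control channel and non-AEAD data channel
# tls-version-min 1.0    # permits TLS 1.0 handshakes
# tls-auth ta.key 0      # authenticates control-channel packets but leaves them in the clear

# --- Hardened: AEAD data channel, TLS 1.2+, encrypted control channel ---
proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh none                                   # ECDHE only; no finite-field DH parameters
ecdh-curve secp384r1
tls-version-min 1.2
tls-crypt ta.key                          # encrypt and authenticate control-channel packets
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM         # clients that cannot negotiate an AEAD cipher are refused
auth SHA256                               # digest for tls-auth and non-AEAD ciphers; AEAD ciphers and tls-crypt fix their own
remote-cert-tls client                    # only accept certificates carrying the client EKU
server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
verb 3
```

The point of the comparison is not that the weak settings are the default (recent OpenVPN releases negotiate AES-GCM) but that the server will happily run with them if an administrator writes them, whereas WireGuard has no equivalent directives to get wrong. When hardening an existing deployment, check the server log for the negotiated cipher on each connection before tightening `data-ciphers-fallback`, since older clients that cannot do NCP will be cut off.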
Both WireGuard and OpenVPN have undergone security audits. WireGuard's codebase is roughly 4,000 lines, a small fraction of OpenVPN's, which makes it substantially easier to audit.
OpenVPN is priced per connection, whereas Tailscale is priced per user.
OpenVPN offers three options for its product: OpenVPN-as-a-service, self-hosted commercial, or self-hosted open-source. As of November 2021,
- OpenVPN-as-a-service, OpenVPN Cloud, is free for up to 3 simultaneous connections. Above 3 simultaneous connections, OpenVPN-as-a-service is a paid offering, with the minimum package of 10 simultaneous connections priced at $75/month.
- The self-hosted commercial option, the OpenVPN Access Server, is free for up to 2 simultaneous connections. Above 2 connections, OpenVPN Access Server is a paid offering, with the minimum package of 10 simultaneous connections priced at $75/month, plus the cost of any relevant infrastructure like the virtual machine for the Access Server and the bandwidth between the server and the clients.
- The self-hosted open-source option is free to use for any number of users, but you have to configure and manage OpenVPN yourself in that case. When using the open-source solution, you’ll need to pay for one or more virtual machines to host the OpenVPN infrastructure, as well as the bandwidth to and from the infrastructure.
Tailscale is a commercial product with a free tier. Tailscale hosts and manages the control plane, and devices need a client installed to connect to the network. There is no infrastructure you need to run yourself. Tailscale is priced per user.
Let’s briefly consider the case of Tailscale customer Zego, who moved from using OpenVPN to Tailscale.
Zego initially started out with OpenVPN, but found that it was expensive and complex to debug. Whenever a VPN issue arose, Zego’s IT team would spend extra time figuring out whether it was a VPN client program issue, a DNS issue, or an implementation issue. When the COVID-19 pandemic began and Zego’s team shifted completely to remote work, the IT team found it difficult to keep supporting Zego’s sizable customer support and customer success teams on the traditional VPN.
Fast forward to today, Zego is a satisfied Tailscale customer. All of Zego’s infrastructure, which includes Kubernetes clusters and subnet routers, is now only accessible through Tailscale. From its account managers to its developers, the entire company now uses Tailscale to connect to internal services. Zego’s IT administrators can spend less time on VPN problems.
Both OpenVPN and Tailscale offer enterprise VPN solutions.
If you have specific legacy configuration requirements (e.g., LDAP authentication) or need to choose particular ciphers or TLS settings, then OpenVPN may be a better choice for you.
If you want a simpler configuration that works with existing SSO providers, and provides peer to peer connections, then Tailscale may be a better choice for you.