Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
They are not only a wrapper for Wireguard even though people keep saying that.
Each of the tools gives different benefits and yes, you can roll all of that on your own, but let's take Tailscale as an example: You have custom ACLs to secure your network on a client/user/device basis with tagging of devices. You have your own tailscale SSH connection, the possibility to create private-public tunnels (just like Cloudflare tunnels). The hole punching using DERP servers and native IPv6/IPv4 interoperability means it really connects any device on any network type to all other devices. And of course the management pane and GUI you talked about.
This is not supposed to be a marketing ploy for Tailscale, but saying "they are just a wrapper for Wireguard" is plain wrong.
I had to use tailscale to bust through port forwarding on chained routers because, even with ports configured correctly, wireguard wasn't able to get through.
My use case was for remote access into a home-hosted Nextcloud instance, via an ISP-supplied fibre router (IPv4, not CGNAT), then my own GL.iNet router, then to my Nextcloud instance.
Despite opening up port forwarding correctly, wireguard just couldn't get through that chain, whereas tailscale got through with no problems.
Downside of using tailscale is that it's messy to use at the same time as a VPN on your client device. Split tunnelling supposedly works, but I couldn't get it going.
As others have pointed out, Tailscale and Netbird are much more than wrappers around Wireguard. ZeroTier does not use Wireguard and they have their own lightweight tunnels, which in their recent multi-threaded implementations are more performant but not as fast as Wireguard in my testing.
I don't think there's a direct way to integrate any of them into existing mesh networks, but I could be wrong.
But paid Tailscale is $5 a month right? So you gotta be paying more to self host and deal with all the problems yourself, not have derp servers all over the world, etc. Why?
Why do you assume OP paid $5 a month? You get Tailscale for free in many use-cases. Your argument that self-hosting is more expensive is still valid, but I don't get the $5.
I already run a VPS for other things, this fits cleanly into that setup, NetBird’s been low-maintenance, and I don’t need global relays. That’s enough for me.
Also long time zerotier user here, I run a controller for our company. I'm starting to experience infrequent but annoying drops in connection, and DNS is a headache.
I switched from Zerotier to Tailscale last year and Tailscale is far more performant and stable but Zerotier works better with multicast, specifically multicast video. I even ran a Zerotier moon to help but it was still worse than Tailscale.