Best.VPN.Ever.

Today I want to admit that I was wrong. I have been using and pushing wg-easy as an amazing way to manage a wireguard server for remote access back into your home network. That wasn't the part that was incorrect - wg-easy really is an amazing front end.
What I was wrong about was the type of VPN which is best. WireGuard is the best thing to happen to VPNs, probably ever. However, we have not been using it correctly. Some very smart people figured out how to use it better, and now we have overlay/mesh VPNs.
To explain why that is important, I am going to use pictures and talk about the old way vs the new way. This is the old way:

In the old way, if I was in NYC and my WireGuard server was in California and a client wanted to connect from NJ, this is how the traffic would be routed: NJ to California and back to NYC. Super inefficient, since my traffic must be relayed at all times through the hub. The other issue with this is that if my WireGuard server sits on the 192.168.1.0/24 subnet, that's all my clients get access to.

This is the new way. Notice how there is no "server". Every node can make a direct connection to every other node. Aside from the obvious speed and privacy benefits of this, it also opens up the possibility of publishing subnets from any node. So for example, if node1 is on 192.168.1.0/24 and node2 is on 10.0.0.0/24, any node can get access to both of those subnets. Simultaneously. With no configuration needed on the node doing the accessing. If two nodes have access to the same subnet, I can publish the route through both of them for high availability. Magic.
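To make the routing difference concrete, here is an added example (mine, not from this post or from any of the products it mentions) that parses constructed WireGuard-style configs and resolves destinations the way WireGuard's cryptokey routing does: longest-prefix match over each peer's AllowedIPs. The keys, endpoints and addresses are placeholders I made up. In the hub-and-spoke config the client can only reach the hub's LAN; in the mesh config node1 and node2 each publish their own LAN and the client reaches both directly. The last function shows the caveat behind the HA promise: plain WireGuard gives a prefix to exactly one peer, so publishing the same subnet through two nodes is something the mesh control plane has to do for you by rewriting AllowedIPs on failover.

```python
import ipaddress

# Constructed sample configs for this example (not from the post). Keys and
# endpoints are placeholders; only [Peer] AllowedIPs matter for routing.
HUB_AND_SPOKE = """
[Interface]
Address = 10.8.0.3/24
PrivateKey = REDACTED

[Peer]
PublicKey = HUB
Endpoint = hub.example.net:51820
# the single California server; the client only ever learns its LAN
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
"""

MESH = """
[Interface]
Address = 100.64.0.3/32
PrivateKey = REDACTED

[Peer]
PublicKey = NODE1
Endpoint = nyc.example.net:51820
AllowedIPs = 100.64.0.1/32, 192.168.1.0/24

[Peer]
PublicKey = NODE2
Endpoint = ca.example.net:51820
AllowedIPs = 100.64.0.2/32, 10.0.0.0/24
"""

# Two peers publishing the same LAN, as the HA scenario in the post would need.
MESH_HA = MESH.replace("AllowedIPs = 100.64.0.2/32, 10.0.0.0/24",
                       "AllowedIPs = 100.64.0.2/32, 192.168.1.0/24")


def parse_peers(conf):
    """Map each [Peer] PublicKey to the list of networks in its AllowedIPs."""
    peers = {}
    key, pending, in_peer = None, [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                  # section boundary: flush peer
            if in_peer and key is not None:
                peers[key] = pending
            in_peer = line == "[Peer]"
            key, pending = None, []
            continue
        if not in_peer or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if name == "PublicKey":
            key = value
        elif name == "AllowedIPs":
            pending = [ipaddress.ip_network(p.strip()) for p in value.split(",")]
    if in_peer and key is not None:
        peers[key] = pending
    return peers


def route(peers, dst):
    """Longest-prefix match like WireGuard's cryptokey routing table.

    Returns the PublicKey of the peer that receives packets for dst, or None
    when no peer's AllowedIPs cover it (the tunnel drops the packet).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None


def duplicate_prefixes(peers):
    """Prefixes listed under more than one peer.

    Plain WireGuard cannot hold these: a prefix belongs to exactly one peer,
    and assigning it again simply moves it. 'Same subnet through two nodes'
    therefore needs a control plane that rewrites AllowedIPs on failover,
    not two static entries.
    """
    owners = {}
    for key, nets in peers.items():
        for net in nets:
            owners.setdefault(str(net), set()).add(key)
    return {prefix for prefix, keys in owners.items() if len(keys) > 1}


if __name__ == "__main__":
    hub = parse_peers(HUB_AND_SPOKE)
    mesh = parse_peers(MESH)
    print("hub client -> 192.168.1.10 via", route(hub, "192.168.1.10"))
    print("hub client -> 10.0.0.5 via", route(hub, "10.0.0.5"))
    print("mesh node  -> 192.168.1.10 via", route(mesh, "192.168.1.10"))
    print("mesh node  -> 10.0.0.5 via", route(mesh, "10.0.0.5"))
    print("HA config conflicts:", duplicate_prefixes(parse_peers(MESH_HA)))
```

Running it shows the hub client routing 10.0.0.5 to nobody (dropped), the mesh node reaching node1's and node2's LANs through different direct peers, and the HA config flagging 192.168.1.0/24 as claimed by two peers.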
There is more than one provider of this type of VPN, but the most famous is Tailscale. However, I think Netbird is the best out there.
The reason for this is usability. While both of those VPNs are amazing, as soon as I saw the above mesh diagram I realized I do not want all nodes to be able to access all nodes. I may want to isolate some of them on their own little island. This is not easy with Tailscale, but is dead simple with Netbird. For that reason alone I would switch.
That isn't to say there aren't things I miss about Tailscale, like the ability to share an endpoint with a friend without inviting them to my entire VPN. That is something I wish Netbird would implement in the future.
The other aspect of all this is management. The nodes in a mesh network need a control plane to coordinate them, as shown below:

While both Netbird and Tailscale have a pretty solid UI, again, I find Netbird to be more usable. Also, when you decide to self-host (yes you can self-host both), only Netbird has the exact same UI for continuity.
So what's the catch? While both of these are free, Netbird puts some features behind a paywall. It's not crazy ($5/mo); you would have to self-host to get it all for free. Also, both free tiers are limited to 100 endpoints, which I think is a lot, but hey, maybe you have a big network. No judgement. But really, there is no catch. This is simply amazing technology I wanted to share that you should 100% try, because as soon as I did I was hooked. There is no going back for me.