The hidden cost of per-user cloud VPN pricing
A friend who runs a 25-person agency in Berlin called me last month asking why his Tailscale bill had gone up. He had not added users. Tailscale had moved one of his licensed features from a lower tier to a higher tier. His annual cost went from $1,800 to $2,400 in one billing change.
This is not a hit piece on Tailscale. They have a business to run. But it made me think about the hidden costs of per-user VPN pricing for teams that grow beyond a handful of people.
The math
Per-user pricing typically looks like $5-$10/user/month. Sounds reasonable when you have 5 people. At 10 people, you are at $50-$100/month — $600-$1,200/year. At 25 people, $1,500-$3,000/year. At 50 people, $3,000-$6,000/year.
Now compare to the alternative: a $20/month Hetzner box running a self-hosted VPN. That serves 50 people for $240/year. With NexGuard's Team plan ($19/month), you are at $228/year for the software plus the $240 for the server — call it $470/year for 50 users.
The break-even point is somewhere around 10-12 users. Below that, per-user SaaS is fine. Above that, the math starts demanding an explanation.
The hidden costs of cloud VPN
It is not just the sticker price.
Vendor lock-in. You cannot migrate Tailscale's MagicDNS hostnames to another service. If you build a workflow around their DNS naming, you have to redo it elsewhere.
SSO requirement. Most cloud VPNs require Google/Microsoft/Okta. If you have contractors who do not have those accounts, you have to either provision them in your IdP (which costs more and adds attack surface) or maintain a separate access mechanism.
Pricing transparency. SaaS pricing changes. Sometimes for the better, sometimes not. You do not control it.
Data residency. Your VPN provider sees connection metadata: who connected when, from where. Most are honest about not logging traffic content, but the metadata itself is sensitive for some businesses.
The hidden costs of self-hosting
Honest accounting of the other side:
Time investment. If you are doing it yourself with raw WireGuard, expect 4-8 hours of setup and 1-2 hours per month of maintenance. Multiply by your hourly rate.
Server uptime is now your problem. If the VPN server crashes at 2am, somebody has to deal with it. SaaS providers handle this for you.
Security updates. You have to keep the underlying OS and WireGuard updated. Not hard, but it is on you.
Knowledge concentration. If only one person knows how the VPN is configured, you have a bus factor problem.
This is exactly why managed self-hosted exists as a category — products like NexGuard that you self-host but where the vendor handles updates and tunnel infrastructure. Best of both worlds: your data stays on your servers, but you do not have to be a part-time WireGuard sysadmin.
Real-world numbers from our customers
Three NexGuard customers I have permission to mention:
- An engineering team in Tashkent, 15 people. Switched from a different VPN that was charging $90/month. Now paying $19/month for our Team plan, plus $8/month for a small VPS. Saving $63/month, $756/year.
- A film studio in Ankara, 22 people across two offices. Switched from rolling their own WireGuard (volunteer admin, lots of pain). Now paying $19/month for our Team plan. Saving zero dollars, but their volunteer admin got their evenings back.
- An insurance company in Berlin, 8 employees plus 6 contractors. Were using Tailscale's $5/user plan. NexGuard cost them $9/month for the Starter plan because they only have one server. Saving $61/month.
My friend with the agency from the start of this post is currently running a trial of NexGuard. He has not made a decision yet. But he likes that the price is the price, and that adding people does not change it.
When per-user pricing actually makes sense
I will be honest about this. Per-user pricing makes sense when:
- Your team is under 10 people and growing slowly
- You need features that are genuinely per-user (audit per-user, billing per-user)
- You have heavy mobile usage and need polished iOS/Android apps yesterday
- You have a compliance requirement that needs SOC 2 certification (we are working on this, do not have it yet)
If any of those describe you, do not move just to save money. Use the tool that fits your problem.
But if you are a 15-person team paying $90/month for a service that is essentially "WireGuard with a UI", you are paying for the UI. There are alternatives.
