
Tailscale vs NexGuard: an honest comparison after migrating

Davronbek Achilov
Founder, NexGuard

I want to start by saying Tailscale is a great product. We used it from late 2023 until early 2025, and most of that time it was the right choice. This is not a hit piece. This is what I learned about both products by running them in production for similar workloads.

What Tailscale does better

Mesh networking. Tailscale's NAT traversal is in a different league. We had peers in mobile networks, university dorms, and some hotel WiFi networks that nobody should ever connect from, and Tailscale would still figure out a direct path most of the time. When NexGuard can't punch through, we fall back to a relay. Tailscale has DERP relays too, but their direct-connect rate is higher in our experience.

MagicDNS. Being able to ssh user@server-name from anywhere on the network without managing /etc/hosts is genuinely nice. We do not have a comparable feature yet.

The mobile apps. iOS and Android both feel polished. We have a desktop client (egui), and a mobile app is on the roadmap, but Tailscale is years ahead here.

ACL system. Their HuJSON ACL syntax is verbose but powerful. We do per-peer firewall rules but not the same level of policy expressiveness.
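To make the "policy expressiveness" gap concrete, here is an added example (not Tailscale's evaluator and not NexGuard code) of a tiny default-deny ACL engine using the src / dst / port rule shape the post refers to, with groups and tags. The sample policy, the identities and the peer inventory are constructed; a real HuJSON file (comments, trailing commas) would first need a HuJSON parser, which this skips. `compile_for_peer` flattens the group/tag policy into the allowlist one host would enforce locally, which is roughly the per-peer firewall view.

```python
"""Default-deny ACL evaluator modelled on a src/dst/port policy shape.
Added example for this post; not Tailscale's or NexGuard's code.
The policy is a plain dict (a real HuJSON file with comments and trailing
commas would first need a HuJSON parser, which this example skips)."""

# Constructed sample policy: groups of identities and accept-only rules.
POLICY = {
    "groups": {
        "group:dev": ["alice@example.com", "bob@example.com"],
        "group:ops": ["carol@example.com"],
    },
    "acls": [
        # developers reach app-tagged hosts on SSH and HTTPS only
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:app:22,443"]},
        # operators reach every host on every port
        {"action": "accept", "src": ["group:ops"], "dst": ["*:*"]},
        # one contractor reaches one host's web port range
        {"action": "accept", "src": ["dave@example.com"], "dst": ["10.0.0.5:80-443"]},
    ],
}

# Constructed peer inventory: tags attached to each VPN address.
PEERS = {
    "10.0.0.5": {"tags": {"tag:app"}},
    "10.0.0.9": {"tags": {"tag:db"}},
}


def _expand_src(entry, groups):
    """Return the set of identities an ACL src entry names; None means anyone."""
    if entry == "*":
        return None
    if entry.startswith("group:"):
        return set(groups.get(entry, []))
    return {entry}


def _port_matches(spec, port):
    """'*' matches all; otherwise a comma list of single ports or lo-hi ranges."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if low <= port <= high:
            return True
    return False


def _host_matches(host, dst_ip, peers):
    """A dst host is '*', a tag carried by the destination peer, or a literal IP."""
    if host == "*":
        return True
    if host.startswith("tag:"):
        return host in peers.get(dst_ip, {}).get("tags", set())
    return host == dst_ip


def is_allowed(policy, peers, user, dst_ip, port):
    """Default deny: True only if some accept rule matches user, host and port."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        src_sets = [_expand_src(s, groups) for s in rule["src"]]
        if not any(s is None or user in s for s in src_sets):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if _host_matches(host, dst_ip, peers) and _port_matches(ports, port):
                return True
    return False


def compile_for_peer(policy, peers, dst_ip):
    """Flatten the policy into the allowlist one peer would enforce locally:
    sorted (identity, port_spec) pairs, with '*' standing for any identity.
    This is the per-peer firewall view of a group/tag policy."""
    groups = policy.get("groups", {})
    out = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if not _host_matches(host, dst_ip, peers):
                continue
            for src in rule["src"]:
                users = _expand_src(src, groups)
                for u in (users if users is not None else {"*"}):
                    out.add((u, ports))
    return sorted(out)


if __name__ == "__main__":
    print(is_allowed(POLICY, PEERS, "alice@example.com", "10.0.0.5", 22))
    for dst in PEERS:
        print(dst, compile_for_peer(POLICY, PEERS, dst))
```

The design point is that the policy is written once in terms of groups and tags and stays default-deny; adding a host only requires tagging it, and the per-peer allowlists fall out of `compile_for_peer`. With hand-written per-peer rules, each new host or identity is a manual edit on every affected peer, which is where drift creeps in.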

What NexGuard does better

Pricing for small teams. Tailscale's free tier is 3 users / 100 devices, and the moment you need a fourth user you jump to $6/user/month. For a 10-person company that's $60/month. Our self-hosted free tier is 5 devices per server, and our paid plans start at $9 per server, not per user. If you have 10 people on one server, that's $9 instead of $60.

Self-hosting story. Tailscale has Headscale (community-built control server) but it is not officially supported. NexGuard's control plane runs on your Linux box. The relay (for fallback when direct fails) is ours, but the actual VPN traffic only flows through it when WireGuard direct fails. For most teams, after the first connection, traffic is peer-to-peer.

No mandatory SSO. To use Tailscale you need a Google, Microsoft, GitHub, or Okta account. Our token-based model lets you onboard people who do not have any of those, which matters more than I expected. We have customers whose IT policy forbids OAuth providers entirely.

Server resource usage. We benchmarked both at 50 peers on a 4GB Hetzner box. Tailscale's tailscaled used about 180MB resident. Our vpn-server used about 14MB. If you are running this on a small VPS alongside other services, that matters.

Outbound-only mode. NexGuard's relay mode means our customers can run the VPN server on machines that have no inbound ports open at all. The server reaches out to our tunnel server. Tailscale can do something similar with Funnel and DERP, but the model is different — you still need an account that can authorize devices.

Where they're roughly equal

Setup time. Both are a curl-pipe-bash. Both work in 30 seconds.

Connection quality on home/office networks. Indistinguishable for most users.

WireGuard cryptography. Same protocol underneath. Same level of confidence.

Who should pick which

Pick Tailscale if:
- You have a globally distributed remote team and need bulletproof NAT traversal
- You want MagicDNS and an iOS/Android app today
- You already use SSO and want users to log in with Google/Okta
- You don't mind paying per-user as you scale

Pick NexGuard if:
- You have a small team and per-user pricing feels wrong for your use case
- You want to fully self-host the control plane
- You need to give access to people without SSO accounts (contractors, vendors)
- You're running on small/cheap VPSes and care about resource overhead
- You want simple email-based invites that produce a token

The migration

It took about four hours. We exported peer keys from Tailscale (well, regenerated them — Tailscale doesn't expose private keys), set up our own server, sent invites, and let people connect on their schedule. We ran both in parallel for two weeks before turning Tailscale off.

The hardest part was changing one team member's muscle memory — they kept typing the old MagicDNS hostnames. We added /etc/hosts entries on their machines as a workaround.
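The /etc/hosts workaround above is easy to get wrong by hand (duplicate lines, stale addresses, nothing to clean up later). As an added example, not NexGuard tooling, here is an idempotent helper that rewrites the managed entries, leaves every other line untouched, and tags its own lines with a marker so they can be removed after the migration. It assumes you pass the file path explicitly (so you can rehearse on a copy) and that the VPN-assigned addresses are stable; the marker string and the sample file contents are constructed.

```python
"""Idempotent hosts-file helper for the MagicDNS-hostname workaround.
Added example for this post, not NexGuard tooling. Assumes the caller passes
the hosts file path explicitly (so it can be rehearsed on a copy) and that the
VPN-assigned addresses are stable; re-run it whenever they change."""
from pathlib import Path

# Hypothetical tag appended to every line this script owns, so the entries
# can be located and removed once the old hostnames are no longer needed.
MARKER = "# managed-by: vpn-migration"


def render_hosts(existing, entries):
    """Return new hosts-file text for {hostname: ip} entries.

    Lines carrying MARKER are dropped and regenerated. Any other line that
    maps one of the managed hostnames loses just that name (so a line like
    '127.0.0.1 localhost server-name' keeps 'localhost'); lines left with no
    names are removed. Everything else is preserved as-is.
    """
    managed = set(entries)
    kept = []
    for line in existing.splitlines():
        if MARKER in line:
            continue
        body, sep, comment = line.partition("#")
        fields = body.split()
        names = [n for n in fields[1:] if n not in managed]
        if fields and len(names) != len(fields) - 1:
            if not names:
                continue
            line = " ".join([fields[0]] + names)
            if sep:
                line += " " + sep + comment
        kept.append(line)
    new = [f"{ip}\t{host}\t{MARKER}" for host, ip in sorted(entries.items())]
    return "\n".join(kept + new) + "\n"


def remove_managed(existing):
    """Strip every MARKER line; used to clean up after the migration."""
    return "\n".join(ln for ln in existing.splitlines() if MARKER not in ln) + "\n"


def update_hosts_file(path, entries):
    """Rewrite the file at path in place (needs root for the real /etc/hosts)."""
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    p.write_text(render_hosts(text, entries))


# Constructed sample input standing in for a team member's existing file.
SAMPLE = "127.0.0.1 localhost server-name\n10.1.1.1 server-name  # old VPN\n"

if __name__ == "__main__":
    print(render_hosts(SAMPLE, {"server-name": "10.2.2.2"}), end="")
```

Running it twice with the same entries produces the same file, so it can sit in a config-management run without accumulating duplicates, and `remove_managed` takes the entries back out once people have stopped typing the old names.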

We're not telling Tailscale users to switch. If Tailscale works for you, keep using it — they have built something genuinely impressive. But if you've been quietly frustrated by the per-user pricing or the SSO requirement or the lack of a real self-hosted story, NexGuard might fit better.