By James Aspinwall, co-written by Alfred Pennyworth (my trusted AI) — February 27, 2026, 23:35
If you’ve ever set up a traditional VPN, you know the pain: port forwarding, firewall rules, certificate management, NAT traversal headaches, and that one config file you copy-pasted from Stack Overflow three years ago. Tailscale throws all of that away and gives you something that feels like magic — but is actually just good engineering on top of WireGuard.
What Traditional VPNs Actually Do
A traditional VPN (OpenVPN, IPSec, L2TP) creates an encrypted tunnel between your device and a central server. All your traffic flows through that server. This is the hub-and-spoke model:
```
Device A ──────► VPN Server ──────► Device B
Device C ──────► VPN Server ──────► Device D
```
Every packet between A and B takes a detour through the server, even if A and B are sitting on the same desk. The server is the single point of failure, the bottleneck, and the thing you have to maintain.
Key characteristics of traditional VPNs:
- Centralized architecture — one server handles all connections
- All traffic routes through the VPN server (unless you configure split tunneling)
- You manage certificates, keys, and user configs manually
- NAT traversal is your problem
- Scaling means bigger servers or more complex infrastructure
What Tailscale Does Differently
Tailscale builds a mesh network using WireGuard under the hood. Instead of routing through a central server, devices connect directly to each other:
```
Device A ◄──────────────► Device B
    ▲                          ▲
    │                          │
    ▼                          ▼
Device C ◄──────────────► Device D
```
Every device gets a stable IP (in the 100.x.x.x range), and connections are peer-to-peer. Tailscale’s coordination server only handles key exchange and discovery — your actual data never touches their infrastructure.
The Five Real Differences
1. Mesh vs. Hub-and-Spoke
Traditional VPNs funnel everything through a gateway. Tailscale creates direct WireGuard tunnels between devices. If your laptop in Vietnam needs to reach your server in New York, the traffic goes directly between them — not through some intermediary in Frankfurt.
2. Zero Configuration NAT Traversal
This is where Tailscale earns its reputation. It uses a combination of STUN, DERP (Designated Encrypted Relay for Packets), and hole punching to get through NATs and firewalls without you touching a single router setting. In 95%+ of cases, it establishes a direct connection. When it can’t, DERP relays step in — but even then, the relay only sees encrypted WireGuard packets.
Traditional VPNs? You’re opening ports, configuring port forwarding, and praying your ISP doesn’t use CGNAT.
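A quick way to check the "95%+ direct" claim on your own tailnet is to see which peers are still riding a DERP relay. This added Python example (not code from the post or from Tailscale) parses a constructed sample of `tailscale status --json` output; it assumes a non-empty `CurAddr` means a direct WireGuard endpoint is in use and an empty one with a `Relay` region means the DERP path is being used.

```python
import json

# Constructed sample of `tailscale status --json` output, trimmed to the
# fields this check needs (real output carries many more).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        # Relay is the peer's home DERP region; CurAddr set => direct path
        "nodekey:aaaa": {"HostName": "nyc-server", "TailscaleIPs": ["100.64.0.3"],
                         "Online": True, "CurAddr": "203.0.113.10:41641", "Relay": "nyc"},
        # no CurAddr => hole punching failed, traffic goes via DERP "fra"
        "nodekey:bbbb": {"HostName": "cgnat-box", "TailscaleIPs": ["100.64.0.7"],
                         "Online": True, "CurAddr": "", "Relay": "fra"},
        "nodekey:cccc": {"HostName": "old-phone", "TailscaleIPs": ["100.64.0.9"],
                         "Online": False, "CurAddr": "", "Relay": ""},
    },
})


def classify_peers(status_json: str) -> dict[str, str]:
    """Map each online peer's hostname to 'direct' or 'relay:<region>'.

    Assumption: CurAddr non-empty means a direct endpoint is in use; empty
    CurAddr means packets are relayed through the DERP region in Relay.
    Offline peers are skipped since they have no path at all.
    """
    status = json.loads(status_json)
    paths = {}
    for peer in status.get("Peer", {}).values():
        if not peer.get("Online"):
            continue
        if peer.get("CurAddr"):
            paths[peer["HostName"]] = "direct"
        else:
            paths[peer["HostName"]] = f"relay:{peer.get('Relay') or 'unknown'}"
    return paths


def relayed_peers(status_json: str) -> list[str]:
    """Peers worth a look (strict firewall, CGNAT): they never got a direct path."""
    return sorted(host for host, path in classify_peers(status_json).items()
                  if path.startswith("relay:"))


if __name__ == "__main__":
    for host, path in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:12} {path}")
```

For a live check, `tailscale status` marks relayed peers in its text output and `tailscale ping <host>` reports whether replies came direct or via DERP.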
3. Identity-Based, Not IP-Based
Traditional VPNs authenticate you and then trust your IP. Tailscale ties everything to identity (Google, Microsoft, GitHub, or OIDC). Access control is about who you are, not what IP you got assigned. Their ACL system lets you write rules like “the engineering team can reach the database servers” instead of “10.0.1.0/24 can reach 10.0.2.5:5432.”
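To make the identity-versus-IP point concrete, here is an added Python example (not the post's code and not Tailscale's real policy engine) that evaluates a constructed Tailscale-style policy against a constructed node inventory. It models only `groups` and accept-only `acls` with default deny, and the same function evaluates both the group/tag rule and the `10.0.1.0/24` style rule from the text, so you can see that the identity rule follows the user when their address changes while the CIDR rule trusts whoever holds the address.

```python
import ipaddress

# Constructed Tailscale-style policy (real files are HuJSON with more sections);
# only "groups" and accept-only "acls" are modelled here.
POLICY = {
    "groups": {"group:engineering": ["alice@example.com", "bob@example.com"]},
    "acls": [
        # identity-based: engineering may reach any node tagged tag:db on 5432
        {"action": "accept", "src": ["group:engineering"], "dst": ["tag:db:5432"]},
        # the IP-based rule from the text, kept for comparison
        {"action": "accept", "src": ["10.0.1.0/24"], "dst": ["10.0.2.5:5432"]},
    ],
}

# Constructed inventory: the identity (login user or tags) behind each address.
NODES = {
    "100.64.0.3": {"user": None, "tags": ["tag:db"]},
    "100.64.0.5": {"user": "alice@example.com", "tags": []},
    "100.64.0.9": {"user": "mallory@example.com", "tags": []},
    "10.0.1.40": {"user": "mallory@example.com", "tags": []},
}


def _identities(policy, nodes, ip):
    """Every selector a node answers to: its IP, login user, tags and groups."""
    node = nodes.get(ip, {"user": None, "tags": []})
    ids = {ip, *node["tags"]}
    if node["user"]:
        ids.add(node["user"])
        ids.update(g for g, members in policy["groups"].items() if node["user"] in members)
    return ids


def _matches(selector, ip, ids):
    if selector == "*" or selector in ids:
        return True
    if "/" in selector:  # CIDR selector: matches by address alone
        return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)
    return False


def allowed(policy, nodes, src_ip, dst_ip, port):
    """Default deny: True only if some accept rule matches src and dst:port."""
    src_ids = _identities(policy, nodes, src_ip)
    dst_ids = _identities(policy, nodes, dst_ip)
    for rule in policy["acls"]:
        if rule["action"] != "accept" or not any(_matches(s, src_ip, src_ids) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            target, _, dport = dst.rpartition(":")  # "tag:db:5432" -> "tag:db", "5432"
            if dport in ("*", str(port)) and _matches(target, dst_ip, dst_ids):
                return True
    return False
```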
4. No Server to Maintain
With OpenVPN or raw WireGuard, you’re running and patching a server. Tailscale’s coordination server is SaaS — you install the client, authenticate, and you’re on the network. The control plane is theirs; the data plane is yours.
5. MagicDNS
Every device on your tailnet gets a DNS name automatically. Instead of remembering 100.64.0.3, you just use my-server.tail1234.ts.net. No DNS server to configure, no /etc/hosts hacks.
When You Still Want a Traditional VPN
Tailscale isn’t always the answer:
- Privacy/anonymity — If you want to mask your IP from websites, you need an exit node or a traditional VPN provider. Tailscale can do exit nodes, but that’s not its primary purpose.
- Site-to-site with legacy gear — If you’re connecting to a corporate network that speaks IPSec and nothing else, Tailscale can’t help.
- Full traffic interception — Some organizations need to inspect all employee traffic for compliance. Hub-and-spoke VPNs make this easy. Tailscale’s mesh model makes it harder (by design).
- Air-gapped or offline environments — Tailscale needs to reach its coordination server for key exchange. No internet, no tailnet.
The WireGuard Connection
Tailscale is not a VPN protocol — it’s an orchestration layer on top of WireGuard. WireGuard does the encryption (ChaCha20, Curve25519, BLAKE2s). Tailscale handles everything else: key distribution, NAT traversal, access control, DNS, and device management.
You could set up raw WireGuard and get the same encryption and performance. What you wouldn’t get is the automatic peer discovery, NAT traversal, identity-based ACLs, and the ability to add a new device in 30 seconds.
Quick Comparison
| | Traditional VPN | Tailscale |
|---|---|---|
| Architecture | Hub-and-spoke | Mesh (peer-to-peer) |
| Protocol | OpenVPN, IPSec, L2TP | WireGuard |
| NAT traversal | Manual port forwarding | Automatic (STUN/DERP) |
| Authentication | Certificates/passwords | SSO (Google, GitHub, OIDC) |
| Encryption | Varies by protocol | WireGuard (ChaCha20) |
| Server maintenance | You manage it | SaaS control plane |
| DNS | Manual configuration | MagicDNS (automatic) |
| Scaling | Bigger servers | Just add devices |
| Latency | Extra hop through server | Direct peer connections |
| Self-hostable | Yes | Partially (Headscale) |
The Headscale Option
If the idea of Tailscale’s coordination server being hosted by someone else bothers you, Headscale is an open-source, self-hosted implementation of the Tailscale control server. You get the same mesh networking, same WireGuard tunnels, same NAT traversal — but you own the coordination layer. The trade-off is you’re back to maintaining infrastructure, which is exactly what Tailscale was trying to save you from.
Bottom Line
Tailscale solved the hardest part of networking — making devices find and talk to each other securely without configuration. Traditional VPNs give you a tunnel. Tailscale gives you a network. If you’re connecting a handful of devices, servers, or containers across different locations and you’re tired of fighting NAT, Tailscale is the tool. If you need to funnel all corporate traffic through a chokepoint for inspection, stick with the traditional approach.
The best part? Tailscale’s free tier covers up to 100 devices and 3 users. That’s enough to try it with zero commitment and decide for yourself.