---
marp: true
theme: gaia
class: invert
paginate: true
---
VPN Without Vendor Lock-in
FLOSS Solutions for Secure Networking
MakerFLOSS · June 2026
Why VPNs?
Remote Access — Securely connect to your home/office network from anywhere
Site-to-Site — Link multiple locations into one virtual network
Zero Trust — Replace traditional perimeter security with identity-based access
Privacy — Encrypt traffic on untrusted networks
Traditional vs Modern VPNs
| Aspect | Traditional (IPSec, OpenVPN) | Modern (WireGuard-based) |
|---|---|---|
| Codebase | 100k+ lines | ~4,000 lines |
| Speed | Good | Excellent |
| Configuration | Complex | Simple |
| Cryptography | Configurable (risk) | Fixed, modern |
| NAT traversal | Tricky | NAT-friendly (UDP + keepalive), but no hole punching or coordination |
| Battery/CPU | Higher overhead | Minimal |
WireGuard changed the landscape in 2020 when it was merged into the Linux kernel (5.6).
The Landscape at a Glance
| Solution | Type | Self-host | Fully FLOSS | NAT punch | UI |
|---|---|---|---|---|---|
| WireGuard | Protocol | N/A | ✓ | Manual | ✗ |
| Pangolin | Reverse proxy | ✓ | ✓ | Via Gerbil | ✓ |
| Tailscale | Mesh VPN | Partial | ✗ | DERP | ✓ |
| Netbird | Mesh VPN | ✓ | ✓ | STUN/TURN | ✓ |
NAT Traversal Techniques
Gerbil (Pangolin) The public-facing WireGuard endpoint on the Pangolin server. Newt agents on internal networks connect outbound to Gerbil, so no inbound port is needed on the site; the proxy then forwards requests through those tunnels.
DERP (Tailscale) Designated Encrypted Relay for Packets — Tailscale-operated relay servers (the relay implementation itself is open source, but the fleet is Tailscale's). Used when direct peer-to-peer fails. Traffic stays WireGuard-encrypted end-to-end; relays see only ciphertext.
NAT Traversal Techniques
STUN/TURN (Netbird, standard)
- STUN: Discovers your public IP and port mapping — enables direct connections
- TURN: Relay fallback when direct connection impossible (strict NAT/firewall)
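The STUN half of that list, as an added example (not Netbird or coturn code): a Binding Request and the server's Binding Response are built and parsed offline, so the exchange runs without a network. The mapped address 203.0.113.5:40000 and the fixed transaction ID are constructed inputs; the XOR with the magic cookie is what RFC 5389 specifies for XOR-MAPPED-ADDRESS.

```python
# Added example (not Netbird or coturn code): a minimal STUN Binding exchange
# (RFC 5389) built and parsed offline. The "server" reply is constructed here
# to show how XOR-MAPPED-ADDRESS carries the ip:port the NAT assigned.
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def binding_request(txid: bytes = b"") -> bytes:
    """Client -> server: 20-byte header (type, length, cookie, txid), no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server -> client: echoes txid and reports the source ip:port it saw, XORed
    with the magic cookie so NAT ALGs that rewrite literal IPs in payloads miss it."""
    addr = int.from_bytes(bytes(map(int, ip.split("."))), "big")
    body = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(body)) + body
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def parse_reflexive(resp: bytes, expected_txid: bytes):
    """Client: validate the header, find XOR-MAPPED-ADDRESS, undo the XOR.
    Returns (ip, port) or None for anything malformed, stale or not ours."""
    if len(resp) < 20:
        return None
    mtype, length, cookie, txid = struct.unpack("!HHI12s", resp[:20])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or txid != expected_txid:
        return None                           # wrong type, not STUN, or spoofed/stale reply
    if len(resp) != 20 + length:
        return None                           # truncated or trailing garbage
    pos = 20
    while pos + 4 <= len(resp):
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if len(val) != alen:
            return None
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and val[1] == 0x01:   # IPv4 family
            xport, xaddr = struct.unpack("!HI", val[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            addr = (xaddr ^ MAGIC_COOKIE).to_bytes(4, "big")
            return ".".join(map(str, addr)), port
        pos += 4 + ((alen + 3) & ~3)          # attributes are padded to 4 bytes
    return None


def demo() -> tuple:
    """Constructed exchange: the NAT mapped this client to 203.0.113.5:40000 (TEST-NET-3)."""
    txid = bytes(range(12))                   # fixed transaction id for reproducibility
    req = binding_request(txid)
    resp = binding_response(txid, "203.0.113.5", 40000)
    return req, resp, parse_reflexive(resp, txid)


if __name__ == "__main__":
    request, response, reflexive = demo()
    print("request:", request.hex())
    print("response:", response.hex())
    print("reflexive address:", reflexive)
```

The transaction-ID check is the only thing that ties a reply to the request you sent; a client that skips it will happily accept a spoofed UDP datagram claiming any mapping, which is why the parser rejects mismatches rather than logging them.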
WireGuard — The Foundation
WireGuard is a protocol, not a product. It's the building block the others use.
Key properties:
- In-kernel since Linux 5.6 (2020)
- ~4,000 lines of code — auditable
- Cryptographically opinionated: Curve25519, ChaCha20-Poly1305, BLAKE2s; no cipher negotiation
- Silent by default — no response to unauthenticated packets
- Roaming — endpoints can change IP seamlessly
WireGuard — How It Works
```mermaid
graph LR
    subgraph "Peer A (10.0.0.1)"
        A[wg0 interface]
    end
    subgraph "Peer B (10.0.0.2)"
        B[wg0 interface]
    end
    A <-->|"encrypted UDP"| B
```
Each peer has:
- A private key (never leaves the device)
- A public key (shared with peers)
- An allowed IPs list (what traffic goes through the tunnel)
No central server required — but someone has to distribute configs.
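What "someone has to distribute configs" looks like in practice, as an added example (not WireGuard project code): key generation, a hub-and-spoke config pair, and the AllowedIPs rule that decides which peer key a packet is encrypted to and whether a decrypted packet is accepted. The X25519 ladder is a straight transcription of RFC 7748 for illustration; it is not constant-time, so real keys come from `wg genkey | wg pubkey`. The endpoint hostname and 10.0.0.0/24 addressing are assumptions.

```python
# Added example (not WireGuard project code): generate WireGuard keys with a
# pure-Python X25519 (RFC 7748), render a hub-and-spoke config pair, and model
# the AllowedIPs "cryptokey routing" rule. The ladder below is NOT constant-time;
# it is here to show what `wg genkey | wg pubkey` computes, not to replace it.
import base64
import ipaddress
import secrets

P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31        # u = 9, the X25519 generator


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 section 5); 32-byte output."""
    kb = bytearray(k)
    kb[0] &= 248                           # clamp: clear the low 3 bits ...
    kb[31] = (kb[31] & 127) | 64           # ... clear bit 255, set bit 254
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):           # Montgomery ladder, one step per bit
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(private: bytes = b"") -> tuple:
    """(private, public) as the base64 strings used in wg0.conf; public = priv * basepoint."""
    private = private or secrets.token_bytes(32)
    public = x25519(private, BASEPOINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def render(priv_b64: str, address: str, listen_port, peers: list) -> str:
    """Emit a wg-quick style config; each [Peer] carries that peer's public key."""
    out = ["[Interface]", f"PrivateKey = {priv_b64}", f"Address = {address}"]
    if listen_port:
        out.append(f"ListenPort = {listen_port}")
    for p in peers:
        out += ["", "[Peer]", f"PublicKey = {p['pub']}",
                f"AllowedIPs = {', '.join(p['allowed'])}"]
        if p.get("endpoint"):
            out.append(f"Endpoint = {p['endpoint']}")
        if p.get("keepalive"):                 # keeps the NAT mapping open for a spoke
            out.append(f"PersistentKeepalive = {p['keepalive']}")
    return "\n".join(out) + "\n"


def select_peer(dst: str, peers: list):
    """Outbound cryptokey routing: the longest AllowedIPs prefix picks the peer key."""
    best = None
    for p in peers:
        for net in map(ipaddress.ip_network, p["allowed"]):
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (p["pub"], net.prefixlen)
    return best[0] if best else None


def accept_inbound(src: str, peer: dict) -> bool:
    """Inbound: after decryption, the inner source IP must lie in that peer's AllowedIPs."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in peer["allowed"])


def build_example() -> dict:
    """Hub with a public endpoint (hypothetical hostname) plus one spoke behind NAT."""
    hub_priv, hub_pub = keypair()
    spoke_priv, spoke_pub = keypair()
    hub_peers = [{"pub": spoke_pub, "allowed": ["10.0.0.2/32"]}]
    spoke_peers = [{"pub": hub_pub, "allowed": ["10.0.0.0/24"],
                    "endpoint": "vpn.example.invalid:51820", "keepalive": 25}]
    return {"hub_conf": render(hub_priv, "10.0.0.1/24", 51820, hub_peers),
            "spoke_conf": render(spoke_priv, "10.0.0.2/24", None, spoke_peers),
            "hub_pub": hub_pub, "spoke_pub": spoke_pub,
            "hub_peers": hub_peers, "spoke_peers": spoke_peers}


if __name__ == "__main__":
    ex = build_example()
    print(ex["hub_conf"])
    print(ex["spoke_conf"])
```

Note that AllowedIPs is both a route and an access-control list: the hub lists only 10.0.0.2/32 for the spoke, so a packet arriving on that tunnel with any other source address is dropped before it reaches the routing table. The mesh products below automate exactly this bookkeeping (keys, endpoints, AllowedIPs) across many peers.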
WireGuard — Pros and Cons
Pros
- Blazing fast, low latency
- Simple config files
- Kernel-level performance
- Battle-tested cryptography
Cons
- No built-in key distribution
- No NAT traversal coordination
- No access control policies
- No management UI
Best for: sysadmins who want full control, site-to-site links
Pangolin — Self-Hosted Reverse Proxy
Pangolin is a reverse proxy and tunneling solution, not a traditional VPN.
Architecture:
- Pangolin — Central server with web UI and proxy
- Gerbil — Public-facing WireGuard endpoint that Newt agents connect out to (this is what makes NAT a non-issue)
- Newt — Agent on each client (creates WireGuard tunnel)
Use case: Expose internal services to the internet securely without opening ports.
Pangolin — Architecture
```mermaid
graph TB
    Internet[Internet] --> Gerbil[Gerbil Proxy]
    Gerbil --> Pangolin[Pangolin Server]
    Pangolin --> Newt1[Newt Agent]
    Pangolin --> Newt2[Newt Agent]
    Newt1 --> Service1[Internal Service]
    Newt2 --> Service2[Internal Service]
```
Traffic flows: Internet → Gerbil → Pangolin → Newt → your service
No port forwarding is needed where Newt runs: it connects outbound to the public server, and only that server needs an open port.
Pangolin — Pros and Cons
Pros
- Fully self-hosted and FLOSS (Apache 2.0)
- Web UI for managing sites and users
- Automatic HTTPS via Let's Encrypt
- Works behind any NAT
- SSO integration (OIDC)
Cons
- Not a mesh VPN — hub-and-spoke only
- Relatively new project
- Requires a public-facing server
Best for: exposing self-hosted services, homelab access
Tailscale — The Polished Option
Tailscale builds a mesh VPN on top of WireGuard with zero configuration.
How it works:
- Coordination server distributes keys and handles NAT traversal
- Devices connect directly when possible (peer-to-peer)
- Falls back to DERP relays when direct connection fails
- MagicDNS provides automatic DNS for all devices
Tailscale — Architecture
```mermaid
graph TB
    Coord[Coordination Server] -.->|key exchange| A
    Coord -.->|key exchange| B
    Coord -.->|key exchange| C
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    A <-->|"via DERP relay"| C[Device C]
    DERP[DERP Relay] --> C
```
Direct connections when possible, relayed when behind strict NAT.
Tailscale — Pros and Cons
Pros
- Zero-config setup — just install and sign in
- Excellent NAT traversal
- Cross-platform (Linux, macOS, Windows, iOS, Android)
- MagicDNS and HTTPS certificates
- ACLs and SSO
Cons
- Coordination server is not open source
- Free tier limited; business features require subscription
- Vendor lock-in concern
Alternative: Headscale — FLOSS coordination server (community project)
Netbird — Self-Hosted Mesh VPN
Netbird is a fully FLOSS alternative to Tailscale with self-hosting support.
Components:
- Management Server — handles key distribution, ACLs
- Signal Server — coordinates peer connections
- STUN/TURN — NAT traversal (coturn)
- Netbird Agent — runs on each device
Netbird — Architecture
```mermaid
graph TB
    Mgmt[Management Server] -.->|policies, keys| A
    Mgmt -.->|policies, keys| B
    Signal[Signal Server] -.->|peer discovery| A
    Signal -.->|peer discovery| B
    A[Device A] <-->|"direct WireGuard"| B[Device B]
    TURN[TURN Relay] -.->|fallback| A
```
Self-host everything or use their managed service.
Netbird — Pros and Cons
Pros
- Fully FLOSS (BSD-3-Clause)
- Self-hostable control plane
- Web UI for management
- SSO integration (OIDC, SAML)
- Network policies and ACLs
- Built-in reverse proxy (v0.65+) — expose services publicly like Pangolin
- Active development
Cons
- Self-hosting the control plane (management, signal, STUN/TURN, IdP) takes real work compared with just installing Tailscale
- Younger project than Tailscale
- Smaller community
Best for: organizations wanting Tailscale-like UX with full control
Detailed Comparison
| Feature | WireGuard | Pangolin | Tailscale | Netbird |
|---|---|---|---|---|
| License | GPL | Apache 2.0 | Proprietary* | BSD-3 |
| Self-host control plane | N/A | ✓ | Via Headscale | ✓ |
| Mesh networking | Manual | ✗ | ✓ | ✓ |
| NAT traversal | Manual | ✓ (Gerbil) | ✓ (DERP) | ✓ (STUN/TURN) |
| Web UI | ✗ | ✓ | ✓ | ✓ |
| SSO (OIDC/SAML) | ✗ | ✓ | ✓ | ✓ |
| ACLs / Policies | ✗ | ✓ | ✓ | ✓ |
| Reverse proxy mode | ✗ | ✓ | ✓ (Serve/Funnel) | ✓ (v0.65+) |
*Tailscale clients are open source, coordination server is not.
Which Should You Choose?
WireGuard directly — Full control, simple site-to-site, technical users
Pangolin — Expose services publicly, homelab, reverse proxy use case
Tailscale — Easiest setup, don't mind some vendor dependency
Tailscale + Headscale — Tailscale UX with self-hosted control plane
Netbird — Full FLOSS, mesh VPN + reverse proxy, organization with SSO needs
MakerFLOSS Lab Context
From our lab design, we plan to use Netbird for:
- Remote access to lab services from outside
- Connecting VPS to local infrastructure via tunnel
- Zero-trust access to pre-production zone
```mermaid
graph LR
    VPS -.->|Netbird| FLOSSFirewall
```
Self-hosted on our infrastructure, integrated with Authentik for SSO.
Resources
| Resource | Link |
|---|---|
| WireGuard | wireguard.com |
| Pangolin | github.com/fosrl/pangolin |
| Tailscale | tailscale.com |
| Headscale | github.com/juanfont/headscale |
| Netbird | netbird.io |
| Netbird GitHub | github.com/netbirdio/netbird |
Questions?
Slides made with Marp