Overlay VPN infodump
What are Overlay VPNs?
Overlay VPNs are a type of Virtual Private Network (VPN) that build a virtual network on top of whatever internet connectivity happens to be present. In practice that means a remote or local user can reach something like a web server without the web server ever being exposed to the internet: it is reachable only from inside the overlay. Many overlay VPNs can also tunnel all of a device's internet traffic like a traditional VPN, but that isn't required.
What is WireGuard?
WireGuard is a VPN protocol that establishes a layer 3 tunnel between a set of peers. It runs over UDP, and authentication is configured statically: each peer is identified by its public key, and on each end you list the remote peer's public key together with the IP ranges (AllowedIPs) that peer is allowed to send from and that you want routed to it. It is fast and has a small attack surface because it deliberately has few features and a fixed set of cryptographic primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) rather than negotiable cipher suites. Traffic is encrypted on one end and decrypted on the other with session keys derived from the configured key pairs.
The major drawback of WireGuard is that it has no user management or user authentication layer of the kind OpenVPN and similar protocols provide (usernames and passwords, certificates, an identity provider). A peer is a public key and nothing more, and distributing and revoking those keys is left entirely to you. It is purely a layer 3 tunnel for transmitting packets.
The role of overlay VPN services
Some of the more open overlay VPN services use WireGuard as the underlying protocol. In these products the client software and the upstream coordination service handle the things WireGuard itself leaves out: who is allowed to talk to whom, assigning overlay IP addresses, distributing public keys, and NAT/firewall traversal (hole punching, with relays as a fallback). Many overlay network services want tight access controls without giving up performance, which is why WireGuard is so commonly the data plane. The overlay software talks to WireGuard and tells it which keys, addresses and routes to use; WireGuard itself never learns anything about users or policy.
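The two sections above describe a division of labour: WireGuard enforces "public key X may send from, and receives traffic for, these addresses", and the overlay controller computes that peer table for every node. The following is an added example written for this page, not WireGuard's code or any vendor's. It models the controller's output for one node and WireGuard's cryptokey routing on top of it. The fleet (laptop, web server, branch subnet router), the 100.64.0.0/10 overlay addresses, the example.net-style public endpoints and the PUBKEY_* strings are all constructed placeholders, not real Curve25519 keys or real hosts.

```python
"""Cryptokey routing in miniature (added example, not WireGuard's or any
overlay vendor's code).

WireGuard identifies a peer solely by its static public key and attaches an
AllowedIPs list to that key. That one list does two jobs: outbound, it is
the routing table (longest-prefix match picks the peer); inbound, it is an
ACL (a packet that decrypts under peer X but carries an inner source address
outside X's AllowedIPs is dropped). An overlay controller does not change
this; it only computes each node's peer list and hands it to WireGuard.
All keys below are placeholder strings, not real 32-byte Curve25519 keys.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Node:
    name: str
    public_key: str                  # placeholder; real keys are base64 of 32 bytes
    overlay_ip: str                  # address inside the overlay, e.g. 100.64.0.2
    endpoint: Optional[str] = None   # public ip:port, None if only reachable via NAT traversal
    routes: tuple = ()               # extra subnets this node advertises (subnet router)


def allowed_ips_for(node):
    """What every *other* node must list under [Peer] AllowedIPs for this node."""
    return [ip_network(node.overlay_ip + "/32")] + [ip_network(r) for r in node.routes]


def peer_table(me, fleet):
    """The controller's output for `me`: pubkey -> (endpoint, AllowedIPs)."""
    return {n.public_key: (n.endpoint, allowed_ips_for(n)) for n in fleet if n is not me}


def route_outbound(table, dst):
    """Longest-prefix match over all peers' AllowedIPs; None means no peer owns dst."""
    addr = ip_address(dst)
    best_key, best_len = None, -1
    for key, (_, nets) in table.items():
        for net in nets:
            # `in` is False across address families, so v4/v6 never mix.
            if addr in net and net.prefixlen > best_len:
                best_key, best_len = key, net.prefixlen
    return best_key


def accept_inbound(table, sender_key, inner_src):
    """Post-decryption check: the inner source must be inside the *sender's* AllowedIPs.
    This is what stops an authenticated peer from spoofing another peer's address."""
    entry = table.get(sender_key)
    if entry is None:
        return False  # unknown key: the handshake would already have failed
    return any(ip_address(inner_src) in net for net in entry[1])


def render_wg_quick(me, table, private_key_placeholder, listen_port=51820):
    """Emit a wg-quick style config. In a real overlay the controller's agent
    writes this (or pushes the same data over netlink) instead of a human."""
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key_placeholder}",
        f"Address = {me.overlay_ip}/32",
        f"ListenPort = {listen_port}",
        "",
    ]
    for key, (endpoint, nets) in table.items():
        lines += ["[Peer]", f"PublicKey = {key}"]
        if endpoint:  # a NAT-only peer has no fixed Endpoint; roaming fills it in later
            lines.append(f"Endpoint = {endpoint}")
        lines.append("AllowedIPs = " + ", ".join(str(n) for n in nets))
        lines.append("")
    return "\n".join(lines)


# Constructed fleet: a laptop behind NAT, a directly reachable web server,
# and a branch-office box that also routes 10.20.0.0/16 into the overlay.
FLEET = [
    Node("laptop", "PUBKEY_LAPTOP", "100.64.0.1"),
    Node("web", "PUBKEY_WEB", "100.64.0.2", endpoint="203.0.113.10:51820"),
    Node("branch", "PUBKEY_BRANCH", "100.64.0.3", endpoint="198.51.100.7:51820",
         routes=("10.20.0.0/16",)),
]
LAPTOP = FLEET[0]
LAPTOP_TABLE = peer_table(LAPTOP, FLEET)

if __name__ == "__main__":
    print(render_wg_quick(LAPTOP, LAPTOP_TABLE, "PRIVKEY_LAPTOP"))
    print("10.20.5.9 goes to:", route_outbound(LAPTOP_TABLE, "10.20.5.9"))
    print("web spoofing branch's address accepted?",
          accept_inbound(LAPTOP_TABLE, "PUBKEY_WEB", "100.64.0.3"))
```

The point to take from the inbound check is that "authenticated" and "authorized" are the same decision in WireGuard: a peer that decrypts correctly is only believed for the addresses its AllowedIPs grant it, so the controller's job of getting that list right is the whole access-control story. The real kernel implementation also keeps each AllowedIPs entry on exactly one peer, so two nodes claiming the same route is a configuration conflict the controller has to resolve, not something WireGuard will arbitrate.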
To learn more about NAT traversal check out the nice write up from Tailscale: https://tailscale.com/blog/how-nat-traversal-works
Mainstream overlay VPN services
Tailscale
Tailscale is the most popular, since it was the first to offer a user-friendly commercial overlay network service. It offers tight controls and many useful features, such as managed reverse proxies. The biggest downside with Tailscale is that it is complex to manage, since ACLs are written in a policy file (HuJSON) rather than configured in a GUI. Tailscale also does so many different things that it can be overwhelming to use for basic tasks. From an open source/libre perspective, Tailscale's clients are fully open source but the coordination server is proprietary. You can still self-host via a third-party project called Headscale, but it is unofficial (although Tailscale does contribute to it).
Netbird
Netbird is similar to Tailscale but has a much smaller learning curve, since everything is configured through the GUI. The company is both younger and smaller, but its focus on simplicity has made it increasingly popular. The target audience seems to be people with less in-depth technical knowledge who want a service that is simple to manage. The Netbird server software is also fully open source/libre and self-hostable, so you can run the whole thing on your own hardware. This streamlined approach makes Netbird easier to work with, even though it doesn't have as many features or integrations as Tailscale.
Other services and software
Hyprspace
Hyprspace is an interesting project on GitHub that provides an overlay VPN on top of the libp2p framework. It isn't really a fully developed product, since it is a side project for the primary developer. The interesting part is that it relies on the decentralized nature of libp2p, so it doesn't need a dedicated self-hosted or public coordination service to work. It doesn't have the features of products like Tailscale or Netbird, but it also seems fairly simple to set up. The downside is that the main developer seems set on Nix, so portability to other platforms is less than ideal.
https://github.com/hyprspace/hyprspace
Nebula
Nebula is an overlay VPN started and used by Slack. It was originally internal to Slack and was open sourced in 2019; Slack still sponsors its development, but anyone is free to use it. It doesn't have a public instance or hosted service, but it is relatively simple to self-host. One interesting thing about Nebula is that it doesn't use WireGuard: it implements its own Noise-based protocol, and node identity comes from certificates signed by a certificate authority you run, rather than from a bare public key.
Tinc
Tinc is a project from long ago that pioneered the concept of an overlay network. It was initially started in 1998 and provides a way for nodes to reach each other even when a direct connection is not possible, by forwarding through other nodes in the mesh. Due to its simple design, Tinc is highly flexible. However, it lacks fine-grained access controls and is purely designed as a basic network for other things to run on top of. It uses OpenSSL or LibreSSL for its cryptography instead of WireGuard, since it predates the WireGuard protocol.
The major problem with Tinc is the state of its development: it has not seen much activity in recent years, as interest in the project has slowly faded.
Netmaker
Netmaker is a product that tries to compete in the same space as Netbird and Tailscale, and like them it uses WireGuard under the hood. However, it is overly complex and difficult to set up, while not being all that competitive feature-wise with the larger services.