Overlay Network across WAN in 2025
As titled, what is the best way to form an Overlay Network across WAN in 2025?
Right now, I typically use one of the following methods to communicate between my servers: Wireguard, Tailscale, or just direct Public IP + Firewall. They are all fundamental and it is done manually.
As the number of idlers increases, and as managing multiple small VPNs becomes increasingly troublesome, I am considering migrating everything to a single solution. I have been thinking of using Tailscale exclusively, but I would prefer something fully open-source.
Some features I would love to have included (in order of priority):
- Mesh networks (The nodes can communicate with each other without going through a central server)
- Custom relay for NAT traversal
- Subnet router (Expose local subnet)
- Virtual subnets (Can be in the form of VLAN/ACL)
- Exit node with optimized latency routing (I am aware Neoon has written something similar, but I would prefer a more mature solution)
- Multiple/HA/Decentralized coordination/control servers (e.g. no single point of failure)
I am currently looking into Netmaker and Netbird, but would love to hear from the experts here
Thanks in advance!


Comments
Headscale is an open source, self-hosted implementation of the Tailscale control server
https://github.com/juanfont/headscale
Last I remember there isn't a UI for it but just taken another look and seems to have pretty great UI now: https://github.com/tale/headplane (Ya ya I know CLI works but Tailscale UI has spoiled me)
Will look into it a little bit more and since I can provide my own DERP servers as well it pretty much ticked the first 4 boxes, thanks for suggesting this again
By no means an expert on this. I use Tailscale as I like the simplicity. I was using it for my home stuff but have begun to use it both for server-server stuff but also to pull back some personal services such that they’re only available over the VPN.
I haven’t really looked into it as I wasn't too interested in maintaining it, but maybe a self hosted Headscale is an option. Isn’t highly available from what I can see (at least officially) so might be a bust, and I’m also aware you give up some capabilities with the self hosted option.
Check out https://github.com/slackhq/nebula
been using it for years
If I understood your question correctly, why not do BGP between them over the VPN you have??
Each VPS has its own AS and subnets (if any) and create an "internal" BGP between all of them and this way you can access any of them from any one of them
This would imply an initial work to set up and you cannot have internal duplicate subnets, but if you fix that, it will actually work fine.
Looking for the simple solutions as well.
Netmaker actually looks great. Netbird is out of my scope (100 machines limit lol)
have been thinking about something like this for a while now, but got no time
Also I’ve been playing with Ansible for the first time this weekend. This role (and a new collection is in the works) in my testing works well to streamline/automate the onboarding. Run that and I then just need to log into the Tailscale admin and complete the final approvals (since I’m using Tailscale Lock) and optionally set the servers to not expire. Unsure if I can streamline that further by using any interfaces that the Tailscale client exposes to automate the Tailscale Lock authorisation if Ansible is on a signing node.
Anyway, may be a small thing to help streamline the deployment of Tailscale, not that it’s too involved in my case.
Actually… looks like the new collection has had dependencies fixed in the past 24hrs and might be an option too
QUIC Protocol Replaces WireGuard It would be more efficient, right?
I love Yggdrasil, pretty neat experiments network.
I'm using Headscale and it does everything I need. I have it set up with Authentik for user access control over OIDC, ACLs to control who can access what, Prometheus/Grafana to monitor node activity and I'm using the built-in DERP server so that none of my traffic ever touches Tailscale's network.
Headscale is installed as a binary, (i.e. not Docker), and it runs comfortably on a 1c/1g VPS with Debian 12. My instance is currently serving 40+ active clients with no issues and it never peaks above ~15% CPU. Traffic requirements are also very minimal because the Derp Relay is barely used so it mostly serves keys and metadata.
The only things to be aware of are that the Headscale server shouldn't be part of the Tailnet, (i.e. don't install Tailscale on that server), and ACLs are really important because the default setup allows all clients to communicate with each other, which you almost certainly don't want.
I've also managed to setup a load of Exit Nodes that route traffic out over a commercial VPN, (using a cluster of docker containers on one VPS), but at the moment I have performance issues and only get about ~30Mbps. I'm pretty sure it's related to MTUs but I haven't investigated it properly because I have a couple of DMCA-ignore endpoints with Exit Nodes that I can use for torrenting.
I'm not using a UI for it because I prefer the CLI, but I'm thinking about setting up Headplane for it at some point. However I suspect it'll need more than a 1c/1g to run them both together and I'm just not that bothered about a UI anyway: https://github.com/tale/headplane
zerotier
been looking for the same, something that can also save my time and be 0 maintenance setup.
stuck with cloudflare zero trust and wireguard
That's what we do in AS200690.
Each server has a private ASN for reaching each other.
The private ASNs are stripped on public BGP sessions.
Between the servers, the tunnels are usually IP6GRE, but can have SIT or WireGuard too.
The tunnels are all defined in Netplan.
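The comment above says private ASNs are used between the servers and stripped on public sessions. As an added illustration (not the AS200690 operator's config), this Python mimics that export filter: it keeps the private ASN ranges from RFC 6996 and shows which ASNs would leak if a path were announced to a public peer unfiltered. The local ASN 200690 comes from the comment; the sample paths are constructed.

```python
# Added example: private-ASN stripping on export, as a pre-announcement check.
# RFC 6996 private ranges: 64512-65534 (16-bit) and 4200000000-4294967294 (32-bit).
PRIVATE_16 = range(64512, 65535)
PRIVATE_32 = range(4200000000, 4294967295)


def is_private_asn(asn):
    """True for ASNs reserved for private use (must never reach the public DFZ)."""
    return asn in PRIVATE_16 or asn in PRIVATE_32


def strip_private_asns(path):
    """Remove every private ASN from an AS_PATH before announcing to a public peer."""
    return [asn for asn in path if not is_private_asn(asn)]


def export_path(local_asn, path, peer_is_public):
    """Build the AS_PATH we would send: prepend ourselves; on public sessions
    strip the private ASNs of the internal server mesh, on internal ones keep them."""
    cleaned = strip_private_asns(path) if peer_is_public else list(path)
    return [local_asn] + cleaned


def audit(path):
    """Return the private ASNs that would leak if this path were sent unfiltered."""
    return [asn for asn in path if is_private_asn(asn)]


if __name__ == "__main__":
    # Constructed sample: a route learned from an internal server (private ASN)
    # that itself learned it from a public upstream (3356).
    learned = [65001, 4200000001, 3356]
    print("leaks if unfiltered:", audit(learned))
    print("to public peer:", export_path(200690, learned, peer_is_public=True))
    print("to internal server:", export_path(200690, learned, peer_is_public=False))
```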
Tailscale/Headscale is great if you just want something that works™ and don't get those random 3AM urges to rebuild your network from the ground up with all the fancy bells and whistles, because otherwise you'll quickly run into some limitations.
For a good amount of time I used it as an overlay for a k8s cluster. The only major downside was doing dynamic routing ranged from incredibly annoying to sometimes impossible since you have to talk to the coordination server every time you want to route a subnet to a specific node (e.g., you can't easily do fancy failovers), which the majority of software does not support (only one I know that has integration for it is the k3s tailscale CNI) nor is extensible enough to do so.
After that I went on a pilgrimage to find alternative tooling but found myself going back to WG, I then decided to take the overkill pill and now run VyOS routers all over the place and route internal traffic using WG/OSPFv3/BGP (IPv4-less core, I love the IPv4-with-IPv6-nexthop extensions).
I'd recommend just biting the WG bullet, pick your favorite orchestration: netmaker/netbird/heck even ansible, and do the routing yourself if you're up for a little bit of adventure.
I've got Netbird set up in production, it's been very stable and easy to use. I like that you can limit certain ports/services, as well as configure different DNS services across different groups and networks.
It's easy to self-host as well - https://docs.netbird.io/selfhosted/selfhosted-quickstart
I use WireGuard with a homegrown solution. I keep a CSV file with all static IPs, domain names (for dynamic IPs), private keys, and peers. Whenever I make a change, I run a script to update all WireGuard configs and deploy the changes to all my devices in seconds via ssh.
PS: If iptables rules are needed, I include them in the WireGuard config using the up and down options—just another column in the CSV.
+1 for netbird
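The CSV-driven WireGuard setup described above (one row per host with its address, static IP or DNS name, keys, peers and optional firewall hooks) can be rendered with a short generator like this. This is an added example, not the commenter's script; the inventory is constructed, the key values are placeholders, and the column names are an assumption.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (keys are placeholders, not real WireGuard keys).
# 'endpoint' is a static IP or a DNS name for dynamic IPs; empty means behind NAT.
INVENTORY_CSV = """name,address,endpoint,port,private_key,public_key,peers,up,down
alpha,10.8.0.1/24,alpha.example.net,51820,PRIV_ALPHA,PUB_ALPHA,beta;gamma,iptables -A FORWARD -i %i -j ACCEPT,iptables -D FORWARD -i %i -j ACCEPT
beta,10.8.0.2/24,203.0.113.7,51820,PRIV_BETA,PUB_BETA,alpha;gamma,,
gamma,10.8.0.3/24,,,PRIV_GAMMA,PUB_GAMMA,alpha;beta,,
"""


def load_inventory(text):
    """Parse the CSV into a dict keyed by host name; 'peers' is a ';'-separated list."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["peers"] = [p for p in row["peers"].split(";") if p]
        hosts[row["name"]] = row
    return hosts


def render_config(host, hosts):
    """Render the wg0.conf for one host from the shared inventory."""
    me = hosts[host]
    lines = ["[Interface]", f"Address = {me['address']}", f"PrivateKey = {me['private_key']}"]
    if me["port"]:
        lines.append(f"ListenPort = {me['port']}")
    # The 'up'/'down' columns become PostUp/PostDown firewall hooks.
    if me["up"]:
        lines.append(f"PostUp = {me['up']}")
    if me["down"]:
        lines.append(f"PostDown = {me['down']}")
    for name in me["peers"]:
        peer = hosts[name]
        peer_ip = ipaddress.ip_interface(peer["address"]).ip
        # AllowedIPs is pinned to the peer's own address only (no wider ranges).
        lines += ["", "[Peer]", f"# {name}", f"PublicKey = {peer['public_key']}",
                  f"AllowedIPs = {peer_ip}/32"]
        if peer["endpoint"]:
            lines.append(f"Endpoint = {peer['endpoint']}:{peer['port']}")
        if not me["endpoint"]:
            # A host with no reachable endpoint (behind NAT) keeps its mapping open.
            lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def render_all(text=INVENTORY_CSV):
    hosts = load_inventory(text)
    return {name: render_config(name, hosts) for name in hosts}


if __name__ == "__main__":
    for name, conf in render_all().items():
        print(f"--- {name} ---\n{conf}")
```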
I use headscale
Tested netbird also, was great too
Do you guys run Netbird/headscale etc servers exclusively on the VPS? Or is it ok to co-host with other apps?
I use Zerotier with ZTNET and custom planets. ZTNET even has an API. You can even deploy Zerotier with docker. I tend to just install zerotier on the host and connect via a command. Can use the ZTNET API to auth the machine or the webgui.
If you don't want to use custom planets you setup your own moons to not have to relay using zerotier's servers. https://docs.zerotier.com/roots/
This is what I use on new servers. This is for using a custom planet. Could of course add the connect commands to this or just you know, use normal zerotier servers.
I co-host with other apps. My servers can all direct connect with one another so my relays are only used to establish connections. Most if not all don't really use many resources unless the relay is being used to transfer data.
Also to add, I like zerotier because if the controller goes down then the other servers I have as planets/relays will run in read only, allowing the servers to still connect and find each other.
The Planets and Moons language seems like a big plus
I would like to take the opportunity to ask if there is some unknown advantage of netbird over Tailscale? I'm a heavy Tailscale user, but a lot of people have been telling me that netbird is better and such.
+1 on netbird also. i deployed the controller on an oracle cloud PAYG VM
I just like the ability to deploy the full controller as is without a differing implementation like tailscale/headscale. That was basically it for me. Admittedly I find the way of security rules/access control in netbird to be a bit strange and still am getting the hang of it. I would not call one better than the other, just different. Although... the ownership structures are very different and in that I do find netbird to be the safer ownership structure. Regardless, I find it difficult to rely on software that has large equity funds invested in it because private equity only wants one thing... so consider tailscale's large PE investments from venture capital. netbird also raises money in a similar way but significantly less, at 4m vs 100m type investments
I think I can throw away the headscale-admin frontend UI! Of course, it's still very convenient!
I really wanted to like Netbird because it is objectively better than Tailscale, but the only thing I haven't been able to recreate using Headscale is the post-quantum encryption.
Self-hosted Netbird comes bundled with an Identity Provider, (Zitadel), has a nice UI, the Routes/ACLs are easier to setup and the security side seems a bit more solid. But Netbird's clients absolutely suck and the Exit Node functionality is a bit under-developed, (especially for the Android client).
Self-hosted Tailscale, (Headscale), has much better clients, (from Tailscale), but it requires more effort to set up if you want to configure an IDP and UI etc. Tailscale/Headscale ACLs are also more of a hassle to set up because you have to write them in JSON, but the main thing that stops me using Netbird is the clients.
Very nice tbh. I'm pretty sure zerotier is completely free without limits if you selfhost. You'll still use zerotier planets to connect to networks. You could just create a custom planet network like I did and use only your own servers.
Moons allow you to create your own relay servers to use when using their planets.
If you have custom planets or are using zt, if the controller goes down, the machines/servers/nodes/whatever they are called will still be able to discover/connect to machines within the network. They'll basically be in a read only mode until the controller comes up. Really nice as I had my controller go down before. With headscale and netbird you can't do this. And I think netmaker requires you to pay to use this feature.
Also, if you wanna test this @FAT32 , I can give you access to my ztnet (your own logins) server if you want to try/test it.
WireGuard works for me. All my servers are in the same large network, and in fact even in two of them (over IPv4 and IPv6).
As a backup, I also run Tinc. It has not just mesh, but the self-healing feature, that is if any two nodes can no longer communicate directly, some third node will forward traffic between them. And also just in case WG gets blocked or I screw it up on a couple of clients that are behind an ISP NAT and VPN is the only way to ssh in.
The downside is that Tinc is purely userspace and also likes to fall back to TCP over TCP instead of using UDP as it's supposed to, so it's nowhere near as performant as WG.
What's the issue you're running into? So far I didn't manage to crash it once.