@amm0, would it be possible to ask you a question about my relatively simple setup? If so, I would love to reach out. Thanks!
Very nice work @Amm0
But the following is also nice to know
Tailscale vs. ZeroTier: Side-by-Side Comparison
Feel free to post your needs/question(s) and any relevant config.
I think that article is a pretty good summary. I’d agree with most of it, specifically:
Tailscale is different than WireGuard in many ways, but it’s a better comparison to ZeroTier than WireGuard due to the way that it’s set up and configured, as well as its functionality.
I kinda focus on the interaction with RouterOS features in this original article here, rather than a comparison of VPNs/protocols. But I do agree Tailscale is more similar to ZeroTier since both have some centralized control of clients/members/peers & routing, vs “pure WireGuard”, which is really just a peer-to-peer protocol within the Linux kernel that OTHER things can make use of for a complete VPN solution (i.e. Tailscale and Mikrotik’s new Back-to-Home being examples of providing some higher-level control/policy to WireGuard).
But the high-level decision between WG/Tailscale/BTH/etc. vs ZeroTier is whether an “ethernet-like” Layer2 link is needed. The need for Layer2/ethernet-like often comes up with devices that use multicast or other discovery protocols. Conversely, pure/unicast IP networks would likely be better served with some WireGuard-based protocol – since WG/Tailscale/BTH is more efficient than ZeroTier, especially if all traffic is Layer3/IP. And Tailscale adds all the “policy management” stuff that’s often needed in corporate/enterprise/education markets - that ain’t in ZeroTier (or RouterOS). While ZeroTier “policy” is more limited to its “flow rules”, which is akin to doing policy management using Mikrotik’s bridge/firewall filters – so Tailscale makes a lot more sense than ZeroTier when you need user-level access control. And Tailscale adds user authentication beyond just ZeroTier’s simplistic (and ID-based) membership concept.
Additionally, Mikrotik’s ZeroTier support has not expanded significantly since I wrote this article*. So some of ZeroTier’s newer features/configuration are not available on Mikrotik. Specifically low-bandwidth mode, peering control, and load balancing options. And CHR/X86 lacking ZeroTier remains a significant limitation since some other solution is still needed there for a VPN/SD-WAN/etc. WG is available on ALL Mikrotik platforms, and there are ways of integrating plain WG links into Tailscale - so that’d be another advantage from a Mikrotik POV.
I still maintain that as an out-of-band management protocol for Mikrotiks (at least ones that support ZT) it is hard to beat – especially with RoMON being enabled. Other use cases do require more thought when picking between ZT and Tailscale or something else - starting with whether there are any Layer2 or multicast needs, since that’s not easily fixed AFTER a VPN/SD-WAN deployment.
Additionally, in the Mikrotik context… older routers might still be better off with IPSec-based things, since some older routers with limited CPUs do support hardware encryption – while both ZeroTier and WG are going to increase CPU load since they cannot make use of hardware encryption in older routers (that support IPSec in hardware). So that’d be another important consideration if dealing with older hardware.
*In fairness, Mikrotik did add the option of running your own controller since my original post, but I’m less sure of the use cases.
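As an added example (not from the thread or from Amm0’s article), here is a minimal RouterOS v7 configuration for the out-of-band management use case mentioned above: ZeroTier joined as a dedicated management interface, RoMON enabled with a secret, and management ports accepted only from that interface. The network ID, interface name, secret and port list are placeholders/assumptions to replace with your own.

```routeros
# Added example, not the thread author's config. Placeholders: network ID,
# interface name "zt-mgmt", RoMON secret, and the management port list.

# Enable the built-in ZeroTier instance (shipped disabled) and join a network
# that is used ONLY for out-of-band management of this router.
/zerotier/set zt1 disabled=no
/zerotier/interface/add instance=zt1 network=0123456789abcdef name=zt-mgmt \
    comment="OOB management network (placeholder network ID)"

# Enable RoMON with a shared secret so only RoMON peers that know the secret
# can discover and reach this router over the ZeroTier path.
/tool/romon/set enabled=yes secrets=CHANGE-ME-romon-secret

# Accept management traffic (WinBox 8291, SSH 22, API-SSL 8729) only when it
# arrives on the ZeroTier interface. Place this rule above the usual
# "drop everything else on input from WAN" rule so it is evaluated first.
/ip/firewall/filter/add chain=input in-interface=zt-mgmt protocol=tcp \
    dst-port=8291,22,8729 action=accept comment="mgmt via ZeroTier OOB"
```

The router still has to be authorized as a member in the ZeroTier controller before `zt-mgmt` carries traffic, so verify membership in the controller UI after adding the interface.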