
Tailscale vs WireGuard: protocol vs product, honestly

Tailscale IS WireGuard at the data plane — every Tailscale tunnel is a WireGuard tunnel. The question 'Tailscale vs WireGuard' is really asking whether you want managed coordination or raw protocol. This guide separates them.

The short answer

Tailscale uses WireGuard. The question "Tailscale vs WireGuard" is malformed — they aren't peers in a comparison. The real question is "do I want raw WireGuard with all configuration on me, or a product that manages WireGuard for me?" Both answers are valid; they solve different operational problems.

  • Pick raw WireGuard for 1-2 sites, hand-managed, version-controlled config files. Free, full control, your responsibility entirely.
  • Pick Tailscale for fully-remote teams of users, where each member already runs a laptop you'll install an agent on. Per-user pricing matches the workload.
  • Pick neither for SMB multi-branch with physical routers — see the third-option section below.

Two layers, not two products

WireGuard is a data-plane protocol: it defines how two endpoints authenticate and encrypt packets to each other, given each peer's static public key and an endpoint address. That is the entire scope of the protocol. WireGuard does not specify how peers discover each other, how static public keys get distributed (the per-session keys are negotiated in-protocol by the Noise handshake; the long-term public keys are your problem), what NAT traversal mechanism to use, or how to express access policy beyond AllowedIPs. Those are deliberately out of scope.

Tailscale is a coordination layer built on top of WireGuard. It distributes node keys (via Tailscale's coordination server), handles peer discovery (the server tells each peer about the other peers), NAT traversal (STUN-assisted hole punching, with DERP relays as the fallback when no direct path can be found), access control lists (the ACL policy is evaluated server-side and pushed to each node as a packet filter), and identity (SSO with Google/Microsoft/Okta and other OIDC providers). The actual packet encryption between two Tailscale peers is WireGuard: same protocol, same primitives, same wire format.

Other products in this space — NetBird, MeshWG, Headscale — are also coordination layers on top of WireGuard. They differ in coordination model, hosting model, and pricing, but the data plane is interchangeable.

Side-by-side comparison

Aspect                   | Raw WireGuard                                         | Tailscale
-------------------------|-------------------------------------------------------|------------------------------------------------------------
Data plane               | WireGuard                                             | WireGuard (identical)
Configuration            | Per-peer .conf files, hand-managed                    | Auto-generated by coordination server
Key management           | You generate, distribute, rotate by hand              | Coordination server issues and rotates
Peer discovery           | Manual: every peer needs every other peer's endpoint  | Automatic via tailnet
NAT traversal            | Works when one side has a reachable endpoint; no relay| STUN hole punching, DERP relay fallback for double-NAT
Access policy            | Per-router firewall + AllowedIPs                      | ACL DSL, server-side evaluation
Identity                 | Public key only                                       | SSO (Google/Microsoft/Okta) → user → keypair
Cost                     | Free (hardware/hosting only)                          | Free for 3 users, $6/user/month thereafter
Lock-in                  | None (config is an open standard)                     | Coordination server proprietary (or migrate to Headscale)
Setup time, first tunnel | 15-30 minutes manually                                | ~2 minutes via signup

Configuration: same protocol, very different operator load

Raw WireGuard between two sites — the entire config file on one side:

[Interface]
# this router's private key, from `wg genkey`; it never leaves the box
PrivateKey = aBcDeFgHi...
# this router's address on the tunnel overlay
Address = 10.100.0.2/16
ListenPort = 51820

[Peer]
# the other router's public key, from `wg pubkey`
PublicKey = ZyXwVuTsR...
# where handshakes are sent; the other side must be reachable here
Endpoint = peer.example.com:51820
# the overlay plus the LAN behind the peer: these are routed into the
# tunnel and are the only sources accepted out of it (cryptokey routing)
AllowedIPs = 10.100.0.0/16, 192.168.20.0/24
# keeps the NAT mapping alive if this side sits behind NAT
PersistentKeepalive = 21

Mirror on the other side, swap the keys and endpoint, and the tunnel is up. For the two LANs to actually talk you still need IP forwarding enabled on each router and firewall rules permitting traffic between the wg interface and the LAN; that is router configuration rather than WireGuard configuration, but it is part of the work. For 2 sites this is 30 minutes and produces a fully functional, kernel-speed tunnel with zero ongoing cost.

Same scenario via Tailscale: install the Tailscale client on both routers, authenticate each to your tailnet, and advertise each LAN as a subnet route (`tailscale up --advertise-routes=192.168.20.0/24`, then approve the route in the admin console). The tunnels come up automatically; key management, NAT traversal, and access control are handled by the coordination server. IP forwarding on the router host is still your job.

The 2-site case favours raw WireGuard. The 20-site case overwhelmingly favours a coordination layer — but maybe not Tailscale specifically, depending on your shape.

Where raw WireGuard breaks down

The quadratic peer growth in a full mesh is the canonical pain point: 5 sites = 10 peer relationships configured on both ends = 20 entries. 10 sites = 45 relationships = 90 entries. Real operators in this position either move to hub-and-spoke (every branch peers only with HQ, all branch-to-branch traffic transits HQ) or to a coordination layer.

Beyond peer growth, three operational issues compound:

  • Key rotation. Every key rotation requires updating the peer entry on every other peer's config. With 20 routers, that's 19 manual config edits per rotation.
  • Dynamic IPs. WireGuard learns a peer's new address from the next authenticated packet it receives from that peer (endpoint roaming), so a branch whose public IP changes recovers on its own as long as it can still reach a peer with a fixed address. The Endpoint field itself is static, though: a DNS name is resolved once at interface start, and a peer that has to initiate towards a moved address has nothing to go on. When both ends of a link move (typical with residential ISPs on both sides), someone has to edit configs. Tailscale and similar coordination layers push current endpoints continuously.
  • Double-NAT (CGNAT). Two peers both behind CGNAT usually can't complete a handshake directly. Raw WireGuard offers no relay path; you'd run your own. Tailscale tries hole punching first and falls back to its DERP servers transparently.
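To make the peer-growth and key-rotation arithmetic above concrete, here is an added example (not MeshWG's, Tailscale's or the WireGuard project's code) that generates the per-router .conf files for N sites as a full mesh and as hub-and-spoke, then counts what each layout costs an operator. Site names, endpoints, prefixes and keys are constructed for the example; the key derivation is a placeholder standing in for `wg genkey` / `wg pubkey`, not real X25519.

```python
# Added example: generate WireGuard configs for N sites and count the
# entries an operator must maintain. Not MeshWG's or Tailscale's code.
# Keys are constructed placeholders so this runs offline; a real deployment
# uses `wg genkey | tee privatekey | wg pubkey` and ships public keys out
# of band. Site names, endpoints and prefixes are made up.
import base64
import hashlib
import os
from dataclasses import dataclass, field

OVERLAY = "10.100.0.0/16"


def _placeholder_key() -> str:
    return base64.b64encode(os.urandom(32)).decode()


@dataclass
class Site:
    name: str
    endpoint: str      # public DNS name or IP the other sites can reach
    lan: str           # LAN prefix behind this site's router
    tunnel_ip: str     # this router's address on the overlay
    private_key: str = field(default_factory=_placeholder_key)

    @property
    def public_key(self) -> str:
        # Stand-in for X25519(private_key): a hash, so no crypto library is
        # needed to run the example. Never derive a real key this way.
        digest = hashlib.sha256(self.private_key.encode()).digest()
        return base64.b64encode(digest).decode()


def render_config(me: Site, peers: list[tuple[Site, list[str]]],
                  port: int = 51820) -> str:
    """wg-quick .conf for `me`; peers is a list of (site, allowed_ips)."""
    lines = ["[Interface]",
             f"PrivateKey = {me.private_key}",
             f"Address = {me.tunnel_ip}/16",
             f"ListenPort = {port}",
             ""]
    for peer, allowed in peers:
        lines += ["[Peer]",
                  f"# {peer.name}",
                  f"PublicKey = {peer.public_key}",
                  f"Endpoint = {peer.endpoint}:{port}",
                  f"AllowedIPs = {', '.join(allowed)}",
                  "PersistentKeepalive = 21",
                  ""]
    return "\n".join(lines)


def full_mesh(sites: list[Site]) -> dict[str, str]:
    """Every site peers with every other site: n*(n-1) [Peer] entries."""
    # AllowedIPs is also WireGuard's routing table: a destination goes to
    # whichever single peer claims it. With several peers, the two-site
    # config's blanket 10.100.0.0/16 must shrink to each peer's /32 + LAN.
    return {
        s.name: render_config(
            s, [(p, [f"{p.tunnel_ip}/32", p.lan]) for p in sites if p is not s])
        for s in sites
    }


def hub_and_spoke(sites: list[Site], hub: Site) -> dict[str, str]:
    """Branches peer only with the hub: 2*(n-1) entries in total."""
    configs = {}
    for s in sites:
        if s is hub:
            peers = [(p, [f"{p.tunnel_ip}/32", p.lan]) for p in sites if p is not hub]
        else:
            # A branch sends the whole overlay and every other LAN to the hub,
            # which needs IP forwarding enabled to relay branch-to-branch.
            other_lans = [p.lan for p in sites if p is not s]
            peers = [(hub, [OVERLAY] + other_lans)]
        configs[s.name] = render_config(s, peers)
    return configs


def peer_entry_count(configs: dict[str, str]) -> int:
    return sum(c.count("[Peer]") for c in configs.values())


def files_touched_by_rotation(configs: dict[str, str], rotated: Site) -> list[str]:
    """Configs embedding the rotated site's public key: the edits one key
    rotation costs, on top of the rotated site's own file."""
    return [name for name, c in configs.items() if rotated.public_key in c]


def make_sites(n: int) -> list[Site]:
    """Constructed sample: site01..siteNN, one /24 LAN each."""
    return [Site(name=f"site{i:02d}", endpoint=f"site{i:02d}.example.com",
                 lan=f"192.168.{i}.0/24", tunnel_ip=f"10.100.0.{i}")
            for i in range(1, n + 1)]


if __name__ == "__main__":
    sites = make_sites(5)
    mesh, spoke = full_mesh(sites), hub_and_spoke(sites, sites[0])
    print("mesh entries:", peer_entry_count(mesh))            # 20
    print("hub-and-spoke entries:", peer_entry_count(spoke))  # 8
    print("files to edit when site02 rotates (mesh):",
          len(files_touched_by_rotation(mesh, sites[1])))     # 4
    print(mesh["site01"])
```

For five sites this gives 20 mesh entries against 8 for hub-and-spoke, and one branch key rotation touches four files in the mesh but a single file (the hub's) in hub-and-spoke. The AllowedIPs change relative to the two-site config above is the part people trip over when going from 2 to N peers: WireGuard's cryptokey routing lets a destination prefix belong to exactly one peer, so the blanket /16 has to be narrowed per peer, and the generator is where that rule gets encoded once instead of remembered nineteen times.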

The third option neither Tailscale nor raw WireGuard is

For SMB multi-branch businesses (5-30 sites, each with a router, some non-laptop devices behind each router), neither raw WireGuard nor Tailscale fits cleanly. Raw WireGuard hits the operational issues above. Tailscale's per-user pricing scales linearly with team size while the actual mesh scales with sites, not people, so the pricing model is misaligned.

The shape that fits: router-based managed WireGuard. The coordination layer of Tailscale, but the tunnel terminates on the router (TP-Link, MikroTik, OpenWrt, OPNsense, pfSense, Ubiquiti, Asus, GL.iNet) so every LAN-side device joins automatically with no per-device install or per-user licence.

MeshWG is built for this specifically. Per-router pricing (₹349 ≈ $4.20/month, 2 free), generated paste-ready configuration in each vendor's native format, central policy, CGNAT relay built in. For a 10-branch business with 100 staff: $42/month on MeshWG vs $600/month on Tailscale Business.

When to pick which

  • 1-2 sites, technical operator → raw WireGuard. 30 minutes once, free forever.
  • Fully-remote team, no offices → Tailscale. Per-user pricing matches the workload; the official clients are excellent.
  • 3-30 sites with routers → MeshWG (or NetBird managed). Router-based avoids per-device costs; managed coordination avoids quadratic config growth.
  • Want Tailscale's UX but on your own server → Headscale. Same clients, self-hosted control plane.
  • Want both a managed and a self-hosted option from one vendor → NetBird.

Frequently asked questions

Is Tailscale just WireGuard?

Tailscale uses WireGuard as its data-plane protocol — every Tailscale tunnel is a WireGuard tunnel under the hood. What Tailscale adds is the coordination plane: a managed service that handles key exchange, peer discovery, NAT traversal, and access control. Raw WireGuard requires you to configure peer public keys, endpoints, and allowed IPs by hand on every device. Tailscale does that automatically by having every device talk to Tailscale's central control server. The protocol is the same; the operational model is very different.

Is Tailscale faster than WireGuard?

No. Tailscale cannot be faster than WireGuard over the same path, because its data plane is WireGuard. What can differ is the implementation and the path. Tailscale's client (tailscaled) runs its own userspace WireGuard implementation, wireguard-go, on every platform; it does not drive the Linux kernel module. Tailscale has put real work into that implementation (UDP segmentation and receive offload on Linux), and on modern hardware a direct Tailscale tunnel lands close to a hand-configured kernel tunnel, but the kernel module still has the edge on CPU-constrained routers. The larger gap in benchmarks is usually the path, not the crypto: a connection that fell back to a DERP relay because hole punching failed is bounded by the relay. `tailscale status` and `tailscale ping` show whether a given peer is direct or relayed, which is the first thing to check when a Tailscale number looks low.

Should I use Tailscale or raw WireGuard for site-to-site VPN?

Depends on your operational shape. For 1-2 sites configured once and rarely touched, raw WireGuard with config files committed to git is fine and free. For 3+ sites, peer churn, key rotation, dynamic IPs, or NAT traversal, a coordination layer (Tailscale, NetBird, MeshWG, Headscale) saves more operator time than it costs. The quadratic growth of WireGuard peer relationships (5 sites = 10 peer pairs, 10 sites = 45) is the practical trigger to move beyond hand-rolled.

Can I self-host Tailscale's coordination server?

Yes, via Headscale — an open-source re-implementation of Tailscale's coordination protocol. The official Tailscale clients authenticate against it transparently. You run Headscale on your own server; your data plane stays under your control; you get the Tailscale UX without depending on Tailscale Inc.'s infrastructure. NetBird is the other common self-host path with its own clients.

Is WireGuard more secure than Tailscale?

Tailscale's data plane IS WireGuard, so the cryptographic security is identical: the same Noise_IK handshake, the same Curve25519, ChaCha20-Poly1305 and BLAKE2s primitives. The trust boundary differs at the coordination layer. With raw WireGuard you trust only the peers themselves and whatever channel you used to distribute their public keys; with Tailscale you also trust the coordination server to hand each node the correct set of peer keys, and the identity provider it authenticates against (a compromised coordination server could introduce a node it controls into your tailnet). Tailscale's Tailnet Lock narrows that: node keys must be signed by keys you hold before other nodes will accept them, so the server cannot add peers unilaterally. For most operators the trade is worth it (the alternative is hand-managing keys); for high-assurance scenarios (regulated, sovereign) Headscale moves the coordination plane itself onto your own infrastructure.

What's the right Tailscale-vs-WireGuard answer for a multi-branch business?

Neither, often; both are aimed at slightly the wrong shape. Raw WireGuard configured per-router becomes painful past 3 sites (quadratic peer growth). Tailscale's per-user pricing scales poorly when you have devices that aren't users (POS terminals, IP cameras, printers behind each branch router). The shape that fits is router-based managed WireGuard: a coordination plane like Tailscale's, but terminating on the router so per-LAN-device cost stays zero. MeshWG is built specifically for this. See /alternatives/tailscale/ for the full alternative landscape.