(Shamless plug) I am also working on a similar FOSS, self-hosted project called Octelium https://github.com/octelium/octelium that you might find interesting if you are interested in this space. Octelium is, however, more of a generic/unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure. It provides unified client-based as well as clientless access for both humans and workloads; dynamic identity-based secretless access (e.g. HTTP/gRPC/k8s without sharing API keys and access tokens, SSH without distributing passwords/private keys, postgres/MySQL databases without sharing passwords, etc.); dynamic L7-aware, identity-based access control ABAC via CEL and OPA as well as dynamic routing to upstreams via policy-as-code; native Passkey login/WebAuthn/TOTP MFA and support for OIDC/SAML IdPs, OpenTelemetry-native L7-aware visibility and auditing; clientless access via OAuth2 for workloads, WireGuard and QUIC tunneling, including in rootless mode; passwordless SSH'ing into containers and IoT without SSH servers; deploying and securing access to containers; declarative k8s-like management with horizontal scalability among other features. You can read more in the README if you're interested.

I can only recommend giving headscale a try. It's free, works extremely well, and can be used with the official Tailscale clients. Was super easy to set up.

https://headscale.net/stable/

I recommend it the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted, not just their cloud offering.

A bit lower level than most things discussed here but on the topic of overlay networks, I’ve used nebula for years and can recommend it

https://github.com/slackhq/nebula

Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web. This project looks promising as a replacement for my current setup and for its digital sovereignity of self hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.

Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)

We just evaluated this the other day and we were pretty impressed by it. We were looking for something we could self host for wireguard config but tbh we might just pay for the managed solution.

F-droid inclusion seems to be stalled https://gitlab.com/fdroid/rfp/-/issues/2688

Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."

That being said I'm rooting for the devs, having an alternative for tailscale+headscale would be nice, because as it stands it's kind of dependant on the goodwill of a for profit company (finite).

I replaced Teleport by a bunch of various tools, and I had to chose between tailscale/headscale and netbird for the network connectivity. I’m pleased with netbird so far.

I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.

https://github.com/netbirdio/netbird

Netbird's flexibility with IdPs is really nice. I recently switched mine to Pocket ID. Overall, it's perfectly sufficient and lightweight for homelab use.

I'm really missing something like Cisco DMVPN. A VPN mesh between different routers where all routers have a connection to each other, so that all traffic doesn't have to pass through the hub. And that runs on a router, because all these solutions only run on a regular computer with a complete OS.

But it's missing a tailscale funnel like feature, right? That's one of the main features that I use for some home assistant instances.

I'm currently comparing it with pangolin and headscale for my small scale company infrastructure access. Been running headscale for my own setup for a while but maybe netbird or pangolin might be better for real production.

Last time I checked it couldn't do ipv6... in 2026?

Using it self hosted for almost a year now, no issues, just works for me.

If the VPN connection would stay connected despite having it set up that way in the web UI.. It would be a good product.

Still haven't figured out how to do Termux on Android with netbird ssh yet.

How does this compare with Defguard? Also European but seems more featureful maybe?

Sweet. Alternatives are always something good.

For someone who want to setup a private network between host/devices, I feel the dilemma is always:

1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.

2. Self-host but need at least one host with a fixed IP address and an open port on the Internet. What requires a set of security skills and constant monitoring. That includes headscale, selhosted netbird, zerotier or a private yggdrasil mesh.

Missing some technical bits to be a true contender for me but I bet they are getting there. That said I've seen so many shadcn based scam sites that my brain starts associating shadcn with scams.

Besides the solid product, Misha & Maycon are just great and friendly people to work with.

There's also https://pangolin.net/ which is kind of similar, and I believe a YC company.

Tailscale is great and headscale is an important step to gain trust. However, headscale is useless without the clients, and Tailscale geoblock installing clients where they can. If the platform requires jailbreak for installing user-chosen software, as is the case with iOS, then it all becomes useless.

Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?