Affiliate disclosure — This post contains Contabo affiliate links. If you grab a VPS through them, we earn a commission at no extra cost to you. We only document what we actually run in production on our own VPS.
The question comes up every week on self-hosting forums: you know WireGuard, you know Tailscale is "managed WireGuard", and you wonder whether $18/user/month for Tailscale Premium is worth it, or whether you should commit to full self-host on a $5/month VPS. The answer isn't binary — it hinges on how many nodes you deploy, your tolerance for vendor lock-in, and what you do with your time.
We've run both in production: Tailscale for a 12-node dev/staging mesh for 14 months, then a migration to raw WireGuard on Contabo in March 2026, after thinking through annual cost and sovereignty. This comparison is the result of that experience, not a compilation of docs. We'll cover the real architecture, costs at 1/5/20 nodes, the traps we hit, and a concrete decision guide.
What Tailscale actually is (and isn't)
Tailscale is not a new VPN protocol — it's a control plane sitting on top of WireGuard. The data plane (the actual packet encryption) stays 100% WireGuard. What Tailscale handles for you:
- Discovery — each node announces its public IP to the coordinator (Tailscale SaaS). Other nodes pull that info to set up the tunnel.
- NAT traversal — STUN + ICE-like punching to open a direct tunnel between two nodes behind symmetric NATs. When that fails, fallback to DERP relays (TCP/443).
- Key management — automatic WireGuard key rotation, device expiry, config signing.
- ACLs — a declarative JSON file defining who can talk to whom, on which ports. Compiled into iptables rules pushed to every node.
- MagicDNS / Tailnet name — resolution of `machine-name.your-tailnet.ts.net` across your mesh.
The Tailscale client code is open source (github.com/tailscale/tailscale). The SaaS control plane is not — but Headscale is an open-source reimplementation of the control plane, compatible with the official client. That matters for what follows.
What Tailscale isn't: it's not a consumer VPN like NordVPN. Tailscale doesn't give you an exit IP to make Netflix US think you're in New York. You can configure a Tailscale "exit node", but that's a node you run — on a VPS, for example. We'll come back to that, because it's exactly where the economic case flips toward self-host.
Architectures compared
Managed Tailscale:
```
[App A] ────── WireGuard ──────► [App B]
    │                               │
    └────► SaaS Coordinator ◄───────┘
              (Tailscale Inc.)
```
The coordinator orchestrates. Packets go A → B directly over WireGuard whenever NAT allows, or via a Tailscale DERP relay as fallback (extra latency + SaaS dependency).
WireGuard self-host (hub-and-spoke):
```
[Client 1] ──► [Contabo VPS Hub] ◄── [Client 2]
                       │
                   [Client 3]
```
Everything goes through the hub. Predictable latency, full control, but the hub is a single point of failure (and a single point of optimization).
WireGuard self-host (manual full-mesh):
```
[Node A] ◄──► [Node B]
    ▲             ▲
    │             │
    ▼             ▼
[Node C] ◄──► [Node D]
```
N²/2 tunnels to configure. Becomes unmanageable past 5-6 nodes — that's exactly the problem Tailscale solves on the managed side.
Architecture choice in self-host is critical: for 1 to 4 nodes, hub-and-spoke is unbeatable in simplicity; past that, you either accept Tailscale or deploy Headscale (the open-source control plane).
Honest comparison table
| Criterion | Tailscale Free | Tailscale Premium | WireGuard self-host | Headscale + WG self-host |
|---|---|---|---|---|
| Annual cost (5 nodes) | $0 | ~$1,080 | €60 (Contabo VPS S) | €60 |
| Annual cost (20 nodes) | n/a (max 3 users) | ~$4,320 | €60 | €60 |
| Initial setup | 5 min | 5 min | 30 min | 2 h |
| Automatic NAT traversal | Yes | Yes | No | Yes |
| Dynamic mesh | Yes | Yes | No (static) | Yes |
| Declarative ACLs | Yes | Yes | Manual iptables | Yes (Tailscale ACL JSON compat) |
| Exit node | Yes (1 included) | Yes (unlimited) | Yes | Yes |
| Audit logs | Limited | Full | DIY logging | DIY logging |
| Enterprise SSO | No | Yes (SAML/OIDC) | No | Manual OIDC |
| Vendor lock-in | High | High | Zero | Zero |
| Data sovereignty | No | No | Yes | Yes |
| Ongoing maintenance | Near-zero | Near-zero | Low-medium | Medium |
Three observations you never see on sponsored comparison blogs:
- Tailscale Premium is great value for 1-3 users with many nodes. If you're solo running 15 personal servers, $0 on the Free plan. No debate.
- The math flips at 4-5 users. At 5 users × $18/month, that's $90/month = $1,080/year — for a service technically equivalent to WireGuard + a control plane you can host yourself on a Contabo VPS S at €4.99/month.
- Self-host maintenance isn't zero, but it isn't crushing either. Our WireGuard hub-and-spoke setup on Contabo demands roughly 1h/month average: system upgrades, key rotation every 6 months, log review.
Case 1 — Solo, managing your own machines
Verdict: Tailscale Free, no hesitation.
The Tailscale Personal plan (100 devices, 3 users) covers 99% of personal use cases. MagicDNS works in two clicks, NAT traversal saves you half a day of pfSense, and the mobile client (iOS/Android) is honestly well-built. At this stage, don't waste time self-hosting WireGuard.
The only reason to flip to raw WireGuard solo is learning. If you want to understand WireGuard deeply, building your own hub-and-spoke on a VPS is the exercise. That's exactly what our self-host VPN Contabo WireGuard guide covers, and it's a skills investment that pays off many times over the medium term.
Case 2 — Small team (2-5 people)
Verdict: Tailscale Free if you fit in 3 users, otherwise WireGuard self-host.
At 4-5 users, Tailscale Premium becomes $864-$1,080/year. For the same money, you get:
- 12 months of a Contabo VPS S (€60/year)
- Time to script WireGuard with Ansible (10 h ≈ €500 at €50/h)
- Remaining budget for Headscale as an option
This equation holds if one person on the team can write shell scripts. Otherwise, the opportunity cost rises, and $18/user/month Tailscale becomes competitive again.
Recommended self-host setup for 5 nodes:
- One Contabo VPS S Nuremberg (4 vCPU, 8 GB, €4.99/month) — see our Contabo review 2026.
- WireGuard in hub-and-spoke. The VPS is the hub, all clients point to it.
- Static routes on the server side: one `AllowedIPs` per client peer.
- ACLs via iptables: by default each client only sees the hub; inter-client routes are opened on demand.
- Minimal observability: `wg show` every 5 min via cron + alert if a peer is offline > 15 min.
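As an added example (not code from the original post), here is the setup the list above describes in runnable form: a rendered hub `wg0.conf` with one `AllowedIPs` per client peer, an iptables `WG_ACL` chain that drops client-to-client forwarding until a route is explicitly opened, and a stale-peer check that parses `wg show wg0 dump` so a cron job can alert on peers silent for more than 15 minutes. The tunnel subnet `10.66.0.0/16`, the interface name `wg0`, the chain name `WG_ACL`, the client inventory and every key shown are assumptions and constructed placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a hub-and-spoke wg0.conf
# renderer with per-client AllowedIPs and a default-deny iptables ACL between
# clients, plus a stale-peer check over `wg show wg0 dump` output.
# Assumptions (not in the post): tunnel subnet 10.66.0.0/16, hub 10.66.0.1,
# interface wg0, UDP 51820, net.ipv4.ip_forward=1 on the hub. The keys and the
# client inventory below are constructed placeholders.
set -eu

WG_IF=wg0
WG_PORT=51820
HUB_ADDR=10.66.0.1/16
TAB=$(printf '\t')

# Constructed inventory: name, public key, tunnel IP (tab-separated).
CLIENTS="alice${TAB}ALICE_PUBKEY_PLACEHOLDER${TAB}10.66.0.10
bob${TAB}BOB_PUBKEY_PLACEHOLDER${TAB}10.66.0.11
carol${TAB}CAROL_PUBKEY_PLACEHOLDER${TAB}10.66.0.12"

# Render the hub config. PostUp builds a WG_ACL chain for wg0 -> wg0 forwarding:
# replies to already-allowed flows pass, everything else is dropped, so a client
# only reaches the hub itself until allow_route() opens a path.
render_hub_conf() {
  clients=$1; privkey=${2:-HUB_PRIVKEY_PLACEHOLDER}
  printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' \
    "$HUB_ADDR" "$WG_PORT" "$privkey"
  printf 'PostUp = iptables -N WG_ACL 2>/dev/null || true; iptables -A WG_ACL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; iptables -A WG_ACL -j DROP\n'
  printf 'PostUp = iptables -I FORWARD -i %s -o %s -j WG_ACL\n' "$WG_IF" "$WG_IF"
  printf 'PostDown = iptables -D FORWARD -i %s -o %s -j WG_ACL; iptables -F WG_ACL; iptables -X WG_ACL\n' "$WG_IF" "$WG_IF"
  printf '%s\n' "$clients" | while IFS="$TAB" read -r name pub ip; do
    [ -n "$name" ] || continue
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
  done
}

# Emit the command that opens one inter-client path (pipe into `sudo sh` on the
# hub). Position 2 lands after the ESTABLISHED rule and before the final DROP.
allow_route() {
  src=$1; dst=$2; proto=${3:-tcp}; port=$4
  printf 'iptables -I WG_ACL 2 -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
    "$src" "$dst" "$proto" "$port"
}

# Parse `wg show wg0 dump`: line 1 is the interface; each following line is
# pubkey, psk, endpoint, allowed-ips, latest-handshake (epoch, 0 = never),
# rx, tx, keepalive. Print peers silent for more than $2 seconds at epoch $3.
stale_peers() {
  dump=$1; max_age=$2; now=${3:-$(date +%s)}
  printf '%s\n' "$dump" | awk -F"$TAB" -v now="$now" -v max="$max_age" '
    NR == 1 { next }
    $5 == 0 { print $1, $4, "never"; next }
    now - $5 > max { print $1, $4, (now - $5) "s" }'
}

# Constructed dump as of epoch 1000000: alice fresh, bob silent 1000 s, carol never.
SAMPLE_DUMP="HUB_PRIV${TAB}HUB_PUB${TAB}51820${TAB}off
ALICE_PUBKEY_PLACEHOLDER${TAB}(none)${TAB}203.0.113.5:41000${TAB}10.66.0.10/32${TAB}999500${TAB}1024${TAB}2048${TAB}off
BOB_PUBKEY_PLACEHOLDER${TAB}(none)${TAB}198.51.100.7:51000${TAB}10.66.0.11/32${TAB}999000${TAB}0${TAB}0${TAB}off
CAROL_PUBKEY_PLACEHOLDER${TAB}(none)${TAB}(none)${TAB}10.66.0.12/32${TAB}0${TAB}0${TAB}0${TAB}off"

if [ "${1:-}" = "--demo" ]; then
  render_hub_conf "$CLIENTS"
  echo; stale_peers "$SAMPLE_DUMP" 900 1000000
fi
```

For the cron job, replace the sample with `stale_peers "$(wg show wg0 dump)" 900` and hand the output to whatever pages you (mail, a webhook); a `*/5 * * * *` entry matches the 5-minute cadence above. Opening `alice -> bob` on SSH is then `allow_route 10.66.0.10 10.66.0.11 tcp 22 | sudo sh`; the rule disappears on `wg-quick down`, so persist the ones you want in the config.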
Accepted downside of hub-and-spoke: every packet transits through the VPS. If Alice in Paris sends a file to Bob in Berlin, the packet goes Paris → Nuremberg → Berlin. That's ~25 ms of extra latency vs Tailscale, which would have set up a direct tunnel. For 90% of collaboration uses (SSH, RDP, files via Syncthing), it's invisible. For real-time voice, it starts to show.
Case 3 — Team of 10-20+ or compliance
Verdict: Tailscale Premium or Headscale self-host. Not raw WireGuard.
At 10+ nodes, manual WireGuard full-mesh becomes unmanageable, and hub-and-spoke doesn't scale well (the hub becomes a network bottleneck). Two serious options remain:
Tailscale Premium: you accept $200-$400/month and focus on your actual business. Audit logs, SAML, ACLs, support — all included. For a growing B2B SaaS company, that's probably the best ROI.
Headscale self-host: you host the open-source control plane (github.com/juanfont/headscale) on your own VPS. The official Tailscale clients point at your coordinator — the magic still works, but with no vendor lock-in and no monthly bill. Plan 2-3 days for a clean setup with PostgreSQL backend, TLS certificate, and OIDC for auth. See Headscale docs.
Headscale is the sweet spot for anyone wanting a Tailscale-like experience with full sovereignty. It's also a case where the upfront investment (2-3 days of a sysadmin) pays off in less than 2 months vs Tailscale Premium at 10 users.
Security compared — where the real risks sit
Tailscale:
- The coordinator never sees your private keys (they stay local).
- But: the coordinator distributes public keys and establishes sessions. A coordinator compromise would let an attacker inject a rogue peer into your mesh.
- Tailscale Inc. publishes a detailed threat model and has its code regularly audited.
- Attack surface: local client + SaaS control plane + DERP relays.
WireGuard self-host:
- Attack surface: local client + VPS hub (which you administer).
- No third party, but everything rides on the robustness of your VPS config: hardened SSH, firewall, automatic updates.
- Concrete risk: if your hub VPS is rooted, the attacker has access to the `/etc/wireguard/*.conf` configs and can decrypt active traffic. That's why we recommend WireGuard + port knocking and a client-side kill-switch.
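A client-side kill-switch of the kind recommended above, as an added example (not the post's own rules, which live in the linked kill-switch article): the physical interface may carry only DHCP and the WireGuard UDP flow to the hub, everything else has to leave through `wg0`, so a dropped tunnel fails closed instead of leaking to the ISP. The hub address `203.0.113.10`, port `51820` and the interface names are placeholders; the script prints the ruleset unless run as root with `--apply`.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: an IPv4 OUTPUT-chain
# kill-switch for a WireGuard client. Only loopback, DHCP and the UDP flow to
# the hub endpoint may use the physical interface; all other egress must go
# through wg0, so losing the tunnel blocks traffic rather than leaking it.
# Assumptions (not in the post): placeholder hub 203.0.113.10:51820, eth0/wg0.
set -eu

HUB_IP=${HUB_IP:-203.0.113.10}    # documentation address, replace with your hub
HUB_PORT=${HUB_PORT:-51820}
WG_IF=${WG_IF:-wg0}
PHYS_IF=${PHYS_IF:-eth0}

# Emit the rules in apply order. Policy goes to DROP before the flush so there
# is no window where OUTPUT is open and empty.
killswitch_rules() {
  cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $PHYS_IF -p udp --dport 67:68 -j ACCEPT
iptables -A OUTPUT -o $PHYS_IF -d $HUB_IP -p udp --dport $HUB_PORT -j ACCEPT
iptables -A OUTPUT -o $WG_IF -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Count the rules that let packets out of the physical interface; with the set
# above that must be exactly the two UDP pinholes (DHCP and the hub flow).
physical_allows() {
  killswitch_rules | grep -c -- "-o $PHYS_IF .* -j ACCEPT"
}

apply_killswitch() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
  killswitch_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then
  apply_killswitch
else
  killswitch_rules
fi
```

Put the client's resolver in the `[Interface]` `DNS =` line of its config so lookups also travel inside the tunnel; otherwise the `REJECT` rule silently breaks name resolution the moment the tunnel is down, which is the intended fail-closed behaviour but surprises people the first time. Reverse the policy (`iptables -P OUTPUT ACCEPT; iptables -F OUTPUT`) when you deliberately take the client off the VPN.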
Headscale:
- Same client-side risks as Tailscale, plus the coordinator hosting responsibility.
- Upside: you know the operator (you) and you control the logs.
None of the three options is intrinsically more secure. The deciding factor is who runs the updates. Tailscale does them for you automatically; in self-host, you have to put unattended-upgrades in place.
Real costs over 36 months — projection
We ran the math over 36 months for the three scenarios (5 nodes, 5 users), with conservative assumptions:
| Scenario | Direct cost 36m | Indirect cost (time) | Total |
|---|---|---|---|
| Tailscale Premium | $3,240 | 5h setup × €50/h = €250 | ~$3,500 |
| WireGuard hub-and-spoke Contabo | €180 | 15h setup + 36h maint = €2,550 | ~$2,700 |
| Headscale + WireGuard Contabo | €180 | 30h setup + 50h maint = €4,000 | ~$4,180 |
The result is less obvious than it looks. Raw WireGuard remains cheapest at 5 nodes in total cost, but Headscale becomes more expensive than Tailscale Premium once you factor in time opportunity cost. Tailscale Premium is the lowest-risk option but the highest direct cash cost.
If you value your time above €70/h, Tailscale Premium becomes nearly as competitive as raw WireGuard. If your time is cheaper (junior, side project, learning), self-host wins.
How to migrate from Tailscale to WireGuard self-host
That's the path we took in March 2026. The result fits in one week of work, spread over 3 weekends:
- Audit the existing setup: list every Tailscale node, its Tailnet IP (`100.x.x.x`) and its current ACLs.
- Provision a Contabo VPS S as the hub. See the Contabo VPS step-by-step tutorial: 20 min end-to-end.
- Install WireGuard on the hub, generate a server key, open UDP 51820 in the Contabo firewall.
- Define a static IP plan, for example `10.66.0.0/16` on the WireGuard side, with a clean mapping to the old Tailnet IPs.
- Generate one WireGuard config per client, distribute via a secure channel (Bitwarden, Signal, never email).
- Switch over one client at a time, verify connectivity, adjust `AllowedIPs` server-side.
- Shut down Tailscale progressively; keep it running in parallel for 1-2 weeks for quick rollback if something breaks.
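The IP plan, per-client config and per-client connectivity check from the steps above, as an added example that is not part of the original post. It takes `10.66.0.0/16` as the new plan (the post's example), maps a Tailnet address `100.a.b.c` to `10.66.b.c` (an assumption, chosen so each node keeps the last two octets it already had, with a collision check because the second octet is dropped), and uses a placeholder hub endpoint, placeholder keys and a constructed node list.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the "static IP plan" and
# "one config per client" steps of the migration. Assumptions (not in the post):
# new plan 10.66.0.0/16, Tailnet 100.a.b.c maps to 10.66.b.c, hub on UDP 51820.
# Hub endpoint, keys and the node list are constructed placeholders.
set -eu

WG_SUBNET=10.66.0.0/16
HUB_TUNNEL_IP=10.66.0.1
HUB_ENDPOINT=hub.example.invalid:51820   # placeholder, not a real host
HUB_PUBKEY=HUB_PUBKEY_PLACEHOLDER
TAB=$(printf '\t')

# Constructed audit inventory from step 1: name<TAB>old Tailnet IP.
NODES="alice${TAB}100.101.23.45
bob${TAB}100.101.77.8
carol${TAB}100.102.19.200"

# 100.a.b.c -> 10.66.b.c. Rejects anything outside Tailscale's 100.64.0.0/10.
map_ip() {
  old=$1
  IFS=. read -r o1 o2 o3 o4 <<EOF
$old
EOF
  if [ "$o1" != 100 ] || [ "$o2" -lt 64 ] || [ "$o2" -gt 127 ]; then
    echo "not a Tailnet address: $old" >&2; return 1
  fi
  echo "10.66.$o3.$o4"
}

# Plan lines: name<TAB>old<TAB>new. Aborts on the first unmappable address.
build_plan() {
  printf '%s\n' "$1" | while IFS="$TAB" read -r name old; do
    [ -n "$name" ] || continue
    new=$(map_ip "$old") || exit 1
    printf '%s\t%s\t%s\n' "$name" "$old" "$new"
  done
}

# Two nodes that differed only in the second octet would collide: refuse that.
check_plan() {
  dups=$(printf '%s\n' "$1" | cut -f3 | sort | uniq -d)
  [ -z "$dups" ] || { echo "collision on new IPs: $dups" >&2; return 1; }
}

# One client config. Real keys come from `wg genkey`; a placeholder is used
# when wg is absent so the example runs anywhere. AllowedIPs is the whole plan
# because every peer is reached through the hub.
render_client_conf() {
  name=$1; new_ip=$2
  if command -v wg >/dev/null 2>&1; then priv=$(wg genkey); else priv="${name}_PRIVKEY_PLACEHOLDER"; fi
  printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n' "$new_ip" "$priv"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$HUB_PUBKEY" "$HUB_ENDPOINT" "$WG_SUBNET"
}

# Step 6 check, run on the freshly switched client: the hub's tunnel address
# must answer over wg0 before the next node is migrated.
verify_client() {
  ping -c 3 -W 2 -I wg0 "$HUB_TUNNEL_IP" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
  plan=$(build_plan "$NODES")
  check_plan "$plan"
  printf '%s\n' "$plan" | while IFS="$TAB" read -r name old new; do
    render_client_conf "$name" "$new" > "$name.conf"; chmod 600 "$name.conf"
    echo "$name: $old -> $new ($name.conf)"
  done
fi
```

Add the matching `[Peer]` with `AllowedIPs = <new>/32` on the hub for each rendered client before handing the file over; the hub-side public key for that peer is derived with `wg pubkey` from the private key the client config carries, which is one reason the file must travel over a secure channel and nowhere else.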
The migration is doable but it's a project — not an afternoon thing. If the team is 8+ users and we're talking 30+ nodes, seriously, stay on Tailscale Premium and invest the saved time in your product.
My verdict (pragmatic)
- Solo, personal projects, 1-10 machines → Tailscale Free. Don't waste your time.
- Solo nerd, learning mood, €5/month budget → WireGuard self-host on Contabo. A skills investment that pays back 10x.
- Small team 2-5 people, no strong compliance → WireGuard hub-and-spoke on Contabo. Sovereignty + €60/year vs $1,000/year.
- Team 5-15, growth phase, B2B compliance → Tailscale Premium. Cash well spent.
- Org 15+ with sovereignty constraints (EU, public sector, defense) → Headscale self-host. The option that aligns sovereignty and scale.
Worst possible choice: raw WireGuard with manual full-mesh at 10+ nodes. You'll spend your weekends on it and it'll end up as a broken mesh on a Tuesday night.
Going further
- Self-host VPN on Contabo: full WireGuard guide 2026
- Contabo VPS step-by-step setup for VPN 2026
- WireGuard vs OpenVPN: VPS benchmarks 2026
- WireGuard kill-switch on Linux: iptables + systemd
- Contabo review 2026: honest production feedback
Sources and references:
- Tailscale Security Bulletin & Threat Model
- Tailscale CLI client — source code
- Headscale — open-source Tailscale-compatible control plane
- WireGuard whitepaper — Jason A. Donenfeld
- DERP — Designated Encrypted Relay for Packets (Tailscale)
Published 2026-06-05. Comparison based on 14 months of Tailscale production use (12 nodes, 4 users) followed by a migration to a WireGuard hub-and-spoke on Contabo in March 2026. Tailscale pricing pulled from tailscale.com/pricing in June 2026 — verify before deciding, it evolves. Real performance and savings depend on team size, compliance constraints and sysadmin tolerance.
Reminder: WireGuard, Tailscale and VPN self-hosting are perfectly legal in the EU, US, Canada and most democratic countries. VPNSmith publishes this content for educational purposes.