Compare WireGuard Mesh Tools
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography and supports mesh networking. However, by default it requires manual configuration, so adding a new client to the network requires the admin to update O(n²) client configurations each time. wg-dynamic was a proposed WireGuard-native tool that would help with autoconfiguration; unfortunately, its development has gone stale. So here is a list of alternative tools instead.
Table
Feature\Software | Open source | Free | Full Mesh | Auto conf | Devices | Supports Users | Allows full tunnel | Subnet Access | NAT traversal | Linux | Windows | MacOS | Android | iOS | OpenWRT | Custom DNS |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Vanilla WireGuard | Unlimited | β | ||||||||||||||
Tailscale | βπ | Unlimited 1️⃣0️⃣0️⃣ | β | β | π | β | ||||||||||
Headscale | Unlimited | β | ||||||||||||||
Netmaker | Unlimited | β | π | π | ||||||||||||
WGSD | Unlimited | β | β | |||||||||||||
Innernet | Unlimited | β | ||||||||||||||
Wesher | β | β | Unlimited | β | ||||||||||||
Netbird | β | Unlimited | ||||||||||||||
wgmesh | β | β | Unlimited | β | β | |||||||||||
wiresmith | β | β | Unlimited | β | π | β | β |
1. Netmaker uses the SSPL license, which is not an "official" open source license according to the OSI.
2. Headscale uses the Tailscale Android client. Instructions
3. When routing all traffic through an exit node, Tailscale ignores custom DNS. Issue
Legend
- π Has free tier
- 3️⃣ Limited amount on free tier (e.g. 3)
- π This software version is closed source
- 💳 Paid version only
- π Client can join as member of the full mesh
- ✴️ Client can join as a 'spoke' off a node/gateway on the mesh
- βοΈ Client can join the network but updates to the network are not automatically propagated to the client
- π Developer claims the feature is coming soon
- β 0 Significant exception to the feature (should link to explanation)
Disclaimer
WireGuard is a registered trademark of Jason A. Donenfeld.
Changes
Please help update this table by using issues or pull requests. You may find https://www.tablesgenerator.com/markdown_tables helpful (File -> paste table data)
Columns
Column | Description |
---|---|
Feature\Software | The name and hyperlink to the project's main repository or website. |
Open source | Is the project open source. |
Free | Is the project entirely free to download, install and use. |
Full Mesh | Does the project allow every peer to communicate with every other peer directly. Relying on AllowedIPs to route traffic via a central peer in a hub and spoke model does not count. |
Auto conf | When a new peer is added to the mesh, are all other peers updated automatically. Usually a requirement to be featured in this repo. |
Devices | How many devices can the mesh support. |
Supports Users | Does the project allow users to be configured, usually for user access control. |
Allows full tunnel | Is the project capable of tunnelling all external traffic over at least one of the peers. |
Subnet Access | Can a device 'expose' the devices on its subnet to peers, usually using WireGuard's AllowedIPs. This could allow you to access resources on your home network if your router was connected to the mesh, for example. |
NAT traversal | Can two peers that are each behind a separate NAT communicate with one another. This usually requires some other non-NATed central peer to update each NATed peer with the other's IP and port. Sometimes called NAT hole-punching. |
Linux | Can the project be set up on a Linux machine, e.g. Ubuntu. |
Windows | Can the project be installed on a Windows machine. |
MacOS | Can the project be installed on a MacOS machine. |
Android | Is there an Android App and can it connect to every other peer. |
iOS | Is there an iOS App and can it connect to every other peer. |
OpenWRT | Can the project be installed on an OpenWRT router. Useful if you want everything on your network to be able to access the devices on the mesh. |
Custom DNS | Can the DNS provider used by all peers be configured centrally. |