

Wireguard vs Tailscale vs OpenVPN?
I currently have a setup where my Synology NAS acts as my VPN server, using OpenVPN. It works but as with all things to do with technology and home labs - I want to improve it in any way I can. I'm looking at building a big Dedicated Proxmox server and will run two DNS Pi-hole-like servers (one for redundancy) and would like two VPN servers as I'd like to keep my Synology NAS purely for files and only accessible on my local network. I'd like for all my mobile devices to have a constant connection to either VPN/DNS pair for privacy and ads.
Which brings me to the question, which is better in terms of security and speed? Tailscale, Wireguard or OpenVPN?
I know there is no definitive answer, just want people's opinions and what you use currently?
Wireguard is the fastest of those and probably the most secure.
Tailscale is wireguard with extra steps. I personally use plain wireguard, it's already pretty easy to set up with config files, but now there's even graphical front-ends for it which generate the config for you, including a QR code that you just have to scan on your phone, so really simple. I don't think you can set up OpenVPN by just scanning a QR code :D
Wireguard if you have a static public IP. Tailscale (which runs on Wireguard) if you don't.
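The "config files" that plain WireGuard and front-ends like pivpn work with are short enough to show in full. The script below is an added example, not pivpn's or the thread's own code: it builds the two stanzas that adding a device produces, the client-side file (full tunnel, DNS pinned to a Pi-hole inside the VPN, which is the OP's stated goal) and the server-side `[Peer]` entry whose `AllowedIPs` /32 is what ties traffic to that one device. The keys, endpoint hostname and addresses are placeholders; real keys come from `wg genkey | tee private.key | wg pubkey`.

```shell
#!/bin/sh
# Added example (not pivpn's code): generate the client config file and the
# server-side peer stanza for one new WireGuard device. All keys, hosts and
# addresses passed in are placeholders chosen by the caller.
set -eu

# A WireGuard key is 32 bytes base64-encoded: 43 chars plus one '=' pad.
# Rejecting anything else catches a pasted-in public key that was truncated.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Client-side file. AllowedIPs 0.0.0.0/0, ::/0 routes everything through the
# tunnel; DNS points at the Pi-hole on the VPN subnet so ad-blocking DNS is
# used even on mobile data. PersistentKeepalive keeps NAT mappings alive.
client_config() {
    client_priv=$1; server_pub=$2; endpoint=$3; client_ip=$4; dns=$5
    is_wg_key "$client_priv" || return 1
    is_wg_key "$server_pub" || return 1
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' \
        "$client_priv" "$client_ip" "$dns"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n' \
        "$server_pub" "$endpoint"
}

# Server-side stanza appended to the server's wg0.conf. Here AllowedIPs is
# the single /32 this device may source traffic from: a packet decrypted
# with this peer's key but carrying another source address is dropped.
server_peer_stanza() {
    client_pub=$1; client_ip=$2
    is_wg_key "$client_pub" || return 1
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$client_pub" "$client_ip"
}

# Usage (placeholders): write the client file, then feed it to qrencode -t ansiutf8
# client_config "$CLIENT_PRIV" "$SERVER_PUB" vpn.example.com:51820 10.6.0.2 10.6.0.1 > phone.conf
# server_peer_stanza "$CLIENT_PUB" 10.6.0.2 >> /etc/wireguard/wg0.conf
```

The asymmetry between the two `AllowedIPs` values is the part worth understanding: on the client it is a routing decision, on the server it is an access-control decision per key.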
Using wireguard with a front-end like pivpn is as easy as running the command
pivpn -a
to set up a new profile for a new device while displaying a QR code for it.
WireGuard is an absolute breath of fresh air. I have WireGuard enabled on my main router bridged to the cable modem. My phone is connected to the VPN on my router 24/7.
Sometimes when I’m working with clients and they are in restricted environments which would force me to jump through all kinds of VPN routes, jump hosts, and Remote Desktop gateways just to get to a system or desktop that I can’t actually place the tools I need on, I can jump through those hoops to the host and then just WireGuard out to my network, and then that server looks like another host on my network that I can access directly, i.e. 10.0.0.5.
So, now I can just bring up a link, and then VS Code over SSH directly to the server, automate Docker tasks, apply configuration as code, or anything else that was going to be impossible to do from a locked down corporate VDI desktop.
Naturally, that exposes the host to other threats that could potentially originate from my network, which is why I’d like to move this capability to a separate isolated pfSense device or hardened VM that can only be accessed via physical console.
I’d still keep my phone connected at the edge for all of the advantages that presents. Namely, overall network performance is seemingly improved by having all traffic on a low bandwidth high latency network route through a 1.5Gbps upstream connection. Not to mention, I have direct access to every other service or IPMI interface I might need to get a finger on.
There's also headscale which is an OS self-hosted version of Tailscale if you're worried about trust.
One problem with raw WireGuard is no support for TCP 443. Many times when traveling, especially internationally, you may connect to shady hotspots which block everything except web browsing.
OpenVPN can be run on port 443 and Tailscale will use DERP for proxy and still work in those situations. WireGuard being UDP will not.
I have not used Tailscale so cannot comment on it.
In the traditional hub-and-spoke model, I think OpenVPN makes sense for you if you really want redundant VPN servers. With OpenVPN you can set multiple remotes (server A and server B) and the client will automatically fail over if one goes down. WireGuard is stateless, does not care about the peer being down and does not have a built-in failover mechanism so you would have to build your own failover routing on top. There are examples of that if you google it. Otherwise you could go full mesh networking and just not have to worry about VPN servers. There are tools to make that easier, like Tailscale.
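The failover gap described above can be closed with a small watchdog. OpenVPN clients get this for free by listing several `remote` lines and letting the client walk down the list; WireGuard has no session to "drop", so the only signal that a server is gone is a handshake that stops refreshing. The script below is an added example, not from the thread and not part of WireGuard: it parses `wg show wg0 latest-handshakes`, and if the newest handshake is older than a threshold it repoints the peer's endpoint at the other server with `wg set`. The interface name, the two server hostnames and the threshold are placeholders.

```shell
#!/bin/sh
# Added example (not WireGuard's or the thread's code): cron-driven client-side
# failover between two WireGuard servers that share the same server keypair
# and peer list. Hostnames, interface and threshold are placeholders.
set -eu

IFACE=wg0
PRIMARY=vpn-a.example.net:51820     # placeholder
SECONDARY=vpn-b.example.net:51820   # placeholder
STALE_AFTER=180                     # seconds; with PersistentKeepalive a live
                                    # tunnel re-handshakes about every 2 minutes

# Parse one line of `wg show IFACE latest-handshakes` ("<pubkey>\t<epoch>").
# Returns 0 (true) when the handshake is older than STALE_AFTER or never
# happened (epoch 0), which is how WireGuard reports "no session yet".
handshake_stale() {
    line=$1; now=$2
    ts=$(printf '%s' "$line" | cut -f2)
    [ "${ts:-0}" -eq 0 ] && return 0
    [ $((now - ts)) -gt "$STALE_AFTER" ]
}

# Given the endpoint currently in use, return the one to switch to.
other_endpoint() {
    case $1 in
        "$PRIMARY") printf '%s\n' "$SECONDARY" ;;
        *)          printf '%s\n' "$PRIMARY" ;;
    esac
}

# Live path, meant to be run from cron every minute on the client. It is a
# no-op on a machine without wg so the helpers above can be exercised alone.
failover_if_needed() {
    command -v wg >/dev/null 2>&1 || return 0
    line=$(wg show "$IFACE" latest-handshakes | head -n1)
    peer=$(printf '%s' "$line" | cut -f1)
    handshake_stale "$line" "$(date +%s)" || return 0
    current=$(wg show "$IFACE" endpoints | awk -v p="$peer" '$1==p {print $2}')
    wg set "$IFACE" peer "$peer" endpoint "$(other_endpoint "$current")"
}
```

Two caveats a practitioner should keep in mind: the check only works if the client keeps traffic flowing (hence `PersistentKeepalive` on the client), since an idle WireGuard peer legitimately stops handshaking; and because both servers present the same public key, a switch is transparent to the client but the servers must agree on the peer's `AllowedIPs`, otherwise the second server silently drops the device's packets.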
OpenVPN is a slow, finicky, deprecated mess. The only reason to use it is because it is already widespread and lots of documentation exists. Wireguard is the new version of it and outperforms it in every way. Tailscale is a proprietary mesh building wrapper for wireguard. Usually with wireguard two peers have to communicate through the server. With tailscale they all connect directly to each other.