Compare WireGuard Mesh Tools

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography and supports mesh networking. However by default it requires manual configuration. As such adding a new client to the network would require the admin to update O(n²) client configurations each time they add a new client. wg-dynamic was a proposed WireGuard-native tool that would help with autoconfiguration, unfortunately development of this has gone stale. So here is a list of alternative tools instead.

Table

Feature\Software	Open source	Free	Full Mesh	Auto conf	Devices	Supports Users	Allows full tunnel	Subnet Access	NAT traversal	Linux	Windows	MacOS	Android	iOS	OpenWRT	Custom DNS
Vanilla WireGuard	✅	✅	❌	❌	Unlimited	❌	✅	✅	❌	✴️	✴️	✴️	✴️	✴️	✴️	✅
Tailscale	✅❗0	❌🆓	✅	✅	Unlimited 2️⃣0️⃣	✅ 1️⃣	✅	✅	✅	🌐	🌐🔏	🌐🔏	🌐🔏	🌐🔏	✅	✅
Headscale	✅	✅	✅	✅	Unlimited	❌	✅	✅	✅	🌐	🌐	🌐	🌐❗2	❌	✅	✅
Netmaker	✅❗1	✅	✅	✅	Unlimited	✅	✅	✅	✅	🌐	🌐	🌐	✴️❄️	✴️❄️	✅	✅
WGSD	✅	✅	✅	❌	Unlimited	❌	✅	❌	✅	✅	❌	❌	❌	❌	❌	❌
Innernet	✅	✅	✅	❌	Unlimited	✅	✅	❌	✅	✅	❌	✅	❌	❌	❌
Wesher	✅	✅	✅	✅	Unlimited	❌				✅	❌	❌	❌	❌	❌	❌
Netbird	✅	✅	✅	✅	Unlimited 2️⃣0️⃣	✅	✅	✅	✅	✅	✅	✅	❌	❌	✅	🔜
wgmesh	✅	✅	✅	✅	Unlimited	❌	✅	❌	❌	🌐	❌	❌	❌	❌	❌	❌

⁰Tailscale's client code is open source. Tailscale's control server code is entirely closed source (It's a SaaS product).
¹Netmaker uses the SSPL license, which is not an "official" open source license occording to the OSI.
²Headscale uses the tailscale android client. Instructions

Legend

• 🆓 Has free tier
• 3️⃣ Limited amount on free tier (e.g 3)
• 🔏 This software version is closed source
• 💳 Paid version only
• 🌐 Client can join as member of the full mesh
• ✴️ Client can join as a 'spoke' off a node/gateway on the mesh
• ❄️ Client can join the network but updates to the network are not automatically propgated to the client
• 🔜 Developer claims the feature is coming soon
• ❗⁰ Significant exception to the feature (should link to explanation)

Disclaimer

WireGuard is a registered trademark of Jason A. Donenfeld.

Changes

Please help update this table by using issues or pull requests. You may find https://www.tablesgenerator.com/markdown_tables helpful (File -> paste table data)

Columns

Column	Description
Feature\Software	The name and hyperlink to the project's main repository or website.
Open source	Is the project open source.
Free	Is the project entirely free to download, install and use.
Full Mesh	Does the project allow every peer to communicate with every other peer directly. Relying on AllowedIPs to route traffic via a central peer in a hub and spoke model does not count.
Auto conf	When a new peer is added to the mesh, are all other peers update automatically. Usually a requirement to be featured in this repo
Devices	How many devices can the mesh support.
Supports Users	Does the project allow users to be configured, usually for user access control.
Allows full tunnel	Is the project capable of tunnelling all external traffic over at least one of the peers.
Subnet Access	Can a device 'expose' the devices on its subnet to peers, usually using wiregaurd's AllowedIPs. This could allow you to access resources on your home network if your router was connected to the mesh, for example.
NAT traversal	Can two peers that are each behind a separate NAT communicate with one another. This usually requires some other non-NATed central peer to update each NATed peer with the other's IP and port. Sometimes called NAT hole-punching
Linux	Can the project be set up on a Linux machine e.g Ubuntu
Windows	Can the project be installed on a Windows machine.
MacOS	Can the project be installed on a MacOS machine.
Android	Is there an Android App and can it connect to every other peer.
iOS	Is there an iOS App and can it connect to every other peer.
OpenWRT	Can the project be installed on an OpenWRT router. Useful if you want everything on your network to be able to access the devices on the mesh
Custom DNS	Can the DNS provider used by all peers be configured centrally.