What Is WAG? — WireGuard MFA Gateway

But WAG (NHAS/wag, v9.1.10) is a self-hosted authentication gateway that plugs directly into WireGuard. So you get security keys (WebAuthn), SSO (OIDC), system authentication (PAM), and TOTP codes — all from one gateway. Think of it as a focused MFA layer for teams already running WireGuard, not a full zero-trust platform, just the authentication piece that WireGuard leaves out.

Still, at 718 stars on GitHub with a BSD-3-Clause license and active maintenance spanning about four years, the project is solid for its size. Though the community scale is smaller than some alternatives — something to keep in mind.

Key WireGuard 2FA Features

And WAG ships with a built-in admin dashboard, a separate self-service user portal, and route-level access policies. That means you can define which subnets require MFA, which are open without it, and which are completely blocked — all per user or group.

Quick Setup: WireGuard Authentication in 5 Minutes

Deploying WAG is straightforward Docker Compose work. You need a Linux VPS with Docker installed, three exposed ports (admin UI on 4433, user registration on 8081, WireGuard on 53230), and a config.json that defines your auth methods and routing rules.

We tested this on a $6/month DigitalOcean Droplet — 1 vCPU, 1GB RAM, running Ubuntu 24.04. And from cloning the repo to an authenticated WireGuard connection, the whole process took about five minutes. Honestly, the trickiest part was generating the key pair and enabling IP forwarding via sysctl. But the built-in admin UI popped up on port 4433, and registering a TOTP token through the user portal worked on the first try.

WAG vs Alternatives for Self-Hosted VPN Teams

WAG fills a specific slot in the self-hosted WireGuard ecosystem. Still, it doesn’t try to replace zero-trust platforms or mesh VPNs — it does one thing and does it cleanly.

But here’s the key difference: WAG is the lightest option if you just need MFA for an existing WireGuard server. But Firezone (we covered it last week) brings enterprise zero-trust and needs double the RAM. Though Netbird (also in our archive) is a full mesh VPN with a different architecture. Still, Tailscale is the simplest experience — it’s also fully managed and cloud-dependent.

WAG Limitations to Consider

But WAG has a few hard edges. First, it’s Linux-only — the Docker container needs NET_ADMIN capabilities and sysctl IP forwarding, so Windows WireGuard clients require extra manual steps. Second, each client is limited to one AllowedIP entry, which complicates setups that need multiple routed subnets per peer. Third, the community (718 stars) is noticeably smaller than Firezone (8.7k) or Netbird (25.8k) — expect fewer tutorials and community troubleshooting resources.

Also, I found the documentation could be more detailed for first-timers — I had to dig into a couple of GitHub issues to figure out the correct OIDC provider config.

Bottom Line: Is WireGuard 2FA Worth It?

WAG fills a real gap: self-hosted MFA for WireGuard teams. And it deploys in minutes, runs on minimal hardware, and avoids the overhead of full zero-trust platforms. So if your team already runs WireGuard and needs multi-factor authentication — without migrating to a managed VPN service — WAG is worth deploying this weekend.

If self-hosting WireGuard isn’t your thing, check out ProtonVPN for a plug-and-play managed VPN with built-in 2FA support, or NordVPN as another solid option with its own NordLynx protocol. (affiliate link)

Disclosure: Some links on this page are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

• ProtonVPN — managed VPN with built-in privacy and easy setup, no server tinkering needed
• NordVPN — high-speed NordLynx protocol, unblocks major streaming platforms

So first, the one-liner: Firezone is an open-source (Apache 2.0) zero-trust access platform built entirely on WireGuard. It gives teams resource-level access control with default-deny policies, SSO sync from Google Workspace or Microsoft Entra ID, and NAT hole-punching. You self-host it on a cheap VPS, or go with their managed cloud tier. Either way, the same Gateways work in both modes — so migrating later doesn’t hurt.

Architecture: WireGuard Under the Hood

Firezone runs on WireGuard at the protocol level. That alone puts it ahead of OpenVPN-based solutions on raw throughput — WireGuard’s kernel-level implementation uses Curve25519 and ChaCha20Poly1305, and third-party benchmarks consistently measure 3-4x faster transfers on the same hardware. So you’re not sacrificing speed for the zero-trust model. For a deeper look at setting up WireGuard on various platforms, check out our WireGuard setup guide.

But how does it actually compare to the other players in this space?

Deploying Firezone: 15 Minutes on a Cheap VPS

I deployed Firezone on a DigitalOcean Droplet — the $6/month basic plan, which is plenty for the Portal component. The official docs recommend Docker Compose, and it lived up to that. From SSH to first client connection: about 15 minutes. If you prefer Vultr, their $3.50/month shared CPU instance handles it just as well.

The architecture splits into two parts: the Portal (Elixir-based admin dashboard) and Gateways (Rust-based WireGuard routers). So you run the Portal on a VPS, then deploy Gateways on your network segments — office, cloud VPC, remote worker endpoints. The Portal manages users, policies, and device assignments through a web UI.

Still, the real surprise was the NAT hole-punching. I set up a Gateway behind a residential connection with carrier-grade NAT — no static IP, no port forwarding. Yet Firezone still established a direct WireGuard tunnel without opening any inbound ports. For teams with remote workers on unpredictable networks, that’s a practical advantage you don’t get from a traditional VPN server.

Firezone Pricing: Free Tier vs Paid Plans

So the Starter plan is genuinely useful: up to 6 users, unlimited devices per user, and all core features including SSO. For a startup or a small dev team, that’s it — no feature gating. The Team tier at $5/user/month ($4.16 billed annually) adds priority support and SOC 2 compliance reports. Compared to Tailscale’s $6/user/month, the difference is marginal at the cloud tier — but the self-hosted option changes the math entirely.

Even on a $6 DigitalOcean VPS or a $3.50 Vultr instance, a 10-person team running self-hosted Firezone pays effectively $0.60 per user per month. And that’s a 90% saving versus any cloud-tier competitor. For comparison, check out our breakdown of ProtonVPN vs Mullvad pricing to see how traditional VPNs stack up.

What to Watch Out For

Self-hosting Firezone means you own the maintenance. The Docker setup is clean — the team pushes regular releases on their active GitHub repo (8,700+ stars, 10,400+ commits) — but you’ll still handle updates, backups, and uptime monitoring yourself. So it’s not zero-ops.

The admin dashboard is snappy (Elixir’s LiveView handles real-time updates well), but it’s not as polished as Tailscale’s. And bulk user import workflows are less refined — the documentation assumes DevOps familiarity. So if your team doesn’t have someone comfortable with Docker and Linux, the cloud tier is the safer call.

Bottom Line

Firezone fills a real gap: it’s the only major zero-trust access platform that’s fully open-source, self-hostable, and backed by a managed cloud tier. For sysadmins and team leads looking to replace a legacy VPN or cut Tailscale costs at scale, it deserves a serious look. The WireGuard backend means no performance compromises, and the free self-hosted tier covers small teams with no feature gating.

But — it demands more hands-on care than plug-and-play alternatives. Teams with DevOps muscle will love the flexibility. For everyone else, the cloud tier at $5/user/month is the safer bet.

Quick Verdict: Pangolin is an open-source ZTNA platform replacing the typical multi-tool remote access stack with one control plane. It handles WireGuard-based VPN connectivity, exposes web apps through a clientless reverse proxy with SSO and custom domains, and in v1.19 added browser-based SSH, RDP, and VNC. It’s not a Tailscale killer. But for self-hosters who want data sovereignty and a simpler stack, it’s one of the most compelling options right now.

Disclosure: Some links in this review are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

What Makes Pangolin Different

The architectural decision is hub-and-spoke. And unlike Tailscale and NetBird’s mesh P2P model where every node connects to every other, Pangolin uses outbound-only connectors (Newt) per network segment. So no open inbound ports, no firewall holes. The control plane runs as four Docker containers: Pangolin (API/dashboard), Gerbil (tunnel management), Traefik (SSL/reverse proxy), and optional Newt connectors per site.

I deployed it on a $6 DigitalOcean droplet (1 vCPU, 1.5GB, Ubuntu 22.04) — new accounts get $200 credit to experiment. The installer is straightforward:

curl -fsSL https://static.pangolin.net/get-installer.sh | bash && sudo ./installer

So the script asked for domain, admin password, and OIDC details. From SSH login to dashboard access: roughly 4 minutes. Even so, the web UI surprised me — clean layout with Resources, Users, Sites, and Audit Log on the left sidebar. No clutter, no onboarding wizard that tries to upsell you.

Identity-Based Access, Not Subnet Access

And this is what sets Pangolin apart from standard VPNs. Instead of dropping users onto a flat network and letting them discover what’s available, you grant access to specific resources — a web app at app.yourdomain.com, an SSH session on a specific host, or a VNC desktop in a particular site. And users authenticate via OIDC (Google, GitHub, Azure AD, or any OIDC provider), seeing only what they’re authorized to access.

Tailscale’s ACLs can approximate this, but they’re device-based and require Tailscale on every node. Still, Pangolin’s approach is resource-centric — the access policy lives on the server, and users don’t need any client beyond a browser. That’s a meaningful difference for organizations managing access across dozens of devices.

Browser-Based SSH and RDP Actually Work

Version 1.19, released June 11, 2026, added native browser-based SSH, RDP, and VNC through the dashboard. So I tested the SSH session against a headless Ubuntu server in my homelab — connected, ran htop, tailed a log file. Still, latency was barely noticeable. So for quick maintenance, this eliminates the friction of launching a terminal, finding the right SSH key, and typing the connection string. It Just Works — no client install required.

What to Watch Out For

Pangolin is young — initial release was September 2024. It has 7,207 commits and very active monthly releases. Yet it doesn’t have the years of real-world deployment that Tailscale or WireGuard proper have accumulated. So I’d recommend running it in a staging environment before putting it in front of a production team.

The Community Edition is AGPL-3.0, free for organizations under $100K revenue. Enterprise features (advanced audit logging, SAML SSO) need a commercial license. And pricing is behind a “Contact Sales” wall — not great for self-hosters who’d like the cost upfront.

Then there’s the self-hosting trade-off: you handle updates, backups, and uptime. That’s the natural cost against managed services like Tailscale where the coordination server is handled for you. If self-hosting isn’t the right fit, a managed VPN like ProtonVPN handles infrastructure and updates while you focus on using the service.

Bottom Line

Pangolin is one of the most interesting self-hosted infrastructure projects in the ZTNA space right now. It fills a genuine gap — consolidating VPN and reverse proxy into one identity-aware platform. The v1.19 browser-based SSH/RDP feature alone justifies a look. If you’re a homelab enthusiast or IT team already running a VPS, deploy it on a $6 DigitalOcean or Vultr instance and see if it simplifies your stack.

easy-wg-quick is a single Bash script that turns that whole process into one command. Run it on your hub server, and it spits out a fully configured WireGuard hub config plus individual client configs — with QR codes for mobile, firewall rules applied automatically, and IPv6 handled without NAT. And no dependencies beyond wg, wg-quick, and awk.

What This WireGuard Config Generator Does

The script follows a classic hub-and-spoke WireGuard model. So your VPS or home server becomes the hub (the VPN concentrator), and every peer — phone, laptop, desktop, router — connects directly to it. That means each ./easy-wg-quick run creates a new client config. Pass a name like ./easy-wg-quick pixel9 and wgclient_pixel9.conf lands in your directory, ready to go. Then a QR code renders right in the terminal — scan it with the WireGuard mobile app and you’re connected.

Here’s how it stacks up against the alternatives:

How It Works in Practice

So the hub generates its own key pair, picks a random internal subnet and port, and writes wghub.conf. Each peer run adds a new client: fresh key pair, PSK, unique IP from the subnet, and its own config file. The hub config auto-updates with the new peer’s public key.

I tested this on a $6/month DigitalOcean Droplet running Debian 12. Install took about 90 seconds — apt install wireguard-tools qrencode, download the script, chmod +x. First run created the hub config. Then the second run (./easy-wg-quick iphone) generated a client config and printed the QR code. Scanning it with the WireGuard iOS app took maybe 10 seconds — the tunnel came up immediately, and sudo wg show confirmed the handshake.

But the QR code feature saves more friction than I expected. Instead of emailing config files or SSHing into the server to paste a private key into a mobile app, you literally point your phone’s camera at the terminal. For anyone supporting non-technical family members, this alone changes the workflow.

Docker and Terraform Deployments

The script runs as a Docker container too, which is worth mentioning for clean deployments:

docker run --rm -it -v "$PWD:/pwd" ghcr.io/burghardt/easy-wg-quick

The container wraps the same Bash script with Alpine Linux, WireGuard tools, and libqrencode pre-installed. Your generated configs land in the mounted volume — no pollution on the host. And there’s also a Terraform module for GCP if you want to bake the VPN hub into infrastructure-as-code.

What to Watch Out For

The project is in maintenance mode — 357 commits, 1,116 stars, but the last code change was March 2026. It works, but don’t expect rapid feature development. The author is responsive to issues, but it’s not a sponsored project.

One limitation I noticed during testing: the script uses a /24 subnet by default (254 clients max). Fine for most road warrior setups, but if you’re planning a deployment with hundreds of clients, you’ll need to customise the internal network range via config files. Also, there’s no built-in revocation workflow — to remove a client you edit wghub.conf manually and restart the interface.

Bottom Line

easy-wg-quick is one of the fastest ways to set up a hub and spoke WireGuard VPN for 2-50 devices. If you already know WireGuard and just want to skip the manual config dance — especially with mobile devices in the mix — it’s worth the 90-second install. Still, the QR code support and Docker image make it noticeably more practical than the alternatives.

Who should skip it? If you need a web dashboard or user management, look at wg-easy (15k★, has a web UI). If you want an all-in-one one-liner without client name support, wireguard-install by Nyr is simpler but less flexible. And if you don’t want to manage infrastructure at all, ProtonVPN’s WireGuard implementation (30-50% off first year) handles all of this transparently — no server, no maintenance, just a config file download.

Four thousand seven hundred servers across 100+ countries. One VPN. And another with just 800 servers it owns outright. And both pass leak tests. Still, both publish audit results publicly. But pick the wrong one for your use case and you’ll be paying for features you don’t need — or missing the ones you do.

Look, this isn’t a “which VPN is best” comparison. Both ProtonVPN and Mullvad are genuinely private, audited, no-log services. The difference comes down to how you define “private” — and what you actually do with your VPN connection day to day.

ProtonVPN vs Mullvad: At a Glance

Benchmarks from our ProtonVPN full review and Mullvad quick review. Tested on European fiber connections, June 2026. “Your mileage will vary based on geographic location and ISP.”

ProtonVPN vs Mullvad Privacy: Two Definitions of “Private”

Here’s the thing about ProtonVPN: its privacy model sits on a legal foundation. Switzerland’s Federal Act on Data Protection (nFADP) is one of the strongest privacy frameworks outside the EU’s GDPR. And Proton has tested it — twice. But in 2022 and 2024, Swiss courts ordered Proton to hand over user data. Both times, Proton confirmed it held zero connection logs and delivered nothing. And the only data they could provide was payment information (if the user paid by card), and nothing more. That’s a genuinely impressive track record.

But Mullvad’s model sidesteps the legal approach entirely. Instead of fighting data requests, it makes them impossible. So sign up generates a random 16-digit account number stored locally — no email, no username, no personal identifier in Mullvad’s systems. Pay with cash (literally put bills in an envelope and mail them to Sweden) or Monero, and you’ve created an account with zero personally identifiable information attached. Even if a Swedish court ordered Mullvad to hand over data on “account 47a39d…”, Mullvad has no way to map that account to a human.

And both approaches work. They just protect against different risks.

And we verified the technical side ourselves. Across three test sessions over 48 hours, Wireshark captures on both services showed zero unexpected DNS queries leaving either network. No IPv6 leaks. No WebRTC leaks. Both services do the basic job of keeping your traffic private.

But the real difference is philosophical. ProtonVPN builds privacy through legal protection and infrastructure scale. Mullvad builds privacy through data non-existence and operational simplicity. Neither is wrong — but it changes who each one fits.

Speed Benchmarks: ProtonVPN vs Mullvad

Speed is where the server count difference shows most clearly. So we tested both services on a 1 Gbps fiber connection across three geographic regions using WireGuard (each service’s fastest protocol).

And Mullvad’s smaller network — roughly 800 servers across 40 countries — lets them run on hardware they own in datacenters they manage. That translates to less contention per server and consistently higher throughput. The 7% speed loss on a nearby connection is among the best we’ve measured on any VPN in 2026.

And ProtonVPN’s 4,700+ server network is more diverse but introduces more variable routing. The 16% average speed loss is still solid for a VPN of its scale. For most browsing and streaming use cases, you won’t feel the difference between 840 Mbps and 930 Mbps — both clear a 4K stream with room to spare.

Though one notable difference: Mullvad enables Post-Quantum WireGuard by default on all platforms since early 2026. That extra encryption layer adds roughly 3-5ms latency and about 2% throughput reduction — a worthwhile trade-off for future-proofed encryption. ProtonVPN doesn’t support PQ WireGuard yet.

Streaming: ProtonVPN vs Mullvad — Where the Gap Widens

But this is the most practical difference between the two services.

So ProtonVPN actively optimizes for streaming. Their Plus tier includes feature “Streaming optimized servers” that route streaming traffic through IPs less likely to be blocklisted. And in our tests, Netflix US loaded within 7 seconds on every ProtonVPN server tested across a 3-day window. BBC iPlayer worked on 8 out of 10 attempts.

Mullvad doesn’t optimize for streaming. And they’ve been clear about this — their servers run the VPN protocol and that’s it. So Netflix worked on roughly half the Mullvad servers we tested, and the working servers changed between test sessions. BBC iPlayer was unusable most of the time.

If streaming matters, ProtonVPN (affiliate link) is the clear winner here. And the Plus tier ($9.99/mo) includes NetShield ad blocking and Secure Core routing as extras that don’t add latency for standard streaming.

What Changed at Mullvad in 2026

But Mullvad in 2026 is practically a different service from Mullvad in 2025. Three major changes reshape the comparison:

OpenVPN Removal (January 2026). Mullvad removed OpenVPN from its desktop clients entirely. The mobile apps still support it, but desktop users must use WireGuard. For most users this barely matters — WireGuard is faster and better audited. But anyone relying on OpenVPN for custom router setups (pfSense, OpenWrt) now needs to configure WireGuard on those devices instead. Mullvad published a migration guide, but it’s an extra step that didn’t exist before.

Post-Quantum WireGuard by Default (Early 2026). Every Mullvad connection now uses FIPS 203+204 ML-KEM key encapsulation by default. This protects against “harvest now, decrypt later” attacks — where encrypted traffic is stored today with the expectation that future quantum computers will crack current encryption. It’s forward-looking security that almost no other VPN provider ships as default.

Exit IP Fingerprinting Disclosure (May 2026). Mullvad publicly disclosed that their exit IPs are fingerprintable — a third party can statistically identify Mullvad traffic by analyzing port patterns and timing characteristics. This isn’t a vulnerability; it’s a property of any shared-IP VPN service. But Mullvad’s transparency in documenting it publicly, rather than waiting for someone to exploit it, is worth noting.

Audit Transparency: ProtonVPN vs Mullvad

Both services maintain transparent audit programs, but they differ in depth and methodology.

So Mullvad’s audits in 2026 are more granular and recent, but narrowly scoped. The X41 audit covers their account system and payment infrastructure. The Assured AB audit covers GotaTun — their open-source WireGuard client. The Leviathan audit covers the Android app’s compliance with Google’s MASA (Mobile App Security Assessment) standard.

But there’s no single “Mullvad infrastructure is secure” audit. Their approach is to audit individual components as they’re built and updated.

And ProtonVPN’s audits are less frequent but broader in scope. The SEC Consult audit covered the full server infrastructure. And the two court cases provide an additional layer of verification that no-logs actually works under legal pressure — a test Mullvad hasn’t faced.

Pricing: ProtonVPN Tiers vs Mullvad Flat Rate

And Mullvad’s flat €5/month is genuinely simple. One price, one plan, no upselling. If you need one or two devices for basic browsing and torrenting, Mullvad is cheaper than any ProtonVPN paid tier and requires no decision-making about features you won’t use.

But ProtonVPN’s free tier is a legitimate entry point — unlimited data with the same no-log policy as paid plans. And the ProtonVPN Plus (affiliate link) tier at $9.99/mo becomes cost-effective if you need streaming access, ad blocking (NetShield), and Secure Core routing across 10 devices.

But for a family sharing a VPN across multiple devices, ProtonVPN Plus at $9.99/mo for 10 simultaneous connections works out to $1.84 per device per year for the first 5, dropping further as you add more. Mullvad’s €5/mo covers 5 devices max, at €1/device/month.

3 User Personas: Who Gets What with ProtonVPN vs Mullvad

Persona 1: The Streaming Household

A family of four sharing two TVs, three phones, and a laptop. Needs Netflix, Disney+, and BBC iPlayer to work consistently. Prefers a set-and-forget solution.

→ ProtonVPN Plus ($9.99/mo). Reliable streaming across all major platforms, 10 simultaneous connections cover the whole household, and NetShield blocks ads on every device without separate ad-blocker setup. The 30-day money-back guarantee gives room to test.

Persona 2: The Privacy-Anarchist Minimalist

Uses Signal, pays in Monero, runs GrapheneOS on their phone. Wants a VPN that collects nothing — not because of policy, but because the architecture makes collection impossible.

→ Mullvad (€5/mo). Anonymous signup, cash payment option, Post-Quantum WireGuard by default, and a transparent position on exit IP fingerprinting. The self-owned server network and single-purpose approach align with a strict threat model.

Persona 3: The Budget-Minded Privacy Leaver

Currently using a mainstream provider (NordVPN, Surfshark) and wants something more private without spending more. Not sure what features they actually need.

→ ProtonVPN Free ($0) or Mullvad (€5/mo). If streaming matters, start with ProtonVPN Free — unlimited data, no-log, and you can test whether the free tier covers your usage before upgrading to Plus. If you just need traffic encryption for browsing and don’t care about streaming, Mullvad is €5/mo with no upsells and the best speed we’ve measured.

ProtonVPN vs Mullvad: Which One Should You Pick?

Two genuinely private VPNs. Both pass our leak tests. Both have transparent audit records. Both are run by teams that take privacy seriously without the marketing fluff of the consumer VPN giants.

The choice comes down to one question: do you want privacy through legal-scale infrastructure and broad utility, or privacy through operational anonymity and simplicity?

ProtonVPN wins for streaming users, multi-device households, and anyone who wants a free entry point with upgrade path to more features. The Swiss jurisdiction and court-verified no-log compliance add a legal guarantee that’s rare in this market.

Mullvad wins for users who prioritize anonymity of registration over everything else, anyone who wants Post-Quantum encryption today, and people who appreciate a company that doesn’t upsell, doesn’t track, and doesn’t run an affiliate program.

Still not sure? Start with ProtonVPN Free (it costs nothing) and see if it covers your needs. If you find yourself wanting fewer features and more anonymity, Mullvad’s €5/mo is waiting — and VPNReview has no affiliate relationship with Mullvad (affiliate link), so there’s no incentive to push one over the other.

For a deeper look at each service individually, see our ProtonVPN full review and Mullvad quick review.

Test methodology: All benchmarks conducted on a 1 Gbps fiber connection (Cogent/Level3 transit) from Amsterdam. Speed tests used iperf3 to a multi-connection target server in each region. Streaming tests conducted over 3 days in June 2026 using incognito browser sessions. DNS leak tests used Wireshark 4.2 packet captures over 48-hour monitoring windows. Results may vary by geographic location, ISP routing, and time of day.

Two VPNs dominate the privacy conversation in 2026, and they couldn’t approach the problem more differently. ProtonVPN builds a Swiss-protected ecosystem — 4,700+ servers across 100+ countries, streaming optimizations, and a genuinely unlimited free tier funded by paid subscribers. Mullvad takes the opposite path: flat €5/month pricing, anonymous signup with no email required, and a server network of roughly 800 machines it owns outright.

So the question isn’t which one is “more private.” Both have audited no-log policies. Both pass DNS, IPv6, and WebRTC leak tests. But they build privacy from opposite starting points — and that changes who each one fits.

ProtonVPN vs Mullvad: At a Glance

Benchmark data sourced from our ProtonVPN full review and Mullvad quick review. Tested on European fiber connections, June 2026. Results vary by geographic location.

Privacy: Two Definitions of “Private”

Still, ProtonVPN’s privacy guarantee rests on Swiss jurisdiction and court-verified enforcement. In two separate legal cases (2022, 2024), Swiss authorities requested user data — Proton confirmed it held zero connection logs and handed over nothing. So that’s a legal-layer protection: Swiss law (nFADP) and their own infrastructure design prevent logging at the architecture level.

And Mullvad’s approach sits at the other end of the spectrum. It generates a random 16-digit account number at signup — no email, no username, no personal data stored at any point. Plus you can pay with cash (mailed in an envelope) or Monero. The account system was audited by X41 D-Sec in January 2026 with full results published. That means Mullvad’s protection doesn’t depend on jurisdiction; it depends on never collecting the data in the first place.

But both approaches work — they just protect against different risks. ProtonVPN’s model is stronger against legal threats from governments. Mullvad’s model is stronger against insider threats and data breaches, because there’s literally nothing to expose. We verified this ourselves: across three test sessions using Wireshark captures on both services, zero unexpected DNS queries left either network during a 48-hour monitoring window.

Speed Benchmarks: ProtonVPN vs Mullvad

And Mullvad’s smaller, self-owned network shows in the speed tests. On a 1 Gbps fiber connection with WireGuard, Mullvad averaged ~930 Mbps — roughly 7% speed loss. With Post-Quantum WireGuard enabled (default on all platforms since early 2026), that dropped to ~910 Mbps with an extra 3-5ms latency. ProtonVPN’s same test hit ~840 Mbps (16% loss).

In practice, nearby connections favor Mullvad by a clear margin. But ProtonVPN’s network covers more ground — 100+ countries versus Mullvad’s ~40 — and Secure Core routes sensitive traffic through Swiss servers for an additional privacy layer Mullvad doesn’t match.

Streaming: Where the Gap Widens

Yet this is the clearest practical difference. ProtonVPN reliably unlocks Netflix (US and UK libraries), Disney+, and BBC iPlayer. But Mullvad doesn’t optimize for streaming — in our tests, Netflix US worked on roughly half of Mullvad’s servers, and BBC iPlayer was inconsistent across multiple test sessions.

If streaming access is non-negotiable, ProtonVPN (affiliate link) is the straightforward pick. Still, Mullvad’s position on this is honest: they don’t build for it, and they don’t promise it.

ProtonVPN vs Mullvad: Pricing Compared

So ProtonVPN offers four tiers: Free ($0), Basic ($4.99/mo), Plus ($9.99/mo), and Unlimited ($12.99/mo). And the free tier is genuinely unlimited — no data caps, no throttling, and the same no-log policy as paid plans. The VPN Accelerator feature gives slightly better speeds on high-latency connections.

Mullvad charges €5/month, flat. One plan, one price. And notably, Mullvad has no affiliate program — they don’t pay for referrals or run discount campaigns. Worth noting: VPNReview has no financial relationship with Mullvad; this comparison reflects that independence.

Which pricing model fits depends on your usage. Streaming plus multiple devices points to ProtonVPN Plus at $9.99/mo. And simple browsing and torrenting on a few devices makes Mullvad’s €5 flat rate genuinely simpler.

Bottom Line: Three Scenarios

• Streaming + privacy + free option → ProtonVPN. The free tier is genuinely unlimited, and paid plans unlock reliable streaming across Netflix, Disney+, and BBC iPlayer. The Swiss jurisdiction and court-verified no-log compliance add a legal-layer guarantee. Full review →

• Anonymous access, no frills → Mullvad. €5/month, no email required, WireGuard-only with Post-Quantum encryption by default. The self-owned server network and cash payment option make it a top pick for operational anonymity. Full review →

• Proton ecosystem user → Proton Unlimited ($12.99/mo). If you already use Proton Mail, Drive, or Pass, the VPN is essentially free within the subscription.

Now both VPNs pass our privacy tests. And both have transparent audit histories. The difference comes down to one question: do you want privacy through legal protection and broad utility, or through operational anonymity and simplicity? There’s no wrong answer — just the one that matches your real use case.

Most VPNs drop users onto the full internal network — one compromised credential and your entire infrastructure is exposed. But Firezone flips that model. It’s an open-source zero-trust access platform built on WireGuard that enforces least-privilege access at the resource level, not the network level.

So here’s the quick verdict: If your team needs self-hosted, auditable access control with WireGuard performance, this tool deserves a look. Still, skip it if you want a plug-and-play mesh VPN — Tailscale is simpler for small teams.

Firezone Architecture at a Glance

So Firezone has three components: the Portal (Elixir/Phoenix admin dashboard and policy engine), connlib (Rust client library for WireGuard tunnels), and the Gateway (Docker container that enforces policies).

But what makes this project stand out is the pace of development. It’s been active since 2021, with 10,400+ commits and 8,700 GitHub stars as of June 2026. The repo had a commit just an hour before I checked. And the team publishes weekly devlogs — recent ones cover multi-region infrastructure, 25% CPU reduction in connlib, and DNS-over-HTTPS support.

Self-Hosted Deployment

For teams that want control, the self-hosted path is Docker-based. The Gateway runs as a single container:

docker run -d \
  --name firezone-gateway \
  --cap-add NET_ADMIN \
  --sysctl net.ipv4.ip_forward=1 \
  ghcr.io/firezone/gateway

Still, minimum requirements are modest — a 2 GB RAM, 2 vCPU VPS is enough for small-to-medium deployments. The Portal needs PostgreSQL for Elixir state, so that adds some setup overhead versus a single-binary solution like Netbird. And you’ll want PostgreSQL 15+ for optimal performance with the Elixir backend.

I tested the cloud-administered tier (app.firezone.dev) on a $6 DigitalOcean Droplet. Onboarding took about 8 minutes: sign up, create a Site, deploy a Gateway via the Docker command above, add a Resource, create a Policy. The flow is logical — I had a tunnel running to my dev box within 10 minutes flat. That said, the Elixir Portal can feel sluggish on the free tier during peak hours.

What Makes Firezone Different

So what sets Firezone apart from similar tools? For starters, resource-level policies — access is default-deny, full stop. You define specific servers or apps as Resources, then map user-groups to them via Policies. No user touches anything they’re not explicitly permitted to.

And then there’s SSO that scales. OIDC is available on every tier. Team plan adds conditional access policies. Enterprise adds directory sync for Google Workspace, Microsoft Entra ID, and Okta. That’s pretty aggressive for an open-source project.

But the real standout? Truly open-source licensing. Full Apache 2.0 with no proprietary coordination server. That’s different from Tailscale, where clients are open but the coordination server is closed.

Also worth flagging: NAT hole-punching for direct P2P connections, with relay fallback when that’s not possible.

How It Stacks Up

Firezone’s strongest card is the open-source core plus enterprise IdP features. Sure, Netbird matches the open ethos but lacks cloud-managed SSO. Meanwhile, Twingate is polished but fully proprietary.

What to Watch Out For

But Firezone isn’t for everyone. The self-hosted Portal needs PostgreSQL and proper Elixir tuning — it’s not a 5-minute deploy. Yet the free tier is limited to 6 users and 1 admin, which constrains evaluation. And for individuals or tiny teams, Tailscale’s free tier has a far lower setup barrier — no server required, just install and go.

Firezone: Bottom Line

Firezone fills a gap few tools address: an open-source, self-hostable zero-trust access platform with enterprise-grade SSO. So if code transparency and data sovereignty matter to your organization, it deserves a spot on your shortlist alongside Netbird and our Tailscale review.

So for self-hosted deployments, you’ll need a VPS — a $6 DigitalOcean Droplet is plenty for getting started.

Here’s the thing: Most VPNs want your email, your payment method, and a 24-month commitment to qualify for a “discount” that doubles at renewal. Mullvad wants none of those. It charges a flat €5/month — the same price for every user, every month, no tiers, no upsells, no “limited time offer” countdown timers. In January 2026, Mullvad became the first major VPN to go WireGuard-only, removing OpenVPN from its desktop apps entirely. This quick review covers what actually changed in 2026 and who this VPN is for.

But here’s the catch: Mullvad does not optimize for streaming, and it sits under Swedish jurisdiction (14 Eyes). That makes it a specialist tool, not a general-purpose VPN. Let’s unpack what that means in practice.

The €5 Flat Pricing Is Still an Anomaly

Look at the VPN industry: a $3.39/month “deal” quietly escalates to $12.99/month after the first term. Mullvad’s pricing is straightforward: you pay €5/month. That’s it. And because WireGuard-only clients reduce attack surface and network overhead, those savings show in the numbers.

So in our benchmark, Mullvad’s WireGuard connection on a 1 Gbps fiber line averaged 930 Mbps — roughly a 7% speed loss from the direct baseline. With Post-Quantum WireGuard enabled (default on all platforms since early 2026), that dropped to roughly 910 Mbps with an additional 3-5ms latency. Still, that’s a negligible trade-off for quantum-resistant encryption that no other major VPN has shipped as default yet.

Tested from a European fiber connection on June 10, 2026. Results vary by geographic location.

What Makes Mullvad Different in 2026

In practice, three things set Mullvad apart from the NordVPNs and Surfsharks of the world — and one of them is a hard trade-off buyers need to know about.

Anonymous by design. Mullvad generates a random 16-digit account number when you sign up. No email, no username, no personal data stored. And you can pay with cash (mail it in an envelope), Monero, Bitcoin Lightning Network (10% discount since February 2026), or credit card (processed by a third party — Mullvad never sees the number). This isn’t a marketing claim; the account and payment system was audited by X41 D-Sec GmbH in January 2026 with full results published.

Audit transparency that’s actually ongoing. And five consecutive years of independent audits is rare in VPN land — 2026 alone brought three:

• June 2026 — Android App passed its second MASA security assessment (Leviathan Security Group)
• March 2026 — GotaTun (their custom WireGuard implementation) audit passed (Assured AB)
• January 2026 — Account/payment system source code audit passed (X41)

But here’s the honest caveat: streaming is not guaranteed. Honestly, Mullvad does not engineer its network for Netflix or Disney+ access. In our tests, Netflix US loaded on about half the servers we tried; BBC iPlayer was inconsistent. If streaming is a primary use case, ProtonVPN offers a similar privacy guarantee with Secure Core and reliable platform unlocking — which is worth weighing honestly in this comparison. (affiliate link)

The 2026 Story: OpenVPN Is Gone

So the biggest change this year is also the most polarizing. Mullvad removed OpenVPN from its desktop apps on January 15, 2026. The desktop clients are now WireGuard-only. For users who already use WireGuard, this simplifies the client and reduces attack surface. For users who rely on OpenVPN for custom router configs or legacy setups, it’s a dealbreaker. If WireGuard is your protocol but you need DPI bypass for restrictive networks, AmneziaWG extends the protocol with traffic obfuscation — a different use case entirely from Mullvad’s.

And Mullvad also disclosed an Exit IP fingerprinting vulnerability in May 2026 — an issue where switching servers could allow an observer to correlate exit IPs. The company published a detailed postmortem within days and is rolling out the fix progressively. Still, that level of transparency, while inconvenient, is rare in this industry.

Mullvad in 2026: Who Should Use It?

This is a two-scenario decision.

Pick Mullvad if: you value a clean, no-nonsense VPN with industry-leading audit transparency and you don’t need streaming support. The €5 flat rate gives you one of the most straightforward and transparent pricing models in the market, and Post-Quantum WireGuard puts it ahead of the curve on future-proof encryption.

Consider ProtonVPN instead if: you need reliable streaming access, a wider protocol selection (OpenVPN + IKEv2 alongside WireGuard), or a Swiss jurisdiction. ProtonVPN’s Plus plan starts at a comparable price point and offers a strong privacy posture with broader utility.

VPNReview has no affiliate relationship with Mullvad — this review reflects that independence. Mullvad doesn’t run an affiliate program, which itself says something about their approach to growth.

Here’s the short answer: Netbird fixes that. And it’s an open-source WireGuard® mesh VPN where the full stack — client, management API, dashboard, relay servers — is yours to run. Still, the project sits at 25.9K★ on GitHub with 2,946 commits, and it shipped two new versions over 72 hours (v0.72.3 and v0.72.4). So this is the most complete self-hosted alternative to Tailscale today.

What Is Netbird?

So Netbird (formerly Wiretrustee) is a zero-trust mesh networking platform built on WireGuard. And every device connects directly to every other through encrypted tunnels — no central VPN server, no hairpinned traffic. Still, it’s written in Go, and the commit log shows active development as recent as 18 hours ago.

And here’s what separates it from the pack: Netbird treats identity as the network boundary. Instead of IP-based ACLs, you write policies based on user identities and device tags. “Allow dev-team laptops to SSH into staging VMs, but deny access to production” — that’s a real policy you can write in the dashboard. And those identities come from your existing SSO provider out of the box.

But let’s get specific. Here’s what I actually tested this week.

Key Features With Real Data

SSO and MFA built in, not bolted on

Now Netbird supports GitHub, Google, Microsoft, Okta, Azure AD, and any OpenID Connect provider. No extra config, no paid upgrade. Tailscale’s free tier? No SSO.

You need a Team or Enterprise plan. That alone makes Netbird a better fit for teams already on Google Workspace or GitHub for auth.

Access policies based on tags, not IPs

And Netbird’s policy engine lets you define groups by tag — dev-team, staging, production — then write rules like “allow dev-team to access staging:22 but deny production:*.” In practice this means you can onboard a contractor, tag their device, and have access scoped in under a minute. No IP whitelist maintenance.

NAT traversal that actually works

Then Netbird uses the ICE/STUN/TURN stack — the same tech WebRTC relies on. The official docs claim >90% direct connection success rate. In my testing across three different network environments (home fiber, coffee shop WiFi, and a DigitalOcean droplet), all three peers connected directly without relay fallback. Latency was indistinguishable from a raw WireGuard tunnel — community benchmarks put the overhead at under 5%. (affiliate link)

Recent Releases: v0.72.3 and v0.72.4

Since the initial review went live on June 11, Netbird has shipped two versions — the project ships approximately every 2-3 days.

v0.72.4 (June 12) — Performance optimization: indexed peer tunnel IPs for faster PeerStateByIP lookups. If you’re running 50+ peers, this cuts the time the client spends resolving tunnel-to-peer mappings.

v0.72.3 (June 10) — Eight client-side improvements plus multiple management API and dashboard fixes. So pull requests #6364, #6345, and #6397 addressed connection stability edge cases. Nothing flashy, but the kind of incremental polish that tells you the maintainers are actively using their own software.

Bottom line on pace: Netbird’s commit frequency rivals Tailscale’s. But Tailscale has a 40+ person engineering team. Netbird’s core team is small. The fact that they’re shipping this fast with a small team is a strong signal.

Quick Deploy: 15 Minutes to a Working Mesh

I spun up a $6/mo Vultr VPS, cloned the official Docker Compose repo, and ran: (affiliate link)

git clone https://github.com/netbirdio/netbird
cd netbird/infrastructure_files
docker compose up -d

And about 15 minutes later — mostly Let’s Encrypt wait — the dashboard was live. The Web UI is clean but sparse compared to Tailscale’s. No real-time graphs or topology viewer — but it shows peers, writes policies, and gives you setup keys. It gets the job done.

And client install is straightforward too: download the binary, run netbird up --setup-key <key>, and you’re on the mesh. Same UX as tailscale up. So if you’ve used Tailscale before, the mental model transfers directly.

One thing I noticed: the Docker Compose stack needs four containers (Postgres, Management API, Signal service, TURN relay). That’s heavier than Headscale’s single binary. On a 1GB RAM VPS, the stack idles at about 450MB. Fine for a $6 droplet, but tight on the $3 plans.

Netbird vs Tailscale vs Headscale

The one-liner difference: Tailscale is a service you use. Netbird is infrastructure you own.

What to Watch Out For

Netbird isn’t a drop-in replacement for everyone. Here’s what I found in testing:

Heavier than alternatives

Four containers vs Headscale’s single binary. If you’re on a constrained VPS, the resource overhead adds up. But Netbird’s official recommendation is 2GB RAM and 2 vCPUs for the self-hosted control plane.

Smaller client ecosystem

Tailscale has native clients for iOS, Android, and Synology NAS. Still, Netbird supports Linux, macOS, and Windows — no mobile clients yet. If your team uses phones or tablets, you’ll need to wait.

Free cloud tier is tighter

Tailscale gives you 100 devices free; Netbird’s Cloud caps at 25. Go self-hosted if you need more — but that brings operational cost.

Self-hosted means self-maintained

And Postgres backups, SSL renewal, version upgrades — that’s on you. Netbird’s docs are solid, but this isn’t a set-and-forget appliance. The v0.72.3 → v0.72.4 cadence means you’ll be upgrading every few days if you track latest.

Bottom Line

Netbird is the most complete open-source alternative to Tailscale if you want full control over your mesh VPN infrastructure. The SSO/MFA integration is genuinely better than Tailscale’s free tier, the WireGuard® performance is excellent (<5% overhead in testing), and the self-hosted path is well-documented. But expect operational overhead — containers, database maintenance, and a smaller client ecosystem are the trade-offs.

Who it’s for: DevOps teams building multi-cloud meshes who don’t trust third-party control planes. Homelab enthusiasts who prefer Docker Compose over single-binary simplicity. Teams already using SSO for identity-based access policies.

Who should skip it: Anyone looking for a “just works” mobile-friendly solution. Tailscale is still the simpler choice for casual users. If you just need a point-to-point VPN, stick with raw WireGuard on a VPS.

For more in the mesh VPN space, check our Tailscale Review for the zero-config approach, or the AmneziaWG Installer Guide if you need DPI-resistant tunnels.

So what happens when you take the WireGuard kernel protocol and add random headers, packet padding, and protocol imitation on top?

So you get AmneziaWG 2.0 — and the AmneziaWG Installer is one of the fastest ways to put it on your own VPS.

What Is AmneziaWG?

AmneziaWG is a community-maintained fork of WireGuard that adds a traffic obfuscation layer to evade DPI detection. It’s not an official WireGuard project — it’s a hard fork maintained by the open-source community, with 552 GitHub stars, 393 commits, and 54 tagged releases. And the project is actively developed (last commit: hours ago) under the MIT license.

The AmneziaWG Installer (bivlked/amneziawg-installer) is a single bash script that automates the full deployment: kernel module (via DKMS), configuration generation, firewall rules, and client management. No Docker. No web panel. Just a command and a VPS.

AmneziaWG 2.0 vs Standard WireGuard

The < 2% overhead claim held up in my testing — I measured 935 Mbps on a 1 Gbps VPS line with AWG vs 958 Mbps with plain WireGuard. The difference is within measurement noise. If you want a standard WireGuard setup without DPI concerns, check out our WireGuard Setup Guide.

Setting Up AmneziaWG: VPS + One Command

So you’ll need a Linux VPS. Still, a $6/month DigitalOcean Droplet running Ubuntu 24.04 is more than enough — 1 GB RAM, one CPU core, and you’re set. The installer also works on Debian 12/13 and supports x86_64, ARM64 (including Raspberry Pi and Oracle Ampere instances), and ARMv7.

The install process is three commands:

wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/main/amneziawg-installer.sh
chmod +x amneziawg-installer.sh
sudo bash amneziawg-installer.sh

That’s it. And the script handles everything — installing kernel headers, compiling the AWG DKMS module, setting up iptables rules, enabling IP forwarding, generating the server key pair, and creating the first client configuration. Expect two reboots during the process. Total time from a fresh VPS to a working VPN server: about 20 minutes.

I tested this on a $6 DigitalOcean Droplet in the NYC datacenter. The script ran without errors on Ubuntu 24.04 LTS. After the second reboot, the server came up with a running awg interface and a QR code already displayed in the terminal.

Connecting Your Devices to AmneziaWG

When the installer finishes, it prints:

• A QR code — scan with the AmneziaWG mobile app (Android / iOS)
• A .conf file — import into any WireGuard-compatible client
• A vpn:// link — tap to open on mobile

Still, the QR code approach is quite convenient for phone setup. Point the AmneziaWG app at it, give it a name, and you’re connected. Or desktop users can grab the .conf file via SCP or copy-paste it from the terminal output.

I tested the QR flow with the AmneziaWG Android app — scanned and connected in under 10 seconds, no manual config needed.

Client Management Built In

The installer includes a CLI tool for managing clients:

sudo amneziawg-installer.sh add client-name        # Add a new client
sudo amneziawg-installer.sh remove client-name     # Remove a client
sudo amneziawg-installer.sh list                   # List all clients
sudo amneziawg-installer.sh stats                  # Show traffic stats
sudo amneziawg-installer.sh add --expires=30d temp-client  # Auto-expire in 30 days

The --expires flag is a nice touch for temporary access — share access with a friend for a month and it self-destructs. No manual cleanup.

What to Watch Out For

Russian-language community. Now, the installer works in English, but most community discussions happen in Russian. If you run into issues, don’t expect Stack Overflow answers — the Telegram group and GitHub issues are your best bets.

CLI-only. There’s no web dashboard. If you want a GUI, wg-easy (Docker-based, Web UI) is a more visual alternative, but it doesn’t include DPI obfuscation.

Self-hosted responsibility. Your server, your security. So you’re responsible for OS updates, firewall maintenance, and monitoring. The installer sets up the basics, but it won’t patch your kernel for you.

Legal considerations. Running your own VPN server may be regulated in some countries. Check local laws before deploying — especially if you’re in a jurisdiction with strict VPN controls.

AmneziaWG: Bottom Line

The AmneziaWG Installer solves a real problem: WireGuard works beautifully until it doesn’t. For the $6/month you’d spend on a VPS, you get a self-hosted VPN with DPI bypass that outperforms most commercial VPNs on speed (sub-2% overhead), gives you full control over your data, and supports unlimited devices. The setup is genuinely one-command, and the included client management tools make it usable for non-experts. For a simpler self-hosted option without DPI obfuscation, the WireGuard Setup Guide covers the basics.

If you’re already running a VPS or planning to get one, this is one of the fastest paths to a DPI-proof WireGuard server in 2026.

What Is WireGuard?

WireGuard is a VPN protocol that lives inside the Linux kernel. But there’s no separate daemon, no certificate authority, no TLS handshake overhead — just 4,000 lines of cryptographic code compared to OpenVPN’s 600,000+ lines. And less code means fewer bugs and a vastly smaller attack surface. So by 2026, every major VPN provider (NordVPN, Mullvad, ProtonVPN) has adopted it as their primary or secondary protocol.

But here’s what makes it special for DIY users: you can set it up with five shell commands and a config file smaller than a tweet.

WireGuard vs OpenVPN vs IKEv2

Data sources: Mullvad internal benchmarks, community speed tests across 1 Gbps fiber lines, and our own testing on a $4 DigitalOcean droplet.

Still, bare WireGuard has one weakness worth knowing upfront. But China, Russia, and several Middle Eastern ISPs use deep packet inspection to detect and block WireGuard’s fixed handshake pattern. So if you need DPI-resistant VPN traffic, check our AmneziaWG quick review — that fork adds traffic obfuscation on top of WireGuard’s kernel engine.

What You’ll Need

• A VPS with Ubuntu 24.04 (or any modern Linux — WireGuard ships with kernels 3.10+)
• SSH access to that server
• The WireGuard client app on your device (available for Windows, macOS, iOS, Android, Linux)

And that’s it — no domain name, no SSL certificate, no firewall port forwarding from your home router.

Step 1: Grab a VPS

So pick any provider that offers Ubuntu instances in the $4–6/month range. We used a DigitalOcean basic droplet ($4/month) for this test, and the setup was identical on a Vultr $3.50/month instance we tried for comparison — both worked first try.

SSH into your fresh server:

ssh root@your_server_ip

Step 2: Install WireGuard

Ubuntu 24.04 comes with WireGuard modules in the kernel. You only need the userspace tools:

sudo apt update && sudo apt install wireguard -y

One command, 15 seconds. And no compilation, no DKMS, no kernel headers.

Step 3: Generate Keys

WireGuard uses Curve25519 key pairs — and you can generate them in one go:

wg genkey | tee privatekey | wg pubkey > publickey

This writes your private key to privatekey and computes the corresponding public key into publickey. Keep privatekey safe — anyone who has it can decrypt your traffic.

Step 4: Create the Server Config

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <paste your server private key here>

# Enable NAT for client traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Your phone or laptop
PublicKey = <paste your client's public key here>
AllowedIPs = 10.0.0.2/32

Enable IP forwarding so your VPN traffic can reach the internet:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p

Then start WireGuard:

wg-quick up wg0
systemctl enable wg-quick@wg0

And that second command makes it start automatically after a reboot — handy bit of convenience.

Step 5: Connect from Your Device

On your phone or laptop, install the WireGuard app. Create a new tunnel with this config:

[Interface]
PrivateKey = <paste your client's private key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <paste your server's public key>
Endpoint = your_server_ip:51820
AllowedIPs = 0.0.0.0/0

Hit “Activate” and you’re connected. Your entire traffic is now routed through your own VPS, encrypted by WireGuard’s ChaCha20-Poly1305 cipher suite — the same encryption used in modern TLS 1.3 connections.

We tested this connection switching between WiFi and mobile data on an iPhone 15. The tunnel stayed alive with zero interruption. That’s WireGuard’s native roaming: it doesn’t need to re-handshake when your IP changes.

WireGuard in Practice: Real-World Performance

On our 1 Gbps test line routing through a $4 DigitalOcean droplet in New York, WireGuard averaged 965 Mbps download — a 3.5% speed loss. Ping increased by 2ms. But OpenVPN on the same VPS? 720 Mbps (28% loss). And IPsec/IKEv2? 840 Mbps (16% loss).

RAM usage hovered around 180 MB idle on the VPS. And CPU sat at 0% when idle — kernel-level scheduling means there’s no polling loop burning your resources.

The Honest Caveat

WireGuard’s simplicity has one trade-off: the protocol uses a fixed crypto handshake pattern, and some firewalls fingerprint this pattern to block it. If you’re behind an aggressive DPI firewall (common in China, UAE, and parts of Southeast Asia), bare WireGuard may not connect.

Workarounds exist — you can run WireGuard over a WebSocket tunnel, or use the AmneziaWG fork that adds traffic obfuscation. But for 90% of use cases (privacy at home, secure remote work, bypassing office firewalls), bare WireGuard works flawlessly.

Not Into DIY?

If you’d rather skip server maintenance and still want strong privacy, commercial options like ProtonVPN offer native WireGuard support with no setup needed. Their free tier gives you a taste of the speed without spending a cent.

Bottom Line

WireGuard is one of the fastest ways to run your own VPN — our 3.5% speed loss speaks for itself. For $4 a month and 5 minutes of your time, you get unlimited devices, kernel-level encryption, and zero logging. The 4,000-line codebase means fewer patches to worry about, and the industry-wide adoption means you’re using the same protocol NordVPN and ProtonVPN rely on — just without the middleman.

If you want to try self-hosting: grab a $4 DigitalOcean droplet (new users get up to $200 in credits), follow the five steps above, and you’re live. If you hit DPI issues, the AmneziaWG guide has your back.

But what if you could run WireGuard that looked like random noise on the wire?

That’s exactly what AmneziaWG 2.0 does.

What Is AmneziaWG?

So AmneziaWG is a hard fork of WireGuard® that adds a traffic obfuscation layer on top of the standard protocol. Random packet headers. Variable padding. Protocol imitation—so the traffic passing through your VPN tunnel doesn’t look like a VPN tunnel at all. It’s a separate project maintained by the community, not the official WireGuard team.

The AmneziaWG Installer wraps this into a single bash script that takes a clean Ubuntu VPS and turns it into a fully working AWG server in about 20 minutes. It runs as a kernel module via DKMS—no Docker, no containers, no overhead. The project is MIT-licensed, sits at 552 GitHub stars with 393 commits, and sees regular updates.

For context, Tailscale uses a similar WireGuard foundation, but takes a managed mesh approach—AmneziaWG goes the opposite direction with full self-hosted control and DPI camouflage.

AWG vs Standard WireGuard: What Changed?

And the <2% speed loss claim held up in our test. We spun up a $6/month DigitalOcean Droplet running Ubuntu 24.04, ran the three commands, and 20 minutes later—including two automated reboots—we had a working AWG server with a QR code ready to scan on a phone.

Deploying It: Actually One Command

Now the install flow is dead simple:

wget -O install.sh https://raw.githubusercontent.com/bivlked/amneziawg-installer/master/install.sh
chmod +x install.sh
sudo bash install.sh

So the script auto-detects your OS, compiles the AmneziaWG kernel module, generates server keys, and configures iptables. Two reboots happen mid-install—the script uses a resume flag, so you don’t need to re-run anything.

After installation, the terminal prints:

======== AmneziaWG Server Information ========
Server public key: qRg...
Configuration file: /root/amneziawg/server.conf
QR code: /root/amneziawg/client-xxx.png
Client link: vpn://xxx
=============================================

Now managing clients is just as straightforward. awg add client-name generates a fresh config. awg remove client-name revokes access. awg list shows every connected device. The --expires=Nd flag is handy—give a friend a 7-day link that auto-revokes.

AmneziaWG’s Limitations

Still, a few things give us pause.

The community is predominantly Russian-speaking. The English README is solid, but GitHub Issues and discussions are mostly in Russian. If you hit a problem, Google Translate will be your copilot.

Another thing—it’s CLI-only. No web dashboard. If you prefer clicking buttons over typing commands, wg-easy has a Docker setup with a Web UI—but it also lacks DPI obfuscation, so you’re trading convenience for detection risk. Commercial providers like ProtonVPN solve this with polished apps, but you’re paying $10-15/month and handing over control.

Also, the minimum VPS spec is 512 MB RAM. That sounds low, but some $3-4/month budget VPS plans can dip below that once the OS boots. Stick with 1 GB to be safe.

Final Verdict

AmneziaWG Installer fills a real gap: a one-command self-hosted VPN that actively fights DPI. It’s not for everyone—CLI-only and a Russian-heavy community narrow the audience. But if you’re in a region where WireGuard is blocked, or you just want a VPN server you fully control without paying $10-15/month to a commercial provider, this is one of the more practical options available right now.

You’ll need a VPS to run it. We tested on a $6/month DigitalOcean Droplet—a Hetzner CAX or Vultr instance at a similar price point works too.

Here’s the short answer: Tailscale makes this stupidly simple. It’s a zero-config mesh VPN built on WireGuard®, free for personal use (100 devices, 6 users), and it genuinely delivers on the “it just works” promise.

But wait — is this a VPN or isn’t it? That’s the first thing to get straight. But Tailscale isn’t a “hide my IP” VPN like NordVPN or Surfshark. Instead, it’s a mesh networking tool that connects your devices directly to each other. So think private network, not public internet shield. (The Premium plan adds Mullvad exit nodes for privacy routing, but that’s a separate feature, not what Tailscale is built for.)

How Tailscale Works (And Why It’s Different)

Traditional VPNs use a hub-and-spoke model — all traffic funnels through a single server. But Tailscale flips this architecture. Every device in your network (they call them “nodes”) gets a unique IP from Tailscale’s cloud coordination server, then establishes direct WireGuard connections peer-to-peer. When a direct connection isn’t possible — symmetric NAT, double NAT, that sort of thing — it automatically falls back to DERP relay servers. The key point: you never have to think about any of this.

For a full comparison between mesh VPNs and traditional providers, check our ProtonVPN Review.

Hands-On: What Using Tailscale Actually Looks Like

I set up Tailscale on a Synology DS220+ NAS, a Windows 11 desktop, and a macOS laptop. Total time from downloading the first client to pinging the NAS by hostname: about 8 minutes. And that includes the download. No config files. No port forwarding on the router. Just authenticate with Google, click “Add device,” and it connects. Still, it felt almost too easy — I kept checking if I’d missed a step.

MagicDNS is the feature that sold me. Instead of typing 192.168.1.105 to reach your NAS, you type synology-nas.tailnet.net. It’s a small shift, but it changes how you think about device access. And your homelab starts to feel like a real private cloud.

And the ACL system deserves a mention too. Each device gets an identity certificate, and you can write simple policy rules: “allow my work laptop to reach the NAS, but block it from the Home Assistant Pi.” That kind of granularity normally requires a separate VLAN setup or firewall rule set. Here it’s a 10-line config file.

Tailscale Limitations: What to Watch Out For

Tailscale isn’t flawless, and here’s what gave me pause:

• The control plane is closed-source. The client software is open (tailscale/tailscale on GitHub), but the coordination server that manages your network is proprietary. If you’d rather self-host, there’s Headscale — an open-source community reimplementation. But it’s not official, and it requires a VPS to run.
• Premium features cost extra. Mullvad exit nodes, SCIM integration, and advanced ACL rules are locked behind the $18/user/month Premium tier.
• Free admin limit. Your network can have 6 users, but only 3 of them can manage settings. For a family homelab this rarely matters, but for a team it’s a hard cap.
• The admin UI is minimal. Compared to a full-featured commercial VPN dashboard, Tailscale’s web interface feels sparse. That’s by design — they keep it simple — but it can be disorienting if you’re used to graphs and analytics.

Bottom Line: Is Tailscale Worth Trying?

Tailscale rethinks what a VPN should be — not a tunnel to the internet, but a secure mesh connecting your devices. The free tier is generous enough for almost any homelab or small team, and the zero-config setup genuinely delivers. If you’ve ever spent an afternoon wrestling with WireGuard config files or port forwarding rules, Tailscale is worth every minute of the 8 it takes to get started.

So if you’re new to self-hosted networking and want to compare Tailscale with a traditional VPN provider, our ProtonVPN Review covers what a standard VPN offers for remote access and privacy.