VPN vs Tailscale vs ZTNA: The Complete Guide to Modern Network Security


Introduction: The Evolution of Remote Access

Remember the days when “going to work” meant physically sitting in an office? Those days feel like ancient history now. As remote work exploded and cloud infrastructure became the norm, the way we think about network security had to evolve—fast.

For decades, Virtual Private Networks (VPNs) were the gold standard for secure remote access. But today, they’re facing serious competition from newer technologies like Tailscale and Zero Trust Network Access (ZTNA). The question isn’t just “which one is better?”—it’s “which one is right for your specific needs?”

In this deep dive, we’ll explore all three technologies from the ground up, compare their strengths and weaknesses, and help you make an informed decision for your organization.

Part 1: Understanding the Basics

What is a VPN?

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a private network. Think of it as a secure highway that connects you to your company’s resources, even when you’re sipping coffee at a café thousands of miles away.

How VPNs Work:

  1. You launch your VPN client
  2. Your device authenticates with the VPN server
  3. An encrypted tunnel is established
  4. All your traffic routes through this tunnel to the corporate network
  5. From there, it accesses the internet or internal resources

Real-World Example:

Imagine Sarah, a sales executive, needs to access her company’s CRM system from a hotel in Tokyo. She connects to her company’s VPN, which routes her connection through the corporate network in San Francisco. To the CRM system, it looks like Sarah is sitting in the office.

What is Tailscale?

Tailscale is a modern mesh VPN built on WireGuard that creates secure, peer-to-peer connections between devices. Instead of routing all traffic through a central server, Tailscale establishes direct connections between devices when possible.

How Tailscale Works:

  1. Install Tailscale on each device
  2. Devices register with Tailscale’s coordination server
  3. The coordination server helps devices discover each other
  4. Direct, encrypted connections form between devices (when possible)
  5. Traffic flows peer-to-peer, not through a central chokepoint

Real-World Example:

Marcus, a developer, needs to SSH into his development server at the office while working from home. With Tailscale installed on both his laptop and the server, they establish a direct encrypted connection. His laptop talks directly to the server—no corporate VPN gateway required.

What is ZTNA (Zero Trust Network Access)?

ZTNA represents a paradigm shift in network security. Instead of trusting anyone inside the network perimeter, ZTNA operates on the principle: “never trust, always verify.”

How ZTNA Works:

  1. User requests access to a specific application
  2. Identity provider verifies user identity (often with MFA)
  3. Policy engine checks user context: device health, location, time, etc.
  4. If approved, a secure connection to only that application is established
  5. User never gets access to the broader network

Real-World Example:

Elena, a contractor, needs access to the project management tool but nothing else. With ZTNA, she authenticates, the system verifies her device is secure, and grants her access only to that specific application. She never touches the broader network, can’t see other resources, and her access is continuously monitored.

Part 2: Deep Technical Comparison

Architecture: How They Differ Fundamentally

Traditional VPN Architecture:

[User Device] → [VPN Client] → [Internet] → [VPN Gateway] → [Corporate Network] → [Resources]

Everything flows through a central gateway, creating a single point of entry (and potential failure).

Tailscale Architecture:

[Device A] ←→ [Coordination Server] ←→ [Device B]
           ↓                           ↓
           └───── Direct Connection ────┘

The coordination server helps devices find each other, but data flows peer-to-peer.

ZTNA Architecture:

[User] → [Identity Provider] → [Policy Engine] → [ZTNA Broker] → [Specific App]

Each application access is individually verified and broker-mediated.

Security Models: Trust vs. Zero Trust

VPN Security Model:

  • Castle-and-moat approach: Once you’re inside the VPN, you’re “trusted”
  • Authentication happens once at connection time
  • Often provides broad network access
  • Lateral movement is possible if compromised

Tailscale Security Model:

  • Perimeter-less approach: Each device is individually authenticated
  • Uses modern cryptography (WireGuard)
  • Supports Access Control Lists (ACLs) for granular permissions
  • Reduces attack surface by eliminating central gateways

ZTNA Security Model:

  • Zero trust principle: Never trust, always verify
  • Continuous authentication and authorization
  • Application-level access only
  • Context-aware policies (device posture, location, behavior)
  • Microsegmentation by default

Performance Comparison

VPN Performance:

  • Latency: Adds significant latency because traffic hairpins through the central gateway
  • Bandwidth: Limited by gateway capacity; often becomes bottleneck
  • Scalability: Requires hardware upgrades to support more users

Example: A user in Singapore accessing a resource in Singapore must route through a VPN gateway in California, adding 300-400ms of latency.

Tailscale Performance:

  • Latency: Minimal when direct connections are possible
  • Bandwidth: Uses your full internet bandwidth for peer connections
  • Scalability: Grows naturally as you add devices

Example: Same Singapore scenario—direct peer connection means <50ms latency.

ZTNA Performance:

  • Latency: Moderate—typically routes through provider’s network
  • Bandwidth: Depends on provider’s infrastructure
  • Scalability: Cloud-native, scales elastically

Example: Provider’s Singapore point of presence means ~100ms latency—better than VPN, potentially not as good as Tailscale.

Part 3: Advanced Concepts

Split Tunneling vs. Full Tunneling

VPNs offer both options:

  • Full tunnel: All traffic goes through VPN (more secure, slower)
  • Split tunnel: Only corporate traffic uses VPN (faster, less secure)

Tailscale uses intelligent routing:

  • Only traffic destined for Tailscale network uses the mesh
  • Regular internet traffic flows normally
  • Best of both worlds

ZTNA is application-specific by design:

  • Only application traffic is brokered
  • Everything else flows normally
  • Zero trust applies regardless

Access Control and Policy Management

VPN Access Control:

User → VPN Group → Network Segments
John → "Engineering VPN" → Engineering VLAN (10.0.1.0/24)

Coarse-grained, network-level control.

Tailscale Access Control (ACL Example):

{
  // Tailscale policy files are HuJSON, so comments are allowed.
  // Every tag referenced in a dst must be declared in tagOwners; the groups
  // used here are defined in a "groups" section (see the Part 5 example).
  "tagOwners": {
    "tag:databases": ["group:ops"]
  },
  "acls": [
    {
      // developers may reach Postgres on database hosts, and nothing else
      "action": "accept",
      "src": ["group:developers"],
      "dst": ["tag:databases:5432"]
    },
    {
      // ops may SSH to every node in the tailnet
      "action": "accept",
      "src": ["group:ops"],
      "dst": ["*:22"]
    }
  ]
}

Granular, declarative, device-and-port level control.

ZTNA Policy Engine:

IF user.role == "contractor" 
   AND device.compliant == true 
   AND time.between(9am, 5pm)
   AND location.country == "US"
THEN grant access to app.jira
     with session.timeout = 8 hours

Context-aware, dynamic, application-level control.
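The IF/THEN pseudocode above as a small runnable policy engine, added here as an example and not taken from any vendor's implementation; the `Context` fields and policy keys are assumed names. It shows two things the prose describes: default-deny evaluation across identity, device posture, time and location, and continuous authorization, where an open session is re-checked and revoked when the context changes or the 8-hour timeout elapses.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass
class Context:
    """Hypothetical request context the policy engine sees: identity, device posture,
    location and time. In a real ZTNA product these come from the IdP and device agent."""
    user_role: str
    device_compliant: bool
    country: str
    now: datetime

# The contractor rule from the pseudocode above, expressed as data rather than IF/THEN text.
CONTRACTOR_JIRA_POLICY = {
    "app": "app.jira",
    "roles": {"contractor"},
    "require_compliant_device": True,
    "hours": (time(9, 0), time(17, 0)),
    "countries": {"US"},
    "session_timeout": timedelta(hours=8),
}

def evaluate(policy, app, ctx):
    """Default deny: collect every failed condition and grant only when none failed.
    The reasons list is what you would write to the audit log, not return to the user."""
    reasons = []
    if app != policy["app"]:
        reasons.append("app not covered by policy")
    if ctx.user_role not in policy["roles"]:
        reasons.append(f"role {ctx.user_role!r} not permitted")
    if policy["require_compliant_device"] and not ctx.device_compliant:
        reasons.append("device posture non-compliant")
    start, end = policy["hours"]
    if not (start <= ctx.now.time() <= end):
        reasons.append("outside permitted hours")
    if ctx.country not in policy["countries"]:
        reasons.append(f"country {ctx.country!r} not permitted")
    granted = not reasons
    expires = ctx.now + policy["session_timeout"] if granted else None
    return {"granted": granted, "reasons": reasons, "expires_at": expires}

def reauthorize(policy, app, ctx, decision):
    """Continuous authorization: an open session stays valid only while the timeout
    has not passed AND the current context still satisfies the policy (a device that
    drops out of compliance mid-session loses access at the next check)."""
    if decision["expires_at"] is None or ctx.now >= decision["expires_at"]:
        return False
    return evaluate(policy, app, ctx)["granted"]
```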

Part 4: Real-World Use Cases

Use Case 1: Small Startup (10-50 employees)

Scenario: A SaaS startup with developers, designers, and sales team. Infrastructure on AWS. Limited IT staff.

VPN Solution:

  • AWS Client VPN or OpenVPN
  • Pros: Familiar, simple to start
  • Cons: Management overhead grows quickly, performance issues at scale
  • Cost: $500-2000/month

Tailscale Solution:

  • Tailscale on all devices and servers
  • Pros: Zero maintenance, excellent performance, scales effortlessly
  • Cons: Less familiar to traditional IT
  • Cost: $0-500/month (free for <100 devices)

ZTNA Solution:

  • Cloudflare Access or Zscaler
  • Pros: Modern security posture, good for compliance
  • Cons: Overkill for size, steeper learning curve
  • Cost: $3000-5000/month

Recommendation: Tailscale wins here—minimal overhead, great performance, cost-effective.

Use Case 2: Enterprise with Compliance Requirements

Scenario: Financial services company, 5000 employees, strict compliance (SOC 2, PCI-DSS), audit requirements.

VPN Solution:

  • Enterprise VPN (Cisco, Palo Alto)
  • Pros: Mature logging, familiar to auditors, extensive documentation
  • Cons: Poor user experience, expensive, performance issues
  • Cost: $50,000-200,000/year

Tailscale Solution:

  • Tailscale Enterprise
  • Pros: Better performance, modern audit logs, good compliance features
  • Cons: May require auditor education, newer to compliance space
  • Cost: $30,000-60,000/year

ZTNA Solution:

  • Zscaler Private Access or Palo Alto Prisma Access
  • Pros: Built for compliance, comprehensive logging, zero trust architecture
  • Cons: Complex implementation, user training required
  • Cost: $100,000-300,000/year

Recommendation: ZTNA for maximum compliance assurance, Tailscale for balance of security and user experience.

Use Case 3: Development Team Collaboration

Scenario: Distributed development team needs to access staging environments, databases, and each other’s machines.

VPN Solution:

  • Self-hosted OpenVPN
  • Pros: Full network access for debugging
  • Cons: Slow for international teams, complex setup
  • Cost: Infrastructure costs only

Tailscale Solution:

  • Tailscale with ACLs
  • Pros: Fast peer-to-peer, SSH everywhere, simple ACLs per environment
  • Cons: Requires buy-in from entire team
  • Cost: Free or low

ZTNA Solution:

  • Not ideal—too restrictive for development workflows
  • Pros: High security
  • Cons: Breaks development workflows, SSH/RDP issues
  • Cost: Varies

Recommendation: Tailscale is purpose-built for this use case.

Use Case 4: Contractor and Third-Party Access

Scenario: Need to grant temporary access to contractors and partners for specific applications.

VPN Solution:

  • Separate VPN for contractors with limited network access
  • Pros: Isolated from main network
  • Cons: Still grants network-level access, difficult to scope precisely
  • Cost: Additional infrastructure

Tailscale Solution:

  • Tagged devices with restricted ACLs
  • Pros: Granular per-device/per-port control
  • Cons: Requires Tailscale installation on contractor devices
  • Cost: Minimal

ZTNA Solution:

  • Application-specific access with time-limited policies
  • Pros: Perfect for this—zero network access, application-only, auto-expiring
  • Cons: More setup per application
  • Cost: Depends on number of applications

Recommendation: ZTNA is ideal here—precisely scoped access with no network exposure.

Part 5: Implementation Guide

Setting Up a Traditional VPN (OpenVPN Example)

Step 1: Server Setup

# Install OpenVPN on Ubuntu server
sudo apt update
sudo apt install openvpn easy-rsa

# Initialize PKI
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh

Step 2: Generate Server Certificate

# Issues pki/issued/server.crt and pki/private/server.key in one step
./easyrsa build-server-full server nopass
# Static key for control-channel HMAC (tls-auth); OpenVPN 2.5+ syntax, older releases use "--genkey --secret ta.key"
openvpn --genkey secret ta.key

Step 3: Configure Server

# /etc/openvpn/server.conf
# Copy ca.crt, dh.pem (from ~/openvpn-ca/pki/), server.crt (pki/issued/),
# server.key (pki/private/) and ta.key into /etc/openvpn/ first.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Authenticate control-channel packets with the key from Step 2 (0 = server side, clients use 1)
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
# Full tunnel: send all client traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
# AEAD data-channel ciphers negotiated with clients (OpenVPN 2.5+); AES-256-CBC is deprecated
data-ciphers AES-256-GCM:AES-128-GCM
user nobody
group nogroup
persist-key
persist-tun

Step 4: Client Configuration (similar certificate generation process)

Complexity Score: 8/10
Time to Production: 2-4 hours for basic setup
Ongoing Maintenance: High

Setting Up Tailscale

Step 1: Install Tailscale

# On Ubuntu/Debian
curl -fsSL https://tailscale.com/install.sh | sh

# On macOS
brew install tailscale

# On Windows
# Download and run installer from tailscale.com

Step 2: Authenticate

sudo tailscale up
# Opens browser for authentication

Step 3: Configure ACLs (Optional)

{
  "groups": {
    "group:developers": ["alice@company.com", "bob@company.com"],
    "group:ops": ["charlie@company.com"]
  },
  // Every tag used in an ACL must be declared here; the listed owners may apply it to nodes.
  "tagOwners": {
    "tag:dev-servers": ["group:ops"]
  },
  "acls": [
    {
      // developers may reach any port on dev servers; anything not listed is denied
      "action": "accept",
      "src": ["group:developers"],
      "dst": ["tag:dev-servers:*"]
    }
  ]
}

Step 4: Done!

Each device that installs Tailscale automatically joins your network.

Complexity Score: 2/10
Time to Production: 15 minutes
Ongoing Maintenance: Minimal
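An added example, not Tailscale's own code: a small Python evaluator of the ACL shape used in Part 3 and in Step 3 above. It answers "may this user reach this tag on this port?" with Tailscale's default-deny semantics and runs the pre-deploy check that every tag referenced in a dst has a tagOwners entry. The policy is constructed from the two ACL snippets on this page; IP-address destinations and autogroups are not handled.

```python
# Constructed policy mirroring the ACLs shown on this page, plus the tagOwners
# section Tailscale requires for every tag an ACL references (HuJSON in practice,
# a plain dict here so it runs without a HuJSON parser).
POLICY = {
    "groups": {
        "group:developers": ["alice@company.com", "bob@company.com"],
        "group:ops": ["charlie@company.com"],
    },
    "tagOwners": {"tag:databases": ["group:ops"], "tag:dev-servers": ["group:ops"]},
    "acls": [
        {"action": "accept", "src": ["group:developers"], "dst": ["tag:databases:5432"]},
        {"action": "accept", "src": ["group:developers"], "dst": ["tag:dev-servers:*"]},
        {"action": "accept", "src": ["group:ops"], "dst": ["*:22"]},
    ],
}

def expand_src(policy, src):
    """Expand one src entry (a user, a group:, or *) into the set of users it names."""
    if src.startswith("group:"):
        return set(policy["groups"].get(src, []))
    return {src}

def dst_matches(dst, target, port):
    """dst is 'host:ports'; host is '*', a tag or a user; ports is '*', a port or a range."""
    host, _, ports = dst.rpartition(":")
    if host not in ("*", target):
        return False
    if ports == "*":
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_allowed(policy, user, target, port):
    """Default deny: a flow is allowed only if some accept rule covers both ends.
    Tailscale ACLs have no deny rules, so rule order does not matter."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        users = set().union(*(expand_src(policy, s) for s in rule["src"]))
        if user not in users and "*" not in users:
            continue
        if any(dst_matches(d, target, port) for d in rule["dst"]):
            return True
    return False

def undefined_tags(policy):
    """Pre-deploy check: every tag referenced in a dst must be declared in tagOwners."""
    referenced = {d.rpartition(":")[0] for r in policy["acls"]
                  for d in r["dst"] if d.startswith("tag:")}
    return sorted(referenced - set(policy.get("tagOwners", {})))
```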

Setting Up ZTNA (Cloudflare Access Example)

Step 1: Add Application

# Access has no dedicated "cloudflare-access" CLI: create the application in the Zero Trust
# dashboard, with Terraform, or through the Cloudflare API as below.
# $CF_ACCOUNT_ID and $CF_API_TOKEN are placeholders for your account ID and an API token
# scoped to Access apps and policies.
curl -sS -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT_ID/access/apps" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"name": "Internal CRM", "domain": "crm.company.com", "type": "self_hosted"}'

Step 2: Configure Identity Provider

# Link to Okta, Azure AD, Google Workspace, etc.
# Illustrative shape of an Access identity-provider object (type plus per-IdP config);
# keep client_secret in a secrets store, never in a committed config file.
identity_providers:
  - type: okta
    config:
      client_id: your_client_id
      client_secret: your_client_secret
      okta_account: company.okta.com

Step 3: Create Access Policy

policies:
  - name: "Sales Team Access"
    decision: allow
    # Access evaluates "include" as OR (any rule admits the user) and "require" as AND
    # (every rule must hold), so the device check belongs under require.
    include:
      - group: sales
    require:
      - email_domain: company.com
      - device_posture: compliant

Step 4: Install Connector

# On the server hosting your application
cloudflared tunnel login                 # one-time: authorizes cloudflared for your zone
cloudflared tunnel create crm-tunnel     # prints the tunnel UUID and writes its credentials file
cloudflared tunnel route dns crm-tunnel crm.company.com
# ~/.cloudflared/config.yml maps the hostname to the local app: an "ingress" list with
# "hostname: crm.company.com / service: http://localhost:8080" and a final "service: http_status:404"
cloudflared tunnel run crm-tunnel

Complexity Score: 6/10
Time to Production: 2-3 hours per application
Ongoing Maintenance: Moderate

Part 6: Decision Framework

When to Choose VPN

Choose VPN if:

  • ✅ You need broad network access for many applications
  • ✅ Your organization is heavily invested in VPN infrastructure
  • ✅ Compliance frameworks explicitly require VPN
  • ✅ You have legacy applications that require network-level access
  • ✅ Budget is extremely tight and you can self-host

Avoid VPN if:

  • ❌ You have remote users worldwide (performance suffers)
  • ❌ You’re starting fresh (modern alternatives are better)
  • ❌ You want zero trust security
  • ❌ You need frequent contractor access

When to Choose Tailscale

Choose Tailscale if:

  • ✅ You want simple, hassle-free networking
  • ✅ Performance is critical (low latency, high bandwidth)
  • ✅ You have distributed teams or infrastructure
  • ✅ You want granular access control without complexity
  • ✅ You’re developer-focused or tech-savvy
  • ✅ You want to connect devices directly (peer-to-peer)

Avoid Tailscale if:

  • ❌ You can’t install software on endpoint devices
  • ❌ You need auditor-familiar compliance documentation
  • ❌ You require application-layer security controls
  • ❌ You have non-technical users who need hand-holding

When to Choose ZTNA

Choose ZTNA if:

  • ✅ Security and compliance are top priorities
  • ✅ You want true zero trust architecture
  • ✅ You have many contractors or third-party users
  • ✅ You need application-level access control
  • ✅ You want context-aware access (device posture, location, etc.)
  • ✅ You’re moving to cloud-first infrastructure

Avoid ZTNA if:

  • ❌ You have legacy applications that need network-level access
  • ❌ Budget is constrained (ZTNA can be expensive)
  • ❌ You need development workflows with extensive SSH/RDP
  • ❌ Your team isn’t ready for a security model shift

Part 7: The Future of Network Access

Convergence and Hybrid Approaches

The future isn’t about choosing one technology exclusively—it’s about intelligent combinations:

Emerging Pattern:

  • ZTNA for business applications and contractor access
  • Tailscale for infrastructure, development, and IT operations
  • VPN phased out or relegated to legacy systems

The Rise of SASE (Secure Access Service Edge)

SASE combines ZTNA with other security services:

  • Zero trust network access
  • Cloud access security broker (CASB)
  • Firewall as a service (FWaaS)
  • Secure web gateway (SWG)

Vendors like Cloudflare, Zscaler, and Palo Alto are positioning ZTNA as part of a broader SASE strategy.

WireGuard’s Impact

WireGuard—the protocol Tailscale is built on—is being adopted widely:

  • Linux kernel inclusion (2020)
  • Performance 4-5x better than OpenVPN
  • Simpler codebase (4,000 lines vs. 400,000 for OpenVPN)

Expect more solutions leveraging WireGuard, including VPN and ZTNA providers.

Conclusion: Making Your Choice

There’s no universal “best” solution—only the best solution for your specific context.

Quick Decision Matrix:

Your Priority          Recommendation
---------------------  ------------------------
Maximum Security       ZTNA
Best Performance       Tailscale
Simplicity             Tailscale
Compliance             ZTNA > VPN > Tailscale
Budget                 Tailscale > VPN > ZTNA
Legacy Support         VPN
Developer Experience   Tailscale
Contractor Access      ZTNA
Hybrid Cloud           Tailscale or ZTNA

My Personal Take:

If I were starting a company today, I’d use Tailscale for internal infrastructure and operations, and ZTNA (Cloudflare Access) for business applications. This hybrid approach delivers security, performance, and simplicity.

For most organizations still running traditional VPNs: it’s time to evaluate alternatives. The world has changed, and so should your network access strategy.

Additional Resources

Try These:

  • Tailscale: tailscale.com (free for personal use)
  • WireGuard: wireguard.com
  • Cloudflare Access: cloudflare.com/zero-trust
  • Zscaler: zscaler.com

Further Reading:

  • “Zero Trust Networks” by Evan Gilman and Doug Barth
  • NIST Zero Trust Architecture (SP 800-207)
  • Google’s BeyondCorp papers

What’s your experience with these technologies? Have you made the switch from VPN to modern alternatives? Share your story in the comments below!



Written by Harshith Sunku

Full-stack network engineer working across the entire infrastructure stack—from ASIC-level packet processing and kernel networking to distributed systems and cloud orchestration. I build, break, and optimize cutting-edge solutions in my homelab and share what I learn along the way.


© 2025 Harshith Sunku. All rights reserved.
