Tailscale vs NordVPN, Mullvad, etc

There's a lot of confusion around the differences between services like Tailscale and ZeroTier (VPN's), and services like NordVPN or Mullvad (Proxies). While these two types of services both technically use VPN technology, they accomplish very different things.
This was originally posted as a reply to a reddit question. After having written something similar many times, I thought it might be useful to have a blog post which I can point people towards.

This is a topic people seem to trip over all the time, and it's really unfortunate that the proxy services have decided to go with the "VPN" language. I will admit they do use a VPN under the hood, but the actual functionality they offer is really just proxying traffic.

Virtual Private Networks

A VPN is a Virtual Private Network. The original use case, still very much in use, is to create some sort of private network sitting on top of another physical network. The clearest case for this is the Corporate VPN. You set up a Virtual Private Network on top of the internet using a tool like WireGuard or OpenVPN. The Corporate VPN lets a remote device connect to one in the physical office, or maybe to a cloud server running in AWS or what have you. This VPN service requires you to have a certificate or credentials provided by the corporation. It can give three things, depending on the needs and configuration:

  1. Authentication that identifies you as an employee of the company
  2. Authorisation which will determine what you can access
  3. Encrypted data transport which lets data be transported over physical networks like the internet without being readable by others.

As a minor implementation note, many of these kinds of VPNs will only put traffic destined for the private network over the VPN transport (split tunnelling). This keeps the load on the VPN lower. It basically means your traffic destined for Netflix goes over your normal non-VPN connection, but your traffic for database access to an internal application goes via the VPN tunnel.

Tailscale is this, with a beautiful interface (both command line and web) and some additional features built on top, such as MagicDNS. Tailscale uses WireGuard under the hood, which is an open source VPN tunnel you could use on its own if you wished.

Proxies

NordVPN, Mullvad, and all the others are more like traffic proxies which use VPN technology. The goal here isn't to provide secure access to private resources; if you tried to use them for that, you'd more likely open security flaws in your system than anything. Instead you're joining a VPN with loads of other users from around the world. Typically these VPNs take all of your traffic and send it through their servers before it exits to the wider world.
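The difference between the two sections above is, at the packet level, just a routing decision: which destinations does the tunnel interface claim? A corporate-style split tunnel claims only the private ranges; a proxy-style service claims everything (the "0.0.0.0/0" route). The snippet below is an added illustration written for this post, not code from Tailscale, WireGuard or any provider. The prefixes, the "corporate" 10.20.0.0/16 range, the 203.0.113.10 "public website" address and the 198.51.100.1 VPN entry point are all constructed sample values from documentation ranges.

```python
import ipaddress

# Constructed route tables in the style of a WireGuard "AllowedIPs" list:
# destination prefixes the tunnel interface claims. Anything that does not
# match goes out the normal (non-VPN) interface.
CORPORATE_VPN = ["10.20.0.0/16", "192.168.50.0/24"]   # split tunnel: private ranges only
PROXY_VPN = ["0.0.0.0/0", "::/0"]                      # full tunnel: every destination
# A Tailscale-style exit node has the same routing effect as the proxy case;
# the difference is who operates the exit, not how packets are routed.
EXIT_NODE = PROXY_VPN


def route_for(dst: str, allowed_ips: list[str]) -> str:
    """Return 'tunnel' if dst falls inside any claimed prefix, else 'direct'."""
    ip = ipaddress.ip_address(dst)
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        # A v4 address never matches a v6 prefix and vice versa.
        if ip.version == net.version and ip in net:
            return "tunnel"
    return "direct"


def isp_sees(dst: str, allowed_ips: list[str], vpn_endpoint: str) -> str:
    """Destination IP your local ISP observes for a packet addressed to dst.

    Tunnelled packets are encrypted and addressed to the VPN entry point, so
    that is all the ISP can see; direct packets reveal the real destination.
    """
    return vpn_endpoint if route_for(dst, allowed_ips) == "tunnel" else dst


def classify(flows: list[str], allowed_ips: list[str]) -> dict[str, str]:
    """Map each destination to the interface it would leave on."""
    return {dst: route_for(dst, allowed_ips) for dst in flows}


if __name__ == "__main__":
    # Constructed sample destinations: an internal database and a public site.
    flows = ["10.20.3.7", "203.0.113.10", "2001:db8::1"]
    for name, table in [("corporate", CORPORATE_VPN), ("proxy", PROXY_VPN)]:
        print(name, classify(flows, table))
        for dst in flows:
            print(f"  ISP sees {isp_sees(dst, table, '198.51.100.1')} for {dst}")
```

Run it and the corporate table sends only the 10.20.x.x address through the tunnel, while the proxy table tunnels everything, so the ISP sees nothing but the VPN entry point. Swapping the exit node for the proxy table changes nothing in this routing view, which is the point made later about exit nodes: same packet path, but a private exit rather than a shared one.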

When you have thousands of random people from across the globe accessing services via a cluster of VPN exit points, you get the potential for anonymity (huge asterisks here). In this case your ISP sees that you're sending encrypted packets (via something like WireGuard) to an IP address, and nothing else. They don't know what the traffic is, because the destination is just one of the VPN's entry points, not a server with an IP owned by netflix.com.

On top of this, these proxies can choose where your traffic exits. This gives you the fabled ability to "appear from anywhere on the globe" and access content that's region locked.

NordVPN and Mullvad are there to help you blend into the crowd and appear as if your data is coming from somewhere you're not. It's very much a privacy tool, at least from your ISP. Netflix still knows who you are, because you're logged in with an email and password. The VPN provider also knows who you are, because you're logged into them, and they know what you're accessing, because you're sending your Netflix traffic via them. HTTPS and DoH both help you a bit here, but it's not perfect and outside the scope of this already massive response.

What about Tailscale's "Exit Node" feature?

Tailscale has an exit-node feature. This is brilliant if you need all your traffic to appear as if it's coming from a device you own. An example would be travelling to a country your bank blocks access from. If you've set up an exit node beforehand, you can proxy your traffic over your Tailscale network and have it exit at, for example, your home desktop. Now your bank thinks you're accessing your account from home, even though you're in another country. But this exit node is a private one for you; it does not give you any ability to "blend into the crowd". It also doesn't hide traffic from your ISP if your exit node is at home, of course.

In summary...

Tailscale is a VPN, but very much focused on giving you a private network of your own. Mullvad, NordVPN and co are also VPNs, but you're joining a giant network with the aim of becoming somewhat anonymous to outside eyes (again, huge asterisks here).

Both have their uses, they overlap to some degree, and Tailscale even lets you use Mullvad as an exit node to get all of the above at once. That said, you may not always want or need them all.