by tptacek 931 days ago
Certainly, don't use OpenVPN in 2023 if you can avoid it. WireGuard is much faster and more secure, and significantly easier to set up.

If you're a home user, the advantage to Tailscale is that it's going to "just work", with a couple clicks, on any supported device (of which there are lots). There's no configuration to get started and, for a lot of users, no configuration ever after that. The onboarding experience is spooky; it's upsettingly good.

If you're a corporate user, the advantages are drastically greater: you get SSO integration (this is historically one of the annoying pain points of corporate access VPNs, to the point where a significant fraction of pre-Tailscale netsec teams just punted on this problem and hand-provisioned VPN creds for people, which is a nightmare) and trivially simple group-based access control.

3 comments

The combination of 'it just works' and 'SSO integration' is a killer.

To be honest, in 20+ years of working in IT, I never understood the point of the latter until recently, on a gig salvaging systems for a client with ~650 users after their sole IT guy unexpectedly resigned after 20 years and left for the mountains.

IRL, SSO is gold. Many hackers, like me, underestimate it.

And not just SSO, but OIDC. You don't even have to be an admin on your domain to set it up. If you have a Gmail or Office 365 e-mail address @mycorp.com, you can set up SSO for it on your tailnet in seconds. Your team members authenticating for the same domain will join your tailnet automatically.

And that's for the free and cheap tier. If you want the fancy stuff (like SAML and automatic user provisioning / filtering), they've apparently got that, too, but it's in the more expensive tiers.

SSO is basically table stakes for compliance: customers would ask about your access control (or just if you have _that_ audit report, which has a lot of questions about it).

And trying to do access control without SSO is crazy: you need to keep track of applications and users and their interactions. I wouldn't run any team with more than 10 people without it.

Worth pointing out that "just use WireGuard" is way different than "just use Tailscale". The latter has solutions for common problems, the former is not even remotely comparable feature-wise to OpenVPN. If the only choice is between OpenVPN or WireGuard, often OpenVPN is the only acceptable option, because it has all the features you need.
And if you are working for the military or a bigco you should use strongSwan.