
Over the last two weeks we introduced three mesh VPN solutions one at a time: NetBird, Tailscale, and Headscale. Three posts, three products, one open question: If you had to decide today, which of these would you pick for your private cloud?
Anyone stepping into this space tends to compare along the wrong axis ("which one is the best?"). The more honest question is: which one fits your constraints? Self-hosting, private cloud, license cost, client comfort, and EU sovereignty are the five axes that mesh VPNs are measured against today.
As of May 2026, based on the evaluation from posts 1 to 3 of this series. (Links to the posts further down.)
Before we line up the three solutions against each other, a quick word on the shared foundation. A mesh VPN is not "a classic VPN with a modern coat of paint". It is a fundamentally different topology: peer-to-peer instead of concentrator, identity instead of perimeter security, policy- instead of routing-driven.
All three solutions are built on three pillars:
The three solutions differ primarily in who runs the control plane and who owns the data.
Three short profiles, each linked to the detailed introduction:
NetBird: Berlin-based BSD-3 platform with its own WireGuard P2P architecture. EU headquarters, GDPR/ISO 27001/DORA certifications. Full cloud offering plus a fully equivalent self-hosted option. €8.5M Series A in January 2026.
Tailscale: Toronto-based SaaS, more than 5 million active users, BSD-3 clients but a proprietary control plane on AWS US. The UX gold standard in the segment, with MagicDNS, Tailscale SSH, Funnel, and Serve. SOC 2 Type II.
Headscale: BSD-3 community reimplementation of the Tailscale control plane. Compatible with the official Tailscale clients, fully self-hostable, single-tailnet design. Our own stack for the Infralovers Cloud.
| Category | NetBird | Tailscale | Headscale |
|---|---|---|---|
| Vendor headquarters | Berlin, DE | Toronto, CA | Community (maintainers EU/INT) |
| License clients + server | BSD-3 (both) | BSD-3 clients, proprietary control plane | BSD-3 (server); clients via Tailscale BSD-3 |
| Control plane hosting | Cloud (EU option) or self-host | Cloud (AWS US, proprietary) | Self-hosted (you run it) |
| Self-hosting completeness | Complete, no feature gates | Not supported | Core use case |
| Cloud price (mid tier) | $5/user (Team) | $8/user (Standard) | $0 + VM cost |
| UX and mobile maturity | Solid | Gold standard | Functional, rough mobile login |
| EU sovereignty out of the box | Yes (EU vendor) | No (Toronto + AWS US) | Yes (you choose hosting) |
| NIS2 and DORA fitness | High (certified) | Medium (SOC 2, otherwise gaps) | High (mapping = you) |
| Multi-tenant | Yes | Yes | No (single tailnet) |
| Admin UI | Own (cloud + self-host) | Excellent (cloud only) | None official, headscale-ui as third party |
NetBird offers the same platform when self-hosted as in its cloud. SSO, ACLs, posture checks, and event streaming work without artificial feature gates.
Tailscale does not officially support self-hosting the control plane. If you want that, you move to Headscale.
Headscale is built exactly for this. Single-tailnet scope, no official web UI, otherwise fully functional and compatible with the native Tailscale clients.
NetBird is a great fit. Self-host on Hetzner, IONOS, or OVH, or use the cloud variant with an EU region. You connect to your workloads with no third party in the data path.
Tailscale is limited here. You can reach workloads in your private cloud, but the control plane stays in the United States with Tailscale Inc.
Headscale is optimal. Full control, EU hosting of your choice, no vendor in the data path. That is exactly our setup for the Infralovers Cloud.
A second, focused table just for pricing:
| Setup size | NetBird Cloud | Tailscale Cloud | Headscale Self-Hosted |
|---|---|---|---|
| 5 users homelab/test | $0 (Free) | $0 (Personal) | $0 + ~5€/month VM |
| 30 users SMB | ~$150/month (Team) | ~$240/month (Standard) | ~10€/month VM + ops time |
| 100 users enterprise | $500 to $1000/month (Team/Business) | $800 to $1800/month (Standard/Premium) | ~20€/month VM + ops time |
Important: The Headscale row is missing a realistic line item for your own time. Patches, backups, TLS renewal, and IdP integration are operational work that should be priced in honestly. If you cannot carry that load, NetBird or Tailscale will serve you better, even though the table suggests otherwise.
A note on NetBird: Billing runs per active user per month. That looks fair on paper, but it can swing on teams with heavy fluctuation (consultants, seasonal workers).
NetBird delivers solid desktop and mobile apps, a MagicDNS-like resolution across an internal domain, and a usable web admin UI in the cloud setup.
Tailscale is unmatched. The first tailnet is up in under two minutes, the mobile apps are the most polished experience in the segment, and the admin UI is the industry standard.
Headscale is fully functional, but the mobile login flow is rougher (on iOS you need a browser step for the custom server override), and there is no official web UI. headscale-ui fills the gap as a third-party project.
NetBird is EU-sovereign out of the box. Berlin-based vendor, GDPR, ISO 27001, and DORA certified. On-premises deployment is a regular self-hosted variant, not an expensive enterprise add-on.
Tailscale is not EU-sovereign out of the box. Toronto-based vendor (Five Eyes), control plane on AWS US, SOC 2 present, but no EU data residency for metadata, and no ISO 27001 or DORA certification actively advertised.
Headscale is EU-sovereign out of the box if you host it in the EU yourself. Full audit access, no default telemetry, you decide the data residency country.
Pick NetBird (cloud or self-hosted).
EU vendor, the relevant certifications, and an equivalent self-hosted variant cover vendor assessment with minimal effort. Tailscale is only defensible here with significant sourcing work. Headscale would also work, but the compliance burden then sits entirely on you.
Pick Tailscale.
Setup time, mobile apps, and MagicDNS are the reference in this genre. The sovereignty trade-offs need to be accepted consciously. For pure DevX and engineering setups without hard regulatory pressure, this is a very productive choice.
Pick Headscale.
This is exactly our setup for the Infralovers Cloud. With Terraform, Ansible, and Podman you build a GitOps-ready VPN stack on your own EU infrastructure and still use the official Tailscale clients.
NetBird Free tier (up to 5 users) or Tailscale Personal (up to 6 users) are friction-free. Headscale only pays off if you run your own VM anyway or want to practice the IaC stack.
Lean towards NetBird Self-Hosted or Headscale.
Both allow full on-premises or EU-cloud deployments with an auditable codebase. Tailscale without an additional on-prem variant will be hard to clear in a sourcing review.
Three short code sketches show how the same daily workflow looks in each tool.
NetBird (Self-Hosted in the EU):

```bash
# on the admin laptop
netbird up --management-url https://netbird.example.eu
# SSH via NetBird hostname
ssh user@server01
```

Tailscale (Cloud):

```bash
tailscale up
# SSH via Tailscale SSH (no separate key needed)
tailscale ssh user@server01
```

Headscale (Self-Hosted):

```bash
tailscale up --login-server=https://hs.example.eu
# MagicDNS resolves the hostname, classic SSH
ssh user@server01
```
Takeaway: The daily workflow itself is very similar. The real differences live behind those three command lines. Who runs the control plane? Where does key distribution happen? Who owns the metadata?
For teams in regulated environments, a compact overview:
If you treat the vendor as the product, you will naturally pick the one that best fits your compliance profile: NetBird for EU rigor, Tailscale for US tolerance.
If you treat the network itself as the product, you pick Headscale, because then you steer the control plane with your own IaC discipline.
Both are valid. Just do not accidentally mix the two philosophies. "Tailscale, but EU-sovereign" is not a setup that exists in the market today. "Tailscale-grade comfort, but EU-sovereign", however, means Headscale.
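One concrete piece of that IaC discipline is reviewing the access policy before it reaches the control plane. As an added example (not code from this post or from the Infralovers stack), the Python below lints a policy in the Tailscale ACL format that Headscale also reads, flagging any-to-any rules and unknown groups and flattening the rules into user-to-destination pairs for a pull-request review; the users, groups and tags are constructed sample values.

```python
import json

# Constructed sample policy in the Tailscale ACL format that Headscale also reads:
# admins reach all tagged servers, devs get SSH only, plus one over-broad rule.
SAMPLE_POLICY = json.dumps({
    "groups": {
        "group:admins": ["alice@example.eu"],
        "group:devs": ["bob@example.eu", "carol@example.eu"],
    },
    "tagOwners": {"tag:servers": ["group:admins"]},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["tag:servers:*"]},
        {"action": "accept", "src": ["group:devs"], "dst": ["tag:servers:22"]},
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
})

def expand_src(policy, src):
    """Resolve a src entry to concrete users; '*' and plain users pass through."""
    if src.startswith("group:"):
        return list(policy.get("groups", {}).get(src, []))
    return [src]

def lint_policy(policy_text):
    """Return findings for rules that undo identity-based access; empty means pass."""
    policy = json.loads(policy_text)
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for src in rule.get("src", []):
            if src.startswith("group:") and src not in policy.get("groups", {}):
                findings.append(f"acl[{i}]: unknown group {src}")
        for dst in rule.get("dst", []):
            host, _, port = dst.rpartition(":")  # "tag:servers:22" -> host, port
            if host == "*" and port == "*":
                findings.append(f"acl[{i}]: {','.join(rule['src'])} -> any node, any port")
    return findings

def effective_access(policy_text):
    """Flatten accept rules to (user, dst) pairs so a PR reviewer can read the diff."""
    policy = json.loads(policy_text)
    pairs = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for src in rule["src"]:
            for user in expand_src(policy, src):
                pairs.update((user, dst) for dst in rule["dst"])
    return sorted(pairs)
```

Running `lint_policy(SAMPLE_POLICY)` reports only the third rule; wire the same call into the pipeline step that commits the policy file so a broad rule never reaches the control plane unreviewed.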
NetBird is the strongest choice when you want an EU-sovereign mesh VPN with clear vendor compliance and the flexibility to switch between cloud and self-host as needed.
Tailscale is the strongest choice when you want the most polished UX and the broadest feature set, and the sovereignty trade-offs are acceptable.
Headscale is the strongest choice when you like Tailscale-grade comfort but want to keep the control plane and the connection data in your own hands. That is exactly how we run the Infralovers Cloud.
If you are currently making the concrete choice for your company, setting up a NIS2 or DORA program, building sovereign access into a private cloud, or planning a Headscale deployment, we at Infralovers are happy to support you. We share our own experience from the Infralovers Cloud architecture and combine that with our offerings on Sovereign Cloud, NIS2 Compliance, and Cloud Native Essentials.
Are you interested in our courses, or do you simply have a question that needs answering? You can contact us at any time! We will do our best to answer all your questions.