Comparison Matrix, Decision Framework & Migration Paths

1. 10-person remote engineering team needs SSO-gated access to staging. Netbird with Authentik OIDC. Posture checks for managed laptops, exit node on the staging VPS for "looks like staging IP" outbound.
2. 200-node fleet across three providers, throughput sensitive. Netmaker with kernel WireGuard, EMQX tuned, PostgreSQL state, dedicated egress + ingress gateways per region.
3. Global infrastructure team that has been burned by SaaS outages. Nebula. Offline CA, two lighthouses on different RamNode regions, short cert lifetimes, in-tunnel firewall.
4. Hobbyist self-hoster exposing 6 web apps from a homelab. Pangolin on a small RamNode VPS, Newt agent at home, password or PIN auth per resource.
5. Game server (Minecraft, 25565/UDP) without a public IP at home. Pangolin with a raw UDP resource through Gerbil, or Chisel with a UDP reverse tunnel for a one-weekend trial.
6. CI runner on GitHub Actions needs to reach an internal staging Postgres. Chisel reverse tunnel from the runner, narrow auth secret, tear down at job end.
7. Mixed environment: team mesh + public web ingress. Netbird for the mesh, Pangolin separately for ingress. Different problems, different tools — do not try to make one do both.
8. Compliance requires no third-party network identity provider. Nebula — identity is your CA, no SaaS in the auth path. Optionally pair with Authentik on the same overlay for SSO into other apps.

1. Stand up Pangolin on a RamNode VPS in parallel — do not touch Cloudflare yet.
2. Install Newt on each origin host alongside the existing cloudflared agent.
3. Recreate each Cloudflare resource as a Pangolin resource on a parallel hostname (e.g. app-pang.example.com).
4. For each, smoke-test auth + TLS + origin reachability.
5. Cut DNS over per-hostname (lower TTL first). Watch logs for 24h.
6. Stop and uninstall cloudflared on each origin once its resource has been on Pangolin for a week.

Caveats: Cloudflare's edge network is the actual differentiator you are giving up. If your traffic profile genuinely needs a global anycast edge, Pangolin on one VPS is not equivalent — consider Pangolin behind a CDN or stay on Cloudflare Tunnel for that subset.

The hard part of leaving Tailscale is not the data plane — it is the ACL model and the muscle memory of tailscale up. Two patterns that work:

• • Tailscale → Netbird: closest 1:1 translation. Map Tailscale tags to Netbird groups, ACL JSON → Netbird policies, MagicDNS → Netbird's DNS. Run both clients on a few canary nodes for a week.
• • Tailscale → Nebula: bigger jump because there is no managed control plane. Build the CA + provisioning automation first, then migrate one host group at a time.

In both cases: never overlap subnets. Pick a fresh CIDR for the new overlay so dual-stack is unambiguous during cutover.

1. Pick non-overlapping overlay CIDRs.
2. Install both agents on every node. They co-exist — different UDP ports, different interfaces.
3. Update internal DNS / app configs to use the new overlay's hostnames.
4. Watch metrics for handshake counts on both meshes. When the old mesh sees no traffic for 7 days, uninstall its agent.
5. Decommission the old control plane only after agents are gone — never the other way around.

Realistic monthly footprint for the deployments in this series, using Standard Cloud VPS pricing:

Hobby / personal (≤ 10 nodes)
  1 × 2 GB VPS (control plane or lighthouse)             ~$5/mo

Small team (10–50 nodes, mesh + ingress)
  1 × 4 GB VPS (Netbird or Netmaker)                     ~$10/mo
  1 × 2 GB VPS (Pangolin)                                ~$5/mo
  Total                                                  ~$15/mo

Mid fleet (50–250 nodes, HA-ish)
  2 × 4 GB VPS (control plane + warm standby)            ~$20/mo
  1 × 2 GB VPS (Pangolin or second lighthouse)           ~$5/mo
  Total                                                  ~$25/mo

Large fleet (250+ nodes)
  Netmaker server + dedicated EMQX, PostgreSQL state, two regions.
  Budget $50-80/mo on RamNode for the control plane alone.

For exact specs and pricing see the Standard Cloud VPS and Premium Cloud VPS pages.

• • Pair the mesh with the Threat Intelligence Platform series — Wazuh agents over the overlay are how most production deployments ship endpoint telemetry.
• • Stand up Authentik on the same overlay so Netbird, Pangolin, and any other app can share one OIDC provider.
• • Run the single-server WireGuard guide alongside this series to compare the bare-metal baseline against the managed meshes.
• • Add Prometheus + Grafana from the monitoring guides to graph handshakes, MQTT message rate, and Newt tunnel state per site.

The honest summary of the series: there is no single best tool. There are five tools and a handful of workload shapes, and the right answer is almost always the smallest tool that solves the problem in front of you. If you are deciding between two of them, the deciding factor is usually operational, not technical — pick the one whose failure mode you would rather debug at 2am.