Great question. I am in the process of creating some public documentation for the OpenZiti project vs [insert tech]. OpenZiti is more akin to WireGuard (i.e., open source); CloudZiti is more comparable to Tailscale (hosted SaaS).

Here are some short bullets vs WireGuard (with references to Tailscale).

- Rather than connecting machines, Ziti cares about connecting "services" with zero trust networking concepts. This can be summarised as WireGuard being 'default-open' whereas ZT is 'default-closed'. WireGuard is normally combined with a firewall to deliver ACLs and network segmentation controls.

- Whereas WireGuard securely encapsulates IP packets over UDP and uses hole punching, OpenZiti uses TCP and a mesh overlay (with outbound-only connections at source and destination). This is how Tailscale implements WireGuard to ensure it works easily in all situations. All of this is open-source and native to OpenZiti, not in WireGuard.

- Due to OpenZiti's use of identity in the endpoints and fabric for routing, you also get private DNS, unique naming and outbound connections. There is no need for floating or static IPs, overlapping IP ranges are easily handled, and there are no port-forwarding or NAT issues.

- With OpenZiti you can start with "network-based zero trust" (installing a router in private IP space) and progress to "host-based zero trust" (using an agent/tunneller); it also has a suite of SDKs to embed in apps themselves for "application-based zero trust".

P.S., OpenZiti uses the Windows TUN (WinTun) that the WireGuard project made as (at least) part of our Windows tunneler. Thanks, WireGuard!



Thanks for this. How does the speed of OpenZiti compare to WireGuard on the same LAN? E.g., if you connect machines in the same VPC?


We keep working on actual benchmarking but it's somewhat tricky to get reliable numbers... We're working on it now. Sometimes it's 'favorable' sometimes it's not. That's kind of a non-committal answer from me, but that's the best I've got for you at this time.

I'd expect WireGuard to often be faster due to its protocol/implementation. I've seen people complain about WireGuard if you don't set the MTU. Maybe you'll try them both out and blog about it??? :) (that'd be pretty cool regardless of the outcome tbh).

What I usually tell people is that I use OpenZiti/zrok all the time. As a human, I don't even notice it. Sorry we don't have better details at this time, but hopefully that's a reasonable answer.
