WireGuard primitives vs. commercial VPN providers
A pragmatic comparison from running both for a small team over the last year. Neither is universally "better" — they solve overlapping but distinct problems.
What WireGuard does well
Site-to-site, server-to-server, developer laptop to internal network: these are WireGuard's sweet spot. A config that fits on one screen, a one-round-trip handshake, an in-kernel data path on Linux, and surprisingly good Windows and macOS clients. Peers are identified by public key and nothing else, so there is no user database to run; the trade is that key distribution and NAT traversal are your problem. Tailscale wraps it nicely for teams that don't want to do those two things themselves.
Audit trail is straightforward: you provisioned the keys, so the mapping from public key to person is one you already maintain, and revocation is deleting that peer from the hub's config and pushing it (in a full mesh, deleting it from every peer's config, which is the part Tailscale's coordination server does for you). The caveat is that WireGuard itself keeps no connection log; the only built-in signal is the latest-handshake timestamp in wg show, so "who connected when" has to come from your own tooling.
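As an added example (not code from this post), here is the hub-side roster model that makes "you provisioned the keys" and "revocation is a config push" concrete for a hub-and-spoke layout: a name-to-key roster renders the hub's wg-quick config, and a cryptokey-routing check catches the one mistake WireGuard itself will not refuse. The peer names, addresses and keys are constructed placeholders; real keys come from wg genkey and wg pubkey.

```python
import ipaddress

# Constructed roster: name -> (public key, tunnel address). The keys are
# placeholders of the right base64 length, not real keys; real ones come from
# `wg genkey | tee private | wg pubkey`.
ROSTER = {
    "alice-laptop": ("A" * 43 + "=", "10.77.0.2/32"),
    "bob-laptop":   ("B" * 43 + "=", "10.77.0.3/32"),
    "ci-runner":    ("C" * 43 + "=", "10.77.0.4/32"),
}


def check_cryptokey_routing(roster):
    """Each AllowedIPs prefix may belong to exactly one peer.

    WireGuard does not reject a duplicate: adding a prefix to a second peer
    silently moves it away from the first, so a copy-pasted address in a
    re-provisioned laptop's stanza steals another peer's traffic. Catch it
    before the push.
    """
    seen = {}
    for name, (_, cidr) in roster.items():
        net = ipaddress.ip_network(cidr, strict=True)
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                raise ValueError(f"{name} {net} overlaps {other} {other_net}")
        seen[name] = net


def render_hub_config(roster, hub_private_key, hub_address="10.77.0.1/24", port=51820):
    """Render the hub's wg-quick config: one [Peer] stanza per roster entry."""
    check_cryptokey_routing(roster)
    lines = [
        "[Interface]",
        f"PrivateKey = {hub_private_key}",
        f"Address = {hub_address}",
        f"ListenPort = {port}",
        "",
    ]
    for name, (pubkey, cidr) in sorted(roster.items()):
        lines += [f"# {name}", "[Peer]", f"PublicKey = {pubkey}",
                  f"AllowedIPs = {cidr}", ""]
    return "\n".join(lines)


def revoke(roster, name):
    """Revocation is deleting the stanza. Once the hub reloads the rendered
    config (wg syncconf wg0 <(wg-quick strip wg0)) it no longer holds the key,
    so it will not answer that peer's handshakes and drops its session state."""
    if name not in roster:
        raise KeyError(f"no peer named {name!r}")
    return {n: v for n, v in roster.items() if n != name}


def who_has_access(roster):
    """The audit answer: everyone holding a key on the hub, with their address."""
    return sorted((name, cidr) for name, (_, cidr) in roster.items())


if __name__ == "__main__":
    print(render_hub_config(ROSTER, "HUB_PRIVATE_KEY_PLACEHOLDER"))
    after = revoke(ROSTER, "bob-laptop")
    print("access after revocation:", who_has_access(after))
```

The overlap check is the part worth keeping even if you throw the rest away: wg set and wg syncconf will happily accept two peers claiming the same AllowedIPs, and the symptom (one laptop's return traffic arriving at another) is miserable to debug after the fact.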
What commercial providers do well
Geographic egress, hiding the traveling employee's source IP from the sites they visit (the provider itself sees every destination, so this moves trust rather than removing it), and, importantly, maintained infrastructure in regions where renting your own VPS is awkward.
For the "I'm in a coffee shop and don't want the network sniffing my traffic" use case, a commercial provider is faster to set up and the SLA is someone else's problem. Worth being precise about what the tunnel buys there: most application traffic is already TLS, so what the coffee shop network loses sight of is DNS queries, TLS SNI and destination IPs, plus whatever plaintext a misconfigured app still sends.
The overlap that's actually painful
Engineers want one tool. They don't want to remember "WireGuard for the office VPC, the vendor app for coffee shops". We tried having both running concurrently. Each tunnel manager installs its own routes, and a full-tunnel vendor client also takes over the default route and the DNS settings, with neither knowing the other exists; the routing-table fights that followed caused at least two debugging sessions that took longer than they should have.
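As an added example of the kind of fight described above (not code from this post, and the routing table is constructed rather than captured from one of our laptops): a small check over ip route show output that reports prefixes claimed by two different tunnel interfaces, and a longest-prefix lookup that answers the question you actually end up asking at 6pm, namely which tunnel is eating another tunnel's handshake packets. The interface names, prefixes and the 203.0.113.10 endpoint are assumptions for the sample.

```python
import ipaddress
import re

# Constructed `ip route show` output for a Linux laptop running three tunnel
# managers at once: a hand-managed WireGuard link to the office VPC (wg0),
# Tailscale with a subnet router advertising part of that VPC (tailscale0), and
# a full-tunnel commercial VPN client using 0/1 + 128/1 routes (tun0).
# Not captured from a real machine.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.20.0.0/16 dev wg0 scope link
10.20.5.0/24 dev tailscale0 scope link
100.64.0.0/10 dev tailscale0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

TUNNEL_DEV = re.compile(r"^(wg\d+|tailscale\d+|tun\d+|utun\d+)$")
ROUTE_LINE = re.compile(r"^(?P<prefix>default|\S+/\d+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(text):
    """(network, device) pairs from `ip route show` lines; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        prefix = "0.0.0.0/0" if m["prefix"] == "default" else m["prefix"]
        routes.append((ipaddress.ip_network(prefix, strict=False), m["dev"]))
    return routes


def tunnel_conflicts(routes):
    """Overlapping prefixes claimed by two different tunnel interfaces.

    Longest prefix wins in the kernel, so each entry names the interface that
    actually carries the overlapping traffic; equal lengths fall through to
    route metric, which this check does not model.
    """
    tunnels = [(net, dev) for net, dev in routes if TUNNEL_DEV.match(dev)]
    found = []
    for i, (n1, d1) in enumerate(tunnels):
        for n2, d2 in tunnels[i + 1:]:
            if d1 == d2 or not n1.overlaps(n2):
                continue
            if n1.prefixlen == n2.prefixlen:
                winner = "metric decides"
            else:
                winner = d1 if n1.prefixlen > n2.prefixlen else d2
            found.append((str(n1), d1, str(n2), d2, winner))
    return found


def route_for(routes, address):
    """Longest-prefix match: which interface carries packets to `address`.
    Ask it about a tunnel's own endpoint to see whether another tunnel has
    swallowed the handshake traffic."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for n1, d1, n2, d2, winner in tunnel_conflicts(routes):
        print(f"{n1} on {d1} overlaps {n2} on {d2}: {winner} wins")
    # 203.0.113.10 stands in for wg0's endpoint (assumed address); with tun0's
    # /1 routes in place, WireGuard's handshake UDP goes into the commercial VPN.
    print("wg0 endpoint 203.0.113.10 leaves via", route_for(routes, "203.0.113.10"))
```

Feed it real output with parse_routes(open-ended text from ip route show) and it will flag the classic cases: a subnet router advertising a /24 inside a prefix another tunnel already owns, and a full-tunnel client whose 0/1 and 128/1 routes capture everything the other tunnels did not claim, including their own endpoints. Treat the main table as the first pass only: Tailscale and a full-tunnel wg-quick both lean on policy routing (ip rule plus their own tables), so a clean main table does not yet mean the two managers agree.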
What we settled on
Tailscale for everything internal. Vendor VPN only for traveling employees in specific regions where we don't have our own egress. About 60% of laptops only ever run one tunnel.
Net: less stack diversity, fewer routing bugs, and a slightly worse coffee-shop experience for the engineers who haven't traveled in months.