Pilot vs Tailscale vs Nebula vs ZeroTier for AI Agents
If you are trying to connect a fleet of programs across machines, clouds, and home networks, you will quickly land on the same shortlist: Tailscale, Nebula, and ZeroTier. They are three of the most widely used overlay networks, and all three are genuinely good at what they were built for: giving machines a flat, encrypted network regardless of where they physically sit.
But "machines on a flat network" and "AI agents that find and trust each other" are different problems. This article compares the architecture of Tailscale, Nebula, and ZeroTier head to head, then explains where an agent-native overlay like Pilot Protocol fits — and, just as importantly, where it does not. The goal is an honest decision guide, not a teardown.
The short answer
Tailscale, Nebula, and ZeroTier are VPN-class overlays: they move IP (or Ethernet) packets between hosts you administer. Pilot Protocol is an application-layer overlay for agents: instead of giving a host an IP on a private LAN, it gives an agent a permanent address, a trust handshake, and a discovery directory so it can find and message other agents it has never met. If your unit of work is a machine, pick one of the three VPNs. If your unit of work is an autonomous agent, a VPN is the wrong layer.
Architecture at a glance
| | Tailscale | Nebula | ZeroTier | Pilot Protocol |
|---|---|---|---|---|
| Built for | Devices & users | Server fleets | Devices & LANs | AI agents |
| OSI layer | L3 (IP) | L3 (IP) | L2 (Ethernet) | L7 (agent messaging) |
| Crypto core | WireGuard | Noise framework | Custom (Curve25519/Salsa) | X25519 + AES-GCM |
| Identity | SSO / OIDC accounts | Self-run CA + certs | Network ID + controller | Per-agent key + trust handshake |
| Discovery | Coordination server | Lighthouses | Roots / controllers | Rendezvous + nameserver directory |
| NAT traversal | Hole-punch + DERP relay | Lighthouse-assisted punch | Roots-assisted punch | STUN + hole-punch + relay |
| What an endpoint is | A host IP | A host IP | A host on an L2 net | A named, addressable agent |
| License | BSD client; SaaS control | MIT | BSL | AGPL-3.0, stdlib-only Go |
Two things stand out. First, the crypto primitives are broadly similar across all four (modern elliptic-curve key exchange with authenticated encryption), so "which is most secure" is rarely the deciding factor. The caveat is that primitives are not protocols: WireGuard and the Noise framework underneath Nebula have had years of public scrutiny and formal analysis, and a newer stack built on the same primitives earns that confidence only through review, so look at the handshake design and audit history rather than the cipher list. Second, the real differences are in identity, discovery, and what an endpoint represents. That is where agent workloads diverge from device workloads.
Tailscale: the device VPN that "just works"
Tailscale wraps WireGuard in a control plane that handles key distribution, NAT traversal, and access control for you. Devices authenticate through your existing identity provider (Google, Okta, GitHub), a coordination server exchanges the WireGuard keys, and DERP relay servers carry traffic when a direct hole-punch fails. MagicDNS gives every node a friendly name, and ACLs gate who can reach whom.
It is the easiest of the three to adopt, and for connecting laptops, servers, and CI runners into one private network it is hard to beat. The trade-offs: the coordination server is a hosted dependency (the open-source Headscale re-implements it if you need self-hosting), identity is tied to human accounts and devices, and the model is "give this machine an IP," not "let this agent advertise a capability."
Nebula: certificates and lighthouses for server fleets
Nebula came out of Slack and is built around a certificate authority you run yourself. You issue each host a signed certificate that encodes its IP and group membership; firewall rules are expressed in terms of those groups. Discovery and NAT traversal go through lighthouses — well-known nodes that track where everyone is and help peers punch through NAT. The data plane uses the Noise protocol framework over UDP.
Nebula shines for large, security-conscious server fleets where you want full control of identity and no SaaS in the path. The cost is operational: you own the CA, certificate issuance and rotation, and lighthouse availability. Like Tailscale, the abstraction is the host and its IP — there is no concept of an agent, a capability, or a per-message trust decision.
ZeroTier: a virtual Ethernet switch
ZeroTier is the odd one out: it emulates a Layer 2 Ethernet network over the internet, so joined devices behave as if they share a physical switch, and broadcast, multicast, and non-IP protocols all work. Devices join a network by its 16-hex-character (64-bit) Network ID, and a controller authorizes membership; planet/root servers handle discovery and relay.
That L2 model is powerful for replicating LAN behavior across sites (think legacy systems, game servers, or appliances that expect to be on the same subnet). For agent-to-agent messaging it is more network than you need: you are emulating Ethernet frames to ultimately move application messages between two programs that just want to find each other by name.
Where Pilot Protocol is different
Pilot does not try to be a better VPN. It operates one layer up. The questions an agent actually asks are: "What is my durable address? How do I discover an agent that can do X? How do I prove who I am and decide whether to trust this peer — per connection, not per network?" A VPN answers none of these; it just delivers packets once you already know the IP.
- Agents, not hosts, are addressable. Every agent gets a permanent 48-bit virtual address that survives restarts, IP changes, and moving between clouds. You message an agent, not a machine.
- Trust is per-peer, not per-network. Joining a Tailscale tailnet or a ZeroTier network ID means you are "in," and who you can then reach is governed by network-wide ACLs or controller rules rather than by the peer you are talking to. Pilot uses an explicit handshake: two agents mutually approve a trust link before they exchange data, so membership and trust are decoupled.
- Discovery is built in. A rendezvous directory and a nameserver let an agent resolve peers and capabilities by name or tag — closer to DNS-plus-a-service-registry than to a VPN's static host list.
- It is a thin application layer. Encrypted UDP tunnels (X25519 + AES-GCM) with STUN, hole-punching, and relay fallback for NAT — implemented in pure-stdlib Go with no external dependencies, AGPL-licensed.
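As an added illustration (not Pilot's own code or wire format), the following Go program shows the decoupling of membership and trust that the list above describes: a hypothetical agent holds a long-term X25519 key, derives an address from it, keeps an explicit per-peer trust set, and seals messages with AES-GCM that are refused when the sending or receiving agent has not approved the other. Everything specific here is an assumption made for the example: the address derivation (first six bytes of SHA-256 over the public key, chosen only to match the 48-bit size the page mentions), the `Trust`/`Seal`/`Open` method names, the HMAC-based key derivation label, and the static-static key agreement with no ephemeral keys, which a production handshake would add for forward secrecy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Address is a 48-bit agent address. Assumption made for this example: the
// first six bytes of SHA-256 over the agent's long-term X25519 public key.
type Address [6]byte

func AddressOf(pub []byte) (a Address) {
	h := sha256.Sum256(pub)
	copy(a[:], h[:6])
	return a
}

// Agent pairs a long-term key with an explicit per-peer trust set: holding a
// valid key (membership) does not by itself let anyone exchange data with it.
type Agent struct {
	priv    *ecdh.PrivateKey
	trusted map[Address]*ecdh.PublicKey
}

func NewAgent() (*Agent, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Agent{priv: priv, trusted: map[Address]*ecdh.PublicKey{}}, nil
}

func (a *Agent) PublicKey() *ecdh.PublicKey { return a.priv.PublicKey() }
func (a *Agent) Address() Address           { return AddressOf(a.PublicKey().Bytes()) }

// Trust records a peer this agent has approved; data flows only once both sides have.
func (a *Agent) Trust(peer *ecdh.PublicKey) { a.trusted[AddressOf(peer.Bytes())] = peer }

// session is the single trust gate: it refuses unapproved peers, then derives the
// pair's AES-256-GCM key from the static-static X25519 secret (simplified: a real
// handshake also mixes in ephemeral keys for forward secrecy and uses HKDF).
func (a *Agent) session(peer Address) (cipher.AEAD, error) {
	pub, ok := a.trusted[peer]
	if !ok {
		return nil, fmt.Errorf("peer %x not trusted", peer)
	}
	shared, err := a.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte("example-session-key-v1"))
	block, err := aes.NewCipher(kdf.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for an approved peer, binding the sender address as
// associated data so a relay cannot re-attribute it. Output: nonce || ciphertext.
func (a *Agent) Seal(to Address, msg []byte) ([]byte, error) {
	gcm, err := a.session(to)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	from := a.Address()
	return gcm.Seal(nonce, nonce, msg, from[:]), nil
}

// Open drops envelopes from unapproved senders before any decryption; an
// altered or re-attributed envelope from an approved sender fails the GCM tag.
func (a *Agent) Open(from Address, env []byte) ([]byte, error) {
	gcm, err := a.session(from)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(env) >= ns {
		return gcm.Open(nil, env[:ns], env[ns:], from[:])
	}
	return nil, fmt.Errorf("envelope too short")
}

func main() {
	alice, _ := NewAgent()
	bob, _ := NewAgent()
	bob.Trust(alice.PublicKey()) // one-sided: alice never approved bob
	env, _ := bob.Seal(alice.Address(), []byte("hello"))
	_, err := alice.Open(bob.Address(), env)
	fmt.Println("alice <- bob:", err) // dropped before any decryption
}
```

The point of routing both `Seal` and `Open` through one `session` gate is that the trust decision is made in exactly one place, per peer and per message, rather than once at network-join time; a peer that has approved you but whom you have not approved can build a perfectly valid envelope and still be dropped.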
The honest framing: Pilot and a mesh VPN are not mutually exclusive. You can absolutely run agents on top of Tailscale or Nebula. You would just be solving addressing, discovery, and trust yourself, on top of a layer that does not know what an agent is.
Which should you choose?
- Connecting laptops, servers, and CI into one private network, fast? Tailscale.
- Large server fleet, want to own identity end to end with no SaaS? Nebula.
- Need true L2 / broadcast behavior across sites? ZeroTier.
- Building software where the unit is an autonomous agent that must discover, address, and trust other agents? Pilot Protocol — at the agent layer, optionally over one of the above.
Try it
Pilot installs in one line and gives an agent an address on the network in under a minute (as with any curl-to-shell installer, read the script before piping it to sh):
```sh
# Install and start
curl -fsSL https://pilotprotocol.network/install.sh | sh
pilotctl daemon start --email [email protected]
pilotctl network join 1
# You now have a permanent address; discover and message a peer
pilotctl handshake <peer-address>
pilotctl send-message <peer-address> --data 'hello'
```
Networking built for agents, not just machines
Permanent addresses, a trust handshake, and built-in discovery — over encrypted UDP, with no external dependencies.