[ Switch to styled version → ]

← Docs index

Pilot Protocol vs Tailscale vs ZeroTier vs Nebula

Overlay networks compared. All create virtual addresses, encrypt traffic, and traverse NATs. The difference is who they are built for.

Overview

• Pilot Protocol - An overlay network built for autonomous AI agents. Provides virtual addresses, port-based services, a bilateral trust model, peer discovery with tags, and built-in application services (data exchange and pub/sub). No external Go dependencies.
• Tailscale - A VPN mesh built on WireGuard for connecting human users and servers. Manages device access through an admin console, integrates with SSO/OIDC, and provides Magic DNS.
• ZeroTier - A virtual Ethernet switch that creates flat L2 networks. Devices join a network ID and get an IP. Managed through a central controller.
• Nebula - Slack's overlay network for connecting servers at scale. Certificate-based identity, firewall rules in config files, designed for infrastructure teams.
• libp2p - A modular networking stack for peer-to-peer applications. Provides transport, discovery, and pubsub primitives. Used by IPFS, Ethereum, and Filecoin.

vs Tailscale

Tailscale is a WireGuard-based mesh VPN with strong NAT traversal and a polished admin experience, designed for connecting users and servers under centralized access control. Pilot Protocol is designed for autonomous agents that generate their own identity and negotiate trust without an admin.

• Designed for: Pilot = AI agents; Tailscale = users and servers
• Addressing: Pilot = 48-bit virtual (N:NNNN.HHHH.LLLL); Tailscale = 100.x.y.z (CGNAT range)
• Encryption: Pilot = X25519 + AES-256-GCM; Tailscale = WireGuard (ChaCha20-Poly1305)
• NAT traversal: Pilot = STUN + hole-punch + relay; Tailscale = DERP relay servers
• Trust model: Pilot = bilateral handshake (agent-initiated); Tailscale = centralized ACLs (admin console)
• Discovery: Pilot = registry + tags + hostnames; Tailscale = Magic DNS + admin console
• Identity: Pilot = Ed25519 key pair (self-generated); Tailscale = SSO/OIDC provider
• Application services: Pilot = echo, data exchange, pub/sub; Tailscale = Taildrop, Funnel, Serve
• Admin experience: Pilot = CLI + config files; Tailscale = polished admin console
• Account required: Pilot = No; Tailscale = Yes (Google, Microsoft, GitHub, etc.)
• Transport: Pilot = UDP with custom reliable transport; Tailscale = WireGuard (kernel or userspace)
• License: Pilot = AGPL-3.0; Tailscale = BSD-3 (client), proprietary (coordination)
• Self-hostable: Pilot = Yes (rendezvous server); Tailscale = Yes (Headscale, community project)

Key difference: Tailscale is built for human-managed networks - sign in with an identity provider, an admin defines ACL policies, and devices get IP addresses on a WireGuard mesh. Pilot Protocol is built for agent-managed networks - agents generate their own cryptographic identity, negotiate trust directly with peers, and get built-in services for data exchange and task delegation. If agents run on machines already on a Tailscale network, Pilot tunnels run over it.

vs ZeroTier

ZeroTier creates virtual Ethernet segments (L2). Any device can join a network by ID and get an IP. Pilot Protocol operates at L3/L4 with port-based service multiplexing and agent-native features.

• Layer: Pilot = L3/L4 (network + transport); ZeroTier = L2 (virtual Ethernet)
• Addressing: Pilot = 48-bit virtual addresses; ZeroTier = 10-character node ID + IP
• Ports: Pilot = 16-bit ports with well-known assignments; ZeroTier = standard IP ports
• Trust: Pilot = bilateral handshake; ZeroTier = network controller approval
• Discovery: Pilot = tags, hostnames, registry search; ZeroTier = network member list
• Application services: Pilot = echo, data exchange, pub/sub; ZeroTier = none
• Account required: Pilot = No; ZeroTier = Yes (for managed networks)
• Self-hosted: Pilot = Yes (rendezvous server); ZeroTier = Yes (controller)
• Free tier: Pilot = unlimited (open source); ZeroTier = 25 devices
• License: Pilot = AGPL-3.0; ZeroTier = BSL 1.1

Key difference: ZeroTier emulates Ethernet - it gives you a flat network and you build everything else on top. Pilot Protocol provides a complete agent networking stack: addressing, transport, discovery, trust, and application-layer services out of the box.

vs Nebula

Nebula is Slack's overlay network for infrastructure. It uses certificate-based identity and config-file firewall rules. Pilot Protocol uses dynamic trust negotiation and agent-driven discovery.

• Designed for: Pilot = AI agents; Nebula = server infrastructure
• Identity: Pilot = Ed25519 (self-generated); Nebula = X.509 certificates (CA-signed)
• Trust: Pilot = dynamic (runtime handshake); Nebula = static (certificate + config)
• Firewall: Pilot = per-port accept rules; Nebula = YAML config rules
• Discovery: Pilot = registry + tags + hostnames; Nebula = Lighthouse nodes + static hosts
• Configuration: Pilot = JSON config + CLI flags; Nebula = YAML files + CA PKI
• Application services: Pilot = echo, data exchange, pub/sub; Nebula = none
• PKI required: Pilot = No; Nebula = Yes (nebula-cert CA)
• NAT traversal: Pilot = STUN + hole-punch + relay; Nebula = Lighthouse + punch
• License: Pilot = AGPL-3.0; Nebula = MIT

Key difference: Nebula requires a PKI setup - run a certificate authority, sign certificates for each node, and distribute them manually. Pilot Protocol agents generate their own identity and negotiate trust at runtime. Pilot suits dynamic agent populations where nodes come and go; Nebula excels for static infrastructure with known hosts.

vs libp2p

libp2p is a modular networking toolkit used by IPFS, Ethereum, and Polkadot. It provides building blocks; Pilot Protocol provides a complete, opinionated stack.

• Approach: Pilot = complete stack (single binary); libp2p = modular toolkit (assemble yourself)
• Dependencies: Pilot = stdlib only; libp2p = heavy (multiple crates/modules)
• Addressing: Pilot = 48-bit virtual addresses; libp2p = Multiaddr + PeerID
• Transport: Pilot = UDP with reliable streams; libp2p = TCP, QUIC, WebSocket, WebRTC
• Discovery: Pilot = central registry + tags; libp2p = DHT (Kademlia) + mDNS
• Trust: Pilot = mutual handshake with approval; libp2p = connection-level (no trust model)
• Complexity: Pilot = one binary, one config file; libp2p = multiple protocols to configure
• Primary use case: Pilot = AI agent networking; libp2p = blockchain and decentralized apps
• Setup time: Pilot = minutes; libp2p = hours to days

Key difference: libp2p is a toolkit - choose transports, discovery mechanisms, and security protocols, then wire them together. Pilot Protocol is opinionated and complete: one binary, no external dependencies, built-in services, and a trust model designed for agents. Use libp2p for maximum flexibility in a blockchain or decentralized application; use Pilot for agents talking to each other in minutes.

Feature matrix

• Agent-native design: Pilot = Yes; Tailscale = No; ZeroTier = No; Nebula = No; libp2p = No
• Account required: Pilot = No; Tailscale = Yes; ZeroTier = Yes; Nebula = No; libp2p = No
• PKI/CA required: Pilot = No; Tailscale = No; ZeroTier = No; Nebula = Yes; libp2p = No
• Stdlib-only (no external deps): Pilot = Yes; Tailscale = No; ZeroTier = No; Nebula = No; libp2p = No
• NAT traversal: Pilot = STUN+relay; Tailscale = DERP relay; ZeroTier = root servers; Nebula = Lighthouse; libp2p = AutoNAT+relay
• E2E encryption: Pilot = AES-256-GCM; Tailscale = WireGuard; ZeroTier = ChaCha20; Nebula = AES-256-GCM; libp2p = Noise/TLS
• Trust model: Pilot = bilateral; Tailscale = central ACL; ZeroTier = controller; Nebula = certificates; libp2p = none
• Peer discovery: Pilot = registry+tags; Tailscale = Magic DNS; ZeroTier = controller; Nebula = Lighthouse; libp2p = DHT+mDNS
• Port multiplexing: Pilot = 16-bit ports; Tailscale = IP ports; ZeroTier = IP ports; Nebula = IP ports; libp2p = protocol IDs
• Built-in services: Pilot = echo, data exchange, event stream; Tailscale = none; ZeroTier = none; Nebula = none; libp2p = pubsub only
• Pub/Sub: Pilot = Yes; Tailscale = No; ZeroTier = No; Nebula = No; libp2p = Yes
• Self-hosted: Pilot = Yes; Tailscale = Headscale; ZeroTier = Yes; Nebula = Yes; libp2p = Yes
• License: Pilot = AGPL-3.0; Tailscale = BSD-3/Prop.; ZeroTier = BSL 1.1; Nebula = MIT; libp2p = MIT/Apache

When to use what

Use Pilot Protocol when:

• You are building with AI agents that need to find, trust, and communicate with each other
• You want lightweight networking with no accounts, no PKI, no cloud platform to manage
• You need built-in application services (data exchange and pub/sub) out of the box
• Agents need to dynamically discover peers by tags, hostnames, or capabilities
• You want agents to negotiate trust at runtime without a central authority

Use Tailscale when:

• You need a VPN mesh for human users and their devices
• You want SSO integration (Google, Microsoft, Okta)
• You need centralized access control managed by an admin
• You want an admin console and commercial support

Use ZeroTier when:

• You need a flat L2 network that "just works" for up to 25 devices (free tier)
• You want virtual Ethernet between devices across the internet
• You need broad platform support (runs on nearly everything)

Use Nebula when:

• You are connecting servers in a known, static infrastructure
• You already have a PKI or are comfortable running a certificate authority
• You need fine-grained firewall rules defined in config files
• You want MIT-licensed software with proven scale (50,000+ hosts at Slack)

Use libp2p when:

• You are building a blockchain, decentralized storage, or Web3 application
• You need maximum protocol flexibility and transport agnosticism
• You want DHT-based fully decentralized discovery (no central server at all)
• You are willing to invest time assembling and configuring the stack

The short version: Tailscale, ZeroTier, and Nebula give you a network. Pilot Protocol gives agents a network with identity, trust, discovery, and services built in. If your nodes are humans or servers, use a VPN. If your nodes are agents, use Pilot.

Related

• vs MCP / A2A / ACP
• Research