Both of these systems can achieve the same thing, but the difference is more how you think about them. Tailscale is meant to connect multiple devices together over a secure network. OpenVPN is a direct tunnel to one machine. Anything with a single purpose, built for that one thing and nothing else, is almost always going to be more efficient. Tailscale on the other hand has a bit of overhead because it needs to contact a main server to find out where your network is, and can connect directly to your server or, if it can’t, it’ll use a proxy server to make the connection. This means that Tailscale will always find a device in its network under any network condition. But you can see there is a lot more overhead than a direct OpenVPN connection.
My personal opinion is that a direct OpenVPN connection is always better if you’re only connecting to one device/network. It is device to device with nothing in between. Tailscale becomes magical when you have multiple machines on multiple networks that it connects together as if they were all on the same network. Tailscale can act like a VPN, but that isn’t its real purpose. Linking together multiple servers within its own secure network is really where it shines.
There is one case where Tailscale is the better option for VPN and that is if your ISP/router isn’t capable of opening ports or you’re behind CGNAT. Tailscale can get right through that stuff where it’s impossible to use OpenVPN.
Also if you’re using Synology’s built-in OpenVPN I would advise against it. I don’t have specifics but it seems very out of date and doesn’t support modern ciphers. You should be running the newest version in a docker container if at all possible. Also, don’t worry about open ports. As long as you use appropriate passwords/keys it should be fine. If you’re paranoid about opening ports, then Tailscale becomes a good option.
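As an added illustration of the direct-versus-relay behaviour described above (this is not code from the thread or from Tailscale), here is a small Python script that reads the JSON printed by `tailscale status --json` and reports which peers have a direct WireGuard path and which are being proxied through a relay. The sample record is constructed, and the field names (`Peer`, `HostName`, `TailscaleIPs`, `Active`, `CurAddr`, `Relay`) are assumed to match Tailscale's status output.

```python
import json
import sys

# Constructed sample of `tailscale status --json` output; values are made up,
# field names are assumed to follow Tailscale's status structure.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.1.1"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "nas", "TailscaleIPs": ["100.101.1.2"],
                        "Active": True, "CurAddr": "203.0.113.10:41641",
                        "Relay": "lhr"},
        "nodekey:bbb": {"HostName": "office-pc", "TailscaleIPs": ["100.101.1.3"],
                        "Active": True, "CurAddr": "", "Relay": "fra"},
        "nodekey:ccc": {"HostName": "phone", "TailscaleIPs": ["100.101.1.4"],
                        "Active": False, "CurAddr": "", "Relay": ""},
    },
})


def classify_peer(peer):
    """Decide how traffic to one peer is flowing.

    A non-empty CurAddr means WireGuard packets go straight to that endpoint
    (no middle box, lowest overhead). An empty CurAddr with a Relay region
    means the two sides could not punch through (CGNAT, strict firewall) and
    every packet is bouncing via a relay: it still works, but adds a hop.
    """
    if not peer.get("Active"):
        return "inactive"
    if peer.get("CurAddr"):
        return "direct"
    if peer.get("Relay"):
        return "relay"
    return "unknown"


def summarize(status_json):
    """Map each peer's hostname to its path type and the endpoint or relay used."""
    status = json.loads(status_json)
    summary = {}
    for peer in status.get("Peer", {}).values():
        path = classify_peer(peer)
        via = peer.get("CurAddr") if path == "direct" else peer.get("Relay", "")
        summary[peer["HostName"]] = {"ip": peer["TailscaleIPs"][0], "path": path, "via": via}
    return summary


def relayed_peers(status_json):
    """Hostnames whose traffic is taking the relayed (higher-latency) path."""
    return sorted(h for h, info in summarize(status_json).items() if info["path"] == "relay")


if __name__ == "__main__":
    # Pipe real output in with: tailscale status --json | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for host, info in summarize(data).items():
        print(f"{host:12} {info['ip']:14} {info['path']:9} {info['via']}")
```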
Tailscale is much easier for non-techie people to set up and use.
OpenVPN is faster and has more configuration options. Depending on your use case, this can be a benefit or a hindrance.
OpenVPN is completely self hosted whereas Tailscale relies on a middle component and an external login. Some people have issues with this middle component.
Honestly, I’d recommend most newcomers use Tailscale, but if you’re happy with OpenVPN and supporting those components and config, there may not be a good enough reason to move.
Perhaps the one really neat thing about Tailscale is how you can build a private secure mesh across multiple different devices and accounts and “it just works”.
Tailscale uses a multi point-to-point WireGuard ‘meshed’ VPN matrix, cleverly configured via Tailscale in their cloud. It is free for small networks, at least it was for me. The clients on Windows, Linux and Android were, as of some months ago, super stable and reliable. You can self host the cleverness of Tailscale too, outside your subnet, if you are paranoid.
Worked for me within an hour using their free level cloud.
Certainly better than having any ports exposed publicly to the internet. Zerotier, I hear anecdotally, is similar yet significantly different in architecture.
Only problem I had is it is difficult/impossible to configure Android to have more than one VPN active at the same time, but you can route any other traffic via your Synology NAS running any compatible VPN, if that is a significant problem, albeit with added latency.
Tailscale is easier to set up, which is important to many people.
But it has about 30% less performance than OpenVPN so use OpenVPN when you need to transfer large files or do remote backups and want the best possible speed.
I would recommend Tailscale, since it’s more secure and easier to set up.
OpenVPN has had many vulnerabilities discovered in the past and Synology didn’t always patch them punctually. Besides, you need to open ports to access it from outside the network, which enables malicious actors to scan or attack you (you can check logs in /var/log to see how many IPs have accessed your network). Before I switched to Tailscale, I saw many IP addresses try to access my L2TP server (mostly bots in China and Mexico), but those failed login attempts didn’t show up in the Log Center.
Tailscale uses a more secure approach: you can enable 2FA authentication or authorize your login with Google. Besides, you can even send files across devices and easily switch between “hybrid VPN” or “full routing VPN”.