Looked at what actually replaces Tailscale on Linux when the issue is DNS/netfilter/CGNAT invasiveness, not WireGuard itself. Headscale, NetBird, Netmaker, Nebula, and Cloudflare Tunnel each solve a different slice. The real fix is separating private management access from public-facing APIs.
Six VPN protocols (ShadowSocks, V2Ray, SoftEther, WireGuard, OpenConnect, IKEv2) compared from someone who actually ran them inside China. As of 2026, most are detected by GFW machine-learning, including ShadowSocks and IPSec-based protocols. What still connects: VLESS+REALITY, Hysteria2, and WireGuard with obfuscation (udp2raw or wstunnel). Includes VPS region notes (avoid Tokyo, pick Singapore/Hong Kong).
