
PhilipLGriffiths88 t1_iqvvigj wrote

Here is one I am working on, looking at Wireguard and OpenZiti (comments very appreciated):

Wireguard is a better VPN. It is more secure, easier to use and set up, and delivers much better performance than many other VPNs. Its design principles make it easy to set up full mesh networks of connected machines by being 'default-open'. Wireguard is also fully open source and self-hosted. Wireguard creates P2P connections using UDP and STUN, so inbound firewall ports are not needed. Wireguard can be tricky to manage at scale due to key management and the large number of P2P tunnels that need to be maintained, and UDP sometimes being blocked. For this reason, many companies have created their own SaaS implementations of Wireguard, including Tailscale, Netbird, Netmaker and more. These are a mixture of proprietary and open source.

OpenZiti can be a better VPN while being designed to do much more. Rather than connecting machines, it cares about connecting "services" with zero trust networking concepts, including least privilege, micro-segmentation, and attribute-based access (though you can also set up a whole CIDR if you want). OpenZiti also uses the embedded identity to build outbound-only connections into a mesh (think Cloudflare tunnels), so we can close all inbound ports. This can all be summarised as Wireguard being 'default-open' whereas ZT is 'default-closed'. Wireguard is normally combined with a firewall to deliver ACLs and network segmentation controls.

Whereas Wireguard uses UDP and hole punching, OpenZiti uses TCP and a mesh overlay (with the outbound only at source and destination). This is how Tailscale implements Wireguard to ensure it works easily in all situations. It also allows you to control the internet routing and provide higher redundancy, resiliency, and control for routing traffic according to policy (e.g., low latency or geo-restrictions). All of this is open-source and native to OpenZiti, not in Wireguard.

Due to OpenZiti's use of identity in the endpoints and fabric for routing, you also get a private DNS and unique naming (e.g., send from IoT endpoint service to IoT server rather than from 192.xxx.xxx.xx to 100.xxx.xxx.xx). This also means we do not need floating or static IPs, can easily handle overlapping IPs, and need no port forwarding.

Finally, where it really differentiates is that with OpenZiti you can start with "network-based zero trust" (installing a router in private IP space) and progress to "host-based zero trust" (using an agent/tunneller); it also has a suite of SDKs to embed in apps themselves for "application-based zero trust". This allows it to run in clientless, serverless, confidential computing, unikernel environments and more. It also means an application does not even need to trust the underlying host network or know the port/IP.

P.S., Wireguard gets a lot of well-deserved love! OpenZiti uses the Windows TUN (WinTun) that the Wireguard project made as (at least) part of our Windows tunneler. Thanks, Wireguard!

11
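The 'default-open' versus 'default-closed' distinction in the comment above, shown as an added example (not code from the comment author, the WireGuard project or OpenZiti). The first half parses a constructed WireGuard config and applies cryptokey routing: once a peer's `AllowedIPs` covers an address, any local process can send to any port there, so segmentation has to come from a firewall. The second half is a simplified model of identity, service and dial policies with `#attribute` / `@name` role attributes in the style OpenZiti uses; the data classes, anyOf matching and all names and addresses are assumptions constructed for the example, not the project's API.

```python
"""Added example: 'default-open' WireGuard reachability next to a
'default-closed' attribute-based service policy. All data is constructed."""
import ipaddress
from dataclasses import dataclass

# --- WireGuard side ---------------------------------------------------------
# Constructed config: placeholder keys, private sample addresses.
WG_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.1/24

[Peer]
PublicKey = PLACEHOLDER_KEY_LAPTOP
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = PLACEHOLDER_KEY_IOT_SERVER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
"""

def parse_allowed_ips(conf: str) -> dict:
    """Map each [Peer] PublicKey to the networks listed in its AllowedIPs."""
    peers, key = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            key = None                        # not a peer section
        elif line == "[Peer]":
            key = ""                          # expect a PublicKey next
        elif "=" in line and key is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "PublicKey":
                key = v
            elif k == "AllowedIPs" and key:
                peers[key] = [ipaddress.ip_network(n.strip()) for n in v.split(",")]
    return peers

def wg_peer_for(peers: dict, dst: str):
    """Cryptokey routing: a destination goes to the peer whose AllowedIPs has the
    longest matching prefix, for any port and any local process. None if no
    peer claims the address."""
    ip = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None

# --- Zero-trust service side ------------------------------------------------
# Assumed model (not OpenZiti's API): '#attr' matches an attribute, '@name'
# matches one identity or service by name; a policy is satisfied when any
# listed role matches (anyOf semantics).
@dataclass(frozen=True)
class Identity:
    name: str
    attrs: frozenset

@dataclass(frozen=True)
class Service:
    name: str          # services are dialled by name; no IP or port needed
    attrs: frozenset

@dataclass(frozen=True)
class DialPolicy:
    identity_roles: frozenset
    service_roles: frozenset

def _role_match(roles, name, attrs) -> bool:
    return any(r == "@" + name or (r.startswith("#") and r[1:] in attrs) for r in roles)

def can_dial(policies, ident: Identity, svc: Service) -> bool:
    """Default-closed: access exists only if some policy explicitly grants it."""
    return any(_role_match(p.identity_roles, ident.name, ident.attrs)
               and _role_match(p.service_roles, svc.name, svc.attrs)
               for p in policies)

IDENTITIES = {
    "laptop": Identity("laptop", frozenset({"staff"})),
    "iot-sensor": Identity("iot-sensor", frozenset({"iot-device"})),
}
SERVICES = {
    "iot-ingest": Service("iot-ingest", frozenset({"iot"})),
    "git": Service("git", frozenset({"dev-tools"})),
}
POLICIES = [
    DialPolicy(frozenset({"#iot-device"}), frozenset({"#iot"})),
    DialPolicy(frozenset({"#staff"}), frozenset({"#dev-tools"})),
]

def access_matrix(policies, identities, services) -> dict:
    """Which identity may dial which service under the given policies."""
    return {(i.name, s.name): can_dial(policies, i, s)
            for i in identities.values() for s in services.values()}

if __name__ == "__main__":
    peers = parse_allowed_ips(WG_CONF)
    for dst in ("10.0.0.2", "192.168.50.7", "172.16.0.1"):
        print(f"WireGuard: {dst} -> peer {wg_peer_for(peers, dst)}")
    for (i, s), ok in access_matrix(POLICIES, IDENTITIES, SERVICES).items():
        print(f"Zero trust: {i} -> {s}: {'allow' if ok else 'deny'}")
```

Running it shows the contrast: the whole `192.168.50.0/24` behind the IoT server peer is reachable from the WireGuard interface on every port, while in the policy model the laptop is denied `iot-ingest` simply because no dial policy names it, and the sensor is denied `git` for the same reason. Adding a second identity attribute or a new `DialPolicy` is the only way to widen access, which is what least privilege and micro-segmentation mean in practice.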