tailscale vs cloudflare tunnel? which is better a homelab
tailscale vs cloudflare tunnel? which is better a homelab
Hello I've been using cloudflare to get remote access for the couple apps I selfhost, but lately I've been hearing about the wonders of tailscale.
It seems that the free tier is enough for my use. Which would be a safe option to have remote access for my 3D printer? Also how are both in terms of privacy?
A VPN is going to offer better security. I would only use cloudflare if you need something to be open to the public. This is useful when you have non-technical users that aren't going to understand using a VPN.
Just use CF with host restrictions. You can easily add which hosts should have access of you want to limit access further
Tailscale. Because it can do both. It functions as a mesh VPN for private access, but it also has Tailscale Funnel which does the same thing as Cloudflare tunnels but you don’t give all your traffic to Cloudflare
Is there a specific reason tailscale having all the same traffic opposed to cloudflare is a better option? I use cloudflare tunnels right now and figured them handling some of the data is better than me by myself.
Tailscale shouldn't be getting your data anyway. It's a mesh VPN that directly connects devices after their auth server gives out certs and let's clients know where to find another. If you're not comfortable with using their server for this I'd suggest you look into the open source headscale server. I do remember it routing through their server in the rare case NAT punching doesn't work
Tailscale server can also be self-hosted, look into headscale.
From my own experience, I still can't setup headscale on my Android phone, I think latest tailscale APP fucked up setting custom server function.Don't install from Google Playbeen using headscale + android ts app for a few months now, no issues. i get the app via fdroid.
Installed from F-Droid and it works without issue, thanks
Thanks! That sounds exactly what I've been looking for. Will try it out and if it's too complicated I will use Tailscale.
If it's just you, and you're willing to install it on all your devices, Tailscale is the best option IMO. If you need to share things with others, use CF Tunnels.
It's mainly just for me and my wife, I guess I can set it up for her.
I like tailscale and have been testing it for a few months. I'm also using headscale as the control plane.
Unfortunately the android client is somewhat unreliable. It works most of the time but once in a while, connections to your tailnet will fail for a bit and require retries. If you ping a machine in your tailnet during this problem, it will show packet loss and then start working after a few pings. This unfortunately makes it difficult to have a reliable split DNS setup.
I've done everything to try and understand what happens without success. It seems like state is lost somewhere and a few packets flowing will fix it. Running a constant ping from Android to my tailnet "fixes" the problem, but is not a great workaround.
Just something to keep in mind before you jump headfirst.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters CF CloudFlare CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAS Network-Attached Storage NAT Network Address Translation SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #262 for this sub, first seen 5th Nov 2023, 06:50] [FAQ] [Full list] [Contact] [Source code]
Cloudflare hates VPNs, so when it comes to privacy, it's not really a contest.
Cloudflare ironically has a VPN-ish service that no one talks about called Cloudflare Warp.
I sometimes use it to access piratebay since it't ban where I live.
WARP (a client) just connects you to CF's network.
If your server is running
cloudflared(an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That's the principal behind Zero Trust.While techinically yes, WARP can be considered as a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.
Wait, what’s this about them hating VPNs?
I guess they mean that you get to solve many Captchas if you access Cloudflare-protected sites through a VPN.
Definitely Tailscale
You can just self-host Wireguard on an always-free Oracle cloud machine (or of course any other cloud host). It's quite easy to set up and there are open source Wireguard UIs and clients for any OS. I will never rely on a company like Tailscale or Cloudflare for something like this.
That wouldn't help with accessing their home network.
I would use wireguard at home for this, but we have CGNAT so that is impossible/hard so I just use tailscale, which uses WireGuard anyways.
Tailscale also has the advantage that you easily access udp services, the last time I checked this was not really possible with cloudflare tunnels
Why not both?
I use tailscale for full access to network and cloudflare tunnels to specific access to a service
Tailscale Funnel and Serve will also let you point services to the public. I only use tailscale for all of my access needs and it's perfect and easy to handle 👌
What I enjoy with tailscale is that the traffic goes directly from the host to the client.
Since there is no cloud relay I can connect to all my services via tailscale, even on local network and it's not going to impact the speed.
This way I only have one setup that works the same way on local network or remotely but still have the local network speed when I am at home.
discovered tailscale from this post and after reading their "how tailscale works" I was hoping to get some clarification from an activer user (you).
CF tunnels setup an outbound-only tunnel from my private network via
cloudflared, I have no ingress holes in my firewall to access my services.cloudflareddoes all the proxying. Plus my IP changes monthly as I don't pay for a static one from my ISP. This "outbound-only" connection is resilient to that.Tailscale is point-to-point (for data plane) connection and only the control plane is "hub and spoke". This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true or where did I misunderstand?
I'm probably not the beat person to answer to you about the technical aspect and I'm not sure if I fully understand your question.
However I can tell you that there is no need to change anything at network level for tailscale to work.
I've installed and used tailscale on desktops, VM, raspberry, NAS or smartphone on plenty of different network, I've also remotely guided people to install tailscale on their machine at home and it always just worked. No issue at all and nothing to change on the network for it to work.
That's amazing I thought it would slow down on lan. Since myy upload speed is really slow.
You may want to check this out. This articles also explains TLS-termination and TLS-passthrough.
Neither, I setup a VPS and wireguard. I also use netbird for some things that aren't publicly accessible
Do you mean Wireguard? I couldn't find anything called Fireguard.
Yes
I'm suprised nobody mentioned nebula: A scalable overlay networking tool with a focus on performance, simplicity and security.
I've been running it for about two years on multiple machines and it worked flawlessly so far. Even connecting two hosts, both behind mullvad-vpn tunnels.
The only downside is, that you have to host your own discovery server (callled "lighthouses"). One is fine, but running at least two removes the single point of failure from the network.