Asking for clarification: What's the difference between a Tailscale VPN and a Cloudflare Zero Trust tunnel?

Some of the comments in this thread are saying it’s the same, some are saying it isn’t.

I started looking up tutorials today on how to set up Tailscale, and it just looks the same as the Cloudflare tunnels I already have set up.

My Portainer has two factors of authentication before you can access it remotely. I was trying to set up Tailscale so I could remote into my dad’s Unraid administration page. So, what’s the difference between a Tailscale VPN and a Cloudflare tunnel? I want to know what the difference is, so I know whether it’s safe to use Cloudflare for the Unraid and Portainer or not.

I frequently see people freak out about Cloudflare Tunnel without really understanding how it works when combined with Cloudflare Access applications and policies. Yes, if you simply set up Cloudflare Tunnel with no extra steps, your website is exposed to the public Internet for all to see. However, if you also create a “self-hosted” application in Cloudflare Access, you can lock the website behind policies that, for example, require SSO. If the requirements of these policies are not met, you cannot talk to the website whatsoever. If set up properly this is no less secure than a typical VPN. That’s the point of Cloudflare Zero Trust: to replace the old-school VPN client paradigm. Cloudflare does offer the WARP client if you have particular needs that I won’t get into.

So, think of it this way: you’ve got a building with a front door, and a shared door to the club next door.

You lock the front door, but leave the shared door unlocked, and tell a few friends that they can go in the club, through the shared door, and grab a snack from the kitchen. The club’s bartender checks folks at the door for being over 21 and carrying no weapons, but anyone in the club can open said door.

That’s Cloudflare Tunnels.

Optionally, you can attach Cloudflare Access to that as well, which is like putting a PIN pad or a badge reader on the shared door. Still gotta get past the bouncer to get to the other way in.

VPN is like having a back door with a separate lock from the front. No bouncer, but more private. Maybe you also have inside doors with other access controls, so someone with kitchen access doesn’t get access to the bar too.

This would be a private VPN. Tailscale provides this as a service.

A public VPN would be like taking a bus to the building, so folks can’t look up the license plate and figure out where you live.

Cloudflare tunnel is a proxy service. All the data is sent to Cloudflare. Then they publish your apps and services on a domain.

Tailscale uses VPN for p2p connections. Tailscale’s servers tell nodes where to connect to, and do not handle your data.

Both services allow you to access your server without the need to open ports to the public. The difference is that Cloudflare lets everyone access your apps (so you are on the hook for setting up authentication). On the other hand, Tailscale is basically a VPN, so anyone who is not on your account cannot access your apps.

You want to use Cloudflare for apps that you want people to connect to, like a website or your Mastodon instance. You use Tailscale for everything else, but without the need to set up your own VPN.

Using a VPN you get an IP address and you have access to everything that IP address has access to. With zero trust networking, you get access to only what’s allowed, usually the minimum for that use case.

Well, for one, Tailscale makes sure you are not giving your access keys to a third party called Cloudflare. You are the product if they offer things for free. And considering all the shady practices from bigger companies, you never know what happens unless you self-host.

Biggest difference is that you have a data limit on Cloudflare (100 MB packets), and it’s open to the internet, so you can access it from any device.
On Tailscale, you need the app installed on every device you want connected to each other, and there’s no data limit.
I’ve used both, and I found Tailscale to be the easiest to set up and best for personal use.
I’ve also installed it on my gf’s phone for Immich backup using my account and it works great; I believe there’s a limit of 100 devices.

I just added a Cloudflare Zero Trust Access login page in front of my tunnel.

From what I know, it does not get more secure than this (it’s essentially 2FA).

It depends on the way you look at it. On a high level: yes, you can describe it like that. It’s a VPN between Cloudflare and your service. But on the technical side: it’s definitely not a VPN, and how dare you say that?! 😃

Cloudflare Tunnel is one aspect; think of it as the connection aspect. But then there are Cloudflare Access policies, where you can lock things down, as I do, so that you have to authenticate somehow: for example, you enter the valid email addresses that are allowed to auth to your public services, then you enter that email on the “login” page, it sends you an email, and you click that link. I use OIDC with my own Authentik instance, so that even if someone finds out one of my services, they are still blocked until they meet the access policies. These could also mean blocking countries/allowing certain ones, or any of the options listed here

Tunnels and vpns are indeed the same thing (well, a tunnel can be made with a bunch of different technologies but here it is a VPN).

The difference is that with Tailscale, WireGuard, OpenVPN you create a tunnel between your home network and your device, and only your device.
Cloudflare’s solution creates a tunnel between your network and Cloudflare’s servers, and then the servers open the service to everyone.

The first solution is used when you want to access your network as if you were inside it, and still be as secure as if it were closed to the outside.

The second solution is used when you want to expose a service to the internet (e.g. a webpage), but don’t want to set up your router, or you don’t have a public static IP, or don’t want to be bothered with the https mess, certificates, and all that stuff. Cloudflare handles all that for you.

TL;DR: a tunnel is a secure connection, but where that connection goes is important. In Cloudflare’s case, that connection ends in Cloudflare’s hands and then it’s exposed to everyone.

Edit: you can use Cloudflare as a “secure” connection to some web interface you want to reach from the outside, using Cloudflare Access! That way Cloudflare blocks all access unless you authenticate (you can use Google’s login, for example). I do this for a few things and it’s handy. You just need to configure it correctly.

You absolutely 100% do not need Tailscale. It offers nothing over just using WireGuard. Reddit, no idea why, jacks off to it, but it just introduces another unknown variable.

Others have already explained the differences, so I won’t bother on that front.

Also, on another side note:

If you own a domain name (look into cheap .cc names and such, is my advice: ~$5 a year or so for fairly unique, short names. I have a 5-letter, actual English word domain name for only ~$5 a year. It’s not this word, but imagine something like shorty(dot)cc; reddit weird censor stuff, plus I don’t wanna link to that site since I just made it up, blah blah), then here’s some simple, super easy advice:

  1. use your own local DNS server (AdGuard, Pi-hole, etc.; have two of them on totally separate machines. I have one running in Docker on my server and one running on a Pi-hole)

  2. use your domain name with a reverse proxy two ways: one just the domain name (example.com), second the domain name but for local access only (local.example.com)

  3. using reverse proxy again, you make ANY domain name you wish available for ONLY local access by simply setting up reverse proxies to do, for example, 10.0.0.2 (local ip) is proxied as plex.local.example.com.

  4. you set up the DNS servers to automatically redirect ALL *.local.example.com URLs to your local IP, so when you type plex.local.example.com it goes directly to your local IP 10.0.0.2. Best part? If someone outside your network types plex.local.example.com it won’t resolve! They have no access without joining your network

  5. external use for you only. When away from home you can have all your at-home stuff by simply having a router-based WireGuard VPN running (or perhaps on a home server, up to you). You connect to the VPN, you’re “on your own home network” now, and you can access plex.local.example.com and all the others. But no one else can without joining your network or having your VPN information and permissions

Perhaps sounds complicated, but it’s actually incredibly easy and like 3 steps really. And once it’s done it’s done.

Just my advice. Requires zero fucking with companies like Tailscale or Cloudflare (CF maybe just for the domain registration and some other stuff, but not their tunnels)

A tunnel is a tunnel. HTTPS is even a tunnel.

That’s not really the issue. The issue is access to that tunnel. A VPN requires authentication to connect, Cloudflare tunnel does not. So, any random person could try to log into your server, vs with a VPN you have a key pair and robust authentication that needs to happen before you can connect to the backend server.

Edit: Apparently, you can put Auth on CF Tunnel. TIL

VPN is the technology of creating a secure tunnel from one Network or Device to another Network or Device over an unsecured connection.

Classic VPN does that by having the client connect to the public IP of your firewall/VPN server. You can specify which resources are accessible from the VPN, if you set it up right.

Twingate, Cloudflare and other “zero trust tunnel” providers: what happens here is, a device in your network connects to Cloudflare/Twingate. Your device will do the same. The provider will now route your packets between those two connections. You have to specify which resources you want accessible. Most of them can do some fancy stuff, like DNS rewrite/redirect, which can be rather helpful.

It is essentially the same technology, with “zero trust” just having a broker in between. It is easier to set up, and easier to set up securely.
Classical VPN can be just as secure, but it is on you to build it so.

It’s not the same. With CZT you only have one specific service on one specific host available, while with Tailscale or any other VPN you can access the whole network or, if configured, use it as an exit to the internet itself, to protect your privacy on public Wi-Fi.

A VPN is what its name says, a Virtual Private Network, while a CZT is just a tunnel through to a single service on a single host, so you don’t need to open ports or can circumvent CGNAT.

And then there is also the difference between a plain VPN and Tailscale. Tailscale offers NAT circumvention for VPN by having a negotiation server in between and building an overlay network, so you don’t need a server and an open port in your destination network.

Cloudflare tunnel is public, Tailscale is not. Cloudflare literally publishes/uses DNS records that allow connection from anywhere (which is the point when you have a website or multi user application).

With the recent Cloudflare games they’ve been playing, extorting businesses lately, I wouldn’t touch ’em. Lying, deceptive, fraudulent, possibly criminal business practices? Yeah, nope.

So I’m an idiot and I’m sure someone in here with as much knowledge as the comments I’ve been reading could help me here.
I have a Firewalla Gold+. I set up a VPN server on it with WireGuard. Is this the same as Tailscale?

So true.

Setting up a CF tunnel and then running a Keycloak server for auth is really great, kinda tricky, but great. And those services that allow SSO integration can also be linked. Does away with the multiple login screens.

It’s probably because setting up a VPN is way more beginner-friendly than the Cloudflare tunnels are. The tunnels require a lot more setup to function like a VPN would, and if you don’t know what you are doing and miss a step or something, you have a vulnerability. Pretty much, if you mess up the VPN you just won’t be able to access it either, hahaha.