I appreciate the attempt, but I think this is just making me more confused.
Part of this may be my own fragmented knowledge; I really only started trying to learn Tailscale today.
The bouncer analogy makes sense. That’s Cloudflare making sure that no one DDoSes me. The pin pad/badge pad makes sense, that’s Cloudflare making sure only authorized IP addresses can get through (or whatever Zero Trust protocols you set). The internal doors with access controls makes sense, that’s Nginx/WordPress/Portainer/etc. blocking access via their own password management.
What confuses me is how Tailscale would be more private than Cloudflare. My Cloudflare tunnel is accessed by going to subdomain.mydomain.com. From what I can tell, a Tailscale VPN is accessed via a something.something.ts.net URL. I hadn’t really thought about it until reading your comment, but that feels a lot more public than some random unknown domain.
What did you mean by the “more private” thing? And did I get the rest of that right?
Traffic between Cloudflare and your server over a tunnel is always encrypted. There is no plaintext option, and no port open on your firewall. A typical config is to have the tunnel reach your server over localhost. The tunnel always reaches out to CF, so it works behind NAT/firewall, dynamic IPs, etc. without specifying an IP address.
Traffic between Cloudflare and your user is via a proxy that adds SSO authentication. Once authenticated, traffic is proxied to your server via the tunnel.
I mean you can add auth steps on the CF Tunnel connection, and it’s very easy to do so.
If you want to expose a webpage you may want to do so (if it’s an admin panel or something similar) otherwise you can just not add the auth requirements and it will be public.
Hell, you can set up Google authentication, 2FA with keys and anywhere in between, it depends on what your security requirements are.
Some like to manage at the firewall level if their firewall supports that. Not every firewall does (most do now).
You can run Tailscale/Headscale in a docker container and punch out to the WAN. Now anyone that’s on the tailnet can have an ACL rule placed on them for what they can access. For example, you run a Plex server and want to share with family and friends. Apple TV has a Tailscale app so now they have access to your Plex server with minimal setup. But you can also deny them access to your NAS while still allowing yourself to access the NAS while on the road.
If you run your VPN on your firewall you can do essentially the same thing by setting your family/friends up with VPN access, then assigning them a static IP and only allowing that static IP to the Plex server and denying everything else.
More than one way to get the same solution. It also depends on how powerful your firewall is, what your network traffic is like, whether it can handle the extra load, and whether the box that runs the Tailscale container can handle that load. I doubt most of us are serving enough clients to make a large difference in load percentage in our home lab, but I’m sure someone is running these services on a toaster somewhere.
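A Tailscale policy file that expresses the Plex/NAS split described in the comment above (an added example, not code from the thread or from Tailscale). It assumes placeholder e-mail addresses and the hypothetical tags `tag:plex` and `tag:nas`, uses Tailscale's HuJSON format (so comments are allowed), and relies on tailnet ACLs being default-deny, so anything not listed is dropped:

```json
{
  // Constructed example: the e-mail addresses and tags are placeholders.
  "groups": {
    "group:family": ["alice@example.com", "bob@example.com"]
  },

  // Only tailnet admins may attach these tags to a device, so a family
  // member cannot re-tag their own node to widen what it is allowed to see.
  "tagOwners": {
    "tag:plex": ["autogroup:admin"],
    "tag:nas":  ["autogroup:admin"]
  },

  // Default-deny: only the flows listed here are permitted.
  "acls": [
    // Family devices (e.g. the Apple TV app) reach Plex, and only its port.
    { "action": "accept", "src": ["group:family"],   "dst": ["tag:plex:32400"] },

    // Admins (you, on the road) reach the NAS and Plex on any port.
    { "action": "accept", "src": ["autogroup:admin"], "dst": ["tag:nas:*", "tag:plex:*"] }
  ],

  // Policy tests: Tailscale rejects the file on save if these fail, which
  // catches a later edit that accidentally opens the NAS to the family group.
  "tests": [
    {
      "src":    "alice@example.com",
      "accept": ["tag:plex:32400"],
      "deny":   ["tag:nas:445", "tag:nas:22", "tag:plex:22"]
    }
  ]
}
```

Because there is no rule from `group:family` to `tag:nas`, the NAS is simply unreachable for them, which is the same outcome as the static-IP-plus-firewall-rule approach but managed in one place.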
People recommend Tailscale for one major reason. You can install it, and have it running, in just two steps on the machine itself. Zero configuration required. WireGuard doesn’t have that.
Cloudflare tunnel can 100% require auth. Use Cloudflare Access, which locks access to the pages behind authentication first. So many enterprises use this and other proxy solutions from Microsoft.
I use something similar to Tailscale. It’s really a dashboard to configure each client’s access to all services. A VPN doesn’t do that on its own. You could create a lot of firewall rules yourself. These products just make that a little easier to administer.
With Twingate they facilitate punch-through connections so you don’t need any port forwarding or static IPs. A very nice perk you can’t do without a 3p.
Setting up a WireGuard server yourself is mostly the same idea, but Tailscale provides some nice-to-haves like a UI for managing it, DERP relay servers to help when the routing is challenging, and a bunch of other add-on features like Tailscale SSH, etc.
It’s not that much more, and unlike a lot of VPNs, getting MFA access on Cloudflare is easier. I have a lot less maintenance with Cloudflare tunnels and even have 2 endpoints in my network to get in if one is down or being patched.
The difference here is that the .ts.net address doesn’t resolve when you’re not on the Tailscale VPN.
If you have plex.ts1234.ts.net, you have to be on the ts1234 VPN to reach it at all. And when you’re on that, you can’t reach torrent.ts5678.ts.net unless they explicitly give you access via the Tailscale access sharing system.
Cloudflare tunnel is a zero trust connector and it’s more secure than a VPN, generally speaking. If you run a web app like Portainer on 10.0.0.100:5001 on your private network, Cloudflare tunnel will only allow access to that application on your domain. Let’s say you set it up on portainer.pulpkinhead.com. If you don’t have security on that application then anyone who knows your address can get into your Portainer. You can get a zero trust app that requires authentication before connecting to the tunnel, but that’s typically used for enterprises that want employees to only access what they need. A VPN will give you complete access to your home network. If a bad actor gets access to your VPN they have access to your full home network. If a bad actor gets access to your zero trust tunnel they only have access to what you allowed.
You can get a similar setup with a VPN, static client addresses, and firewalls, but a zero trust network setup can combine all of that. I’m a bit new with them myself, but I’d guess a vulnerability in a zero trust network would give someone full access to the network, where in a VPN with firewall rules they would be a bit more restricted.