What are the benefits of Tailscale vs using a reverse proxy with a domain name?

I currently use a reverse proxy with a subdomain to access my self-hosted services like Plex, Komga, Kavita, Audiobookshelf, etc.

What would running Tailscale allow me to do that I couldn’t with a reverse proxy? It doesn’t seem worth it because you have to install the Tailscale app on all the client devices you want to connect to your network with. Whereas with a reverse proxy, I can just type in the domain name and have access.

Tailscale and reverse proxy are completely different tools that have some overlap of functionality (access stuff remotely). You don’t have to choose… if you need both, you could have both.

You have services on your network that you want to expose to the internet? Set up port forwarding on your router.

You have services on your network that you want to expose to the internet but your IP address keeps changing? Set up port forwarding and dynamic DNS.

You have web (read: HTTP) services on your network that you want to expose to the internet but don’t have a publicly routable IP or your ISP blocks your desired ports? Try Cloudflare Tunnel (or DIY with a publicly-accessible VPS).

You have multiple web services that you want to expose to the internet through the same port? Use a reverse proxy and forward that port to the reverse proxy.

You have multiple web services that you want to expose to the internet but you only want to set up SSL/TLS once? Use a reverse proxy and terminate the SSL/TLS at the reverse proxy.

You have services on your network that you want to access remotely but not expose to the internet? Use SSH tunneling (ssh -L).

You want to access your entire network (arbitrary hosts and ports) remotely but not expose your entire network to the internet? SSH works but VPN is better; try OpenVPN. Edit: try WireGuard, because it’s waaaay better :)

You want to bridge multiple networks so they work together as a single virtual network? Use a VPN.

You want to bridge multiple networks but don’t want to bottleneck all your traffic through a single server? Try Tinc VPN for some decentralized mesh action.

You want a mesh VPN but want easier discovery and key distribution? Try ZeroTier, Tailscale, etc.

You like Tailscale but want to host it yourself? Try Headscale.

You like Tailscale but want something faster that you could host yourself? Try Netmaker.

You want to access region-locked web content without physically moving? Use a forward proxy hosted in the desired region.

You want to access region-locked content that might not be HTTP? Use a SOCKS proxy hosted in the desired region.

You want a SOCKS proxy but you want to encrypt all traffic between you and the proxy? Use SSH as a SOCKS5 proxy (ssh -D).

You want to access region-locked content but your client doesn’t know how to use proxy servers? Use a VPN hosted in the desired region, but route your internet-bound traffic through the VPN (remember to make an exception for the VPN server itself).

You want to access region-locked content in multiple regions but don’t want to manage multiple VPNs? Have someone else do it for you; try Mullvad, NordVPN, Windscribe, PIA, etc. (I don’t work for any of these; do your own research and take your pick).

What are the security requirements for your setup? Do you share content with friends and family? If so, then a reverse proxy is probably better. If not, and you control all the client devices, then Tailscale may be better because it may offer better security. (I don’t know if it does; I’m just suggesting the kind of questions you should consider.)

I personally use the Traefik reverse proxy, which I’ve configured with OAuth so that it proxies user authentication to Google. If Google authenticates the user, then my proxy grants access to that user (identified by their Gmail address) if they are in a whitelist of authorized users.

This gives me strong two-factor authentication (via Google) with a simple whitelist where I can add or remove users that have access to my self-hosted apps. No need to manage VPN software on every client…
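Two of the patterns in this thread fit into one small piece of code: the reverse-proxy items in the long answer above (several web services behind one port, picked by hostname, with TLS terminated once at the proxy) and the Traefik whitelist described in this comment (an identity asserted by the authentication layer is admitted only if it is on an exact-match allowlist). The following is an added illustration, not code from the thread, from Traefik or from Tailscale. The hostnames, backend ports, e-mail addresses and the `X-Forwarded-User` header name are all assumptions; the default-deny behaviour (unknown Host gets 421, identity not on the list gets 401) is the point being shown.

```python
"""Constructed example: a single-port HTTP gateway that (1) admits only identities
on an allowlist and (2) routes admitted requests to internal services by Host header.
Not code from the thread; hostnames, ports, e-mails and header names are assumed."""
from __future__ import annotations

import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed routing table: public hostname -> (internal host, port).
ROUTES: dict[str, tuple[str, int]] = {
    "plex.example.com": ("127.0.0.1", 32400),
    "komga.example.com": ("127.0.0.1", 25600),
}

# Assumed allowlist of authenticated identities, stored already normalised so the
# comparison is an exact match rather than a substring or prefix match.
ALLOWLIST: frozenset[str] = frozenset({"alice@example.com", "bob@example.com"})

# Header an upstream authentication layer is assumed to set after a successful login.
IDENTITY_HEADER = "X-Forwarded-User"

# Hop-by-hop headers belong to one connection and must not be forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def normalise_host(host_header: str | None) -> str | None:
    """Lower-case the Host value, drop any :port and trailing dot; None if unusable."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal: keep only the bracketed part
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    return host or None


def select_backend(host_header, routes=ROUTES):
    """Return the backend for a Host header, or None (default deny) if it is unknown."""
    host = normalise_host(host_header)
    return routes.get(host) if host else None


def is_authorized(identity, allowlist=ALLOWLIST) -> bool:
    """Exact, case-insensitive match of the asserted identity against the allowlist."""
    if not identity:
        return False
    return identity.strip().casefold() in allowlist


class GatewayHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # 1. Authorisation: the identity header is trusted only because the
        #    authentication layer in front of this gateway is assumed to set it.
        if not is_authorized(self.headers.get(IDENTITY_HEADER)):
            self.send_error(401, "identity not on allowlist")
            return
        # 2. Routing: unknown hostnames are refused rather than sent to a default.
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "no service for this host")   # Misdirected Request
            return
        # 3. Forward the request, minus hop-by-hop headers, plus X-Forwarded-* hints.
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        fwd["X-Forwarded-For"] = self.client_address[0]
        fwd["X-Forwarded-Host"] = self.headers.get("Host", "")
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=fwd)
            resp = conn.getresponse()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP | {"date", "server"}:
                    self.send_header(k, v)
            self.end_headers()
            self.wfile.write(resp.read())
        finally:
            conn.close()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # In a real deployment the listening socket is wrapped with an ssl.SSLContext
    # so TLS is terminated here once for every service behind it.
    ThreadingHTTPServer(("0.0.0.0", 8080), GatewayHandler).serve_forever()
```

The ordering matters: the allowlist check runs before routing, so an unauthenticated client learns nothing about which hostnames exist, and a request whose Host matches nothing is refused instead of falling through to a default backend.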

https://tailscale.com/kb/1223/tailscale-funnel/

Can I run Tailscale and a reverse proxy (Cloudflare) and Cloudflare Tunnel on the same server (Unraid) at the same time?

It depends on your use case. If you don’t see the need to add it to your setup, then why go adding complexity to something that is already working?

Personally, I use both Tailscale and a reverse proxy because I found a need to add Tailscale. However, I imagine my setup is a bit more over-the-top than most.

Great post! One suggestion though: instead of “try OpenVPN” it should read WireGuard. It’s waaaay better. (Yes, I used OpenVPN until the day that I finally tried WireGuard. It’s night and day…)

Thank you for an actually thorough explanation of use cases.

You want to access region-locked web content without physically moving? Use a forward proxy hosted in the desired region.

Can you tell me how to do this?

Your post is truly awesome. Cheers for the work mate!

Def one of the most helpful comments on Reddit.

I have Cloudflare set up as my DNS with my domain, so I’m not exposing my public IP.

No point in using this, honestly, when Cloudflare Tunnel exists.

WireGuard is amazing! It’s fast, secure, and efficient. Once you start using it, there’s no going back to the old way of doing things.

Squid is the old standby, packaged for many distributions, even with a Docker image. Tinyproxy and Privoxy could also be options, depending on your needs. And, the ever-popular reverse proxy Nginx could be configured to work as a forward proxy. Run that stuff on your remote server…

… and configure your browser or client to use the proxy. The procedure is different for each client. If your client doesn’t support proxies, you could try a proxifier program. Failing that, you could try forcing a transparent proxy by way of your router/firewall. If you’re this far down the rabbit hole, you might want to consider using a VPN :)

I have a vague understanding of this matter, but AFAIK Cloudflare Tunnel has a TOS that forbids using it for certain cases (streaming, for example). Before choosing it, make sure you are in the clear.

Downvoted for the truth

This sub is so weird

Yeah it’s exposed to Cloudflare but so what?

I’m sure Funnel will have that limitation at some point too. You also can’t use your own domain with Funnel.

Bandwidth ain’t free

I didn’t downvote you, but there is clearly a reason to use Funnel over Cloudflare Tunnels, even if you fail to see one.