
311 points eustoria | 5 comments

jchw (No. 45948083)
One thing that makes Cloudflare worse for home usage is it acts as a termination point for TLS, whereas Tailscale does not. If you use a Tailscale Funnel, you get the TLS certificate on your endpoint. With Cloudflare, they get a TLS certificate for you, and then strip and optionally re-add TLS as traffic passes through them.

I actually have no idea how private networks with WARP are here, but that's a pretty big privacy downgrade for tunneling from the Internet.

I also consider P2P with relay fallback to be highly desirable over always relaying traffic through a third party. Firstly, fewer middlemen. Secondly, it continues working even if the coordination service is unavailable.

replies (11): No. 45948135, 45948861, 45950399, 45950603, 45950673, 45950728, 45951628, 45951656, 45951950, 45957225, 45963338

1. keehun (No. 45948135)
TLS termination is neither required nor enabled by default, right?
replies (2): No. 45948171, 45948618

2. crimsonnoodle58 (No. 45948171)
Correct. We run it without it and just use the DNS filtering aspect.
replies (1): No. 45948321

3. philipwhiuk (No. 45948321)
How does it do DNS filtering without TLS interception - takeover for DNS resolution?
replies (1): No. 45950381

4. jchw (No. 45948618)
For tunnels many of the features basically have to work this way, so I'd be surprised if you could avoid it. It's also impossible to avoid if you use normal Cloudflare "protected" DNS entries. You can use Cloudflare as just a DNS server, but it's not the default: by default it will proxy everything through Cloudflare, since that's kind of the point. You can't cache HTTP requests you can't see.
5. arcfour (No. 45950381)
In what way are DNS resolution and TLS related except for the little-used DoT?