←back to thread

I finally understand Cloudflare Zero Trust tunnels

(david.coffee)
311 points eustoria | 1 comments | 16 Nov 25 17:39 UTC | HN request time: 0.201s | source
Show context
jorams ◴[16 Nov 25 23:38 UTC] No.45949508[source]
> after frustration with Tailscale in environments where it couldn’t properly penetrate NAT/firewall and get a p2p connection, I decided to invest some time into learning something new: Cloudflare Zero Trust + Warp

...which doesn't even try to get a p2p connection. Instead you always get the thing you didn't want. If you're okay with that you could've just ignored how Tailscale connected those devices, that's kind of the point. You've also in the process converted your entire security model to Cloudflare's idea of "Zero Trust" which involves 100% trusting Cloudflare.

The rest of the blog post is fine, but the motivation is honestly baffling.

replies(2): >>45949670 #>>45950123 #
1. rainsford ◴[17 Nov 25 00:00 UTC] No.45949670[source]
Is the connection through Cloudflare still encrypted between the two peers, as it would be going through a Tailscale relay? If not, that's definitely a downgrade using the Cloudflare approach. But if not, I'm not sure the trust model is significantly different with maybe the added benefit of the fact that Cloudflare's relay performance is likely better given that relaying traffic is kind of their main thing rather than a very secondary function like it is for Tailscale.

On the other hand, my experience with Tailscale is that they're very, very good at NAT hole punching and I'd rather have a direct connection where possible from a latency standpoint.