
311 points eustoria | 1 comments
jchw No.45948083
One thing that makes Cloudflare worse for home usage is it acts as a termination point for TLS, whereas Tailscale does not. If you use a Tailscale Funnel, you get the TLS certificate on your endpoint. With Cloudflare, they get a TLS certificate for you, and then strip and optionally re-add TLS as traffic passes through them.

I actually have no idea how private networks with WARP are here, but that's a pretty big privacy downgrade for tunneling from the Internet.

I also consider P2P with relay fallback to be highly desirable over always relaying traffic through a third party, too. Firstly, fewer middlemen. Secondly, it continues working even if the coordination service is unavailable.

keehun No.45948135
TLS termination is neither required nor enabled by default, right?
crimsonnoodle58 No.45948171
Correct. We run it without it and just use the DNS filtering aspect.
philipwhiuk No.45948321{3}
How does it do DNS filtering without TLS interception - takeover for DNS resolution?
arcfour No.45950381{4}
In what way are DNS resolution and TLS related except for the little-used DoT?