←back to thread

I finally understand Cloudflare Zero Trust tunnels

(david.coffee)
311 points eustoria | 1 comments | 16 Nov 25 17:39 UTC | HN request time: 0s | source
Show context
jchw ◴[16 Nov 25 20:21 UTC] No.45948083[source]
One thing that makes Cloudflare worse for home usage is it acts as a termination point for TLS, whereas Tailscale does not. If you use a Tailscale Funnel, you get the TLS certificate on your endpoint. With Cloudflare, they get a TLS certificate for you, and then strip and optionally re-add TLS as traffic passes through them.

I actually have no idea how private networks with WARP are here, but that's a pretty big privacy downgrade for tunneling from the Internet.

I also consider P2P with relay fallback to be highly desirable over always relaying traffic through a third party, too. Firstly, less middlemen. Secondly, it continues working even if the coordination service is unavailable.

replies(11): >>45948135 #>>45948861 #>>45950399 #>>45950603 #>>45950673 #>>45950728 #>>45951628 #>>45951656 #>>45951950 #>>45957225 #>>45963338 #
jpdb ◴[16 Nov 25 22:06 UTC] No.45948861[source]
I generally prefer tailscale and trust them more than cloudflare to not rug-pull me on pricing, but the two features that push me towards cloudflared is the custom domains and client-less access. I could probably set it up with caddy and some plugins, but then I still need to expose the service and port forward.
replies(3): >>45949115 #>>45953064 #>>45955265 #
jchw ◴[16 Nov 25 22:38 UTC] No.45949115[source]
I'm definitely not trying to dissuade anyone from using Cloudflare, just making sure people realize the potential privacy implications of doing so. It isn't always obvious, even though some of the features pretty much require it (at least to be handled entirely on Cloudflare's side. You could implement similar features that are split between the endpoint and the coordination server without requiring full TLS stripping. Maybe Tailscale will support some of those as features of the `serve` server?)

> client-less access

JFYI, Tailscale Funnels also work for this, though depending on your use case it may not be ideal. Ultimately, Cloudflare does handle this use case a bit better.

replies(1): >>45950545 #
jpdb ◴[17 Nov 25 03:08 UTC] No.45950545[source]
Tailscale funnels do work, but it's public only. No auth.
replies(2): >>45950702 #>>45956303 #
1. jchw ◴[17 Nov 25 03:50 UTC] No.45950702[source]
Yeah, because the auth can't be done on Tailscale's end if they don't terminate the TLS connection. However, it is still possible to use an authentication proxy in this situation. Many homelab and small to medium size company setups use OAuth2 Proxy, often with Dex. If you wanted to get fancier, you could use Tailscale for identity when behind the firewall and OAuth2 Proxy when outside the firewall.

This may seem like a lot of effort and it is definitely not nothing, but Cloudflare Tunnels also has a decent number of moving parts and frankly their authentication gateway leaves a bit to be desired for home users.