I finally understand Cloudflare Zero Trust tunnels

(david.coffee)

311 points eustoria | 1 comments | 16 Nov 25 17:39 UTC | HN request time: 0.284s | source

Show context

jchw ◴[16 Nov 25 20:21 UTC] No.45948083[source]▶

One thing that makes Cloudflare worse for home usage is it acts as a termination point for TLS, whereas Tailscale does not. If you use a Tailscale Funnel, you get the TLS certificate on your endpoint. With Cloudflare, they get a TLS certificate for you, and then strip and optionally re-add TLS as traffic passes through them.

I actually have no idea how private networks with WARP are here, but that's a pretty big privacy downgrade for tunneling from the Internet.

I also consider P2P with relay fallback to be highly desirable over always relaying traffic through a third party, too. Firstly, less middlemen. Secondly, it continues working even if the coordination service is unavailable.

replies(11): >>45948135 #>>45948861 #>>45950399 #>>45950603 #>>45950673 #>>45950728 #>>45951628 #>>45951656 #>>45951950 #>>45957225 #>>45963338 #

jpdb ◴[16 Nov 25 22:06 UTC] No.45948861[source]▶

>>45948083 #

I generally prefer tailscale and trust them more than cloudflare to not rug-pull me on pricing, but the two features that push me towards cloudflared is the custom domains and client-less access. I could probably set it up with caddy and some plugins, but then I still need to expose the service and port forward.

replies(3): >>45949115 #>>45953064 #>>45955265 #

1. brendoelfrendo ◴[17 Nov 25 16:40 UTC] No.45955265[source]▶

>>45948861 #

> I could probably set it up with caddy and some plugins, but then I still need to expose the service and port forward.

Not so! I have custom domains on my Tailnet with Caddy. You just need to set up Caddy to perform the ACME DNS challenge to get certs for your domain (ironically I use Cloudflare for DNS because they make it very easy to set this up with just an API key). No plugins or open ports needed.

↑