Hello I’ve been using cloudflare to get remote access for the couple apps I selfhost, but lately I’ve been hearing about the wonders of tailscale.

It seems that the free tier is enough for my use. Which would be a safe option to have remote access for my 3D printer? Also how are both in terms of privacy?

  • monkeyman512@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    A VPN is going to offer better security. I would only use cloudflare if you need something to be open to the public. This is useful when you have non-technical users that aren’t going to understand using a VPN.

    • Evotech@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Just use CF with host restrictions. You can easily add which hosts should have access of you want to limit access further

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    1 year ago

    Tailscale. Because it can do both. It functions as a mesh VPN for private access, but it also has Tailscale Funnel which does the same thing as Cloudflare tunnels but you don’t give all your traffic to Cloudflare

    • keyez@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Is there a specific reason tailscale having all the same traffic opposed to cloudflare is a better option? I use cloudflare tunnels right now and figured them handling some of the data is better than me by myself.

      • brakenium@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Tailscale shouldn’t be getting your data anyway. It’s a mesh VPN that directly connects devices after their auth server gives out certs and let’s clients know where to find another. If you’re not comfortable with using their server for this I’d suggest you look into the open source headscale server. I do remember it routing through their server in the rare case NAT punching doesn’t work

        • keyez@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Thanks for the info. Though I fail to see how it’s much different than cloudflare tunnels, I’ll probably stick with that for the near future but will try out tailscale funnel in the future.

          • Encrypt-Keeper@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            It’s not functionally different from Cloudflare tunnels, that’s the point. You get the same functionality without giving all your data to a corporation.

            • keyez@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              1 year ago

              I’m curious how if they’re functionally the same, one has all the data and the other “shouldn’t be getting your data anyway”. Was mostly curious to hear about informed differences in the products but clearly not going to get that, cheers.

              • brakenium@lemm.ee
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                You can selfhosted tailscale so that they don’t have any access. You can’t with cloudflare tunnels as far as I know. Tailscale’s client is open source, so is their Headscale server which originally was developed by a 3rd party. You can look into the code for that. Not sure what you’d want me to say. If you really want to be informed I’d inspect the code yourself

                • keyez@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  I’m self hosting cloudflared right now, the TLS from cloudflare terminates in a container in my network and then goes to my reverse proxy container for my local network. I’m definitely going to poke around tailscale and their funnels for the future, I’m just playing devils advocate for those replying not knowing anything about cloudflare tunnels yet saying they’re the wrong choice.

              • Encrypt-Keeper@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Because Cloudflare decrypts all your traffic, and Tailscale doesn’t. It’s still functionally the same though because you accomplish the game goal in a similar manner, but one is privacy respecting and one isn’t.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        Well like… if you’d rather put your data in the hands of a company instead of your own when you could easily do the same thing yourself, why are you self hosting in the first place?

        • keyez@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Just my two cents I’d prefer my traffic going through Cloudflare vs Tailscale if it’s all the same, since I’ve heard a lot about Tailscale but know nothing. I’ve interacted on Github threads with people from cloudflare and they’re all super nice and their blog posts and post-mortems are very insightful. Was curious to see if people had actual insight but appears it’s just auto cloudflare = bad.

          • Encrypt-Keeper@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            That’s the beauty of Tailscale, you don’t have to trust them, because they don’t MITM your data, unlike with Cloudflare. I’m sure the employees of Cloudflare are nice, but so are the employees of any company, good or bad. It’s not that Cloudflare is necessarily bad, but you’re putting them in a position of trust over the content of your data you send through them, as opposed to trusting no one.

            I’m sure most of the people who work for Google are very nice people, but people still switch to self hosting for the privacy and control over their own data, and the same goes for Cloudflare.

            • keyez@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              2
              ·
              1 year ago

              Got any info on how cloudflare MITM and decrypts all traffic but tailscale doesn’t? Playing devils advocate and pointing out how not much you’re saying is making sense.

              • Encrypt-Keeper@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                Look man I get that you’re not very tech literate and as a hobbyist that’s perfectly ok but just because you don’t know much about technology doesn’t mean the technology doesn’t make sense. You wanted to know what’s different and I told you, you wanted to know how and I told you. If you still don’t understand something then you need to articulate that and ask an actual question. It took me years to earn a degree in network engineering I can’t just distill all of that knowledge into a single comment for you to cover every possible dependent piece of knowledge that you’re lacking because all you can communicate is “I don’t get it”. You have to be specific on what it is specifically that you’re not getting.

                I will indulge you again here under what might be a false assumption that you genuinely want to know the answer.

                Cloudflare MITMs your traffic because that’s how it was designed. Your traffic is encrypted to their servers, de encrypted, then reencrypted between Cloudflare and your server. They can see and modify any data you send through them. All your passwords, tokens, and personal information are readable by Cloudflare. Therefore there’s an incredible amount of trust you need to put in Cloudflare, and the security of their systems.

                Tailscale on the other hand has a service called funnel, which is a direct replacement to Cloudflare tunnels, however they differ in that Tailscale is a company with privacy and security as a priority and they accomplish the same goal as CF tunnels but their solution is designed to keep your data encrypted end to tend, from your client to your server. You therefore don’t need to place all that trust with Tailscale because they can’t see or modify your data even if they wanted to.

                Both services accomplish the task of proxying public traffic to your backend server, however CF opens up all your data, and Tailscale doesn’t. Think of them both like a postal service, except Cloudflare opens up all your mail and puts it into new envelopes before giving it to the carrier for delivery to your mailbox. A lot of us prefer the postal service that just leaves your mail sealed from origin to destination.

                • varsock@programming.dev
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.

                  I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn’t matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF’s network.

                  And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tollerence

              • milkjug@lemmy.wildfyre.dev
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                EncryptKeeper’s explanation is perfectly concise and informative if you have a cursory grasp of self hosting and networking.

                If it’s not making sense to you, I would suggest revisiting some of the technical fundamentals of self-hosting, which admittedly is quite an advanced topic that most people don’t, and do not need to care about.

                You would be equally well-served, perhaps more so (if you don’t really care about privacy or terms of service) by sticking to regular cloud services. The road to self-hosting is arduous and if done wrongly, causes you more harm than good. Especially if your technical foundation is not yet strong. Which your posts suggest is the case.

                • keyez@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  I appreciate the thoughtful reply but my issue with their explanation is not in the concepts or how it operates but in the fact they stated that Cloudflare tunnels were not an option to choose despite proving they have no knowledge in how they are used or operate.

  • axzxc1236@lemm.ee
    link
    fedilink
    English
    arrow-up
    13
    ·
    edit-2
    1 year ago

    Tailscale server can also be self-hosted, look into headscale.

    From my own experience, I still can’t setup headscale on my Android phone, I think latest tailscale APP fucked up setting custom server function. Don’t install from Google Play

  • PeachMan@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    If it’s just you, and you’re willing to install it on all your devices, Tailscale is the best option IMO. If you need to share things with others, use CF Tunnels.

  • Zoidberg@lemm.ee
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    I like tailscale and have been testing it for a few months. I’m also using headscale as the control plane.

    Unfortunately the android client is somewhat unreliable. It works most of the time but once in a while, connections to your tailnet will fail for a bit and require retries. If you ping a machine in your tailnet during this problem, it will show packet loss and then start working after a few pings. This unfortunately makes it difficult to have a reliable split DNS setup.

    I’ve done everything to try and understand what happens without success. It seems like state is lost somewhere and a few packets flowing will fix it. Running a constant ping from Android to my tailnet “fixes” the problem, but is not a great workaround.

    Just something to keep in mind before you jump headfirst.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CF CloudFlare
    CGNAT Carrier-Grade NAT
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    NAS Network-Attached Storage
    NAT Network Address Translation
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

    [Thread #262 for this sub, first seen 5th Nov 2023, 06:50] [FAQ] [Full list] [Contact] [Source code]

  • state_electrician@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    You can just self-host Wireguard on an always-free Oracle cloud machine (or of course any other cloud host). It’s quite easy to set up and there are open source Wireguard UIs and clients for any OS. I will never rely on a company like Tailscale or Cloudflare for something like this.

    • lud@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      1 year ago

      That wouldn’t help with accessing their home network.

      I would use wireguard at home for this, but we have CGNAT so that is impossible/hard so I just use tailscale, which uses WireGuard anyways.

      • RaisinBrand@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yes it would. If wireguard is hosted in a vps, they can setup a client on their home network and mobile device, bypassing their home and isp nat.

        • lud@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          WireGuard wouldn’t work with CGNAT. The two servers can’t connect. I can’t get it to work anyways.

          If it weren’t for CGNAT, are you saying that OP could connect all their servers to the VPS using WireGuard and then OP could connect to the VPS? In that case it seems easier to just host a wireguard on one of the servers at home and I highly recommend doing that if you don’t need to deal with CGNAT.

          I think you could host your own Tailscale server on a VPS and then use tailscale on the servers and your client computers/mobile to bypass CGNAT. That’s basically what I am doing right now, except I haven’t hosted my own Tailscale server.

          • RaisinBrand@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I think you have a misunderstanding about wireguard clients.

            As long as the server isn’t behind a cgnat, a connection from the client to the server can be made. It does not matter if the client is behind a cgnat or not. If that were true, privacy vpns like proton and mullvad would not work.

            That said, tailscale is easy to setup compared to a wireguard tunnel, but wireguard has potentially more performance because tailscale uses wireguard-go rather than wireguard kernel.

            • lud@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I haven’t tried reversing it like that, but I was under the impression that there were no specific servers or clients in WireGuard land and that both devices had to connect to each other and authenticate.

              I have never really thought about how the servers of VPN providers are supposed to work if this was the case.

              I guess I just got confused when I tried setting it up someday.

              I haven’t benchmarked it personally but apparently tailscale and WireGuard are very similar in performance due to optimization done by tailscale. I think they wanted to push the improvements upstream but I am not sure if that happened or if it’s still waiting.

              • RaisinBrand@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I believe performance is situationally dependent, so it may or may not be faster, but it theoretically is. I personally choose wireguard over tailscale because it’s one less 3rd party involved, not for potential performance increases.

                • lud@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  That’s fair. I use Wireguard somewhere else for the same reason.

  • flappy@lemm.ee
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    Cloudflare hates VPNs, so when it comes to privacy, it’s not really a contest.

    • hottari@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      Cloudflare ironically has a VPN-ish service that no one talks about called Cloudflare Warp.

      • varsock@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        WARP (a client) just connects you to CF’s network.

        If your server is running cloudflared (an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That’s the principal behind Zero Trust.

        While techinically yes, WARP can be considered as a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.

        • hottari@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Warp is 2 products. A wireguard-go VPN that changes your IP and uses cloudflare’s network instead of your ISP. This service doesn’t necessarily require the 1.1.1.1 app (desktop app is called cloudflared) since it’s just Wireguard under the hood.

          And Warp is also a VPN tunnel that allows you to reach services hosted on Cloudflare’s network with their client cloudflared as you just described. This allows you to make any service available on the internet and further manage its access using Cloudflare’s firewall options or Zero Trust for secure private applications.

          The latter use is more popular than the former in my observance since not many people I know aside from the Chinese use it as a VPN. (mainly for circumventing their national firewall).

  • BastingChemina@slrpnk.net
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    What I enjoy with tailscale is that the traffic goes directly from the host to the client.

    Since there is no cloud relay I can connect to all my services via tailscale, even on local network and it’s not going to impact the speed.

    This way I only have one setup that works the same way on local network or remotely but still have the local network speed when I am at home.

    • varsock@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      discovered tailscale from this post and after reading their “how tailscale works” I was hoping to get some clarification from an activer user (you).

      CF tunnels setup an outbound-only tunnel from my private network via cloudflared, I have no ingress holes in my firewall to access my services. cloudflared does all the proxying. Plus my IP changes monthly as I don’t pay for a static one from my ISP. This “outbound-only” connection is resilient to that.

      Tailscale is point-to-point (for data plane) connection and only the control plane is “hub and spoke”. This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true or where did I misunderstand?

      • BastingChemina@slrpnk.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m probably not the beat person to answer to you about the technical aspect and I’m not sure if I fully understand your question.

        However I can tell you that there is no need to change anything at network level for tailscale to work.

        I’ve installed and used tailscale on desktops, VM, raspberry, NAS or smartphone on plenty of different network, I’ve also remotely guided people to install tailscale on their machine at home and it always just worked. No issue at all and nothing to change on the network for it to work.

        • varsock@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          interesting, I’ll have to read about this some more then. thanks for pointing me in the right direction

  • Moonrise2473@feddit.it
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    Why not both?

    I use tailscale for full access to network and cloudflare tunnels to specific access to a service

  • Lunch@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    Tailscale Funnel and Serve will also let you point services to the public. I only use tailscale for all of my access needs and it’s perfect and easy to handle 👌

  • sntx@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m suprised nobody mentioned nebula: A scalable overlay networking tool with a focus on performance, simplicity and security.

    I’ve been running it for about two years on multiple machines and it worked flawlessly so far. Even connecting two hosts, both behind mullvad-vpn tunnels.

    The only downside is, that you have to host your own discovery server (callled “lighthouses”). One is fine, but running at least two removes the single point of failure from the network.