Hello I’ve been using cloudflare to get remote access for the couple apps I selfhost, but lately I’ve been hearing about the wonders of tailscale.
It seems that the free tier is enough for my use. Which would be a safe option to have remote access for my 3D printer? Also how are both in terms of privacy?
You can just self-host Wireguard on an always-free Oracle cloud machine (or of course any other cloud host). It’s quite easy to set up and there are open source Wireguard UIs and clients for any OS. I will never rely on a company like Tailscale or Cloudflare for something like this.
That wouldn’t help with accessing their home network.
I would use WireGuard at home for this, but we have CGNAT so that is impossible/hard, so I just use Tailscale, which uses WireGuard anyway.
Yes, it would. If WireGuard is hosted on a VPS, they can set up a client on their home network and mobile device, bypassing their home and ISP NAT.
WireGuard wouldn’t work with CGNAT. The two servers can’t connect. I can’t get it to work anyways.
If it weren’t for CGNAT, are you saying that OP could connect all their servers to the VPS using WireGuard and then OP could connect to the VPS? In that case it seems easier to just host a wireguard on one of the servers at home and I highly recommend doing that if you don’t need to deal with CGNAT.
I think you could host your own Tailscale server on a VPS and then use tailscale on the servers and your client computers/mobile to bypass CGNAT. That’s basically what I am doing right now, except I haven’t hosted my own Tailscale server.
I think you have a misunderstanding about wireguard clients.
As long as the server isn’t behind a cgnat, a connection from the client to the server can be made. It does not matter if the client is behind a cgnat or not. If that were true, privacy vpns like proton and mullvad would not work.
That said, Tailscale is easy to set up compared to a WireGuard tunnel, but WireGuard has potentially more performance because Tailscale uses wireguard-go rather than the WireGuard kernel module.
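The hub-and-spoke layout described in this thread (VPS in the middle, home server and phone both behind NAT or CGNAT dialing out to it) in WireGuard config form. This is an added example, not a config posted by anyone in the thread; the keys are placeholders, the tunnel range 10.8.0.0/24, the LAN 192.168.1.0/24, the hostname vps.example.com and the interface name eth0 are constructed, and it assumes Linux with wg-quick and iptables on the VPS and the home server. Only the VPS needs an inbound firewall rule (UDP 51820); neither spoke has an Endpoint the hub must reach, because the hub learns each spoke's address from its outbound handshake and PersistentKeepalive keeps that NAT mapping alive.

```ini
# ===== VPS hub: /etc/wireguard/wg0.conf =====
# Public IP, UDP 51820 allowed inbound. Forwards between the two spokes.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home server behind CGNAT: no Endpoint, the hub cannot dial it.
# AllowedIPs lists its tunnel address plus the home LAN it fronts.
[Peer]
PublicKey = <HOME_SERVER_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# Phone: only its own tunnel address is routed to it.
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ===== Home server: /etc/wireguard/wg0.conf =====
# Dials out to the hub; forwards tunnel traffic into the LAN (printer etc.).
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_SERVER_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24
# Re-handshake every 25 s so the CGNAT keeps the outbound mapping open.
PersistentKeepalive = 25

# ===== Phone: imported via the WireGuard app =====
# Split tunnel: only the hub range and the home LAN go through WireGuard.
[Interface]
Address = 10.8.0.3/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Traffic from the phone to 192.168.1.50 is routed to the hub (AllowedIPs match), the hub forwards it to the home server because that peer claims 192.168.1.0/24, and the home server masquerades it onto the LAN so the printer replies to a local address. Check the mapping is being held open with `wg show wg0 latest-handshakes` on the hub; a spoke whose handshake age keeps exceeding a couple of minutes is the sign that keepalive is missing or its NAT is dropping the binding early.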
I haven’t tried reversing it like that, but I was under the impression that there were no specific servers or clients in WireGuard land and that both devices had to connect to each other and authenticate.
I have never really thought about how the servers of VPN providers are supposed to work if this was the case.
I guess I just got confused when I tried setting it up someday.
I haven’t benchmarked it personally but apparently tailscale and WireGuard are very similar in performance due to optimization done by tailscale. I think they wanted to push the improvements upstream but I am not sure if that happened or if it’s still waiting.
I believe performance is situationally dependent, so it may or may not be faster, but it theoretically is. I personally choose wireguard over tailscale because it’s one less 3rd party involved, not for potential performance increases.
That’s fair. I use Wireguard somewhere else for the same reason.
What I enjoy with tailscale is that the traffic goes directly from the host to the client.
Since there is no cloud relay I can connect to all my services via tailscale, even on local network and it’s not going to impact the speed.
This way I only have one setup that works the same way on local network or remotely but still have the local network speed when I am at home.
That’s amazing, I thought it would slow down on LAN, since my upload speed is really slow.
I discovered Tailscale from this post and, after reading their “how Tailscale works”, I was hoping to get some clarification from an active user (you).
CF tunnels set up an outbound-only tunnel from my private network via cloudflared; I have no ingress holes in my firewall to access my services. cloudflared does all the proxying. Plus my IP changes monthly as I don’t pay for a static one from my ISP. This “outbound-only” connection is resilient to that.
Tailscale is a point-to-point (for data plane) connection and only the control plane is “hub and spoke”. This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true, or where did I misunderstand?
You may want to check this out. This article also explains TLS termination and TLS passthrough.
Definitely Tailscale
Neither, I set up a VPS and WireGuard. I also use NetBird for some things that aren’t publicly accessible.
Do you mean Wireguard? I couldn’t find anything called Fireguard.
Yes
If it’s just you, and you’re willing to install it on all your devices, Tailscale is the best option IMO. If you need to share things with others, use CF Tunnels.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
CF: CloudFlare
CGNAT: Carrier-Grade NAT
DNS: Domain Name Service/System
HTTP: Hypertext Transfer Protocol, the Web
HTTPS: HTTP over SSL
IP: Internet Protocol
NAT: Network Address Translation
SSH: Secure Shell for remote terminal access
SSL: Secure Sockets Layer, for transparent encryption
TLS: Transport Layer Security, supersedes SSL
VPN: Virtual Private Network
VPS: Virtual Private Server (opposed to shared hosting)
[Thread #262 for this sub, first seen 5th Nov 2023, 06:50]
The Tailscale server can also be self-hosted; look into headscale.
From my own experience, I still can’t set up headscale on my Android phone; I think the latest Tailscale app broke the custom server setting. Don’t install from Google Play.
Cloudflare hates VPNs, so when it comes to privacy, it’s not really a contest.
Cloudflare ironically has a VPN-ish service that no one talks about called Cloudflare Warp.
WARP (a client) just connects you to CF’s network.
If your server is running cloudflared (an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That’s the principle behind Zero Trust.
While technically, yes, WARP can be considered a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.
I sometimes use it to access The Pirate Bay since it’s banned where I live.