|
| 1 | +--- |
| 2 | +title: "Cloudflare Tunnel vs Tailscale: Which one for Secure Homelab Remote Access ?" |
| 3 | +date: 2026-02-08 18:00:00 +0100 |
| 4 | +categories: [Homelab, Security] |
| 5 | +tags: [cloudflare-tunnel, tailscale, zero-trust, self-hosting, homelab] |
| 6 | +description: Stop being afraid of exposing your services (as always if you do it right) |
| 7 | +author: sofianlak |
| 8 | +image: |
| 9 | + path: /assets/img/headers/cloudflare-vs-tailscale.png |
| 10 | +--- |
| 11 | + |
| 12 | + |
| 13 | +## **The Remote Access Dilemma** |
| 14 | + |
| 15 | +When you start self-hosting services (Home Assistant, Dashboards, Web Apps), the inevitable question arises: |
| 16 | +<br> |
| 17 | +> *"How do I access this when I'm not at home?"* |
| 18 | +
|
| 19 | +For a long time, the default answer in the homelab community has been the VPN (WireGuard, [Tailscale](https://tailscale.com){:target="\_blank"} and more). The dogma is simple: **"Never expose anything to the public internet; it's too dangerous."** |
| 20 | + |
| 21 | +However, I often prefer using [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/){:target="\_blank"}. Am I being reckless? No. I would argue that for certain use cases, it is actually more secure than a traditional VPN. Let me explain why using a simple analogy. |
| 22 | + |
| 23 | +## **The Analogy: The Nightclub vs. The Backdoor** |
| 24 | + |
| 25 | +To understand the fundamental architectural difference, let's imagine your local network (your home server) is a private building. |
| 26 | + |
| 27 | +### **The VPN Approach (Tailscale): The Hidden Backdoor** |
| 28 | + |
| 29 | +{: width="972" height="363" style="border-radius: 20px;"} |
| 30 | + |
| 31 | +Using a VPN like Tailscale is like having a discrete backdoor that only you have the key to. |
| 32 | + |
| 33 | +- **The advantage:** No one knows this door exists. It is invisible from the street. |
| 34 | +- **The risk:** If someone steals your key (or your unlocked phone), they walk right into the building. Once inside, they have access to the living room, the kitchen, and the bedrooms. In cybersecurity terms, this is the risk of lateral movement. |
| 35 | + |
| 36 | +### **The Cloudflare Tunnel Approach: The Private Club** |
| 37 | + |
| 38 | +{: width="972" height="363" style="border-radius: 20px;"} |
| 39 | + |
| 40 | +Using Cloudflare Tunnel is like transforming your building into a private club with a main entrance visible from the street. |
| 41 | + |
| 42 | +> "But everyone can see the entrance!" (This is your public domain name). |
| 43 | +
|
| 44 | +- **The reality:** You have placed a bouncer ([Cloudflare Access/Zero Trust](https://www.cloudflare.com/fr-fr/zero-trust/products/access/){:target="\_blank"}) right in front of the door. The bouncer checks every single person's ID before they even touch the door handle. If you are not on the VIP list (your email, geo-location, a bot), you don't get in. |
| 45 | +- **The security:** Even better, the bouncer guides the guest only to the specific room they asked for (the specific app) and forbids access to the rest of the building (VIP room). |
| 46 | + |
| 47 | +## **Why Cloudflare Tunnel Wins on User Experience** |
| 48 | + |
| 49 | +Security is crucial, but daily usability is king. |
| 50 | +<br> |
| 51 | +Here is why Cloudflare often wins points over Tailscale for web services: |
| 52 | + |
| 53 | +- **The "clientless" experience**: With Tailscale, you must install the app on every device. Have you ever tried explaining to your family how to "turn on the VPN" just to view vacation photos? [It's friction](https://www.xda-developers.com/switching-from-cloudflare-tunnels-tailscale-hated-it/){:target="\_blank"}. With Cloudflare Tunnel, you just need a web browser. It works everywhere, on any device, instantly. |
| 54 | + |
| 55 | + |
| 56 | +- **Active protection (WAF)**: By routing traffic through Cloudflare, your connection is filtered. Malicious bots, vulnerability scanners, and DDoS attacks are blocked in the cloud before they ever reach your home internet connection. Your server only receives "clean" traffic. |
| 57 | + |
| 58 | + |
| 59 | +- **Granular access control**: This is the power of Zero Trust. I can decide that: |
| 60 | + - `admin.sofianlak.fr` is accessible only by me. |
| 61 | + - `plex.sofianlak.fr` is accessible by me and my family. |
| 62 | + |
| 63 | +With a standard VPN, it is often "all or nothing": once connected, you have network access. |
| 64 | + |
| 65 | +## **The Elephant in the Room: Privacy vs. Security** |
| 66 | + |
| 67 | +{: width="972" height="589" style="border-radius: 20px;"} |
| 68 | + |
| 69 | +We must be **honest**, there is a major difference between the two solutions regarding [data privacy](https://www.privacyguides.org/en/basics/why-privacy-matters/){:target="\_blank"}. |
| 70 | + |
| 71 | +- **Tailscale** = total privacy. |
| 72 | +<br> |
| 73 | +The encryption is end-to-end. No one, not even Tailscale, can see your data. It is mathematical. |
| 74 | +- **Cloudflare** = managed security. |
| 75 | +<br> |
| 76 | +To inspect traffic for attacks and apply authentication rules, Cloudflare must technically decrypt the traffic (this is TLS termination). |
| 77 | + |
| 78 | +**So my verdict**: |
| 79 | + |
| 80 | +Do I trust Cloudflare with my Home Assistant dashboard or my Uptime Kuma status page ? **Yes**. |
| 81 | +<br> |
| 82 | +Would I trust them with my admin console or my financial app? **No** (for that, I use Tailscale). |
| 83 | + |
| 84 | +## **When to Use Which? (The Hybrid Approach)** |
| 85 | + |
| 86 | +**Don't be dogmatic.** |
| 87 | +<br> |
| 88 | +The best solution is often to <u>use both</u>, but for different purposes. |
| 89 | + |
| 90 | +| Use Case | Recommended Tool | Why? | |
| 91 | +| --- | --- | --- | |
| 92 | +| Admin Access (SSH, Proxmox) | Tailscale | *Critical access, requires total privacy* | |
| 93 | +| Streaming (Plex, Jellyfin) | Tailscale | *Direct connection (P2P), no buffering, no ToS issues* | |
| 94 | +| Personal finance app (Sure )| Tailscale | *Cloudflare often throttles uploads on the free tier* | |
| 95 | +| Web Apps (Home Assistant, FluxRSS) | Cloudflare Tunnel | *Easy access, WAF protection, no app install required* | |
| 96 | +| Sharing with Friends/Family | Cloudflare Tunnel | *Secure via email/SSO without giving access to your LAN* | |
| 97 | + |
| 98 | +## **Conclusion** |
| 99 | + |
| 100 | +Having a public URL does not mean you are <mark>"wide open to the wind"</mark> |
| 101 | + |
| 102 | +If you correctly configure [Cloudflare Access (Zero Trust policies)](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/){:target="\_blank"}, you achieve an enterprise-grade level of security with the comfort of standard web usage. It is the difference between leaving your front door open and having a professional security team at the entrance. |
| 103 | + |
| 104 | +For my homelab, I have chosen ease of use for daily tasks (Cloudflare), and discretion for administration (Tailscale). |
0 commit comments