Switching from Cloudflare to Tailscale: A Network Experiment

Editorial

Recent testing of network solutions resulted in a clear preference for Cloudflare over Tailscale for managing public access services. The experiment involved migrating from Cloudflare Tunnels, a longstanding choice known for its ease of use within restrictive network conditions, to Tailscale, which is recognized for its secure private connectivity. Despite initial enthusiasm for Tailscale’s potential, the transition revealed significant challenges that ultimately reaffirmed the effectiveness of Cloudflare Tunnels in specific scenarios.

Understanding the Network Environment

The decision to switch was driven by the desire for improved functionality in a managed Wi-Fi environment that utilizes carrier-grade NAT (CGNAT). This setup limits direct access to the modem and router, preventing traditional port forwarding. Cloudflare Tunnels has effectively navigated these constraints by establishing an outbound connection from the server to Cloudflare’s network. In contrast, Tailscale, while adept at creating private connections between authenticated devices, struggled with the requirement for public service exposure.

The first service migrated was Nextcloud, a crucial tool for remote access. Tailscale provided satisfactory private access within its own network, but it could not deliver the public service functionality that was needed. The Tailscale Funnel feature, intended to expose services publicly, is not universally available across all platforms, which further complicates its use in restrictive environments.

Cloudflare’s Advantage in Public Access

Cloudflare Tunnels operates by opening an outbound connection via the cloudflared daemon on port 443, a configuration that works seamlessly across most networks. This method allows Cloudflare to accept incoming requests and route them securely to the server. As a result, the Nextcloud instance was readily accessible from outside the network without requiring special approvals or adjustments.

The ease of use and immediate accessibility of Cloudflare Tunnels are a crucial advantage, particularly for users in managed residences who have no control over their network configuration. The ability to expose dashboards and self-hosted tools without requiring external users to authenticate or join a private network makes Cloudflare indispensable for public-facing services.
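The outbound-tunnel setup described above, sketched as a cloudflared configuration file. This is an added example, not the author's own configuration: the hostnames, local ports, file path and every `<...>` value are placeholders, and the second rule assumes a Cloudflare Access application has been created for the dashboard hostname.

```yaml
# Constructed example: hostnames, ports, paths and <...> values are placeholders.
# cloudflared dials out to Cloudflare over 443; no inbound port is opened,
# which is why this works behind CGNAT.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public service: anyone who knows the hostname reaches it, so the
  # application's own login (here Nextcloud) is the only gate.
  - hostname: nextcloud.example.com
    service: http://localhost:8080

  # Admin dashboard: cloudflared refuses requests that do not carry a valid
  # Cloudflare Access token for this application, so the tool is never
  # served to unauthenticated visitors.
  - hostname: dash.example.com
    service: http://localhost:3000
    originRequest:
      access:
        required: true
        teamName: <ACCESS-TEAM-NAME>
        audTag:
          - <ACCESS-APP-AUD-TAG>

  # Required final catch-all: hostnames not listed above get a 404
  # instead of being forwarded to a local service.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the rule list, and `cloudflared tunnel ingress rule https://dash.example.com` reports which rule a given URL would match.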

While Tailscale’s performance in private networking is commendable, providing fast and secure connections, it does not meet the requirements for public access under the current network restrictions. The limitations faced were not due to configuration errors but rather stemmed from the inherent design of Tailscale, which is optimized for private communication rather than broad public exposure.

Necessary Improvements for Tailscale

For Tailscale to become a viable alternative to Cloudflare in public service scenarios, several improvements would be necessary. First, broader availability of the Funnel feature across supported platforms is essential. Currently, its limited reach makes it a less reliable solution for users needing public access.

Additionally, Tailscale could benefit from a more flexible model that allows public access without requiring users to join a tailnet. This adjustment would significantly enhance its appeal for general internet reachability, particularly for users in environments with strict network limitations.

Lastly, Tailscale needs to strengthen its handling of CGNAT scenarios. A dedicated public-access mode designed to operate effectively under restrictive conditions would allow Tailscale to compete more effectively with Cloudflare’s established capabilities.

The findings from this experiment highlight that while Tailscale excels in private networking, Cloudflare Tunnels remains the superior choice for users needing reliable public access solutions. The inherent challenges of managing a service within the confines of CGNAT underscore the necessity of a tool adept at providing stable public entry points.

Ultimately, should the network conditions change—such as moving to an independent internet service provider—there may be potential for a more balanced competition between Tailscale and Cloudflare. The flexibility to control the network infrastructure could open new avenues for utilizing both services effectively, allowing for a more nuanced comparison of their respective strengths. Until then, Cloudflare continues to meet the specific needs of users relying on public service accessibility in restrictive environments.
