Someone here brought up that they were able to replace Cloudflare Tunnels with Tailscale - I can’t seem to find the post, as it was a comment and deeply buried in a thread I’ve since forgotten the title of. :)
Can anyone explain the process for doing this? I assume it’s through the use of their Funnel? I have three primary services I require to be accessible through Authentik (that’s one of them) via my domain name.
EDIT
To answer the question of why I want to leave Cloudflare Tunnels - is basically that I have several services behind it (I forgot one so make that 4 I wish to have exposed). Two password managers, Psono for my special needs daughter which finds it easier than Bitwarden and Vaultwarden for myself and my work logins. So, I can’t just set up a VPN or Tailscale at work to connect my work passwords to. :) I also have Authentik and Home Assistant tunneled at present. That doesn’t explain the reason why though so let me start here:
My step-daughter is learning video production and editing, we don’t want to share her videos on Youtube or other sites, but would like to keep it more local to home. With that said, Cloudflare may not notice it at first, bit it’s against their TOS to stream videos, not to mention their just over 100mb cap for file xfers which leads me to the next reason. Early in May of this year, we were in an auto accident, and we are frequently sending forms, accident photos and paperwork etc to the Attorneys, I want to have control of the ownership of the files and would prefer not to email them, but link them to my server, frequently, those files even zipped can be over 100mb.
I do have a private DDNS provider I have my domain CNAME pointed to so it resolves to the home IP that way, so the ultimate plan is to untie my site from Cloudflare’s DNS to a offload to a VPS or two for (NS1 and NS2) With a recent issue with Oracle Cloud, I’m not motivated to use them for this basic purpose.
And just a small part of me is starting to get tin hat against the idea that Cloudflare can decrypt the data before it hits my site before it encrypts it. Just just isn’t sitting well with me at the moment. I can’t verify this data yet, but I like to play it safe than sorry.
EDIT 2
So, I ran a funnel test and yes it works, but still have to use the ts.net like others said, so at best, I can figure this to be a good backup service. I can’t forward a CNAME to my TS DNS. I checked /r/tailscale (Duckduckgo sent me there), and about a month ago, someone asked if you could use your own domain, the answer was “not yet” but there seems to be some interest.
What I found pretty fascinating is the mobile app does work quite well on Android and is so far so good, I can at least feel better knowing that the phones are on WG full time now through Tailscale. I had issues with the official WG client and another one staying on with our phones full time, so this so far has been a good improvement.
Is there a reason to expose your services to the whole internet? That’s what CF tunnels and Tailscale Funnel do.
I can’t really recommend either of them, Funnel forces you to use a .ts.net subdomain you can’t use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and reencrypt it on the fly, meaning they are able to look at your unencrypted traffic.
If you really must expose your services publicly then get a cheap VPS, point your domain
A
andAAAA
records at its public IPs, make a tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let’s Encrypt certificates for your domain).This way you get an unbroken TLS connection all the way through, with nobody in the middle.
The tunnel that you use between your server and the VPS can work behind CGNAT because it’s outgoing.
Technically the tunnel doesn’t necessarily need to be encrypted because it will only carry TLS connections anyway, but then you have to deal with authorization. It’s probably simplest to do an SSH tunnel.
According to tailscale they do not decrypt just relay.
Also, you can host your own server: https://headscale.net/
deleted by creator
There’s still going to be a gap where traffic is unencrypted and under their software’s control. The gap takes place on your node rather then one of their servers but it still exists. You can’t avoid the TLS gap when you switch domain names mid-connection.
Whether having the gap on their node rather than on Tailscale’s server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn’t have a TLS gap.
deleted by creator
Only if that nginx is advertising the .ts.net domain, and using the certificates for the .ts.net domain, which means you have to export and renew them manually via
tailscale cert
. If you let Tailscale manage them you will have a TLS gap.deleted by creator
This method is perfect for fully controlling your traffic. As another option, you can run a wireguard VPN on the vps and route traffic back through the VPN. In my experience wireguard has better performance than an ssh tunnel and allows for actual network topology with subnets rather than just raw port forwarding.
Seconding wireguard. I just have PiVPN manage my configs on an RPi, port forwarding on my router, and a script to do dynamic DNS via API on IP change.
I don’t have CGNAT though and have full control over my work machine.
Should I install a reverse proxy on the VPS and link services on the local server, or should I install it directly on the local server?
Services and reverse proxy on your server. Tunnel host on the VPS.
Rather than a cheap VPS, what about hosting a reverse proxy on fly.io, something like this? https://github.com/AnimMouse/frp-flyapp