deddit.petersanchez.com

Cloudflare or Tailscale?
from frosch@sh.itjust.works to selfhosted@lemmy.world on 30 Apr 18:33
https://sh.itjust.works/post/59405642

Which route did you go for your homeland, a tunnel to your services or setting up tail scale/wireguard and access them on your trailer?

#selfhosted

threaded - newest

tofu@lemmy.nocturnal.garden on 30 Apr 18:37 next collapse

I have wireguard, it’s supported by my router (Fritzbox).

androidul@lemmy.world on 30 Apr 18:42 next collapse

same here, took me 7m to set this up on OPNsense with FritzBox

frosch@sh.itjust.works on 01 May 08:46 collapse

Nice, I have to take a look if mine supports it, too!

Manodor@feddit.org on 30 Apr 18:41 next collapse

Funny thing, I use Tailscale to tunnel the access, but use cloudflare dns for device adress resolution.

prenatal_confusion@feddit.org on 30 Apr 19:06 next collapse

Pangolin on a vps.

fleem@piefed.zeromedia.vip on 30 Apr 19:50 next collapse

isn’t it awesome? i am scared to update it too far for an unknown reason

prenatal_confusion@feddit.org on 30 Apr 19:53 collapse

It’s opensoursrso we should be able to roll back.

frosch@sh.itjust.works on 01 May 08:48 collapse

When I looked into it first, Pangolin seemed a bit overwhelming.

Is it hard to set up?

prenatal_confusion@feddit.org on 01 May 08:52 collapse

No, ridiculously easy with docker.

Then it follows the same principles as cloud flare. Create a site (vpn endpoint), get a docker snippet for a newt (what they call the vpn connector), paste it in the docker compose on your Homeserver and see it come up in the Webinterface.

Then you create a public resource and point it to said site and give it a url.

Done.

Ask me if you have questions

frosch@sh.itjust.works on 01 May 09:01 collapse

Cool, do you get any auth and/or ingress protection?

With cloudflare, you get some auth options, can block AI crawlers (that get recognized…) etc for free

prenatal_confusion@feddit.org on 01 May 09:05 collapse

Yes there is auth on by default for resources. You can use real accounts that need to be created or passwords or pins. And I think some id providers.

187OnAnUndercoverCop@programming.dev on 30 Apr 19:08 next collapse

Temp stuff where I could care less about the free tier domain name or things that I just want to funnel to my existing devices: Tailscale

Widespread, prolonged services that will be more actively maintained for a longer amount of time and can just spin off of its own domain/subdomain: Cloudflare

Both are great.

30p87@feddit.org on 30 Apr 19:22 next collapse

Asked my ISP for a public IP, exposed all things that can handle that to the public. Custom Wireguard server for VPN

FlexibleToast@lemmy.world on 30 Apr 19:29 next collapse

Pangolin on a free Oracle VPS.

giacomo@lemmy.dbzer0.com on 30 Apr 23:53 collapse

is there a bandwidth/throughput limit on Oracle VPS?

german@pawb.social on 01 May 00:14 next collapse

Something like 10TB. I’m an incredibly heavy user and I’d have to quadruple all of my usage, including home, to hit it.

FlexibleToast@lemmy.world on 01 May 12:16 collapse

Not that I’ve noticed.

Decronym@lemmy.decronym.xyz on 30 Apr 19:30 next collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
IP	Internet Protocol
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

4 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #265 for this comm, first seen 30th Apr 2026, 19:30] [FAQ] [Full list] [Contact] [Source code]

jlow@slrpnk.net on 30 Apr 20:05 next collapse

Headscale on fly.io

hendrik@palaver.p3x.de on 30 Apr 20:15 next collapse

I have a port forwarding without any tunnel to third parties and Wireguard.

French75@slrpnk.net on 30 Apr 20:25 next collapse

I used wireguard, then switched to Pangolin. Wireguard was simpler and worked better with mobile apps though. I’ll prob switch back for most apps.

Evil_Incarnate@sopuli.xyz on 30 Apr 20:42 next collapse

Zerotier. I found it easy to set up and use. Free tier gives you one network and ten hosts, I think.

Illecors@lemmy.cafe on 30 Apr 20:55 next collapse

I do run wireguard on my router, but the main reason is ad blocking, not hiding services. Most services are publicly exposed.

frosch@sh.itjust.works on 01 May 08:45 collapse

Nice, I thought about using wireguard as a private VPN, too. Having my pihole block my mobile data on the go would be neat

uuj8za@piefed.social on 30 Apr 21:06 next collapse

option 3: self-host Netbird control plane
option 4: use Netbird’s reverse proxy

irmadlad@lemmy.world on 30 Apr 21:40 next collapse

How about both? I run the evil Cloudflare Tunnels/Zero Trust with Tailscale as an overlay on the server.

frosch@sh.itjust.works on 01 May 08:43 collapse

I’m a bit stumped, what do you gain from this setup?

Or do you mean just running some services through the tunnel for easy access and “hide” others behind tailscale?

irmadlad@lemmy.world on 01 May 12:00 collapse

what do you gain from this setup?

Defense in Depth
Network segmentation
Fallback

hexagonwin@lemmy.today on 30 Apr 23:45 next collapse

tailscale. works perfectly, the only problem is needing a google acc for login

FauxLiving@lemmy.world on 01 May 02:42 next collapse

the only problem is needing a google acc for login

You can use e-mail now.

hexagonwin@lemmy.today on 01 May 03:02 next collapse

is it possible to switch to email from my google acc tied account? or do i need to create a new one?

FauxLiving@lemmy.world on 01 May 03:05 collapse

I haven’t looked into it yet, I’m in the same position of using Google to login.

I just noticed that the login page changed.

ScytheDraven47@piefed.zip on 01 May 05:17 collapse

I believe registration is limited to a third party/OIDC. The login page is different to sign-up

FauxLiving@lemmy.world on 01 May 12:28 collapse

third party/OIDC.

Ah, that makes sense

potustheplant@feddit.nl on 01 May 07:49 collapse

No, you cannot. Putting in your emails just redirects to the identity provider you used when signing up. If you try to create an account you’ll see that email’s not a option.

BCsven@lemmy.ca on 01 May 05:48 next collapse

And that years back they moved their servers from Canada to the US. That’s when I dropped TS and just did wireguard by hand.

peskypry@lemmy.ml on 01 May 05:55 next collapse

You can use GitHub.

potustheplant@feddit.nl on 01 May 07:48 collapse

That’s not really a solution.

zeitverschreib@freundica.de on 01 May 08:05 collapse

@hexagonwin

I think Headscale gives you the option of using your own provider.

@frosch

frongt@lemmy.zip on 01 May 00:32 next collapse

Netbird via a free cloud VM. Works great.

skyline2@lemmy.dbzer0.com on 01 May 03:28 next collapse

This is the way

peskypry@lemmy.ml on 01 May 05:55 next collapse

Who provides free cloud VM?

frosch@sh.itjust.works on 01 May 08:40 collapse

Nice, I’ll look into that!

Atherel@lemmy.dbzer0.com on 01 May 06:01 next collapse

Wireguard

julianwgs@discuss.tchncs.de on 01 May 06:02 next collapse

I am very happy with Tailscale

mlg@lemmy.world on 01 May 08:19 next collapse

Wireguard.

Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don’t bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).

It’s still worth setting up a wildcard cert with ACME so you get nice https and a real domain.

frosch@sh.itjust.works on 01 May 08:39 collapse

Cloudflare has some opt-in auth. Mail-OTP is a nice balance imo: You can allowlist mail addresses per service/subdomain and set expiry for each. Then for access, you first have to enter the mail address, get the OTP and then access the service.

So, nobody without access to allowed mail addresses even gets to knock on you door.

But yeah, that’s why I think about going tail scale: why bother having something exposed when not needed?

I just think, some services might be nice to provide to friends, too - and having them connect to my tailnet for this is a bit too much friction, I guess

utjebe@reddthat.com on 01 May 08:32 next collapse

Just Wireguard on a router, but I’m thinking Netbird.

WG can be a bit PITA to set up, but once you do, it just works. What I would to have is more fine grained control over who goes where if I were to expose some of the services to friends.

IratePirate@feddit.org on 01 May 10:46 collapse

wg-easy can greatly simplify your wireguard setup. Allows you to quickly generate access configs for friends and family on the fly (QR-codes, too). You still get access to post-up/-down hooks if you want tp create a more specialised deployment.

TheGreenWizard@lemmy.zip on 01 May 10:34 next collapse

I’m liking self hosted NetBird atm

HiTekRedNek@lemmy.world on 01 May 11:54 collapse

Both.

I have a free cheap vps providing me a public IPv4 address, connected to my opnsense router via tailscale, and use a simple port forward from the VPs to the router’s tailscale IP.

I have certain port/connections coming in either via the tailscale IP or my external IPv6 address all forwarded to my internal Caddy reverse proxy which itself is only running IPv4.

And I use cloudflare for my dynamic DNS resolution of my domain. A records are my public VPS IPv4 and AAAA are my own public IPv6 addresses respectively.

If/when I change to a service provider that doesn’t use CGnat for IPv4, I can stop doing the forwarding from my VPS.

That’s so we can stream music/video without needing to use the VPN.

But, I also run tailscale on my phone, so I can do admin stuff remotely from it, albeit painfully, on this small screen when things break. 🤣