Cloudflare launches private mesh VPN (Tailscale-like) offering
(blog.cloudflare.com)
from dabe@lemmy.zip to selfhosted@lemmy.world on 15 Apr 12:17
https://lemmy.zip/post/62590684
from dabe@lemmy.zip to selfhosted@lemmy.world on 15 Apr 12:17
https://lemmy.zip/post/62590684
It’s a 10 minute read when it should probably be a 2 minute read, likely due to LLMs fluffing it up (I got that vibe from skimming it). But what do you all think, is there anything in here that would compel you to switch from your current VPN solution to this?
threaded - newest
This could have been you, Mozilla.
sniff
I wanted so much to believe in you
Is it still too late technically? I dont want to quit on Mozilla
TBH I still donate $5/mo to Mozilla. But only because someone has to fund the upstream development of the browser I actually use (and which arguably is the browser Mozilla was supposed to be)
There’s nothing I’d like to do more than let the US internet-monopolizing company handle all my vpn traffic /s But without being snarky, for homelabbing purposes just use wireguard directly, it’s fun and not that hard to handle. Automate peer configurations using Ansible or some other automation tool if it gets hard to manage manually.
Finally a reasonable person around here.
I tried, but I don’t understand how to bypass a cgnat. With Tailscale it just works. Also, I tried Netbird, it’s very similar, and it works well too. I’d love to simplify this, but I have no knowledge at the moment. Would love someone pointing into the right direction.
CGNAT and changing IPs make this harder. What I’d consider in this scenario is renting a small vps at a local provider (a tiny/cheap machine is enough). Then use this one as a hop to your network, basically homelab->vps<-client. Here is a post that talks about something like that: taggart-tech.com/wireguard/
I haven’t used this method personally, but I’ve done something similar for incoming web traffic before, when you want to host things behind a CGNAT. You can actually keep all the traffic confidential by having just an L4 proxy on the vps, then the http traffic is still end-to-end encrypted between the client and the service, so you don’t even have to trust the vps provider when it comes to them snooping. They still get some metadata, but not significntly more than the ISPs.
Thanks. It’s still much more work than I’d
likecan afford to have at the moment, so I’d stay with what I have for a while. But I have an obsolete Intel Atom machine as a server at work. It’s my personal web and file server, plus Syncthing node. The sysadmin thinks that’s for our website to work. (It’s not used for that at the moment.) I can emulate some for-work things if/when needed, but at this point nobody cares.Nobody else, including the boss is aware. But I don’t do anything sketchy there. Just a separate offsite node, plus they have some decent power backup system. We did have massive blackouts in winter (I live in Ukraine), and not a single time the server went offline! Bonus thing, they have a static IP.
I’m hesitant to move to something bigger there though, as the future of me with the company is not very clear. I can get a higher position at some point and also replace the sysadmin (he plans to retire at some point). If so, I may move the entire company to completely self-hosted everything. And add a couple of servers to myself. But if not, I don’t know. Perhaps I could use that server till it would die its natural death, even if I’d part with the company. I’d still visit them sometimes.
I wonder whether that’s much better than a cheap VPS. Power wise, I guess it’s the same, it’s really underpowered, two cores, a gigabyte or two of ram, nothing fancy at all.
But Tailscale is free, works very easily and reliable and it is set up in minutes. I will only be motivated to look into all that when tailscale isn’t free and reliable anymore… I guess that will eventually happen at sometime in the future.
I’m trying to set up the same at some point. How do you solve the changing IP address problem?
The simplest would be renting a VPS I think.
I grabbed an Oracle free-tier many moons ago. The x86 one with 4 gig of memory I think? The arm have a much more core and memory but unless you go with Pay As You Go (PAYG) account ( need a one time refundable $100 credit) it’s virtually impossible to grab it.
My free tier account is sufficient as pure VPN for accessing stuff, you get 10 TB/month egress traffic. The downside is it’s Oracle, and you are at their mercy ( they can purge it without notice )
I never tried it because CGNAT but maybe Dynamic DNS could also solve this.
Other than that, Tailscale / CF tunnel are a fine solution ( for now )
If you’re not dealing with CGNAT, Dynamic DNS (DDNS) is relatively easy to set up, doesn’t require a VPS and is designed specifically for dealing with changing IP address endpoints.
Instead of connecting using your (sometimes changing) IP address, you use a URL that dynamically updates when your IP changes. For instance, with DDNS you would access your home network using mynetwork.ddnsservice.com. The DDNS service returns your current IP and your connection can complete. Most routers have built DDNS clients that update the DDNS service when your home IP changes.
There are various DDNS services out there, but I like DuckDNS. It’s free (or you can choose to donate), easy to set up and has worked flawlessly for me for years.
Yeah, you can't just use wireguard directly on a home network depending on provider (CGNAT) and you can't just switch providers as most providers are in a non-compete with other providers. So, Cloudflare Mesh or Tailscale is the best option for those.
See my comment here, infosec.pub/comment/21363677
I’ve been using Cloudflare’s Tunnel/Zero Trust for a while now and I find it does the job just jammy. I’m not sure I need Mesh, but I will at least familiarize myself with it.
The only thing I like about this is the pressure it might put on tailscale to make their offering better.
How would you improve Tailscale?
Off the top of my head: - Bring your own domain for homelab - Gateway/httproute support in Kubernetes operator - allow connecting tailnets to each other - allow connecting to multiple tailnets simultaneously without ridiculous workarounds
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
[Thread #238 for this comm, first seen 15th Apr 2026, 13:10] [FAQ] [Full list] [Contact] [Source code]
Nope. I’m trying to move further away from US proprietary tech, not towards it. I’m currently using Tailscale, but I’m looking at moving to Netbird because it’s open source and European.
Tailscale is Canadian
Ah, nice. I actually didn’t realize that. They are also open source friendly https://tailscale.com/opensource I don’t hate Tailscale, btw. They seem nice.
But, I like Netbird lets you self-host the server components. And, an important feature for me, is that Netbird doesn’t require me to create an account with Big Tech to use the service. Right now I created a dummy account with GitHub just to use Tailscale, Netbird just allows me to create a username and password. E-Z P-Z. No extra hoops to jump through.
After switching to Netbird, I’ll be able to get completely off of GitHub.
headscale, an open-source reimplementation of the tailscale control server, exists. I haven’t tried it myself yet, but it claims to be an option for a fully selfhosted tailscale-compatible network.
As interesting as this is, users are still subject to the whims of a corporation that can completely change their policies each time a new executive is hired.
There’s a graveyard somewhere for apps and services that were free or low cost (and without ads) until the company decided to change their model to restrict or eliminate free usage. Teamviewer, Dropbox, RealVNC, Google Drive, Amazon Prime (ad free) Videos, Duolingo, Youtube, Zoom and Evernote are examples that lots of individuals use.
I’ve personally been bitten by this often enough to avoid any corporation’s “free” service whenever possible.