Comment on tailscale vs cloudflare tunnel? which is better for a homelab
EncryptKeeper@lemmy.world 1 year ago
Look man, I get that you’re not very tech literate, and as a hobbyist that’s perfectly ok, but just because you don’t know much about technology doesn’t mean the technology doesn’t make sense. You wanted to know what’s different and I told you, you wanted to know how and I told you. If you still don’t understand something then you need to articulate that and ask an actual question. It took me years to earn a degree in network engineering; I can’t just distill all of that into a single comment for you. You have to be specific on what it is specifically that you’re not getting.
I will indulge you again here under what might be a false assumption that you genuinely want to know the answer.
Cloudflare MITMs your traffic because that’s how it was designed. Your traffic is encrypted to their servers, decrypted, then re-encrypted between Cloudflare and your server. They can see and modify any data you send through them. All your passwords, tokens, and personal information are readable by Cloudflare. Therefore there’s an incredible amount of trust you need to put in Cloudflare, and the security of their systems.
Tailscale on the other hand has a service called Funnel, which is a direct replacement for Cloudflare tunnels; however they differ in that Tailscale is a company with privacy and security as a priority, and they accomplish the same goal as CF tunnels but their solution is designed to keep your data encrypted end to end, from your client to your server. You therefore don’t need to place all that trust with Tailscale because they can’t see or modify your data even if they wanted to.
Both services accomplish the task of proxying public traffic to your backend server, however CF opens up all your data, and Tailscale doesn’t. Think of them both like a postal service, except Cloudflare opens up all your mail and puts it into new envelopes before giving it to the carrier for delivery to your mailbox. A lot of us prefer the postal service that just leaves your mail sealed from origin to destination.
varsock@programming.dev 1 year ago
What’s funny about your self-proclaimed tech-literacy comment is, if you have encrypted traffic between you and your endpoint/server (TLS/HTTPS, SSH) then Cloudflare cannot MiTM your traffic.
That’s like saying your ISP MiTMs your traffic when you visit a website so don’t use an ISP. You can stop using the ISP and thus not reaching the web (what you’re suggesting) OR you can encrypt your HTTP traffic and then no one can MiTM you.
We should not behave so brashly toward users who are new and learning or perhaps just brief in their comments. This cultivates a toxic community.
EncryptKeeper@lemmy.world 1 year ago
That’s not how Cloudflare tunnels work. Your data is encrypted to Cloudflare’s network then decrypted. Then they encrypt a second connection between their server and yours via a connector service running on your server. It does matter if CF tries to inspect your packets because there is one layer of encryption over the internet, then briefly zero layers of encryption, then one layer of encryption while traversing CF network.
varsock@programming.dev 1 year ago
hmm, I’m not sure I agree - or perhaps I didn’t explain myself well previously and caused confusion between us.
Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet facing server.
What I’m saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar if you were to connect to any ol’ website over an ISP’s network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.
If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following:
wg client --(tunnel to CF)--> CF network --(tunnel to your server)--> wireguard server
the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.
EncryptKeeper@lemmy.world 1 year ago
You’re explaining yourself fine, you’re just mistaken about the way Cloudflare tunnels work.
This is not the case. You are under the mistaken impression that CF tunnels work like an L4 tunnel, proxying a TCP stream from client to server, allowing you to maintain an encrypted TLS session from client to server. That would be closer to what Tailscale Funnel does (which I’d advocate for). CF tunnels do not work this way. CF tunnels work more like an L7 proxy. Your client and your server never talk, so there is no encrypted protocol between them. There is only encryption between you and Cloudflare, and then Cloudflare and your backend server. Cloudflare can and does MitM the data AND the IP headers.
You cannot establish an HTTPS connection with your application from your client. You establish an HTTPS connection with Cloudflare, which gives them plaintext access to all the data you send through them.
To be clear, no you can’t. This is your misunderstanding. At least, you can’t with Cloudflare tunnels. Cloudflare may offer a TCP proxy service, which is what you’re confusing CF tunnels with, if you sign up for an enterprise plan, but you don’t get that functionality in their free plan which OP, and self hosters in general would be using.
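The point argued through this thread, hop-by-hop TLS (terminated at the proxy edge) versus end-to-end TLS (the client sees the origin's own certificate), can be checked from the client side rather than debated. The script below is an added example, not code from the thread or from Cloudflare or Tailscale; it assumes you can read the SHA-256 fingerprint of the certificate actually installed on your own origin (from its cert file) and compares it with the leaf certificate the public hostname presents.

```python
"""Where does TLS terminate: at the origin (end-to-end) or at a proxying edge?

Added example, not code from the thread or from either vendor. Assumes you hold
the SHA-256 fingerprint of the certificate installed on your own origin server
(read out-of-band from its cert file) to compare with the leaf cert presented.
"""
import hashlib
import socket
import ssl

def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def classify_termination(origin_fp: str, presented_fp: str, issuer_cn: str) -> str:
    """Decide where TLS terminates from what the client observed."""
    # origin_fp: cert installed on your origin (trusted); presented_fp: leaf seen by client.
    if presented_fp.upper() == origin_fp.upper():
        return "end-to-end: client sees the origin's own certificate"
    return f"terminated before origin: leaf issued by {issuer_cn!r}, not your cert"

def issuer_common_name(peercert: dict) -> str:
    """Pull the issuer CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"

def probe(hostname: str, origin_fp: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to hostname, fetch its leaf certificate and classify the session."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            cn = issuer_common_name(tls.getpeercert())
    return classify_termination(origin_fp, fingerprint_sha256(der), cn)

if __name__ == "__main__":
    # Placeholders: substitute your own hostname and your origin cert's fingerprint.
    print(probe("app.example.invalid", "AA:BB:..."))
```

A mismatch means the session the client negotiated ends at whatever presented that leaf, so the application data is plaintext there, which is the "one layer, then zero, then one" situation described above; a match means the TLS session reaches your origin untouched.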