Comment on Replacing Cloudflare Tunnels with Tailscale?
lemmyvore@feddit.nl 1 year ago
The Tailscale server on your node terminates the Transport Layer Security (TLS) and passes the request to the local service you’ve exposed through Funnel.
There’s still going to be a gap where traffic is unencrypted and under their software’s control. The gap takes place on your node rather than one of their servers but it still exists. You can’t avoid the TLS gap when you switch domain names mid-connection.
Whether having the gap on their node rather than on Tailscale’s server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn’t have a TLS gap.
ck_@discuss.tchncs.de 1 year ago
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
lemmyvore@feddit.nl 1 year ago
Only if that nginx is advertising the .ts.net domain, and using the certificates for the .ts.net domain, which means you have to export and renew them manually via tailscale cert. If you let Tailscale manage them you will have a TLS gap.
ck_@discuss.tchncs.de 1 year ago
Precisely. Except there is no “Tailscale manage them for you”.
So you could summarize your answer as "Tailscale certificates work like Let's Encrypt".
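As an added example (not part of any comment in this thread), here is the manual export-and-renew workflow lemmyvore describes: the node's .ts.net certificate is fetched with tailscale cert and handed to a local nginx, so nginx on the node holds the private key and terminates TLS, with Tailscale only acting as the issuer. The cert directory, backend address and nginx config path are placeholders; the script assumes the tailscale CLI with HTTPS certificates enabled on the tailnet, its --cert-file/--key-file flags, and a locally installed nginx.

```shell
#!/bin/sh
# Added example, not from the thread. Renew the node's .ts.net certificate with
# `tailscale cert` and serve it from nginx, so TLS terminates in nginx on the node
# rather than in tailscaled. Assumptions: tailscale CLI installed with HTTPS
# certificates enabled on the tailnet, nginx installed, placeholder paths below.
set -eu

# A MagicDNS name looks like <host>.<tailnet>.ts.net; refuse anything else so the
# request is never made for a name Tailscale cannot issue a certificate for.
check_ts_name() {
  case "$1" in
    *.*.ts.net) return 0 ;;
    *) return 1 ;;
  esac
}

# Where the certificate and key for NAME live under CERT_DIR (assumed layout).
cert_path() { printf '%s/%s.crt\n' "$2" "$1"; }
key_path()  { printf '%s/%s.key\n' "$2" "$1"; }

# Emit an nginx server block that terminates TLS with the Tailscale-issued
# certificate and proxies plain HTTP to the local service on this node.
nginx_conf() {
  name="$1"; cert_dir="$2"; backend="$3"
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${name};
    ssl_certificate     $(cert_path "$name" "$cert_dir");
    ssl_certificate_key $(key_path "$name" "$cert_dir");
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass ${backend};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# Fetch or renew the certificate through the tailscale CLI, lock down the key
# file, and reload nginx so it picks up the new files.
renew_cert() {
  name="$1"; cert_dir="$2"
  check_ts_name "$name" || { echo "not a .ts.net name: $name" >&2; return 1; }
  mkdir -p "$cert_dir"
  tailscale cert --cert-file "$(cert_path "$name" "$cert_dir")" \
                 --key-file  "$(key_path "$name" "$cert_dir")" "$name"
  chmod 600 "$(key_path "$name" "$cert_dir")"
  nginx -s reload
}

# Usage: ./ts-nginx-cert.sh myhost.tail1234.ts.net /etc/nginx/ts-certs http://127.0.0.1:8080
# Run it from cron well inside the certificate lifetime so renewal happens
# before expiry; the config path is an assumed location.
if [ "$#" -eq 3 ]; then
  nginx_conf "$1" "$2" "$3" > /etc/nginx/conf.d/tailscale.conf
  renew_cert "$1" "$2"
fi
```

The point of the check_ts_name guard and the chmod is that the private key never leaves the node and is readable only by the nginx user; the trade-off, as the thread says, is that renewal is now your cron job's responsibility, exactly as with any other ACME-issued certificate.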