this post was submitted on 05 Nov 2023
59 points (95.4% liked)

Selfhosted

41361 readers
808 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hello I've been using cloudflare to get remote access for the couple apps I selfhost, but lately I've been hearing about the wonders of tailscale.

It seems that the free tier is enough for my use. Which would be a safe option to have remote access for my 3D printer? Also how are both in terms of privacy?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 1 year ago (1 children)

Tailscale. Because it can do both. It functions as a mesh VPN for private access, but it also has Tailscale Funnel which does the same thing as Cloudflare tunnels but you don’t give all your traffic to Cloudflare

[–] [email protected] 3 points 1 year ago (2 children)

Is there a specific reason tailscale having all the same traffic opposed to cloudflare is a better option? I use cloudflare tunnels right now and figured them handling some of the data is better than me by myself.

[–] [email protected] 2 points 1 year ago (1 children)

Tailscale shouldn't be getting your data anyway. It's a mesh VPN that directly connects devices after their auth server gives out certs and let's clients know where to find another. If you're not comfortable with using their server for this I'd suggest you look into the open source headscale server. I do remember it routing through their server in the rare case NAT punching doesn't work

[–] [email protected] 1 points 1 year ago (1 children)

Thanks for the info. Though I fail to see how it's much different than cloudflare tunnels, I'll probably stick with that for the near future but will try out tailscale funnel in the future.

[–] [email protected] 1 points 1 year ago (1 children)

It’s not functionally different from Cloudflare tunnels, that’s the point. You get the same functionality without giving all your data to a corporation.

[–] [email protected] 3 points 1 year ago (2 children)

I'm curious how if they're functionally the same, one has all the data and the other "shouldn't be getting your data anyway". Was mostly curious to hear about informed differences in the products but clearly not going to get that, cheers.

[–] [email protected] 1 points 1 year ago

Because Cloudflare decrypts all your traffic, and Tailscale doesn’t. It’s still functionally the same though because you accomplish the game goal in a similar manner, but one is privacy respecting and one isn’t.

[–] [email protected] 1 points 1 year ago (1 children)

You can selfhosted tailscale so that they don't have any access. You can't with cloudflare tunnels as far as I know. Tailscale's client is open source, so is their Headscale server which originally was developed by a 3rd party. You can look into the code for that. Not sure what you'd want me to say. If you really want to be informed I'd inspect the code yourself

[–] [email protected] 2 points 1 year ago (1 children)

I'm self hosting cloudflared right now, the TLS from cloudflare terminates in a container in my network and then goes to my reverse proxy container for my local network. I'm definitely going to poke around tailscale and their funnels for the future, I'm just playing devils advocate for those replying not knowing anything about cloudflare tunnels yet saying they're the wrong choice.

[–] [email protected] 1 points 1 year ago

Cloudflare tunnels definitely aren't wrong, you're just not entirely using open source software. It's a very good option if you need to open things to the public or want to learn more about cloud services

[–] [email protected] 1 points 1 year ago (1 children)

Well like... if you’d rather put your data in the hands of a company instead of your own when you could easily do the same thing yourself, why are you self hosting in the first place?

[–] [email protected] 3 points 1 year ago (1 children)

Just my two cents I'd prefer my traffic going through Cloudflare vs Tailscale if it's all the same, since I've heard a lot about Tailscale but know nothing. I've interacted on Github threads with people from cloudflare and they're all super nice and their blog posts and post-mortems are very insightful. Was curious to see if people had actual insight but appears it's just auto cloudflare = bad.

[–] [email protected] 2 points 1 year ago (1 children)

That’s the beauty of Tailscale, you don’t have to trust them, because they don’t MITM your data, unlike with Cloudflare. I’m sure the employees of Cloudflare are nice, but so are the employees of any company, good or bad. It’s not that Cloudflare is necessarily bad, but you’re putting them in a position of trust over the content of your data you send through them, as opposed to trusting no one.

I’m sure most of the people who work for Google are very nice people, but people still switch to self hosting for the privacy and control over their own data, and the same goes for Cloudflare.

[–] [email protected] 1 points 1 year ago (2 children)

Got any info on how cloudflare MITM and decrypts all traffic but tailscale doesn't? Playing devils advocate and pointing out how not much you're saying is making sense.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Look man I get that you’re not very tech literate and as a hobbyist that’s perfectly ok but just because you don’t know much about technology doesn’t mean the technology doesn’t make sense. You wanted to know what’s different and I told you, you wanted to know how and I told you. If you still don’t understand something then you need to articulate that and ask an actual question. It took me years to earn a degree in network engineering I can’t just distill all of that knowledge into a single comment for you to cover every possible dependent piece of knowledge that you’re lacking because all you can communicate is “I don’t get it”. You have to be specific on what it is specifically that you’re not getting.

I will indulge you again here under what might be a false assumption that you genuinely want to know the answer.

Cloudflare MITMs your traffic because that’s how it was designed. Your traffic is encrypted to their servers, de encrypted, then reencrypted between Cloudflare and your server. They can see and modify any data you send through them. All your passwords, tokens, and personal information are readable by Cloudflare. Therefore there’s an incredible amount of trust you need to put in Cloudflare, and the security of their systems.

Tailscale on the other hand has a service called funnel, which is a direct replacement to Cloudflare tunnels, however they differ in that Tailscale is a company with privacy and security as a priority and they accomplish the same goal as CF tunnels but their solution is designed to keep your data encrypted end to tend, from your client to your server. You therefore don’t need to place all that trust with Tailscale because they can’t see or modify your data even if they wanted to.

Both services accomplish the task of proxying public traffic to your backend server, however CF opens up all your data, and Tailscale doesn’t. Think of them both like a postal service, except Cloudflare opens up all your mail and puts it into new envelopes before giving it to the carrier for delivery to your mailbox. A lot of us prefer the postal service that just leaves your mail sealed from origin to destination.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.

I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn't matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF's network.

And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tollerence

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn't matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF's network.

Thats not how Cloudflare tunnels work. Your data is encrypted to Cloudflare’s network then decrypted. Then they encrypt a second connection between their server and yours via a connector service running in your server. It does matter if CF tries to inspect your packets because there is one layer of encryption over the internet, then briefly zero layers of encryption, then one layer of encryption while traversing CF network. I’m not aware of any product that Cloudflare provides that allows for them to tunnel your HTTPS traffic without them being able to decrypt your data to plain text.

[–] [email protected] 0 points 1 year ago (1 children)

hmm, I'm not sure I agree - or perhaps I didn't explain myself well previously and caused confusion between us.

Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet facing server.

What I'm saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar if you were to connect to any ol' website over an ISP's network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.

If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following

wg client --(tunnel to CF)--> CF network --(tunnel to your server)--> wireguard server

the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

You’re explaining yourself fine, you’re just mistaken about the way Cloudflare tunnels work. You’re confusing concepts between a L4 proxy and a L7 proxy.

What I'm saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers.

This is not the case. You are under the mistaken impression that CF tunnels work like a L4 tunnel, proxying a TCP stream from client to server, allowing you to maintain an encrypted TLS session from client to server. That would be closer to what Tailscale Funnel does (Which I’d advocate for). CF tunnels do not work this way. Cf tunnels work more like a L7 proxy. Your client and your server never talk, so there is no encrypted protocol between them. There is only encryption between you and Cloudflare, and then Cloudflare and your backend server. Cloudflare can and does MitM the data AND the IP headers.

This is similar if you were to connect to any ol' website over an ISP's network. If your session is not HTTPS, then your application data can be read.

You cannot establish an HTTPS connection with your application from your client. You establish an HTTPS connection with Cloudflare, which gives them plaintext access to all the data you send through them.

You can have encrypted sessions inside of CF tunnel-network-tunnel.

To be clear, no you can’t. This is your misunderstanding. At least, you can’t with Cloudflare tunnels. Cloudflare may offer a TCP proxy service, which is what you’re confusing CF tunnels with, if you sign up for an enterprise plan, but you don’t get that functionality in their free plan which OP, and self hosters in general would be using.

[–] [email protected] 1 points 1 year ago

thanks for the masterclass in CF tunnels.

I am ready to accept everything you've said but there is the SSH case that keeps tripping me up. For reference, here is the CF docs on Connecting SSH through CF Tunnels.

Can you help me clear up the misunderstanding here? From the docs it appears you can create a SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on client) and public key (on server).

Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?

[–] [email protected] 1 points 1 year ago (1 children)

EncryptKeeper’s explanation is perfectly concise and informative if you have a cursory grasp of self hosting and networking.

If it’s not making sense to you, I would suggest revisiting some of the technical fundamentals of self-hosting, which admittedly is quite an advanced topic that most people don’t, and do not need to care about.

You would be equally well-served, perhaps more so (if you don’t really care about privacy or terms of service) by sticking to regular cloud services. The road to self-hosting is arduous and if done wrongly, causes you more harm than good. Especially if your technical foundation is not yet strong. Which your posts suggest is the case.

[–] [email protected] 1 points 1 year ago

I appreciate the thoughtful reply but my issue with their explanation is not in the concepts or how it operates but in the fact they stated that Cloudflare tunnels were not an option to choose despite proving they have no knowledge in how they are used or operate.