Replacing Cloudflare Tunnels with Tailscale? - eviltoast

Someone here brought up that they were able to replace Cloudflare Tunnels with Tailscale - I can’t seem to find the post, as it was a comment and deeply buried in a thread I’ve since forgotten the title of. :)

Can anyone explain the process for doing this? I assume it’s through the use of their Funnel? I have three primary services I require to be accessible through Authentik (that’s one of them) via my domain name.

EDIT

To answer the question of why I want to leave Cloudflare Tunnels - is basically that I have several services behind it (I forgot one so make that 4 I wish to have exposed). Two password managers, Psono for my special needs daughter which finds it easier than Bitwarden and Vaultwarden for myself and my work logins. So, I can’t just set up a VPN or Tailscale at work to connect my work passwords to. :) I also have Authentik and Home Assistant tunneled at present. That doesn’t explain the reason why though so let me start here:

My step-daughter is learning video production and editing, we don’t want to share her videos on Youtube or other sites, but would like to keep it more local to home. With that said, Cloudflare may not notice it at first, bit it’s against their TOS to stream videos, not to mention their just over 100mb cap for file xfers which leads me to the next reason. Early in May of this year, we were in an auto accident, and we are frequently sending forms, accident photos and paperwork etc to the Attorneys, I want to have control of the ownership of the files and would prefer not to email them, but link them to my server, frequently, those files even zipped can be over 100mb.

I do have a private DDNS provider I have my domain CNAME pointed to so it resolves to the home IP that way, so the ultimate plan is to untie my site from Cloudflare’s DNS to a offload to a VPS or two for (NS1 and NS2) With a recent issue with Oracle Cloud, I’m not motivated to use them for this basic purpose.

And just a small part of me is starting to get tin hat against the idea that Cloudflare can decrypt the data before it hits my site before it encrypts it. Just just isn’t sitting well with me at the moment. I can’t verify this data yet, but I like to play it safe than sorry.

EDIT 2

So, I ran a funnel test and yes it works, but still have to use the ts.net like others said, so at best, I can figure this to be a good backup service. I can’t forward a CNAME to my TS DNS. I checked /r/tailscale (Duckduckgo sent me there), and about a month ago, someone asked if you could use your own domain, the answer was “not yet” but there seems to be some interest.

What I found pretty fascinating is the mobile app does work quite well on Android and is so far so good, I can at least feel better knowing that the phones are on WG full time now through Tailscale. I had issues with the official WG client and another one staying on with our phones full time, so this so far has been a good improvement.

  • Dave811@lemmy.today
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    So my post was the one to get rid of the cloudflare tunnel.

    Basically I set up a tailscail docker on my home server and connected it with a one time key from tailscale. There I exposed my local network. (Perhaps secure that only to your homeserver IP)

    Then I set up a Debian Server which hosts a lot of other stuff. But there I also installed tailscail and connected it to my account.

    After this the most important part! I wasted hours to find this line of code sudo tailscale up --accept-routes With that you allow the external server to accept routes. Otherwise you can’t redirect to your homeserver

    The next step I took was to install nginx and setup a reverse proxy to my traefik docker on my home network

    Here I routed the domain with every subdomain (*.your.domain) to my homeserver.

    My homeserver took care of the https certificate so my nginx server only redirects traefik from port 80.

    I can share my configs later but I have a little problem with large nextcloud uploads. And I don’t have the previously working nginx config anymore… So I need to dig a bit further again.

    Ask me questions, but I can only answer them in about 7h Hope my late night writing makes sense.

    • node815@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Nice! So, using the --accept-routes part, does that allow you to use a CNAME record to your funnel’s address (machine.tailscale-id.ts.net) ? I tried to do this and it failed to resolve for reasons of too many redirects.

      • Dave811@lemmy.today
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I didn’t try that, I use the static local ipv4 address of my network. Like http(s)://192.168.1.3:443

        • node815@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Gotcha, so normal means of exposing services via reverse proxy. :) With mine so I could access my local IP I just enabled the --advertise-routes option.

          • Dave811@lemmy.today
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            To be clear I ran that on my reverse proxy server. In the tailscail dashboard you also need to enable the subnet

            • node815@lemmy.worldOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Understood! I have subnet routing enabled as well. First thing I did when I realized my phone couldn’t access my local server once connected to Tailscale. :)