I finally understand Cloudflare Zero Trust tunnels
Perceived Value vs Tailscale / Headscale / VPS
- Several commenters question the “win” over Tailscale + a cheap VPS/headscale, arguing Cloudflare adds complexity and vendor lock-in to optimize a minority NAT case.
- Others counter that for homelab and family use, Cloudflare Tunnel’s free tier and no-VPS, no-port-forwarding setup are compelling, especially for sharing services with non-technical users who won’t install a VPN client.
Vendor Lock‑in and Trust
- Cloudflare is criticized as “half-baked features + lock‑in,” but others note all these options are vendors; the real distinction is business model, behavior, and openness.
- Tailscale is seen as “less lock‑in” because of WireGuard, open clients, and compatible self-hosted control servers like Headscale, though not everything is fully open.
TLS Termination, Privacy, and “Zero Trust”
- A big privacy concern: Cloudflare often terminates TLS, sees traffic, and may re-encrypt to the origin, unlike Tailscale’s end‑to‑end model.
- Some clarify this TLS termination is not mandatory in all Cloudflare products, but many tunnel/Access features effectively require it.
- Several people argue that calling a centrally terminating, fully trusted middlebox “Zero Trust” is marketing more than reality.
Architecture & CNAME-Based Tunnels
- The cfargotunnel.com CNAME mechanism is called out as opaque and “kludgy”: a DNS record that looks like a normal CNAME actually triggers Cloudflare’s private routing stack.
- Confusion points: CNAMEs that don’t resolve publicly, multiple apps sharing one tunnel identity, strict TLS settings coexisting with cleartext to the origin, and unclear behavior when CNAMEs or routes don’t match.
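A concrete ingress configuration makes most of these confusion points visible. The following cloudflared config.yml is an added example, not something posted in the thread or taken from Cloudflare's own material; the tunnel UUID, the hostnames under example.com, the local ports and the CA bundle path are all assumed placeholders. It shows one tunnel identity serving several public hostnames, and where the cleartext-versus-TLS decision for the last hop actually lives.

```yaml
# Added example: one tunnel, several hostnames. All values below are assumed.
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Each public hostname is a *proxied* CNAME in the zone that points at
  #   <tunnel-uuid>.cfargotunnel.com
  # Because the record is proxied, public resolvers return Cloudflare edge
  # addresses, not the cfargotunnel.com target; that is why the CNAME
  # "doesn't resolve" when queried from outside.
  - hostname: wiki.example.com
    # Cleartext between cloudflared and the app on the same host. The zone's
    # SSL/TLS mode covers the edge-to-origin hop, which here is the tunnel
    # connection itself; this last hop is decided per rule, not by that setting.
    service: http://localhost:8080
  - hostname: files.example.com
    # The app speaks TLS; cloudflared verifies its certificate by default.
    service: https://localhost:8443
    originRequest:
      caPool: /etc/cloudflared/internal-ca.pem      # assumed path to a private CA
      # Prefer trusting a private CA over `noTLSVerify: true`, which silently
      # removes certificate checking on this hop.
  # Mandatory catch-all: unmatched hostnames get a 404 instead of being routed
  # to the first rule, which is the usual source of "CNAME and route don't match".
  - service: http_status:404
```

Before restarting the connector, `cloudflared tunnel ingress validate` checks the file, and `cloudflared tunnel ingress rule https://files.example.com` reports which rule a given URL would hit. The DNS side is created with `cloudflared tunnel route dns <tunnel> files.example.com`, which writes the proxied CNAME shown in the comments; a hostname with a CNAME but no matching ingress rule falls through to the 404 catch-all.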
Bandwidth Limits and Media Streaming
- Cloudflare’s free tiers disallow heavy video/large-file use (e.g., Plex/Jellyfin) in their ToS, though many report using tunnels for personal media servers without enforcement so far.
- Critics dislike content-type-based restrictions for an encrypted “zero trust” network and would prefer simple global bandwidth limits.
Performance, P2P vs Relay
- Some prefer P2P with relay fallback (Tailscale, other tools) to reduce dependency on a single relay provider and preserve privacy.
- Others report Cloudflare’s global network gives excellent performance, sometimes better than direct P2P, especially for distributed teams.
Use Cases and Alternatives
- Enterprise: discussed as a ZTNA replacement for traditional VPNs (inside‑out tunnels, L4 proxying, fine-grained access policies).
- Home/homelab: exposing self-hosted services under custom domains, clientless access, bypassing CGNAT/IPv4 limitations.
- Alternatives mentioned: Netbird, Netmaker, Headscale, NetFoundry/OpenZiti, connet, tuns.sh, and plain IPv6 where ISPs allow inbound traffic.