From Cloudflare Zero-trust to Tailscale

Published: (January 15, 2026 at 04:02 AM EST)
4 min read
Source: Dev.to

I spent some time last year implementing Cloudflare Tunnels on my Home Assistant and my Synology NAS.

On Mastodon, I had not one but two commenters advertising Tailscale:

Nicolas Fränkel 🇪🇺🇺🇦🇬🇪 – “I started building an application to schedule posts across multiple social media platforms. Details are irrelevant to this post. Suffice to say, modules are running in a #Docker container on my #SynologyNAS at home. It’s accessible when I’m at home. However, I’ll soon travel to Australia for weeks, and I want to continue publishing content. The question then arose: how do I access it securely from there?”

Tags: #TOTP #Cloudflare

Why I switched to Tailscale

I decided to give Tailscale a try and migrate my servers and devices. Thanks to Heiko Does and higgins for prompting me to look further!

What is Tailscale, how and why?

“A Zero‑Trust identity‑based connectivity platform that replaces your legacy VPN, SASE, and PAM and connects remote teams, multi‑cloud environments, CI/CD pipelines, Edge & IoT devices, and AI workloads.” – Tailscale

In other words, Tailscale creates a mesh VPN (learn more) that lets devices communicate privately, isolated from the rest of the world.

With my Cloudflare Zero‑Trust setup, my user devices weren’t on the network, so I had to expose public endpoints—introducing privacy and security concerns. Tailscale eliminates that need: my devices join the same isolated network, removing the requirement for public endpoints.

Onboarding on Tailscale

The onboarding experience is superb. You pick an identity provider (IdP) and Tailscale delegates all authentication to it. Choose wisely—your account can’t be bound to multiple IdPs for fallback.

By default you get a 14‑day free Enterprise trial. You can switch to the personal free plan (3 users, 100 devices) if you don’t need the extra features. That’s more than enough for my use case.

Adding servers and devices

I installed Tailscale on each machine and authenticated via the IdP. Supported platforms include:

  • Linux
  • Windows
  • macOS
  • iOS
  • Android
  • Synology

If a device can’t present a web UI for IdP authentication, you can generate a ready‑made script with a dedicated enrollment key (there’s even an API for this).

Note: I use the terms server and device deliberately.
Devices are tied to a person’s identity; servers are not. Once authenticated, a server can be assigned to a tag (see docs). Tags act like service accounts but are more flexible—you can assign multiple tags to a single device.
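To make the tag model above concrete, here is a small Python model of a tailnet policy file, added as an example (not code from the post and not Tailscale's own engine). The policy dict is constructed but follows the shape of the real policy file (`tagOwners` and `acls`); the evaluator is a deliberately simplified approximation of Tailscale's semantics, limited to the selectors used here: default deny, any matching accept rule grants, tagged servers are not `autogroup:member`, and `tagOwners` decides who may assign a tag.

```python
"""Toy model of a Tailscale-style policy file: tags as principals,
default-deny ACLs. Added example; the evaluator is a simplified,
constructed approximation of the real engine and the policy is made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed policy in the shape of a tailnet policy file (HuJSON keys
# tagOwners / acls). Only admins may apply tag:server; every member may reach
# tagged servers on Home Assistant (8123) and Synology DSM (5001); only admins
# may reach their SSH port; tagged servers get no rule of their own, so they
# cannot initiate connections to user devices.
POLICY: Dict = {
    "tagOwners": {"tag:server": ["autogroup:admin"]},
    "acls": [
        {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:8123,5001"]},
        {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:server:22"]},
    ],
}


@dataclass(frozen=True)
class Node:
    """A tailnet node: a device carries a user login, a server carries tags only."""
    login: Optional[str]                 # "alice@example.com", or None for a tagged server
    tags: FrozenSet[str] = frozenset()
    is_admin: bool = False


def _match_principal(selector: str, node: Node) -> bool:
    """Does a src/dst selector (user login, autogroup, tag or *) match this node?"""
    if selector == "*":
        return True
    if selector == "autogroup:member":
        return node.login is not None    # tagged servers are not members
    if selector == "autogroup:admin":
        return node.login is not None and node.is_admin
    if selector.startswith("tag:"):
        return selector in node.tags
    return node.login == selector         # a literal user login


def _parse_dst(dst: str) -> Tuple[str, Optional[Set[int]]]:
    """'tag:server:8123,5001' -> ('tag:server', {8123, 5001});
    'tag:server:*' -> ('tag:server', None), meaning any port."""
    host, _, ports = dst.rpartition(":")
    if ports == "*":
        return host, None
    return host, {int(p) for p in ports.split(",")}


def is_allowed(policy: Dict, src: Node, dst: Node, port: int) -> bool:
    """Default deny: a connection is allowed only if some accept rule
    matches the source node and the destination node plus port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_match_principal(s, src) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, ports = _parse_dst(d)
            if _match_principal(host, dst) and (ports is None or port in ports):
                return True
    return False


def can_apply_tag(policy: Dict, user: Node, tag: str) -> bool:
    """tagOwners decides who may assign a tag when a server is authenticated."""
    owners = policy.get("tagOwners", {}).get(tag, [])
    return any(_match_principal(o, user) for o in owners)


if __name__ == "__main__":
    alice = Node("alice@example.com")
    nas = Node(None, frozenset({"tag:server"}))
    print(is_allowed(POLICY, alice, nas, 8123))        # True
    print(is_allowed(POLICY, alice, nas, 22))          # False
    print(is_allowed(POLICY, nas, alice, 8123))        # False: servers cannot call back
    print(can_apply_tag(POLICY, alice, "tag:server"))  # False
```

The point worth noticing is the asymmetry: a tagged server matches `tag:server` as a destination, but never matches `autogroup:member` as a source, so a compromised server cannot reach user devices unless a rule explicitly names the tag as a source.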

Gains and losses

Migrating from Cloudflare Tunnel/public endpoints to Tailscale gave me several benefits and a few trade‑offs.

| Aspect | Before (Cloudflare) | After (Tailscale) |
|---|---|---|
| Public endpoint | Required (subdomain + TLS cert) | Not needed; Tailscale provides a *.ts.net subdomain |
| Remote SSH | Not possible | Available from any device on the mesh |
| Media sync (Synology) | Only via internal IP | Accessible via Tailscale IP/name on any device |
| Naming | Manual IPs | MagicDNS – reference devices by name (nas.pTsDVj8tCL11XNTRL.ts.net or simply nas) |
| Security | Exposed to internet | Zero‑trust, private mesh |

Access methods

| Type | Example |
|---|---|
| IPv4 | 100.98.98.68 |
| IPv6 | fd7a:115c:a1e0::3701:6261 |
| Fully qualified name | nas.pTsDVj8tCL11XNTRL.ts.net |
| Simple name | nas (via MagicDNS) |

Migrating to Tailscale – A Quick Recap

And finally, I could remove all the port‑forwarding rules on my home router.

All the above are net gains, but there are some losses too. Because I let go of subdomains, I need to remember ports when multiple apps are available on the same host. Tailscale offers services to alias a port, but the Tailscale version that comes with the Synology plugin doesn’t.

By default, Tailscale doesn’t provide TLS for internal servers. It does allow generating certificates, though. I’m too lazy to configure them right now, because the idea of a private mesh should protect from man‑in‑the‑middle attacks. In addition, if Tailscale wanted to eavesdrop on the traffic, it could, since Tailscale generates certificates anyway.

The last hurdle is network access from devices that Tailscale doesn’t support, e.g., smart watches. In theory, I would be able to access my Home Assistant from my Garmin watch via the relevant app. I have installed it, but never used it. With neither a public endpoint nor specialized software, I can’t use it anymore. For this specific use case, Tailscale provides Subnets.
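The two command-line pieces of this migration, the ready-made enrollment script with a dedicated key for servers that cannot show a web UI (mentioned under "Adding servers and devices") and the subnet advertisement for devices Tailscale doesn't support (this paragraph), as an added Python example that is neither the post's own script nor Tailscale's tooling. Assumptions, labelled: `--auth-key`, `--advertise-tags`, `--hostname` and `--advertise-routes` are real `tailscale up` flags; the key-request body follows the shape of the Tailscale API's create-key endpoint (`POST /api/v2/tailnet/{tailnet}/keys`) as I know it, and the HTTP call itself is left out; the auth key in the example is a constructed placeholder.

```python
"""Headless enrollment and subnet-router advertisement for a server without
a web UI. Added example, not Tailscale's tooling or the post's own script.
Assumptions, labelled: --auth-key, --advertise-tags, --hostname and
--advertise-routes are real `tailscale up` flags; auth_key_request mirrors
the Tailscale API create-key body as I know it; the key used in __main__
is a constructed placeholder."""
import ipaddress
import subprocess
from typing import Dict, List, Optional

AUTH_KEY_PREFIX = "tskey-auth-"   # form of a Tailscale auth key


def validate_tag(tag: str) -> str:
    """Tags must be written tag:<name>; anything else is rejected early."""
    if not tag.startswith("tag:") or len(tag) == len("tag:"):
        raise ValueError(f"expected tag:<name>, got {tag!r}")
    return tag


def validate_routes(routes: List[str]) -> List[str]:
    """strict=True rejects a host address such as 192.168.1.5/24, so a typo
    cannot silently advertise a different network than intended."""
    return [str(ipaddress.ip_network(r, strict=True)) for r in routes]


def auth_key_request(tags: List[str], expiry_seconds: int = 3600,
                     description: str = "headless enrollment") -> Dict:
    """Body for creating a key scoped to the minimum one enrollment needs:
    single-use, short-lived, pre-authorized, and only able to create nodes
    that carry the given tags (so the node becomes a server, not a device)."""
    return {
        "capabilities": {"devices": {"create": {
            "reusable": False,
            "ephemeral": False,
            "preauthorized": True,
            "tags": [validate_tag(t) for t in tags],
        }}},
        "expirySeconds": expiry_seconds,
        "description": description,
    }


def enrollment_command(auth_key: str, tags: List[str], hostname: str,
                       routes: Optional[List[str]] = None) -> List[str]:
    """argv for `tailscale up` on the server; routes turns it into a subnet router."""
    if not auth_key.startswith(AUTH_KEY_PREFIX):
        raise ValueError("not an auth key (expected tskey-auth-... form)")
    cmd = [
        "tailscale", "up",
        f"--auth-key={auth_key}",
        f"--hostname={hostname}",
        f"--advertise-tags={','.join(validate_tag(t) for t in tags)}",
    ]
    if routes:
        cmd.append(f"--advertise-routes={','.join(validate_routes(routes))}")
    return cmd


def enroll(auth_key: str, tags: List[str], hostname: str,
           routes: Optional[List[str]] = None, dry_run: bool = True) -> List[str]:
    """Run the enrollment, or just return the argv when dry_run is set."""
    cmd = enrollment_command(auth_key, tags, hostname, routes)
    if not dry_run:
        subprocess.run(cmd, check=True)   # needs the tailscale CLI and root/sudo
    return cmd


if __name__ == "__main__":
    # Constructed placeholder key; a real one comes from the admin console or API.
    print(" ".join(enroll("tskey-auth-PLACEHOLDER", ["tag:server"], "nas",
                          routes=["192.168.1.0/24"])))
```

Two design choices matter here. The key is single-use and expires within the hour, so a leaked enrollment script cannot be replayed later to add a rogue node; and the routes are parsed with `strict=True`, so a host address mistyped as a route is rejected instead of quietly advertising the whole /24 it sits in. On a Linux subnet router, IP forwarding (`net.ipv4.ip_forward=1`) must also be enabled, and the advertised route still has to be approved in the admin console before other nodes use it.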

I’ll need to check into the features later.

Conclusion

Migrating to Tailscale was a leap of faith, but I’m very happy I did it. My setup has improved a lot, both in terms of privacy and security. It is also much simpler regarding my requirements. I encourage you to have a look.

To go further

Originally published at A Java Geek on January 11th, 2026
