noduerme 4 days ago

This seems really interesting for managing a lot of remote dev boxes or something like that...

So, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale, where pretty much any service I want to test privately is located on some particular device, like a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. Tailscale doesn't?

fossorialowen 4 days ago | parent | next [-]

Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than an SSH tunnel - and more to get public users into your application. Meaning if you had an internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser, this could be a good tool to use. Does that make sense?

barbazoo 4 days ago | parent | next [-]

I'm using nginx proxy manager as a reverse proxy and SSL terminus for exactly that: Immich, Home Assistant, etc. What would I gain from your solution?

fossorialowen 4 days ago | parent [-]

I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.

Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.

wredcoll 3 days ago | parent | prev | next [-]

If you have an internal app or homelab app or whatever, why don't you just... route to it? Configure your firewall to let traffic in and out?

I get there's a tunnel provided by this sort of software, I just don't understand how so many people actually need one.

zerd 3 days ago | parent [-]

My ISP blocks ports 25, 80 and 443, so I need to tunnel those. Some don't want to expose their IP directly. If you have a dynamic IP, you don't have to update the IP in DNS (since the "application" connects to the tunnel endpoint).

noduerme 4 days ago | parent | prev [-]

That makes a ton of sense actually! I'm excited to give it a try!

j45 4 days ago | parent | prev | next [-]

Tailscale (and headscale) is great for internal access to something that might not have public internet access. Others have mentioned an example of keeping a NAS off the public internet.

Cloudflare tunnels help expose a service to the internet with a bit more protection.

I have seen folks use both tailscale to access the backend and the public side is only Cloudflare tunnels.

It’s not unreasonable to point Cloudflare tunnels to a central and internal nginx proxy manager.

Tailscale can route the public internet into your services too, but the protections in Cloudflare are likely a little more robust.

Pangolin looks interesting enough to try out; it could run behind Cloudflare tunnels while testing and then be moved out.

Lord_Zero 3 days ago | parent [-]

I'm using caprover on a Linux VM with Tailscale and Cloudflare. Works great, it does require some tinkering because caprover doesn't like not being in control of SSL, and the nginx configs need to be manually edited per app if you want to set up headers for Cloudflare real IP and stuff.
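The "headers for Cloudflare real IP" step in the comment above is where the security-relevant mistake usually happens: if the proxy honours CF-Connecting-IP (or X-Forwarded-For) from any TCP peer, anyone who discovers the origin's address can forge a client IP and walk past IP allowlists, rate limits and fail2ban-style bans. The following is an added Python example, not code from the thread, from caprover, or from Cloudflare; it shows the trusted-hop rule that nginx's realip module expresses with `set_real_ip_from` and `real_ip_header`. The loopback trusted set is an assumption that cloudflared runs on the same host as the proxy; the 198.51.100.0/24 "edge" range and every client address below are constructed placeholders, not Cloudflare's published ranges.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Sequence, Tuple

# Assumption (not from the thread): the cloudflared tunnel terminates on the
# same host as the reverse proxy, so loopback is the only peer that may assert
# a client IP on the proxy's behalf.
TUNNEL_TRUSTED_HOPS = ("127.0.0.1/32", "::1/128")

# Constructed placeholder for "addresses the Cloudflare edge connects from"
# in a non-tunnel deployment. NOT Cloudflare's real ranges: load those from
# https://www.cloudflare.com/ips-v4 and /ips-v6 at deploy time.
EXAMPLE_EDGE_HOPS = ("198.51.100.0/24",)


def _parse(addr: str) -> Optional[ipaddress._BaseAddress]:
    """Parse an IPv4/IPv6 literal; return None for anything else."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _in_any(ip: ipaddress._BaseAddress, networks: Iterable[str]) -> bool:
    # `ip in network` is False for mismatched address families, so mixing
    # v4 and v6 entries in the trusted list is safe.
    return any(ip in ipaddress.ip_network(n) for n in networks)


def client_ip(peer: str, headers: Mapping[str, str], trusted_hops: Iterable[str],
              header: str = "CF-Connecting-IP") -> str:
    """Return the address to log, rate-limit and allowlist on.

    The proxy-supplied header is honoured only when the TCP peer is one of
    the trusted hops. From any other peer the header is attacker-controlled,
    so the peer address itself is the client. This mirrors nginx's
    set_real_ip_from + real_ip_header semantics.
    """
    peer_ip = _parse(peer)
    if peer_ip is None:
        raise ValueError(f"bad peer address: {peer!r}")
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    asserted = _parse(lowered.get(header.lower(), ""))
    if asserted is not None and _in_any(peer_ip, trusted_hops):
        return str(asserted)
    return str(peer_ip)


# Constructed sample connections: (TCP peer address, request headers).
SAMPLE_CONNECTIONS: Sequence[Tuple[str, Mapping[str, str]]] = (
    # 1. Legitimate request that arrived through the local cloudflared tunnel.
    ("127.0.0.1", {"CF-Connecting-IP": "203.0.113.7", "Host": "immich.example.test"}),
    # 2. Spoof attempt: origin reached directly, header forged to look local.
    ("192.0.2.44", {"CF-Connecting-IP": "127.0.0.1", "Host": "immich.example.test"}),
    # 3. Trusted hop but header missing or garbage: fall back to the peer.
    ("127.0.0.1", {"cf-connecting-ip": "not-an-ip"}),
    # 4. Arrived from the placeholder edge range with an IPv6 client.
    ("198.51.100.9", {"CF-Connecting-IP": "2001:db8::1234"}),
)


def resolve_all(connections: Sequence[Tuple[str, Mapping[str, str]]],
                trusted_hops: Iterable[str]) -> list:
    """Resolve the client IP for every sample connection with one trust policy."""
    return [client_ip(peer, hdrs, trusted_hops) for peer, hdrs in connections]


if __name__ == "__main__":
    print("tunnel-only trust policy:")
    for (peer, _), ip in zip(SAMPLE_CONNECTIONS,
                             resolve_all(SAMPLE_CONNECTIONS, TUNNEL_TRUSTED_HOPS)):
        print(f"  peer {peer:>14} -> client {ip}")
    print("tunnel + edge-range trust policy:")
    for (peer, _), ip in zip(SAMPLE_CONNECTIONS,
                             resolve_all(SAMPLE_CONNECTIONS,
                                         TUNNEL_TRUSTED_HOPS + EXAMPLE_EDGE_HOPS)):
        print(f"  peer {peer:>14} -> client {ip}")
```

Under the tunnel-only policy the forged header from 192.0.2.44 is ignored and that connection is attributed to 192.0.2.44 itself, while the IPv6 client behind the placeholder edge range is only recognised once that range is added to the trusted set. In nginx the tunnel case is `set_real_ip_from 127.0.0.1;` plus `real_ip_header CF-Connecting-IP;`; listing Cloudflare's public ranges instead is only correct when the edge reaches the origin over the internet rather than through cloudflared.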

j45 2 days ago | parent [-]

Sounds like a nice setup.

I like being able to choose if I don’t want to maintain or think about it again, then going one direction.

If it’s something I will be tinkering with, a different direction is better.

mbesto 4 days ago | parent | prev | next [-]

I use CF tunnels pretty extensively with my home unraid server.

The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.

It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.

jonotime 4 days ago | parent | next [-]

Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.

omnimus 4 days ago | parent | next [-]

My guess is that teaching and convincing someone to install tailscale on every device they need access is a lot harder than sending a link.

That's why I use Pangolin.

noduerme 4 days ago | parent | prev [-]

Tailscale and Plex do not play nicely, particularly since Plex implemented a bunch of shit to try to charge users for accessing their own files outside what it considers a local network. Switching to Jellyfin is on my maintenance list. It's very understandable that if you had given a family member access to your Plex server before this year and it "just worked" you might look now at Tailscale as a way to put them on your LAN and then decide that the complexity isn't worth it, given the hoops that Plex had apparently gone through to make that a non-viable option.

Fuck Plex, by the way. Good on them for building up and turning themselves into a streaming service of sorts. Add value and I'll pay for it. But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files? Seriously, they can go to hell. No one streaming movie files to their family is doing so because they love paying middle-men, by the way. And no core function of Plex can't be done freely.

wredcoll 3 days ago | parent | next [-]

I don't want to defend plex too hard, but I was super confused by what you were talking about:

> But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files

I have a plex server that a dozen of my friends and family use and none of them have to pay a cent to access it.

Then after thinking about it a bit longer, I remembered that plex was making some kind of distinction about "members of a household", apparently called Plex Home [1].

I'm not sure what benefits you get from using it, since I haven't bothered trying to see what it needs to work.

Long story short, however, is if you just have your family members sign up for their own plex account, then add them to your plex server as a separate user, things will continue to Just Work and do so for free.

noduerme 3 days ago | parent [-]

I haven't found this to be the case. I use the free plex server on Windows and MacOS, and connect to my home boxes from my phone. Prior to April 2025, I could stream on my phone from my Plex servers anytime. Since the last update, attempting to stream from any device that's not on the same LAN as the server pops up a window asking you to subscribe if you want to stream "remotely". This is even in cases where nothing is being sent through Plex's servers except for signaling data. It is only possible to stream over the internet for free now if you tunnel to that server, make it your tailscale exit node, and use the web app, not the mobile app.

I'm not sure what the deal is with Plex Home but maybe they grandfathered in some kinds of older accounts. At this point though, it no longer appears to be a free option to easily stream from your home server if you're setting it up fresh or have a regular account.

wredcoll 2 days ago | parent [-]

Are you connected via the same account or a separate one added as a friend or whatever?

jonotime 3 days ago | parent | prev | next [-]

Ah ok. Admittedly I don't host a media server, so it sounds like Plex brings new challenges.

I would just prefer to not have to publicly expose a service for a single user. In my case, when sharing an image server with family it has been easy enough to walk them through installing Tailscale on the Windows desktop that they use. I love adding friends and fam to my tailnet. It then also makes it easier to log in and troubleshoot their issues later too.

It looks like CF's solution for restricted public access is CF Access control, but that's still publicly exposed. Their non-public option is WARP, but that requires installation on the client machine. At that point your user setup is even harder than Tailscale.

subscribed 4 days ago | parent | prev [-]

To me, another huge no-no is the apparent lack of option to stop Plex from sending all the filenames to the mothership.

hexfish 4 days ago | parent | prev [-]

Are you aware that serving media streams over the tunnel might be against the ToS? This is what kept me from using it tbh.
