Both Tailscale and Cloudflare Tunnel (cloudflared) offer free tiers that are popular among self-hosters and home lab enthusiasts. But they work differently under the hood, and each has its strengths. In this guide, I’ll break down the key differences so you can pick the right tool for your setup.
🧰 What You’ll Need
- A service or device you want to expose remotely (NAS, home server, IoT devices)
- A domain (optional but recommended for Cloudflare Tunnel)
- Basic comfort with command line / Docker
⚙️ How They Work: Architecture
Tailscale — Mesh VPN
Tailscale creates a mesh VPN — a virtual private network where devices connect directly to each other peer-to-peer. Traffic flows encrypted from device to device; when a direct path isn’t possible it goes through a Tailscale relay, still encrypted end to end, so no middleman can read it. Tailscale uses WireGuard under the hood for end-to-end encryption.
Cloudflare Tunnel — Reverse Proxy
Cloudflare Tunnel (cloudflared) works as a reverse proxy. Your service connects to Cloudflare’s network, and users access it through Cloudflare’s edge servers. All traffic passes through Cloudflare, which means Cloudflare can inspect it, but it also gives you Cloudflare’s DDoS protection and caching.
⚙️ Free Tier Comparison
Tailscale (Personal Plan)
| Feature | Limit |
|---|---|
| Users | 1 |
| Devices | 100 |
| Subnet routers | Unlimited |
| Exit nodes | Yes |
| Monthly traffic | Unlimited |
| Open source | Yes (clients) |
Source: Tailscale Pricing
Cloudflare Tunnel (Zero Trust Free)
| Feature | Limit |
|---|---|
| Access seats | 50 |
| Tunnels | 1,000 |
| Access applications | 500 |
| DNS policies | 500 |
| Network policies | 500 |
| Identity providers | 50 |
Source: Cloudflare Account Limits
🔐 Security Model
Tailscale
- End-to-end encryption: Traffic is encrypted between devices. Tailscale servers cannot see your data.
- WireGuard protocol: Modern, fast, and secure.
- No packet inspection: Tailscale cannot inspect your traffic — it’s truly private.
Cloudflare Tunnel
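- Zero Trust: With an Access policy in front of the application, every request is authenticated, even if it’s already on your network. A tunnel hostname without a policy is reachable by anyone on the internet.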
- Packet inspection: Because traffic flows through Cloudflare, they can inspect and filter traffic.
- DDoS protection: Cloudflare’s global network provides free DDoS mitigation.
🌐 Performance
Tailscale
- Peer-to-peer: Direct connections between devices typically offer the lowest latency.
- Relays only when needed: If direct connection isn’t possible (NAT/firewall), Tailscale uses relays.
- Exit nodes: Can route all traffic through an exit node for VPN-like functionality.
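To check which peers are actually connected directly and which are falling back to a relay, this added example (not part of the original guide and not Tailscale's own code) classifies peers from `tailscale status --json` output. The sample data is constructed and `classify_peers` is a hypothetical helper name; `Online`, `Active`, `CurAddr` and `Relay` are fields that command emits for each peer.

```python
import json
import sys

# Constructed sample shaped like `tailscale status --json` output, trimmed to
# the fields used here. Hostnames, keys and addresses are made up.
SAMPLE = json.loads("""
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas", "Online": true, "Active": true,
                     "CurAddr": "192.0.2.10:41641", "Relay": "fra"},
    "nodekey:bbbb": {"HostName": "laptop", "Online": true, "Active": true,
                     "CurAddr": "", "Relay": "nyc"},
    "nodekey:cccc": {"HostName": "pi", "Online": true, "Active": false,
                     "CurAddr": "", "Relay": "fra"},
    "nodekey:dddd": {"HostName": "old-phone", "Online": false, "Active": false,
                     "CurAddr": "", "Relay": ""}
  }
}
""")


def classify_peers(status):
    """Map each peer hostname to 'direct', 'relay:<region>', 'idle' or 'offline'."""
    result = {}
    # "Peer" can be null when the node has no peers, hence the `or {}`.
    for peer in (status.get("Peer") or {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif not peer.get("Active"):
            # No recent traffic, so no path is currently in use.
            result[name] = "idle"
        elif peer.get("CurAddr"):
            # A current endpoint address means a direct peer-to-peer path.
            result[name] = "direct"
        elif peer.get("Relay"):
            # Active but no direct endpoint: traffic goes via this relay region.
            result[name] = "relay:" + peer["Relay"]
        else:
            result[name] = "unknown"
    return result


if __name__ == "__main__":
    # Pipe real output in, e.g. `tailscale status --json | python3 paths.py`
    # (paths.py is a placeholder file name), or run bare to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for host, path in sorted(classify_peers(data).items()):
        print(f"{host:12} {path}")
```

Peers that stay on a relay are still end-to-end encrypted but will usually see higher latency than direct ones.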
Cloudflare Tunnel
- Proxied: All traffic goes through Cloudflare’s edge — can add latency.
- Global network: Cloudflare has servers worldwide, which can reduce latency for users far from your home.
- No peer-to-peer: Not a VPN replacement.
💸 Cost
Both are free for personal use with no time limits.
✅ Which Should You Choose?
| Scenario | Recommended |
|---|---|
| Remote access to home network | Tailscale |
| Exposing services to the internet | Cloudflare Tunnel |
| Need VPN-style full network access | Tailscale |
| Want DDoS protection | Cloudflare Tunnel |
| Privacy-sensitive (no packet inspection) | Tailscale |
| Need to expose multiple services publicly | Cloudflare Tunnel |
| Single user, multiple devices | Tailscale |
| Team access (up to 50 users) | Cloudflare Tunnel |
📝 Summary
- Tailscale is ideal if you want a true VPN experience — secure, private, peer-to-peer connections with no middleman. Great for accessing your home network from anywhere.
- Cloudflare Tunnel is better for exposing services to the public internet with built-in security, DDoS protection, and the ability to manage access policies.
Both are excellent free options. Choose based on whether you need remote network access (Tailscale) or public-facing service exposure with Zero Trust controls (Cloudflare Tunnel).