I Finally Understand Cloudflare Zero Trust Tunnels

Postedabout 2 months agoActiveabout 2 months ago

eustoria

308 points

107 comments

david.coffeeTechstoryHigh profile

calmmixed

Debate

70/100

Cloudflare Zero Trust TunnelsNetworkingSecuritySelf-Hosting

Key topics

Cloudflare Zero Trust Tunnels

Networking

Security

Self-Hosting

The post explains Cloudflare Zero Trust tunnels, sparking a discussion on their benefits, limitations, and comparisons to alternative solutions like Tailscale and Netbird.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

10h

Peak period

12-18h

Avg / period

2.1

Comment distribution15 data points

Loading chart...

Based on 15 loaded comments

Key moments

01Story posted
Nov 16, 2025 at 12:39 PM EST
about 2 months ago
Step 01
02First comment
Nov 16, 2025 at 10:35 PM EST
10h after posting
Step 02
03Peak activity
5 comments in 12-18h
Hottest window of the conversation
Step 03
04Latest activity
Nov 18, 2025 at 7:50 PM EST
about 2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (107 comments)

Showing 15 comments of 107

siwatanejo

about 2 months ago

1 reply

But is this vendor-lockin, as in CloudFlare being the vendor here? Because at least with Tailscale there's no vendor lock-in.

siwatanejo

about 2 months ago

1 reply

Actually, seems TailScale is also a vendor? huh, and I thought it was an opensource project...

wg0

about 2 months ago

Tailscale is almost open source with Wireguard itself being open source.

- Most of the clients are open source probably. - Tailscale allows you to run custom control server of your own. - One open source control server "headscale" is sponsored by Tailscale themselves.

jijji

about 2 months ago

1 reply

what's the difference between this and a reverse SSH tunnel, for example making a local port on your laptop accessible to a public-facing internet server or even running on localhost on that same server... or using sshuttle to access your local network from a remote server

ghoshbishakh

about 2 months ago

Zero trust is a marketing term used by them - surprisingly it has nothing to do with end-to-end encryption also.

mrbluecoat

about 2 months ago

1 reply

I stopped reading at "everything goes through the Cloudflare network, no direct p2p"

https://github.com/alecbcs/hyprspace has penetrated every NAT I've ever encountered. No megacorporation required.

8organicbits

about 2 months ago

That project appears abandoned and unmaintained.

sylens

about 2 months ago

1 reply

I've experimented with Cloudflare tunnels before to sit in front of my Immich instance in my homelab. Only issue is the 100MB upload size for videos. But Immich added upload chunking support to their roadmap so its possible this will work very well in the future.

ranguna

about 2 months ago

Immich also has the ability to use different domains for different networks. Meaning that I connect directly to my server when I'm connected to my local home network and connect through cloudflare when I'm out of my house.

This way I can upload big videos when I get home.

favflam

about 2 months ago

Don't ISPs now provide ipv6 addresses? Why not just connect directly home via ipv6 address. I think many ISPs in Asia where ipv4 addresses are scarce have been moving to MAP-e, which is ipv6 centric.

I don't see why I want to loop in a 3rd party to connect back to my house.

jumski

about 2 months ago

I'm using Netbird [0] for my home / private needs: - Synology NAS - All the laptops and desktops my family uses - All family mobile phones

Given i work in Tmux, its super convenient to take a laptop with me and just use it as a thin client to my Desktop wherever I am.

[0] https://netbird.io/

iku

about 2 months ago

Thanks a lot. Both the post itself and the comments are very useful. Can't really comment on the content at this post; but the images in the article seem to be broken — produce 404 errors. Like this one: https://david.coffee/targets-config-screen.png

youngbum

about 2 months ago

Big fan of Cloudflare Tunnel here, too.

We use our Windows workstations as WSL SSH tunnels, protected with email verification (only for our domain), and it’s been working perfectly.

I’m curious, though, about how we can expose Docker services. It would be fantastic to have a remote build server set up with Cloudflare Tunnel.

suckow

about 2 months ago

Oh man, someone has to talk about this!! Cory told me about CF's gold issues and it really does seem problematic to me, I'm glad ZT is finally being criticised.

HenriTEL

about 2 months ago

With that it becomes clear that some service is self hosted (the DNS record points to a private IP). It can be a security issue when the Whois record or the domain name allows the identification of the hosting entity. Finding its physical address can be an easy task depending on its social presence.

Then probably the hosting place is an easier target than a data center.

92 more comments available on Hacker News

View full discussion on Hacker News

ID: 45946865Type: storyLast synced: 11/20/2025, 5:42:25 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN