Posted 11/16/2025, 5:39:43 PM

I finally understand Cloudflare Zero Trust tunnels

56 points
16 comments

Mood: supportive

Sentiment: positive

Category: tech

Key topics: Cloudflare, Zero Trust, Networking, Security

Debate intensity: 20/100

The author shares their newfound understanding of Cloudflare Zero Trust tunnels, providing a resource for others to learn about the technology. The post has garnered a positive response from the community.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment: 10h after posting

Peak period: 11 comments on Day 1

Avg / period: 5

Comment distribution: 15 data points (based on 15 loaded comments)

Key moments

  1. Story posted: 11/16/2025, 5:39:43 PM (2d ago)
  2. First comment: 11/17/2025, 3:35:23 AM (10h after posting)
  3. Peak activity: 11 comments in Day 1 (hottest window of the conversation)
  4. Latest activity: 11/19/2025, 12:50:21 AM (9h ago)


Discussion (16 comments)
Showing 15 comments of 16
siwatanejo
2d ago
1 reply
But is this vendor lock-in, as in CloudFlare being the vendor here? Because at least with Tailscale there's no vendor lock-in.
siwatanejo
2d ago
1 reply
Actually, seems TailScale is also a vendor? huh, and I thought it was an open-source project...
wg0
2d ago
Tailscale is almost open source with Wireguard itself being open source.

- Most of the clients are open source probably.
- Tailscale allows you to run a custom control server of your own.
- One open source control server, "headscale", is sponsored by Tailscale themselves.

jijji
2d ago
1 reply
what's the difference between this and a reverse SSH tunnel, for example making a local port on your laptop accessible to a public-facing internet server or even running on localhost on that same server... or using sshuttle to access your local network from a remote server
ghoshbishakh
2d ago
Zero trust is a marketing term used by them - surprisingly, it has nothing to do with end-to-end encryption either.
mrbluecoat
1d ago
1 reply
I stopped reading at "everything goes through the Cloudflare network, no direct p2p"

https://github.com/alecbcs/hyprspace has penetrated every NAT I've ever encountered. No megacorporation required.

8organicbits
1d ago
That project appears abandoned and unmaintained.
sylens
1d ago
1 reply
I've experimented with Cloudflare tunnels before to sit in front of my Immich instance in my homelab. Only issue is the 100 MB upload size for videos. But Immich added upload chunking support to their roadmap so it's possible this will work very well in the future.
ranguna
1d ago
Immich also has the ability to use different domains for different networks. Meaning that I connect directly to my server when I'm connected to my local home network and connect through cloudflare when I'm out of my house.

This way I can upload big videos when I get home.

favflam
9h ago
Don't ISPs now provide IPv6 addresses? Why not just connect directly home via IPv6 address. I think many ISPs in Asia where IPv4 addresses are scarce have been moving to MAP-E, which is IPv6 centric.

I don't see why I want to loop in a 3rd party to connect back to my house.

jumski
1d ago
I'm using Netbird [0] for my home / private needs:

- Synology NAS
- All the laptops and desktops my family uses
- All family mobile phones

Given I work in tmux, it's super convenient to take a laptop with me and just use it as a thin client to my Desktop wherever I am.

[0] https://netbird.io/

iku
2d ago
Thanks a lot. Both the post itself and the comments are very useful. Can't really comment on the content at this post; but the images in the article seem to be broken — produce 404 errors. Like this one: https://david.coffee/targets-config-screen.png
youngbum
1d ago
Big fan of Cloudflare Tunnel here, too.

We use our Windows workstations as WSL SSH tunnels, protected with email verification (only for our domain), and it’s been working perfectly.

I’m curious, though, about how we can expose Docker services. It would be fantastic to have a remote build server set up with Cloudflare Tunnel.
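
On exposing Docker services through a tunnel, as asked in the comment above: cloudflared decides where a request goes by walking the `ingress` rules in its config.yml in order and forwarding to the first rule whose hostname (and optional path regex) matches, and the list has to end in a catch-all rule. The block below is an added example written for this page, not code from the linked article or from Cloudflare; it models that first-match routing over a constructed rule set so the ordering, the catch-all and the reachability of each rule can be checked before the config is deployed. The hostnames, the assumed Docker compose service names (`immich-server`, `buildkit`, `build-ui`) and the ports are assumptions, and wildcard hostnames are modelled as suffix matches, which is this example's reading of cloudflared's behaviour and should be confirmed against the real config with `cloudflared tunnel ingress rule <url>`.

```python
"""Model of cloudflared ingress matching (added example, not cloudflared's code).

Rules are the Python form of the `ingress:` list in a cloudflared config.yml.
Hostnames, service names and ports below are assumptions.
"""
import re

# Constructed ingress list. immich-server, buildkit and build-ui are assumed
# compose service names that the cloudflared container can resolve directly,
# so nothing has to be published on the host.
INGRESS = [
    {"hostname": "immich.example.com", "service": "http://immich-server:2283"},
    {"hostname": "build.example.com", "path": r"^/api/.*", "service": "http://buildkit:1234"},
    {"hostname": "build.example.com", "service": "http://build-ui:8080"},
    {"hostname": "*.lab.example.com", "service": "http://localhost:8080"},
    {"service": "http_status:404"},  # catch-all: must be last
]

# Service URL schemes this checker accepts (a subset of what cloudflared documents).
KNOWN_SCHEMES = {"http", "https", "tcp", "ssh", "rdp", "unix",
                 "http_status", "hello_world", "bastion"}


def is_catch_all(rule):
    """A rule with neither hostname nor path matches every request."""
    return "hostname" not in rule and "path" not in rule


def host_matches(pattern, host):
    """Exact match, or a '*.example.com' wildcard modelled as a suffix match (assumption)."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".lab.example.com"
    return False


def validate_ingress(rules):
    """Return a list of problems; an empty list means the rule order is sound."""
    problems = []
    if not rules:
        return ["ingress list is empty"]
    if not is_catch_all(rules[-1]):
        problems.append("last rule must be a catch-all (no hostname, no path)")
    blanket = set()  # hostnames already fully claimed by a rule without a path
    for i, rule in enumerate(rules):
        service = rule.get("service")
        if not service:
            problems.append(f"rule {i}: missing service")
            continue
        scheme = service.split(":", 1)[0]
        if scheme not in KNOWN_SCHEMES:
            problems.append(f"rule {i}: unknown service scheme {scheme!r}")
        if "path" in rule:
            try:
                re.compile(rule["path"])
            except re.error as exc:
                problems.append(f"rule {i}: bad path regex: {exc}")
        last = i == len(rules) - 1
        if is_catch_all(rule) and not last:
            problems.append(f"rule {i}: catch-all before the end shadows every later rule")
        host = rule.get("hostname")
        if host in blanket:
            problems.append(f"rule {i}: unreachable, an earlier rule already takes all of {host}")
        if host and "path" not in rule:
            blanket.add(host)
        if last and is_catch_all(rule) and scheme != "http_status":
            problems.append("warning: catch-all forwards every unmatched hostname to an origin; "
                            "prefer http_status:404")
    return problems


def route(rules, host, path="/"):
    """Service the request would be forwarded to: the first matching rule wins."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern and not host_matches(pattern, host):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    raise ValueError("no rule matched; the config lacks a catch-all")


# Constructed misordered list: the catch-all comes first and shadows the rest.
BAD_INGRESS = [
    {"service": "http://immich-server:2283"},
    {"hostname": "immich.example.com", "service": "http://immich-server:2283"},
]

if __name__ == "__main__":
    print("problems:", validate_ingress(INGRESS) or "none")
    for host, path in [("immich.example.com", "/"), ("build.example.com", "/api/v1/jobs"),
                       ("build.example.com", "/"), ("x.lab.example.com", "/"),
                       ("unknown.example.com", "/")]:
        print(f"{host}{path} -> {route(INGRESS, host, path)}")
    print("bad config problems:", validate_ingress(BAD_INGRESS))
```

The real checks are `cloudflared tunnel ingress validate` for the config file and `cloudflared tunnel ingress rule <url>` for a single request; the model above only makes the ordering mistakes visible in code review. Two things worth keeping from it: the catch-all should return `http_status:404` rather than forward to an origin, because any hostname routed to the tunnel ID reaches the catch-all, and the tunnel itself only proxies traffic, so a Cloudflare Access policy (the email verification mentioned above) still has to sit in front of each published hostname.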

suckow
1d ago
Oh man, someone has to talk about this!! Cory told me about CF's gold issues and it really does seem problematic to me, I'm glad ZT is finally being criticised.
HenriTEL
22h ago
With that it becomes clear that some service is self-hosted (the DNS record points to a private IP). It can be a security issue when the Whois record or the domain name allows the identification of the hosting entity. Finding its physical address can be an easy task depending on its social presence.

Then probably the hosting place is an easier target than a data center.
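
A check for the leak described in the comment above, which also applies to the split-DNS setup in the earlier Immich comment (a LAN name published so the client connects directly at home): scan a zone export for A/AAAA records carrying RFC 1918, CGNAT, loopback, link-local or ULA addresses. This is an added example written for this page, not code from the linked article; the zone text, its names and the tunnel ID in the CNAME target are constructed placeholders.

```python
"""Audit a DNS zone for records that reveal a self-hosted origin (added example)."""
import ipaddress

# Constructed zone export in BIND presentation format. Every name, address and
# the tunnel ID in the CNAME target is a placeholder.
ZONE_TEXT = """\
; constructed example zone
immich.example.com.      300 IN CNAME 00000000-0000-0000-0000-000000000000.cfargotunnel.com.
immich.lan.example.com.  300 IN A     192.168.1.20
nas.example.com.         300 IN AAAA  fd12:3456:789a::1
ts.example.com.          300 IN A     100.101.102.103
www.example.com.         300 IN A     203.0.113.10
v6.example.com.          300 IN AAAA  2001:db8::1
"""

# Ranges that should never appear in a public zone. Listed explicitly rather
# than using ipaddress' is_private, which also treats the documentation ranges
# used above (203.0.113.0/24, 2001:db8::/32) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 CGNAT; Tailscale assigns from here
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique local addresses
)]


def parse_zone(text):
    """Parse 'name ttl class type value' lines into (name, type, value) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _ttl, _cls, rtype, value = line.split(maxsplit=4)
        records.append((name, rtype.upper(), value))
    return records


def is_internal(addr):
    """True if the address falls in any range that identifies a LAN or overlay host."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(rtype, value):
    if rtype in ("A", "AAAA") and is_internal(value):
        return "internal-ip"        # names the LAN/overlay address of the origin
    if rtype == "CNAME" and value.rstrip(".").endswith(".cfargotunnel.com"):
        return "cloudflare-tunnel"  # reveals only that a Cloudflare Tunnel fronts the name
    return "public"


def find_leaks(text):
    """Records whose published address points into a private network."""
    return [(name, rtype, value) for name, rtype, value in parse_zone(text)
            if classify(rtype, value) == "internal-ip"]


if __name__ == "__main__":
    for name, rtype, value in parse_zone(ZONE_TEXT):
        print(f"{classify(rtype, value):17} {name} {rtype} {value}")
```

A CNAME to `<tunnel-id>.cfargotunnel.com` tells an observer only that a tunnel is in use, and Cloudflare's edge address is what they reach; an A record with a 192.168.x.x, fd00::/8 or 100.64.0.0/10 address tells them the origin sits on a home or office LAN (or a Tailscale-style overlay) and what its internal address is, which is exactly the clue the comment above warns about. LAN-only names belong in a resolver that answers only on the LAN, not in the public zone.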

1 more comment available on Hacker News

ID: 45946865 · Type: story · Last synced: 11/16/2025, 9:42:59 PM
