# VPN & Secure Access

## Problem

Internal services need:

- Secure remote access
- No public exposure
- Access control
- Minimal client setup
## Solutions

### Cloudflare Tunnel

- **What:** Outbound-only tunnel, browser-based access
- **Pros:** Zero client config, built-in auth, free (50 users)
- **Cons:** HTTP/HTTPS only, vendor lock-in
- **Cost:** Free (50 users), $7/user/month for advanced
- **Use for:** Web dashboards that need easy access

### Tailscale

- **What:** WireGuard-based mesh VPN
- **Pros:** All protocols (SSH, databases), peer-to-peer, free tier
- **Cons:** Requires client app
- **Cost:** Free (personal), $6/user/month (team)
- **Use for:** Infrastructure access (SSH, databases, internal APIs)

### WireGuard (Self-Managed)

- **What:** Manual VPN setup
- **Pros:** Full control, zero cost
- **Cons:** Manual setup, no UI, time-intensive
- **Cost:** Free (labor cost)
- **Use for:** Maximum control requirements

## Recommended

Hybrid approach:

- Cloudflare Tunnel: Public-facing dashboards
- Tailscale: Infrastructure access (SSH, databases)

Cost: $0/month (both free tiers)
## Setup

### Cloudflare Tunnel

```bash
# Install
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
sudo mv cloudflared /usr/local/bin/
sudo chmod +x /usr/local/bin/cloudflared

# Create tunnel (login opens a browser to authorise the tunnel against your zone)
cloudflared tunnel login
cloudflared tunnel create internal

# Configure: ingress rules are matched top to bottom; the last rule must be a
# catch-all with no hostname, otherwise cloudflared rejects the config.
cat > ~/.cloudflared/config.yml <<EOF
tunnel: <tunnel-id>
credentials-file: ~/.cloudflared/<tunnel-id>.json
ingress:
  - hostname: analytics.example.com
    service: http://localhost:3000
  - service: http_status:404
EOF

# Check the ingress rules before starting anything
cloudflared tunnel ingress validate

# Publish a DNS record that points the hostname at this tunnel
cloudflared tunnel route dns internal analytics.example.com

# Run as service (installs a systemd unit; the service runs as root and reads
# the config copied into /etc/cloudflared/)
sudo cloudflared service install
```
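The ingress list above is only useful if the rule order is right: cloudflared evaluates rules top to bottom, the first hostname match wins, and the final rule must be a catch-all so unmatched hostnames get a 404 instead of an accidental backend. The following is an added example, not cloudflared's own code, that applies those documented rules to an ingress list expressed as Python dicts (a constructed copy of the page's config plus a wildcard rule) so it runs without a YAML library. The wildcard matching here is a simplified `fnmatch` approximation of cloudflared's hostname patterns.

```python
"""Added example: first-match routing and ordering check for a cloudflared-style
ingress list. Models the documented semantics (top-to-bottom, first match wins,
last rule is a catch-all); it is not cloudflared's implementation."""
import fnmatch

# Constructed ingress list: the page's two rules plus a wildcard rule.
INGRESS = [
    {"hostname": "analytics.example.com", "service": "http://localhost:3000"},
    {"hostname": "*.internal.example.com", "service": "http://localhost:8080"},
    {"service": "http_status:404"},
]


def validate_ingress(rules):
    """Return a list of ordering problems; an empty list means the list is sound."""
    problems = []
    if not rules:
        return ["ingress list is empty"]
    last = rules[-1]
    if "hostname" in last or "path" in last:
        problems.append("last rule must be a catch-all with no hostname or path")
    for i, rule in enumerate(rules[:-1]):
        if "hostname" not in rule and "path" not in rule:
            problems.append(
                f"rule {i} is a catch-all but is not last; every later rule is unreachable"
            )
    return problems


def route(rules, hostname):
    """Service chosen for hostname: first matching rule wins, catch-all matches anything."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatch.fnmatchcase(hostname, pattern):
            return rule["service"]
    return None  # only reachable if the list has no catch-all


if __name__ == "__main__":
    print("problems:", validate_ingress(INGRESS))
    for host in ("analytics.example.com", "grafana.internal.example.com", "unknown.example.com"):
        print(host, "->", route(INGRESS, host))
```

On a real host the same checks are available from the CLI: `cloudflared tunnel ingress validate` checks the config file, and `cloudflared tunnel ingress rule https://analytics.example.com` reports which rule a URL would hit.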
### Tailscale

```bash
# Install
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Access services over the tailnet (MagicDNS name: <hostname>.<tailnet>.ts.net)
ssh root@server.tail-scale.ts.net
```
## Security

### Cloudflare Access

- **Email domain:** @example.com
- **Require:** Email verification
- **Session:** 24 hours
### Tailscale ACLs

The policy is default-deny: only listed `accept` rules grant access. `group:founders` must be defined in the `groups` section or the policy fails validation (the member list below is a placeholder to fill in).

```json
{
  "groups": {
    "group:founders": ["alice@example.com"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:founders"],
      "dst": ["*:*"]
    }
  ]
}
```
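The `dst: ["*:*"]` rule gives founders every port on every node, which is convenient but is the widest grant the policy language can express. The following added example (not Tailscale's code) is a simplified evaluator of the documented ACL semantics: default deny, `accept` rules only, a request passes when some rule matches both the source identity (directly, via a group, or `*`) and the `host:port` destination. It compares the page's broad rule against a constructed least-privilege policy that only opens SSH and Postgres on one host; all users, hosts and group members are constructed placeholders.

```python
"""Added example: simplified Tailscale-style ACL evaluation (default deny,
accept rules, group expansion, host:port matching). Illustrative only; it
does not model tags, autogroups, CIDR sources or port ranges."""
import json
from typing import Iterable

# Constructed: the page's rule with a group definition added.
BROAD_POLICY = json.loads("""
{
  "groups": {"group:founders": ["alice@example.com", "bob@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:founders"], "dst": ["*:*"]}
  ]
}
""")

# Constructed: least-privilege alternative scoped to one host and two ports.
SCOPED_POLICY = json.loads("""
{
  "groups": {
    "group:founders": ["alice@example.com", "bob@example.com"],
    "group:analysts": ["carol@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:founders"], "dst": ["db-server:22", "db-server:5432"]},
    {"action": "accept", "src": ["group:analysts"], "dst": ["db-server:5432"]}
  ]
}
""")


def _expand_src(entry: str, groups: dict) -> set:
    """Resolve one src entry to the identities it covers ('*' stays a wildcard)."""
    if entry == "*":
        return {"*"}
    if entry.startswith("group:"):
        return set(groups.get(entry, []))  # undefined group matches nobody
    return {entry}


def _dst_matches(rule_dst: str, host: str, port: int) -> bool:
    """Match a 'host:port' pattern; '*' is a wildcard for either part."""
    pat_host, _, pat_port = rule_dst.rpartition(":")
    host_ok = pat_host == "*" or pat_host == host
    port_ok = pat_port == "*" or pat_port == str(port)
    return host_ok and port_ok


def is_allowed(policy: dict, user: str, host: str, port: int) -> bool:
    """Default deny: True only if some accept rule matches both src and dst."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs = set().union(*(_expand_src(s, groups) for s in rule["src"]))
        if user not in srcs and "*" not in srcs:
            continue
        if any(_dst_matches(d, host, port) for d in rule["dst"]):
            return True
    return False


def reachable_ports(policy: dict, user: str, host: str, ports: Iterable[int]) -> list:
    """Subset of ports on host that user can reach under policy."""
    return [p for p in ports if is_allowed(policy, user, host, p)]


if __name__ == "__main__":
    probe = [22, 80, 3306, 5432]
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "alice ->", reachable_ports(pol, "alice@example.com", "db-server", probe))
        print(name, "carol ->", reachable_ports(pol, "carol@example.com", "db-server", probe))
```

Running it shows the difference the `dst` list makes: under the broad policy Alice reaches every probed port while Carol (not a founder) reaches nothing; under the scoped policy Alice gets 22 and 5432 only and Carol gets 5432 only.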
### Firewall

```bash
# Deny all inbound by default; only the Tailscale range (100.64.0.0/10) gets in.
# Cloudflare Tunnel needs no inbound rule: cloudflared connects outbound.
# Run this from a Tailscale session, not the public IP, or `ufw enable` cuts you off.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 100.64.0.0/10 # Tailscale
sudo ufw enable

# Confirm the resulting rule set
sudo ufw status verbose
```