Once you've got the home lab bug and have several self-hosted services running, especially ones you might want access to at all times, like an image library, you'll want a way to reach those services when you're not on your home network. There are any number of ways to do this, and they range from very easy to much more involved.
A VPN is the best-known way of accessing your home network from afar. It creates an encrypted connection between your device and your home network, which lets you use everything as if you were at home, but the technical setup process can be complex, and there are plenty of things that can go wrong. Cloudflare Tunnel, on the other hand, is designed for easy setup, and takes only a few steps to get things connected. That's not the only way they differ though, and you might want one or the other depending on your network configuration and security needs.
Cloudflare Tunnels are simple to set up
But you do need your own domain name to get them running
Networking used to be incredibly technical, and still is under the hood, but services like Cloudflare Tunnel make things simple. You start the process from the Cloudflare Dashboard, and create a Tunnel that gives you a client file to install on your internal network. It's that client that does all the hard work of traversing NAT, firewalls, and other restrictions to let you connect to your self-hosted services using your own domain name.
In many ways, it's like a reverse proxy, except far easier to set up, and you can share access with a simple web address instead of having to configure clients. Plus, you can combine Tunnels with other Cloudflare Zero Trust features for authentication, so only the users you allow are able to connect to your services.
Instead of your external devices trying to connect directly to your network, they query a domain name you own that's linked to the Cloudflare Tunnel. Cloudflare then serves as a proxy between your internal LAN devices or services and the client asking for data, while keeping your IP private and protected thanks to the weight of Cloudflare's DDoS mechanisms. This makes it simple to get single web services connected securely, through a domain you control and without opening ports to the internet.
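As an added illustration (not part of the original article), this is what the hostname-to-service mapping looks like when the tunnel is driven by a local `cloudflared` config file instead of the dashboard. The hostname, local port, file path, and every bracketed value are placeholders.

```yaml
# /etc/cloudflared/config.yml: constructed example for a locally managed tunnel.
# <TUNNEL-UUID>, <TEAM-NAME> and <ACCESS-AUD-TAG> are placeholders to fill in
# from your own Cloudflare account; photos.example.com and port 2283 are assumed.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # One public hostname mapped to exactly one internal web service
  # (an image library assumed to listen on localhost:2283).
  - hostname: photos.example.com
    service: http://localhost:2283
    originRequest:
      # Make cloudflared itself reject requests that do not carry a valid
      # Cloudflare Access token, so the service is not simply public.
      access:
        required: true
        teamName: <TEAM-NAME>
        audTag:
          - <ACCESS-AUD-TAG>

  # Mandatory catch-all rule: any hostname not listed above gets a 404
  # and never reaches anything else on the LAN.
  - service: http_status:404
```

Running `cloudflared tunnel ingress validate` checks the rules before the tunnel is started. Only the services named under `ingress` are reachable, which is the per-service scoping the article contrasts with a VPN's network-wide access.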
VPNs can be more involved
Anyone who's used a VPN knows they tend to break connections at inconvenient times, and are often restricted in speed. They require open ports through your firewall to work, so they're not always as secure as they seem, and once the user is connected they have access to everything on your home network. But, they do allow you to reach all your network resources, like SMB, RDP, SSH, and others, while Cloudflare Tunnel is limited to the web app(s) it's pointed at.
Both are secure and private
But they handle this in very different ways
A VPN is one type of end-to-end tunnel for remote access, and it encrypts all data between the client and the network. Cloudflare Tunnels aren't necessarily encrypted while moving through Cloudflare's network, as they can decrypt the data at the edge. It all depends on where you want your security to live. It also depends on the network configuration at home, as VPNs can be a pain with restrictive NAT or CGNAT from your ISP or workplace, while Cloudflare Tunnel can sidestep those concerns.
| Feature | Cloudflare Tunnel | VPN |
|---|---|---|
| Firewall Ports | No need to open any inbound ports | Requires at least one open port |
| IP Exposure | Hides your real IP and uses Cloudflare's | Exposes your public IP unless you take additional steps |
| DDoS Protection | Built-in thanks to Cloudflare's network | None by default |
| Traffic Privacy | Cloudflare can decrypt and inspect all traffic at the edge, even TLS | End-to-end encrypted, only you can see the traffic |
| Access Control | Publicly accessible unless further restricted | Private, only authenticated users can connect |
| User Restrictions | Can limit the users to individual services | Once connected, users have access to your whole network |
Sometimes it's more secure to use Cloudflare Tunnel and its Zero Trust architecture to add another layer of authentication with your choice of SSO provider, so that only allowed users can reach the services being exposed. Plus, then you get DDoS and IP obfuscation out of the box, things that are complex to set up for VPNs.
Other users will prefer to have encrypted links to their home network, so they can use local resources as if they were at home. It really depends on your network, how easy it is to open firewall ports, and where your level of comfort in the various security options lies.
There's still a trade-off
Cloudflare can technically see your traffic
Cloudflare acts as a proxy when Cloudflare Tunnel is enabled, which means they could technically be inspecting your unencrypted data stream. That's a privacy concern at any level, from personal information to more regulated environments. Plus, it's not suitable for streaming or high-bandwidth content like media servers, and less flexible if you need protocols other than HTTP(S) or TCP.
VPNs encrypt all your data between your client and your network, but that means overhead, and can limit the speeds you're able to connect at. But, you do get the ability to use any network protocols you need, like SMB shares or printing. It is also the most secure option, as a self-hosted VPN is under your control for encryption so you know nobody else can see your traffic.
Cloudflare Tunnels and VPNs do a similar job but in a different way
There are many ways to access your self-hosted services from outside your network, or even from inside your home if you prefer to use the principles of Zero Trust. Cloudflare Tunnels are quick to set up, and come with a host of benefits thanks to Cloudflare, including authentication for individuals, DDoS protection, and more. But a self-hosted VPN is still the more secure option for accessing your home network and the devices or services on it, if you want to put in the extra time to set it up properly.
