I have an Unraid server at home and, for safety reasons, I tunneled everything via Cloudflare Zero Trust. I hosted a couple of traffic-heavy services such as Nextcloud, Immich and so on.
I’ve only recently found out that it’s actually against CF’s ToS and they’d throttle me most of the time. I had a hard time loading any videos from Immich and I can barely download any big files from Nextcloud despite having a Gigabit line at home.
I consider myself tech savvy, but networking has always been my Achilles heel. I just wanted something easy that can automatically deal with all the HTTPS and SSL thingamajigs. That’s why I went with CF Zero Trust, as it manages everything for me.
I looked around for a solution and a couple of names keep popping up: Twingate, ZeroTier, & Tailscale.
From what I understand so far, Twingate and ZeroTier are not what I was looking for; I do not want to install any sort of client to access my server. I then learned that I could do something similar to CF Zero Trust with Tailscale.
After a whole weekend of reading up on stuff, I’ve successfully replaced it with Tailscale. I rented the cheapest Linode VPS (nanode) closest to my home and tunneled everything through it now. And the performance has been stellar. I could stream high bitrate 4K videos from my Immich without any problems.
What’s the point of putting NGINX + tailscale? Why not just use NGINX and skip tailscale? End result is the same, no? With one less point of failure? Are you being CGNATted? I don’t get the point of this.
Just so I’m understanding: you’re using NPM on a VPS to serve your webpages to the open web and using Tailscale to tunnel between your actual server and NPM on the VPS? Is the idea to obfuscate your server a bit?
I’ve only recently found out that it’s actually against CF’s ToS and they’d throttle me most of the time.
This is wrong, you found old information, it used to be against the TOS but it’s not anymore. The issues you experienced are the bandwidth limits of the free accounts for the tunneling services.
Seems like OP just put Unraid and a VPS on the same Tailscale network, put Nginx Proxy Manager on the VPS as a reverse proxy, and then used Tailscale IPs/Hostnames as destinations.
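The setup described in this comment, written out as a plain nginx server block on the VPS (an added example, not config posted by OP or any commenter; Nginx Proxy Manager generates the equivalent from its UI). The hostname, the Unraid box’s tailnet IP and port, and the certificate paths are placeholders:

```nginx
# Added example: public VPS terminates TLS and forwards to the home Unraid host
# over the tailnet. Placeholder values: immich.example.com, tailnet IP 100.100.1.2,
# port 2283 and the Let's Encrypt paths; replace with your own.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name immich.example.com;

    ssl_certificate     /etc/letsencrypt/live/immich.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immich.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Photo/file services move large objects; disable the body-size cap and
    # proxy buffering so big uploads and video streams are not spooled to the
    # small VPS's disk.
    client_max_body_size 0;
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        # Upstream is the Unraid host's Tailscale address. The VPS can reach it
        # only because both machines are in the same tailnet; the home service
        # itself is never exposed on the public internet or through CGNAT.
        proxy_pass http://100.100.1.2:2283;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade headers (Immich uses WebSockets for live updates)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name immich.example.com;
    return 301 https://$host$request_uri;
}
```

On the Unraid side, bind the proxied services (or a firewall rule) to the tailscale0 interface so they only accept connections arriving over the tunnel.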
Mostly CGNAT proxying, by the looks of it. In this scenario OP is essentially just using Tailscale as a WireGuard tunnel through the NAT/firewall, but with Tailscale’s UDP tunnelling and easy configuration.
OP could have installed Wireguard on the proxy server and just tunnelled that way, which is probably how most people would have done it, but why not take advantage of Tailscale making things easier?
It’s more akin to a traditional VPN tunnel than to Tailscale’s “flat mesh” VPN, but I don’t see anything wrong with that. Maybe a TINY bit of extra overhead, in exchange for easier setup and configuration.
For anyone who feels comfortable setting up Wireguard directly I’d probably still just do that… but this is a neat solution for those who aren’t as confident
Since the VPS is outside of the CGNAT and could have acted as the server, OP could have actually used any VPN here: IPsec, OpenVPN, WireGuard, or any of the Tailscale-like layers would have worked fine.
Unless you’re hosting your media with them, you cannot use them as a bridge for media. It’s against their ToS to run Plex or even Immich through CF.
I’m sure you saw the one video where the guy said “it’s not against their new ToS!”, even though he was wrong and didn’t actually comprehend the new ToS.
Ahh yes, I see this now. Thanks. I wonder though, if that’s the requirement, why not use one of the many Cloudflare replacements: https://github.com/anderspitman/awesome-tunneling. Many are open source and have free SaaS, for example zrok.io.