
I finally understand Cloudflare Zero Trust tunnels

https://david.coffee/cloudflare-zero-trust-tunnels
60•eustoria•4h ago

Comments

plantinthebok•2h ago
What's the actual win here? Avoiding relay latency in the rare cases Tailscale can't punch through NAT? If that's it, a $3 VPS running Headscale seems simpler. The complexity feels like you're optimizing for the 5% case while adding permanent vendor lock-in. What am I missing?
throwaway678339•1h ago
I don't think you are missing anything. They have a bunch of half-baked features like this that aren't as robust as real security vendors and lock you in just like you said.
josteink•1h ago
Maybe I’m misunderstanding something…

But are you accusing someone of promoting vendor lock-in (cloudflare) while at the same time promoting vendor lock-in (tailscale)?

If you’re ok with vendor lock-in, shouldn’t you in theory be ok with any vendor?

bingo-bongo•1h ago
Headscale is the not-vendor-lock-in version of Tailscale.
fragmede•1h ago
No. Not all vendors are equal. We can treat ProtonMail differently than Gmail, for example. Looking at what's gone down with VMware, definitely don't get in bed with Broadcom.
killingtime74•1h ago
For many homelabbers, just being cheap and avoiding the $3 VPS, that's it
comrh•1h ago
I don't even pay anything, my tiny homelab is completely covered by the free tier
k_bx•1h ago
$3 VPS running Headscale is not simpler since you won't be able to run both headscale and tailscale on your end user machines, I don't recommend it.

The solution we've found is running a white IP container (or VPS) which looks like regular WireGuard outside, while inside it "forwards" to your existing tailscale network.

I don't remember if we use https://github.com/gravitl/netmaker or https://github.com/juhovh/tailguard

Also see: https://tailscale.com/blog/peer-relays-beta

hexbin010•1h ago
This seems like an excellent guide. I love these "how the pieces fit together" kind of guides.

Perhaps CF could license it and slap it in their docs!

jchw•1h ago
One thing that makes Cloudflare worse for home usage is it acts as a termination point for TLS, whereas Tailscale does not. If you use a Tailscale Funnel, you get the TLS certificate on your endpoint. With Cloudflare, they get a TLS certificate for you, and then strip and optionally re-add TLS as traffic passes through them.

I actually have no idea how private networks with WARP are here, but that's a pretty big privacy downgrade for tunneling from the Internet.

I also consider P2P with relay fallback to be highly desirable over always relaying traffic through a third party, too. Firstly, fewer middlemen. Secondly, it continues working even if the coordination service is unavailable.

keehun•1h ago
TLS termination is neither required nor enabled by default, right?
crimsonnoodle58•1h ago
Correct. We run it without it and just use the DNS filtering aspect.
philipwhiuk•1h ago
How does it do DNS filtering without TLS interception - takeover for DNS resolution?
jchw•23m ago
For tunnels many of the features basically have to work this way, so I'd be surprised if you could avoid it. It's also impossible to avoid if you use normal Cloudflare "protected" DNS entries. You can use Cloudflare as just a DNS server, but it's not the default; by default it will proxy everything through Cloudflare, since that's kind of the point. You can't cache HTTP requests you can't see.
yuvadam•1h ago
Tailscale now has the awesome feature of peer relays and now there's no more excuses why you can't traverse that NAT and you can forget about all those DERP servers.
qudat•45m ago
Nice article. For easily exposing private services to the internet I’ve been using https://tuns.sh which lets you run ssh tunnels. It’s nice for a zero install solution.
yegle•5m ago
Free Cloudflare account cannot be used to serve my Plex server. To me that's a no-go.

The specific term is: https://www.cloudflare.com/service-specific-terms-applicatio...

Open-source Zig book

https://www.zigbook.net
159•rudedogg•2h ago•51 comments

The fate of "small" open source

https://nolanlawson.com/2025/11/16/the-fate-of-small-open-source/
92•todsacerdoti•2h ago•54 comments

Tracking users with favicons, even in incognito mode

https://github.com/jonasstrehle/supercookie
79•vxvrs•2h ago•19 comments

Heretic: Automatic censorship removal for language models

https://github.com/p-e-w/heretic
326•melded•6h ago•113 comments

The Pragmatic Programmer: 20th Anniversary Edition

https://www.ahalbert.com/technology/2023/12/19/the_pragmatic_programmer.html
21•ahalbert2•1h ago•1 comments

Dark Pattern Games

https://www.darkpattern.games
36•robotnikman•2h ago•14 comments

Z3 API in Python: From Sudoku to N-Queens in Under 20 Lines

https://ericpony.github.io/z3py-tutorial/guide-examples.htm
60•amit-bansil•3h ago•0 comments

What if you don't need MCP at all?

https://mariozechner.at/posts/2025-11-02-what-if-you-dont-need-mcp/
45•jdkee•3h ago•20 comments

I have recordings proving Coinbase knew about breach months before disclosure

https://jonathanclark.com/posts/coinbase-breach-timeline.html
174•jclarkcom•1h ago•57 comments

I finally understand Cloudflare Zero Trust tunnels

https://david.coffee/cloudflare-zero-trust-tunnels
61•eustoria•4h ago•17 comments

FPGA Based IBM-PC-XT

https://bit-hack.net/2025/11/10/fpga-based-ibm-pc-xt/
116•andsoitis•6h ago•22 comments

Linux mode setting, from the comfort of OCaml

https://roscidus.com/blog/blog/2025/11/16/libdrm-ocaml/
27•ibobev•2h ago•3 comments

Decoding Leibniz Notation (2024)

https://www.spakhm.com/leibniz
20•coffeemug•3h ago•0 comments

Fourier Transforms

https://www.continuummechanics.org/fourierxforms.html
80•o4c•1w ago•10 comments

Your Land, My Land (Offrange) – Lithium vs. Lettuce in the Imperial Valley, CA

https://ambrook.com/offrange/photo-essay/lithium-v-lettuce
13•mfburnett•1d ago•0 comments

Shell Grotto, Margate

https://en.wikipedia.org/wiki/Shell_Grotto,_Margate
10•Michelangelo11•1w ago•1 comments

Brimstone: ES2025 JavaScript engine written in Rust

https://github.com/Hans-Halverson/brimstone
178•ivankra•10h ago•84 comments

Peter Thiel sells off all Nvidia stock, stirring bubble fears

https://www.thestreet.com/investing/peter-thiel-dumps-top-ai-stock-stirring-bubble-fears
20•hypeatei•39m ago•8 comments

Anthropic’s paper smells like bullshit

https://djnn.sh/posts/anthropic-s-paper-smells-like-bullshit/
757•vxvxvx•10h ago•236 comments

Garbage collection is useful

https://dubroy.com/blog/garbage-collection-is-useful/
104•surprisetalk•8h ago•26 comments

The Man Who Keeps Predicting the Web's Death

https://tedium.co/2025/10/25/web-dead-predictions-george-colony/
28•thm•4h ago•6 comments

Waiting for SQL:202y: Group by All

http://peter.eisentraut.org/blog/2025/11/11/waiting-for-sql-202y-group-by-all
29•ingve•5d ago•9 comments

De Bruijn Numerals

https://text.marvinborner.de/2023-08-22-22.html
56•marvinborner•6h ago•7 comments

Measuring the doppler shift of WWVB during a flight

https://greatscottgadgets.com/2025/10-31-receiving-wwvb-with-hackrf-pro/
109•Jyaif•1w ago•0 comments

Holes (1970) [pdf]

https://rintintin.colorado.edu/~vancecd/phil375/Lewis1.pdf
25•miobrien•2d ago•6 comments

Vintage Large Language Models

https://owainevans.github.io/talk-transcript.html
56•pr337h4m•8h ago•14 comments

Adding an imaginary unit to a finite field

https://www.johndcook.com/blog/2025/11/16/finite-field-i/
7•ibobev•2h ago•1 comments

Running the "Reflections on Trusting Trust" Compiler (2023)

https://research.swtch.com/nih
102•naves•7h ago•5 comments

AirPods liberated from Apple's ecosystem

https://github.com/kavishdevar/librepods
1223•moonleay•21h ago•357 comments

Dissecting Flock Safety: The Cameras Tracking You Are a Security Nightmare [video]

https://www.youtube.com/watch?v=uB0gr7Fh6lY
127•emsign•6h ago•47 comments