Cloudflare Access vs. Tailscale

When the pandemic struck, IT teams had to scramble to support greater numbers of remote workers. Given the amount of people working remotely, VPN concentrators were overloaded and needed to be supplemented– or even replaced.

Cloudflare Access is a gateway for application access, which integrates with your identity provider and endpoint protection solutions, and Cloudflare Gateway provides DNS filtering. Access and Gateway is part of Cloudflare One, a bundle that includes several separate features such as Cloudflare Teams and Magic WAN. Tailscale encompasses features from all of these, but it’s most similar to Cloudflare Access.

Both Tailscale and Cloudflare Access allow you to manage access to your applications based on your existing identity provider and from disparate geographical locations. Here, we’ll compare the two so you can choose the solution that’s best for you.

Overview of Cloudflare Access

Cloudflare is a cloud computing and website security company that offers a range of services: a global content delivery network, distributed denial of service (DDoS) protection (through Cloudflare Spectrum), and zero-trust authentication services. Cloudflare runs a globally distributed network of proxy servers and data centers, so that their services are low latency to users no matter where they are geographically located. Cloudflare provides a content delivery network which acts as an intermediary between site servers and visitors, by caching copies of users’ websites in Cloudflare’s network, so that visitors can reach their desired site from their local data center. Their network also has security protections built in, blocking a variety of threats.

Of Cloudflare’s offerings, Cloudflare Access is functionally most similar to Tailscale. Access allows users to login from anywhere to access protected resources, using their existing identity provider and integrating with their existing endpoint protection. Cloudflare’s globally distributed network means it has low latency for users–although all traffic must pass through Cloudflare.

Comparison matrix

Tailscale Cloudflare Access
Mesh VPN Yes No

Uses Cloudflare’s global network to intermediate connections

Open source Yes

Clients but not coordination server

No
End-to-end encryption Yes No

Encrypted data in transit via HTTPS, but not end-to-end encryption

Role-based access controls Yes Yes
Integrates with identity providers for single sign-on Yes

Google, AzureAD, GitHub, Okta, OneLogin, and more

Yes

Google, AzureAD, GitHub, Okta, and LinkedIn

Client required Yes No for web only apps

Yes for other uses

Pricing Free for personal use and open source

Paid for enterprise

Free for up to 50 users

Paid for more than 50 users

Initial setup

Both Cloudflare Access and Tailscale are managed services, making installation simple. To get started, you will need to set up clients for users and configure any desired access controls.

Cloudflare Access offers a client-less solution for users only looking to connect to web applications; and a client for all other connections.

Tailscale always requires the user to install a client.

Connectivity

Tailscale’s peer-to-peer mesh VPN is designed to improve connectivity through direct communications, whereas Cloudflare routes traffic through a centrally managed service.

Cloudflare Access offers low latency connections from a user to the service they are accessing, as user requests are authenticated on Cloudflare’s network, with their data centers acting as a reverse proxy.

Tailscale’s nodes may talk directly, without a reverse proxy server sitting in the middle. The vast majority of Tailscale users’ communications don’t go through Tailscale servers; Tailscale connects devices directly peer-to-peer in a mesh network.

Security

Both Cloudflare Access and Tailscale offer zero trust remote access solutions. Role-based access control (RBAC) limits what users, devices, or applications can connect to each other on the network. Both work with the most popular identity providers to support single sign-on.

Given that Cloudflare users never actually have access to a full virtual private network, they cannot make lateral movements within a network, accessing resources that they’re not authorized to use. With Cloudflare Access’ granular, zero trust approach, Cloudflare claims an advantage over legacy corporate VPNs, which provide scant visibility into user activity, showing usernames and IP addresses, at most. Cloudflare Access provides detailed logging of user activity so that any suspicious activity can be detected.

The vast majority of Tailscale users’ communications don’t go through Tailscale servers; devices form direct peer-to-peer connections in a mesh network, and all of their communications are end-to-end encrypted, improving data security and privacy. Two servers side by side on the same LAN can form an encrypted Tailscale link between them, providing a true zero-trust environment without any additional latency.

Tailscale lets its users define security policies that determine, by rule, which nodes can access which IP addresses. Each node in the Tailscale mesh network acts as its own stateful firewall and audit trail. Tailscale users can also define which nodes can access which services and groups of users. Since each Tailscale node logs its connections to a central logging service, every connection is logged twice (since both partners in a connection log their connection), making log tampering easy to detect, without the need to funnel network traffic through a central provider.

Performance

With Cloudflare Access, users connect to the closest entrypoint for Cloudflare’s network. Cloudflare’s routing technology finds the data center closest to the user for low latency connections. However, all traffic must go through here before reaching its destination.

With Tailscale, devices connect directly peer-to-peer in a mesh network. These communications are low latency and limited by the performance of the connections. Two servers side by side on the same LAN can form an encrypted Tailscale link between them, without any additional latency of passing through a centralized service.

Network administration

Both Cloudflare Access and Tailscale are managed services. There is no need to host infrastructure.

The bottom line

If you’re looking for a zero trust remote access service for users accessing mostly web applications, and don’t want to install a client, try Cloudflare Access. Cloudflare Access is also a good option if you are already using or need features provided by other Cloudflare services like Gateway.

If you’re looking for a VPN that is end-to-end encrypted, you have many non-web applications, or are connecting on local networks where latency matters, try out Tailscale.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms