VPN & Zero Trust Network
Tailscale, WireGuard, Cloudflare Tunnel - private networking for remote teams and services without exposing them to the public internet
Your team needs to reach internal services (staging, dashboards, databases, ssh) without exposing them to the public internet. The old answer was a corporate VPN — a gateway you connected to, then routed traffic through. The modern answer is zero trust networking: every connection authenticated and authorized individually, no implicit "inside the network" trust.
Two Generations of Solutions
| Old (perimeter VPN) | New (zero trust) |
|---|---|
| One VPN gateway; everyone inside is trusted | Every connection authenticated and authorized per-resource |
| Hub-and-spoke: traffic to / from gateway | Mesh: direct peer-to-peer between authorized devices |
| Hairpin routing through corporate office | Latency-optimal direct paths |
| Static credentials, manual revocation | Tied to identity provider; revoke = remove from IdP |
| Bridge two networks | Authenticate per app / resource |
| OpenVPN, Cisco AnyConnect | Tailscale, Cloudflare Access, Twingate, Pomerium |
Zero trust is usually faster (direct peer paths instead of hairpinning through a gateway), easier to operate (the user lifecycle lives in your IdP), and safer (a compromised laptop lands in a per-resource policy, not a flat internal network). For new deployments, don't build a traditional VPN.
The Players
Mesh VPN (peer-to-peer, all-purpose)
| Tool | Notes |
|---|---|
| Tailscale | Built on WireGuard; identity-aware (users log in through your IdP); "it just works"; free tier for personal use |
| Twingate | Similar to Tailscale; more enterprise-leaning |
| Netbird | Open-source Tailscale alternative |
| Headscale | Open-source Tailscale control plane (use with the Tailscale client) |
| ZeroTier | Older mesh; pre-dates Tailscale; uses its own protocol rather than WireGuard; still solid |
| WireGuard | The protocol underneath; build your own with this |
Reverse Tunnel (expose internal HTTP)
| Tool | Notes |
|---|---|
| Cloudflare Tunnel | cloudflared; origin has no public IP; first-class with Cloudflare CDN |
| ngrok | Original dev-tool tunnel; now broader enterprise features |
| frp | Open-source reverse proxy; self-host |
| inlets | Self-host alternative to ngrok |
Zero Trust Access (per-app authentication)
| Tool | Notes |
|---|---|
| Cloudflare Access | Per-app SSO; works with Tunnel or any backend |
| Tailscale Serve / Funnel | Serve exposes a local service to tailnet members, so identity and ACLs come from the mesh; Funnel publishes it to the public internet with no per-user auth, so it is not an access-control layer |
| Pomerium | Open-source zero-trust proxy |
| Teleport | Strong for ssh, K8s, DBs; identity-aware bastion |
| Google IAP (Identity-Aware Proxy) | GCP-native zero trust |
| AWS Verified Access | AWS-native equivalent |
The lines blur. For small-to-mid teams, Tailscale for people-to-infrastructure access plus Cloudflare Tunnel + Access for the few web apps that outsiders need covers most of the use cases.
What These Replace
| Problem | Old approach | Modern |
|---|---|---|
| Engineers SSH into prod | VPN + bastion host | Tailscale SSH: ssh by hostname, authorized by ACL |
| Internal dashboard (Grafana, Argo CD) | VPN + DNS rewrite | Cloudflare Access + Tunnel |
| Demo env for prospects | "Send them the VPN config" | Cloudflare Tunnel + an Access policy on their email addresses (one-time PIN, no client to install) |
| Mobile dev tests against staging | Connect to office VPN | Tailscale on phone |
| Office printer / NAS | Local network only | Tailscale mesh, anywhere |
| Self-hosted Git, CI, monitoring | DMZ + reverse proxy | Tunnel; no public IP |
When to Use What
| Scenario | Best fit |
|---|---|
| Engineers reaching internal services / SSH from anywhere | Tailscale |
| Exposing one internal web app to specific external users | Cloudflare Tunnel + Access |
| Many internal services to many users with SSO | Cloudflare Access or Pomerium |
| Site-to-site (connecting two cloud VPCs) | Tailscale (subnet router) or WireGuard direct |
| Replacing OpenVPN / Cisco AnyConnect | Tailscale |
| Strict audit / record SSH sessions | Teleport |
| Per-pod identity in K8s for service-to-service | Service Mesh (Istio / Linkerd) |
| Air-gapped, no SaaS dependency | Headscale + Tailscale clients (with a self-hosted DERP relay, since the public relays are unreachable) or WireGuard direct |
Learning Path
1. Getting Started
Install Tailscale on your laptop and a server; ssh by hostname; expose a service via Cloudflare Tunnel
2. Zero Trust Patterns
ACLs, exit nodes, subnet routers, identity-aware access, MagicDNS, federation
3. Best Practices
Production deployment, key management, observability, scaling, security hardening
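Step 2's ACLs are where the "authorized per-resource" half of zero trust actually lives. Below is an added example written for this page, not Tailscale's evaluator: a simplified model of the policy file (groups plus classic `acls` rules) that answers "may this user reach this tagged host on this port" with default-deny semantics, and a lint that flags the allow-all rule a new tailnet ships with. The sample policy, users and tags are constructed; it assumes plain JSON rather than HuJSON, source entries that are users, groups or `*`, and destinations that are tags or `*`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Rule and Policy model the subset of a Tailscale ACL policy this example
// handles. This is a simplified evaluator written for this page, not
// Tailscale's: src entries are users, "group:x" or "*"; dst entries are
// "host:ports" where host is a tag or "*" and ports is "*", "22", "80-90"
// or a comma list such as "22,443".
type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

type Policy struct {
	Groups map[string][]string `json:"groups"`
	ACLs   []Rule              `json:"acls"`
}

// SamplePolicy is a constructed policy (plain JSON; a real policy file is
// HuJSON, so strip comments and trailing commas first): engineers reach
// staging over ssh and https, only on-call reaches prod, nothing else.
const SamplePolicy = `{
  "groups": {
    "group:eng":    ["alice@example.com", "bob@example.com"],
    "group:oncall": ["alice@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:eng"],    "dst": ["tag:staging:22,443"]},
    {"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod:22"]}
  ]
}`

func ParsePolicy(src string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(src), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

func (p *Policy) srcMatches(entry, user string) bool {
	if entry == "*" {
		return true
	}
	if strings.HasPrefix(entry, "group:") {
		return has(p.Groups[entry], user)
	}
	return entry == user
}

func portMatches(spec string, port int) bool {
	if spec == "*" {
		return true
	}
	for _, part := range strings.Split(spec, ",") {
		lo, hi, isRange := strings.Cut(part, "-")
		if !isRange {
			hi = lo
		}
		l, errL := strconv.Atoi(lo)
		h, errH := strconv.Atoi(hi)
		if errL == nil && errH == nil && l <= port && port <= h {
			return true
		}
	}
	return false
}

func dstMatches(entry, host string, port int) bool {
	i := strings.LastIndex(entry, ":") // split "tag:staging:22,443" into host and ports
	if i < 0 {
		return false
	}
	h, ports := entry[:i], entry[i+1:]
	return (h == "*" || h == host) && portMatches(ports, port)
}

// Allowed is default-deny: the connection passes only if some accept rule
// names both the source identity and the destination host:port.
func (p *Policy) Allowed(user, host string, port int) bool {
	for _, r := range p.ACLs {
		if r.Action != "accept" {
			continue
		}
		for _, s := range r.Src {
			for _, d := range r.Dst {
				if p.srcMatches(s, user) && dstMatches(d, host, port) {
					return true
				}
			}
		}
	}
	return false
}

// WideOpenRules reports rules equivalent to the allow-all default a new
// tailnet ships with: {"action": "accept", "src": ["*"], "dst": ["*:*"]}.
// One such rule makes every other rule irrelevant, so a policy check should fail on it.
func (p *Policy) WideOpenRules() []int {
	var idx []int
	for i, r := range p.ACLs {
		if r.Action == "accept" && has(r.Src, "*") && has(r.Dst, "*:*") {
			idx = append(idx, i)
		}
	}
	return idx
}

func has(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	p, err := ParsePolicy(SamplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("bob -> prod:22    ", p.Allowed("bob@example.com", "tag:prod", 22))
	fmt.Println("alice -> prod:22  ", p.Allowed("alice@example.com", "tag:prod", 22))
	fmt.Println("alice -> prod:5432", p.Allowed("alice@example.com", "tag:prod", 5432))
	fmt.Println("wide-open rules:  ", p.WideOpenRules())
}
```

Run the lint in CI against the policy file before pushing it to the control plane; the interesting failure is not a typo but a leftover wildcard rule that silently grants everything.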
How Mesh VPNs Work
```text
Laptop                                    Server in AWS
  │                                            │
  ▼                                            ▼
Coordination server (Tailscale)        Same coordination server
- issues identity (auth via your IdP)  - issues identity
- distributes ACLs                     - distributes ACLs
- holds public keys for peer-to-peer   - holds public keys
                     │
      Both peers learn each other's public keys + endpoint
                     │
  ─── direct WireGuard tunnel (peer-to-peer) ─────────────►
      (or relayed through a DERP server if direct fails)
```

The coordination server holds metadata: identity, public keys, ACLs. It never carries the traffic itself; the WireGuard tunnel is end-to-end between the two peers, and only they hold the private keys. Tailscale, Twingate and Netbird all follow this shape.
When two peers can't establish a direct connection (NAT, firewalls), traffic falls back through a relay (DERP in Tailscale's case). The relay forwards WireGuard ciphertext it cannot decrypt, so privacy does not depend on it; the cost is latency, and it works wherever outbound HTTPS is allowed.
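What the coordination server automates, reduced to the WireGuard primitives, as an added example written for this page (not Tailscale's or WireGuard's code): each node generates a Curve25519 key pair, the public keys, endpoints and AllowedIPs are exchanged, and each side renders the wg-quick config that trusts exactly its peers. It also shows that both sides derive the same X25519 shared secret from their own private key and the other's public key, which is why a relay in the middle learns nothing. The peer names, the tunnel addresses (documentation ranges) and the routed subnet are constructed; it needs Go 1.20+ for `crypto/ecdh`.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Peer is what a coordination server knows about one node, plus the private
// key that never leaves it. Subnets lists networks behind the node, for the
// site-to-site case (a "subnet router" in Tailscale terms).
type Peer struct {
	Name       string
	Address    string   // tunnel address, e.g. 10.100.0.1/32
	Endpoint   string   // public ip:port; empty when the node is behind NAT
	ListenPort int
	Subnets    []string // e.g. 10.1.0.0/24 routed through this peer
	priv       *ecdh.PrivateKey
}

// NewPeer generates a Curve25519 key pair, the same kind `wg genkey` produces.
func NewPeer(name, address, endpoint string, port int, subnets ...string) (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, Address: address, Endpoint: endpoint, ListenPort: port, Subnets: subnets, priv: priv}, nil
}

// Keys in the base64 form that WireGuard configs and `wg show` use.
func (p *Peer) PrivateKey() string { return base64.StdEncoding.EncodeToString(p.priv.Bytes()) }
func (p *Peer) PublicKey() string  { return base64.StdEncoding.EncodeToString(p.priv.PublicKey().Bytes()) }

// SharedSecret combines p's private key with a peer's public key. Both peers
// arrive at the same value; WireGuard feeds this into its Noise handshake
// rather than using it directly as a session key.
func (p *Peer) SharedSecret(otherPublic string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(otherPublic)
	if err != nil {
		return nil, err
	}
	pub, err := ecdh.X25519().NewPublicKey(raw)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// AllowedIPs is the set of source addresses this peer may send from; on the
// other side it doubles as the routing entry for reaching those ranges.
func (p *Peer) AllowedIPs() string {
	return strings.Join(append([]string{p.Address}, p.Subnets...), ", ")
}

// Config renders a wg-quick file for p that trusts exactly the listed peers.
// This is the "distribute public keys + endpoints + ACLs" step a coordination
// server automates: a packet from a peer is accepted only if it decrypts
// under that peer's key and its source lies in that peer's AllowedIPs.
func (p *Peer) Config(peers ...*Peer) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %d\n", p.PrivateKey(), p.Address, p.ListenPort)
	for _, q := range peers {
		fmt.Fprintf(&b, "\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n", q.Name, q.PublicKey(), q.AllowedIPs())
		if q.Endpoint != "" {
			fmt.Fprintf(&b, "Endpoint = %s\n", q.Endpoint)
		}
		if p.Endpoint == "" {
			// p sits behind NAT: keep the mapping open so q can reach it
			fmt.Fprintf(&b, "PersistentKeepalive = 25\n")
		}
	}
	return b.String()
}

func main() {
	// Constructed example: a laptop behind NAT and a server with a public IP
	// that also routes its VPC subnet (documentation address ranges throughout).
	laptop, err := NewPeer("laptop", "10.100.0.2/32", "", 51820)
	if err != nil {
		panic(err)
	}
	server, err := NewPeer("aws-server", "10.100.0.1/32", "203.0.113.10:51820", 51820, "10.1.0.0/24")
	if err != nil {
		panic(err)
	}
	fmt.Print(laptop.Config(server), "\n---\n", server.Config(laptop))
}
```

Note what the server's config does not contain: an Endpoint for the laptop (WireGuard learns it from the first authenticated handshake, which is how roaming works) and the laptop's private key. The server-side AllowedIPs carrying the subnet is the whole of site-to-site; revoking the laptop is deleting its `[Peer]` block, which is what a coordination server does for you when the user is removed from the IdP.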
How Cloudflare Tunnel Works
```text
Internal service            Your local machine              User
on a private network        (or container)                  on the internet
─────────────────────       ──────────────────────          ─────────────
                            cloudflared connects out
                            ──────────────────────►  Cloudflare's edge
                                                          │
                                                          ◄─── HTTPS request
                                                               to user.example.com
                            ◄──────────────────────  routed back through the tunnel
     ◄───── proxied ─────   to your local machine
```

cloudflared makes an outbound connection to Cloudflare. Cloudflare routes inbound HTTPS for your hostname back through that connection. Your network has no inbound ports open, and the internal service needs no public IP. Combined with Cloudflare Access, you can require SSO and device posture before traffic even reaches your service. Two checks keep that guarantee honest: the origin should accept connections only from cloudflared (bind to localhost, or firewall everything else), and it should validate the `Cf-Access-Jwt-Assertion` token that Access attaches to each forwarded request, so a request that reaches the origin by any other path is still refused.
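The origin-side check, as an added example written for this page rather than Cloudflare's code: parse the RS256 token Access puts in `Cf-Access-Jwt-Assertion`, verify it against the JWKS published at `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs`, and reject anything with the wrong issuer, another application's AUD tag, an expired `exp`, or an `alg` other than RS256. The team name and AUD tag are placeholders, and the `NewTestKey`, `JWKSFor` and `MintToken` helpers stand in for Access's own key publication and token signing so the example runs offline; in production the JWKS comes from the certs URL and the tokens from Access.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Access puts a signed RS256 JWT in this header on every request it forwards.
const accessHeader = "Cf-Access-Jwt-Assertion"

var b64 = base64.RawURLEncoding

// JWK/JWKS model the part of <issuer>/cdn-cgi/access/certs that verification
// needs; encoding/json matches the lower-case JSON names case-insensitively.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims are the token fields we check; Access issues aud as an array.
type Claims struct {
	Email string   `json:"email"`
	Aud   []string `json:"aud"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
}

// Verifier validates tokens for one Access application (one issuer, one AUD tag).
type Verifier struct {
	Issuer, Aud string
	keys        map[string]*rsa.PublicKey
}

func NewVerifier(issuer, aud string, jwks JWKS) (*Verifier, error) {
	v := &Verifier{Issuer: issuer, Aud: aud, keys: map[string]*rsa.PublicKey{}}
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("unusable key %q", k.Kid)
		}
		v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	if len(v.keys) == 0 {
		return nil, errors.New("JWKS contains no RSA keys")
	}
	return v, nil
}

// Verify checks signature, issuer, audience and expiry. The algorithm is pinned
// to RS256, so a token claiming "none" or an HMAC alg is rejected before any
// key material is touched.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	hraw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || err != nil || json.Unmarshal(hraw, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	key, known := v.keys[hdr.Kid]
	if hdr.Alg != "RS256" || !known {
		return nil, fmt.Errorf("alg %q / kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	praw, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(praw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == v.Aud
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("wrong issuer")
	case !audOK:
		return nil, errors.New("token was issued for a different application")
	case c.Exp == 0 || time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Protect admits a request only with a valid token, so a client that reaches
// the origin without passing through Access gets 403 even if it forges the header.
func (v *Verifier) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := v.Verify(r.Header.Get(accessHeader))
		if err != nil {
			http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
			return
		}
		r.Header.Set("X-Verified-Email", c.Email) // overwritten here, so downstream can trust it
		next.ServeHTTP(w, r)
	})
}

// NewTestKey, JWKSFor and MintToken stand in for Access's signing key, certs
// endpoint and token issuer so the example runs offline; Access does all three.
func NewTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

func MintToken(priv *rsa.PrivateKey, alg, kid string, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	p, _ := json.Marshal(c)
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

func main() {
	priv := NewTestKey()
	v, _ := NewVerifier("https://example-team.cloudflareaccess.com", "app-aud-tag", JWKSFor(&priv.PublicKey, "k1"))
	good := Claims{Email: "alice@example.com", Aud: []string{"app-aud-tag"}, Iss: v.Issuer, Exp: time.Now().Add(time.Hour).Unix()}
	_, err := v.Verify(MintToken(priv, "RS256", "k1", good))
	fmt.Println("signed token:", err)
	_, err = v.Verify(MintToken(priv, "none", "k1", good))
	fmt.Println("alg=none token:", err)
}
```

Wire it in as `v.Protect(yourHandler)` on a listener bound to localhost, so only cloudflared on the same host can reach it; fetch the JWKS from the certs URL at startup and refresh it periodically, because Cloudflare rotates the signing keys and a stale key set turns into a 403 for everyone.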
Zero trust networking and Service Mesh overlap conceptually — both authenticate every connection. Service mesh operates inside a cluster (service-to-service); zero trust operates at the boundary (user-to-service, service-to-internet). Many teams use both: mesh inside, zero trust at the edge.