Tailscale is the preferred path for trusted personal devices. Cloudflare Tunnel fills a different role: browser-only access from devices where installing Tailscale is not practical.
That makes it useful for constrained environments, especially when the goal is to reach a small number of web interfaces without exposing broad firewall ports.
Access Pattern
- Selected browser-accessible services are published through an identity-protected tunnel.
- Google identity and multi-factor authentication sit in front of access.
- Guacamole provides browser-based remote desktop access when direct client software is unavailable.
- Some AI research and project-management interfaces are reachable this way for controlled workflows.
Tradeoffs
The setup is stable once configured, but the hard part is deciding what deserves browser access at all. Routing subdomains to the right internal endpoints can be fiddly, and returning to the configuration months later requires good notes.
The important lesson is access design: private overlay access by default, browser-tunnel access where it solves a real constraint, identity/MFA in front of anything reachable through the browser, and no broad firewall port exposure for the lab.
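One way to check the subdomain routing against this design when returning to it later, as an added example that is not the author's configuration: a small Python audit over cloudflared ingress rules. It assumes a locally managed tunnel whose `ingress` list from `config.yml` has already been loaded into Python, and a hand-maintained set of hostnames that have an identity/MFA policy in front of them; all hostnames and ports are constructed placeholders.

```python
# Added example: audit a cloudflared ingress list against the access design above.
# Assumption: rules are the hostname/service pairs from config.yml, already parsed.
# Assumption: access_protected is a hand-kept set of hostnames with identity/MFA in front.

CATCH_ALL = "http_status:404"


def audit_ingress(ingress, access_protected):
    """Return a list of findings; an empty list means the rules match the design."""
    if not ingress:
        return ["no ingress rules defined"]
    findings = []
    last = ingress[-1]
    # Anything not explicitly routed should be refused, not forwarded somewhere.
    if last.get("hostname") or last.get("service") != CATCH_ALL:
        findings.append("last rule must be a hostname-less http_status:404 catch-all")
    for i, rule in enumerate(ingress[:-1]):
        host = rule.get("hostname", "")
        service = rule.get("service", "")
        if not host:
            # Rules are evaluated first-match, so this one hides all later rules.
            findings.append(f"rule {i}: no hostname, matches every request")
            continue
        if "*" in host:
            findings.append(f"rule {i}: wildcard {host} publishes more than a selected service")
        if host not in access_protected:
            findings.append(f"rule {i}: {host} has no recorded identity/MFA policy")
        if not service.startswith(("http://", "https://")):
            findings.append(f"rule {i}: {service} is not a browser-facing HTTP origin")
    return findings


# Constructed sample data (placeholder hostnames under the reserved .example TLD).
SAMPLE_INGRESS = [
    {"hostname": "desk.lab.example", "service": "http://127.0.0.1:8080"},
    {"hostname": "*.lab.example", "service": "http://127.0.0.1:3000"},
    {"hostname": "notes.lab.example", "service": "ssh://127.0.0.1:22"},
    {"service": CATCH_ALL},
]
SAMPLE_PROTECTED = {"desk.lab.example"}

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_INGRESS, SAMPLE_PROTECTED):
        print(finding)
```

Keeping the protected-hostname set next to the tunnel configuration doubles as the notes the setup needs when it is revisited.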