If you look at cloudlfares strategy here, they want to be the sweetheart of everyone who knows what a VPN is in order that they will be selected by those people for corporate projects. Monetising the data that flows through their network is antithetical to that objective.

This is just naïve. Cloudflare is a business and if they see more value in selling you out, and legally you agreed they may, then they will. Acting “antiethical” has never stopped a big player from infringing on the rights of small players, especially in the tech industry where individuals essentially have zero rights.

Additionally I would venture that the data doesn’t really have any value, it would be impossible to use it to build data about an individuals browsing or buying habits.

Interesting. I would pay you $5 monthly for all the data going through your tunnel under the same conditions that cloudflare requires you to agree to. How about it?

Surely you have to acknowledge that it’s disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you’re trying to make.

No it doesn’t. The first sentence does not state anything that is not already clarified by law. Hence, it adds zero value to the actual meaning of the paragraph.

You are a person. Your basic human rights are guaranteed to you by law. Given that, you hereby grant me the right to enter your house and shave your head at my discretion and however often I wish, if I deem it necessary to provide to a free service that I don’t classify further in this agreement.

Same thing, you can say if I redact the first two sentences from the quote I’m being disingenuous, but really I’m just trying to get one over on you by making you feel like you have some control in this when in actually you do not.

Disagree. “Necessary to provide the service” means whatever they want it to mean. If they deem it necessary to monetize your data so they can offer you their service “for free”, that is well within their right to do. The fact that you " retain all rights" just means you can use your data too without asking Cloudflare for permission.

Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none. They pinky promise not to fuck you over, but they also promise to legally burry you for any infringement at their discretion.

For me, this is a non-starter.

I have tailscale, which is great for ssh-ing onto my Nas from the outside world. But to access my services, is a VPN the best way to do it?

The main point about Tailscale that I see people on here often get wrong is that they compare it to a “classic” hub-and-spoke VPN, when in fact it is an end-to-end zero trust encrypted mesh network. End-to-end does not mean machine-to-machine, it means user to service. So in your case, you should place one tailscale node in each pod (collection of containers that make up one service) as a sidekick. That way, a user need to authenticate in order to even open a network connection for a specific service, which is a very secure solution.

If you like pass, you might want to look into passage

The main downside of docker images is app developers don’t tend to play a lot of attention to the images that they produce beyond shipping their app. While software installed via your distribution benefits from meticulous scrutiny of security teams making sure security issues are fixed in a timely fashion, those fixes rarely trickle down the chain of images that your container ultimately depends on. While your distributions package manager sets up a cron job to install fixes from the security channel automatically, with Docker you are back to keeping track of this by yourself, hoping that the app developer takes this serious enough to supply new images in a timely fashion. This multies by number of images, so you are always only as secure as the least well maintained image.

Most images, including latest, are piss pour quality from a security standpoint. Because of that, professionals do not tend to grab “off the shelve” images from random sources of the internet. If they do, they pay extra attention to ensure that these containers run in sufficient isolated environment.

Self hosting communities do not often pay attention to this. You’ll have to decide for yourself how relevant this is for you.

Syncthing uses inotify to watch for changes, so it’s pretty much instant

Yeah, and for that reason, I opted for syncthing instead of Git for this use case.

Never had merge conflicts I take it 😄

Does not have great UX on phones though.

I ran a funnel test and yes it works, but still have to use the ts.net

Out of curiosity, why is that a deal breaker for you?

Cloudflare can decrypt the data before it hits my site before it encrypts it

Give Tailscale funnel a try, it provides similar functionality but does not need to terminate yout TLS to do it.

Precisely. Except there is no “Tailscale manage them for you”.

So you could summarize your answer as " Tailscale certificates work like let encrypt".

That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.

Both CF and Tailscale play MITM with your HTTPS connection

That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.

Except you can condense that whole thread into

1. Install Tailscale

Is there any other way?

For all intends and purposes, let’s assume there isn’t. Running a DNS server on the ‘open internet’ is notoriously difficult if you are not familiar with the intricacies, especially with regards to security. Running it through a VPN is really the best option you have here.

I absolutely agree with this. If you cannot easily reproduce you configuration, all you are doing is pushing the problems down the line. Eventually, even simple things will get uncomfortable because it becomes uncomfortable to make. Better address the problem now while its still small

Definitely, the specs are nice and I also cannot say I’m a huge fan of the RPi foundation. More competition in this space would be great, but not having mainline support is just too much of a hassle.