VPN vs Tailscale vs Cloudflare Tunnel

**Commercial privacy VPN** like NordVPN or Mullvad: you install the app, your browsing leaves through their server, sites you visit see their IP instead of yours. Solves "I don't want my ISP or the coffee shop Wi-Fi to see what I browse."

**Corporate or road-warrior VPN** like the Cisco AnyConnect your employer makes you use: tunnels you back to a corporate network so you can reach internal company servers.

**Mesh VPN** like Tailscale: builds a private network across your *own* devices, regardless of which network each one is on. These three solve different problems. A YouTube ad for NordVPN does not help you reach your home NAS, and Tailscale does not make your Netflix think you're in Canada.

Tailscale is the easy modern way for non-IT homeowners to reach their own stuff from outside. You install a small app on your phone, laptop, NAS, Home Assistant — anything you want in the mesh. They all sign in to the same Tailscale account. Now each device has a small private IP address (in the 100.x.x.x range) that only your mesh can see, and they can reach each other directly using those addresses, no matter what network each device is on.

As of April 2026, the free Personal plan covers 6 users and unlimited devices, which is enough for most extended families. Built on WireGuard underneath. Native packages exist for Synology, QNAP, and Unraid; TrueNAS uses TrueCharts in 2026.

Cloudflare Tunnel is the easy modern way to make a single service at home reachable as a public web link, without a port-forward. You install `cloudflared` on a device at home. It opens an outbound connection to Cloudflare's edge — Cloudflare never has to reach in to your house. In the Cloudflare dashboard, you map a subdomain to the tunnel. Cloudflare terminates the public HTTPS, sends traffic into the tunnel, your service answers. Free for personal use.

**Caveat**: the free and Pro plans cap proxied HTTP uploads at 100 MB per request, which trips up Immich photo uploads and Nextcloud large-file sync. Streaming Plex/Jellyfin via Cloudflare Tunnel is a long-running grey area in Cloudflare's terms; the safer pattern is Tailscale for streaming, Cloudflare Tunnel for read-only dashboards and shared albums.

**A. Just want to reach my NAS from my phone**: Tailscale. Done.

**B. Want a normal HTTPS link my parents can click without installing anything**: Cloudflare Tunnel. Add a Cloudflare Access policy on top so it's not literally open to the public.

**C. Want full self-host control, no third-party coordinator**: Headscale on a $5 VPS, Tailscale's official client apps pointed at it. ~30-45 minutes to set up.

**D. Want to hide my browsing from my ISP or look like I'm in Canada**: completely different problem. Use a commercial privacy VPN (Mullvad, Proton VPN). Tailscale and Cloudflare Tunnel do nothing for this.

These are alternatives in the same family, each with a different tilt. **ZeroTier** is the closest competitor to Tailscale — same idea, slightly different architecture, free for up to 25 devices per network. **Twingate** is more zero-trust focused — better when you'll grant access to many separate people for different specific apps. **Pangolin** is the newest entrant (2024-2026), open-source, self-hostable Cloudflare Tunnel alternative running on your own VPS. **NetBird** is open-core Tailscale-style mesh, also self-hostable.

None of these are "wrong"; if you have no preference, Tailscale is the default because it's easiest to recover from when something breaks at 11pm.