Cloudflare Mesh replaces Tailscale in my homelab setup

At a glance:

  • Cloudflare Mesh successfully replaced Tailscale for remote homelab access, eliminating a third-party dependency
  • The migration was straightforward for users already using Cloudflare DNS, DoH, and tunnels
  • Local IP addresses remained accessible across networks without public exposure or port forwarding

Why I replaced Tailscale with Cloudflare Mesh

As a technology journalist with years of experience in computer science and hardware ecosystems, I had built a robust homelab infrastructure that relied on multiple services. Tailscale had earned a permanent place in my stack, solving the persistent problem of CGNAT and providing seamless remote access to sensitive dashboards like Portainer, Pi-hole, and Omada Controller. Beyond homelab services, I was actively using Tailscale in my development environment, allowing local projects on my Windows PC to be accessed from mobile devices.

The dedicated 100.x.x.x addresses that Tailscale provided were particularly valuable, offering a straightforward solution without networking headaches. I had become so comfortable with Tailscale that I recommended it to every homelab user I knew, praising its beginner-friendly approach, NAT traversal capabilities, and ability to bypass complex WireGuard setup. Despite this satisfaction, I began questioning whether maintaining a separate networking service was necessary when Cloudflare was already handling my DNS, DoH, and tunnels.

The decision to experiment with Cloudflare Mesh wasn't about finding a better product but about reducing dependencies. Tailscale was the only major networking layer outside my existing Cloudflare ecosystem. By replacing it with Cloudflare Mesh, I could eliminate one account, one service dependency, and one company handling my connectivity metadata. This consolidation approach aligned with my philosophy of simplifying technical infrastructure while maintaining functionality.

Setting up Cloudflare Mesh: A practical walkthrough

Initially, I viewed Tailscale as a networking application and Cloudflare Zero Trust as enterprise infrastructure software, expecting the Zero Trust dashboard to be overwhelming. While it did contain many features irrelevant to homelab use, focusing only on what I needed made the setup manageable. The process began with selecting "Replace my client-based or site-to-site VPN" in the setup interface, which presented six simple steps—three already completed for me, with two being optional.

In my case, the heavy lifting was already done. I had existing tunnels, Cloudflared running on my server, and services already behind Cloudflare's infrastructure. Adding a private network route required minimal effort—specifying the IP range and installing the WARP client on my devices. However, I encountered unexpected issues during the client app setup. When connecting my MacBook to mobile data and attempting to access the Portainer dashboard via local IP, the connection failed. After troubleshooting, I discovered that WARP split tunnel excluded 192.168.0.0/16 by default and that mesh connectivity was turned off—fixing these resolved the issue.
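The split-tunnel problem described above is easy to reproduce on paper: the WARP client's default "Exclude" list contains the whole RFC 1918 range 192.168.0.0/16, so any private network route inside it never enters the tunnel. The following script is an added example, not code from the original article or from Cloudflare; it checks a route against an exclude list and carves only the homelab subnet out of the overlapping entry, so the rest of the private range stays excluded. The exclude entries are constructed to mirror the default list, and the route 192.168.1.0/24 is an assumed homelab subnet.

```python
"""Check whether a WARP split-tunnel exclude list blocks a private route.

Added example (not Cloudflare's code). The exclude entries below are
constructed to mirror the client's default "Exclude" mode; the route
192.168.1.0/24 is an assumed homelab subnet.
"""
import ipaddress
from typing import Iterable, List

# Constructed: private and special-use ranges WARP excludes from the
# tunnel by default (trimmed to the IPv4 entries relevant here).
DEFAULT_EXCLUDES = [
    "10.0.0.0/8",
    "100.64.0.0/10",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
]


def blocking_excludes(route: str, excludes: Iterable[str]) -> List[str]:
    """Return the exclude entries that overlap the private network route.

    Any overlap means the client routes that traffic to the local network
    instead of through the tunnel, which is why a laptop on mobile data
    cannot reach a dashboard on the homelab LAN.
    """
    net = ipaddress.ip_network(route, strict=False)
    hits = []
    for cidr in excludes:
        ex = ipaddress.ip_network(cidr, strict=False)
        if ex.version == net.version and ex.overlaps(net):
            hits.append(str(ex))
    return hits


def is_reachable(route: str, excludes: Iterable[str]) -> bool:
    """True when nothing in the exclude list shadows the route."""
    return not blocking_excludes(route, excludes)


def carve_out(route: str, excludes: Iterable[str]) -> List[str]:
    """Rewrite the exclude list so the route is tunneled.

    Least-exposure fix: instead of deleting 192.168.0.0/16 outright, keep
    every part of the range that is not the homelab subnet excluded, so
    other LANs the device joins (a hotel, an office) stay off the tunnel.
    """
    net = ipaddress.ip_network(route, strict=False)
    result = []
    for cidr in excludes:
        ex = ipaddress.ip_network(cidr, strict=False)
        if ex.version != net.version or not ex.overlaps(net):
            result.append(str(ex))            # untouched entry
        elif net.subnet_of(ex) and net != ex:
            # Split the exclude entry into the CIDRs around the route.
            result.extend(str(n) for n in sorted(ex.address_exclude(net)))
        # else: the route covers the whole entry, so the entry is dropped.
    return result


if __name__ == "__main__":
    route = "192.168.1.0/24"  # assumed homelab subnet
    print("blocked by:", blocking_excludes(route, DEFAULT_EXCLUDES))
    fixed = carve_out(route, DEFAULT_EXCLUDES)
    print("reachable after fix:", is_reachable(route, fixed))
    for entry in fixed:
        print("  exclude", entry)
```

The route itself is declared on the tunnel side (for example with `cloudflared tunnel route ip add 192.168.1.0/24 <tunnel>`); the carved list goes into the Split Tunnels setting in the Zero Trust dashboard. The script does not cover the second cause mentioned above, mesh connectivity being disabled, which is a separate toggle.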

A separate frustration arose during the authentication process. Cloudflare sends OTPs to the added email address, but after multiple attempts, I wasn't receiving any. This initially seemed like a Cloudflare network issue, especially since my Workspace subscription was active and DNS records appeared correct. The actual problem turned out to be a WHOIS data mismatch at my domain registrar, which had suspended my domain name. A quick chat with support resolved this within 20 minutes, highlighting the importance of maintaining accurate domain information.

A week with Cloudflare Mesh: The results

After completing the setup and resolving the initial issues, Cloudflare Mesh functioned seamlessly. SSH connections remained stable, and services like Jellyfin, Immich, and Nextcloud were accessible as before. The most significant advantage was maintaining access to local IP addresses even when connected to different networks, eliminating the need to remember or manage separate device addresses as with Tailscale.

The migration proved that consolidating services within the Cloudflare ecosystem could simplify infrastructure without compromising functionality. My workflow remained intact, with remote access continuing to work and CGNAT no longer being a concern. After a few days, the infrastructure became background noise, invisible in my daily routine—a testament to how well the implementation worked.

There were trade-offs worth noting. Cloudflared running on my homelab server created a single point of failure; if the server went down, the tunnel would follow. The setup lacked true peer-to-peer mesh functionality since the homelab server acted as a connector rather than enabling direct device-to-device communication. However, this dependency was theoretical in practice—if the server were down, all services hosted on it would be inaccessible regardless of the networking solution used.

Interestingly, I found myself missing Tailscale less than anticipated. Its dedicated IP addresses had been helpful in specific scenarios, but the local IP addresses provided by Cloudflare Mesh were easier to use in daily operations. The migration felt less like replacing a tool and more like removing duplication from my stack, which was precisely my goal when beginning this experiment.

The verdict: Simplification over superiority

This exercise wasn't about declaring a winner between Cloudflare Mesh and Tailscale. Both products serve their purpose well, and Tailscale remains an excellent solution, particularly for users not already deeply invested in the Cloudflare ecosystem. For my specific situation—where Cloudflare already handled DNS, DoH, and tunnels—consolidating networking services made practical sense.

The key takeaway is that infrastructure decisions should be driven by individual needs rather than brand loyalty or feature comparisons. By reducing dependencies and simplifying my stack, I achieved greater operational efficiency without sacrificing functionality. Cloudflare Mesh successfully filled the role previously held by Tailscale in my environment, demonstrating that sometimes the best technology solution is the one that reduces complexity rather than adding features.

Editorial: SiliconFeed is an automated feed; facts are checked against sources, and copy is normalized and lightly edited for readers.

FAQ

What is the main advantage of using Cloudflare Mesh over Tailscale?
The primary advantage is reducing dependencies by consolidating networking services within the Cloudflare ecosystem. Users who already use Cloudflare for DNS, DoH, and tunnels can eliminate the need for a separate service for remote connectivity, simplifying their stack and reducing the number of third parties handling their network metadata.
Is Cloudflare Mesh suitable for all homelab setups?
Cloudflare Mesh works best for users already integrated into the Cloudflare ecosystem. The setup requires a homelab server running Cloudflared, which means the entire mesh depends on that server's availability. For users not already using Cloudflare services or those needing true peer-to-peer connectivity without a central connector, Tailscale or other solutions might be more appropriate.
What technical skills are needed to migrate from Tailscale to Cloudflare Mesh?
Basic networking knowledge is sufficient. The migration process involves configuring IP ranges, installing the WARP client on devices, and ensuring proper split tunnel settings. Users comfortable with managing DNS records and server applications should find the process straightforward, though troubleshooting may be required for issues like domain registration or network configuration conflicts.
