Tailscale vs Cloudflare Tunnels for Remote Access to Self-Hosted Apps

Tailscale and Cloudflare Tunnels both solve remote access to self-hosted apps, but in different ways. This guide compares setup complexity, CGNAT handling, privacy trade-offs, and which option suits Australian NAS and homelab users.

Tailscale is the better choice for private, device-to-device remote access to a NAS or homelab, while Cloudflare Tunnels is the better choice for sharing self-hosted web apps with other people over a standard browser URL. Both tools solve a real problem for Australian users: getting reliable remote access when most home internet connections sit behind CGNAT or lack a static IP. The difference comes down to what you are exposing and to whom. Tailscale builds a private overlay network between your devices, so only enrolled devices can connect. Cloudflare Tunnels opens no inbound port on your router: an agent inside your network dials out to Cloudflare, which then exposes a web service to the public internet, protected only by Cloudflare's edge. This guide works through the real differences so you can pick the right tool for your situation.

In short: Use Tailscale if you want private access to your NAS, Plex, Home Assistant, or any self-hosted service from your own devices only. Use Cloudflare Tunnels if you want to share a web app or dashboard with other people via a public URL without opening firewall ports. Both are free for most home users and both bypass CGNAT, which is common on Australian mobile broadband and some NBN connections.

The Core Problem: Remote Access in Australia

Remote access to a home NAS or self-hosted app sounds simple until you hit the realities of Australian internet infrastructure. Three problems come up repeatedly.

CGNAT (Carrier-Grade NAT) is the most common blocker. Many Australian mobile broadband providers and some NBN services place multiple customers behind a single public IP address. Port forwarding does not work with CGNAT because there is no public IP assigned to your connection. You cannot forward a port that does not belong to you. Aussie Broadband, Telstra Mobile, Optus Mobile, and various ISPs on the Optus HFC network have all been associated with CGNAT deployments. If you have ever tried to forward a port and found it simply does not work, CGNAT is the likely cause.

No static IP is the second problem. Most NBN plans provide a dynamic IP that changes periodically. Dynamic DNS services work around this, but they add complexity and introduce a point of failure.

NBN upload speed limits compound the problem for media streaming. A typical NBN 100 plan delivers around 20 Mbps upload. That is enough for a couple of 4K direct-play streams but leaves little headroom for simultaneous access. NBN 250 and NBN 1000 plans improve upload to 25 Mbps and 50 Mbps respectively, though actual speeds vary by technology type. HFC and FTTP can often deliver better upload than these figures; FTTN and FTTC frequently fall short.

Both Tailscale and Cloudflare Tunnels solve the CGNAT and dynamic IP problems. Neither makes NBN upload faster, but they eliminate the infrastructure barriers that otherwise block remote access entirely.

Tailscale

Tailscale is a zero-config VPN built on WireGuard. It creates a private mesh network across all your enrolled devices. Once a device joins your Tailscale network (called a tailnet), it gets a stable private IP address (in the 100.x.x.x range) and can reach any other device in the same tailnet directly, regardless of what network each device is on.

From a NAS perspective, you install the Tailscale app or Docker container on the NAS, enrol it in your tailnet, and your NAS becomes reachable from any other enrolled device using its Tailscale IP or MagicDNS name. Your phone, laptop, and work computer can all access the NAS as if they were on the same local network, without touching your router's firewall.

Tailscale uses DERP relay servers to punch through CGNAT and NAT in general. When a direct connection is not possible, traffic routes through Tailscale's relay infrastructure. For most connections between two WireGuard-capable devices on modern routers, Tailscale achieves a direct peer-to-peer connection and the relay is only a fallback. The relay servers add latency when used, but they ensure the connection works even in the most restrictive network environments.

The free Tailscale plan covers up to 3 users and 100 devices, which is more than sufficient for a single household or small homelab. Paid plans add ACL policies, user provisioning, and centralised logging for teams.

Protocol: WireGuard (mesh VPN)
Access model: Private (enrolled devices only)
CGNAT support: Yes, via DERP relay servers
Static IP required: No
Port forwarding required: No
Traffic routing: Direct peer-to-peer (relay fallback)
Free tier: 3 users, 100 devices
Paid plans: From USD $6/user/month (Personal Pro)
NAS support: Synology, QNAP, TrueNAS, Docker
Self-hostable control plane: Yes (Headscale, open source)
Data passes through Tailscale servers: Only if direct connection fails (DERP relay)
Exit node support: Yes (route all traffic through a trusted device)

Pros

  • Works through CGNAT with no port forwarding or firewall changes required
  • Traffic is end-to-end encrypted via WireGuard; Tailscale cannot read your data
  • Direct peer-to-peer connection when possible, so speed is close to raw WireGuard performance
  • Supports Synology DSM 7, QNAP QTS/QuTS hero, TrueNAS, and any Docker host
  • MagicDNS gives enrolled devices stable hostnames, no IP memorisation needed
  • Exit node feature lets you route traffic through your home NAS when away from home
  • Headscale (open source) lets you self-host the control plane if you do not trust Tailscale's servers
  • Free tier is generous for personal use

Cons

  • Requires the Tailscale app installed on every device that needs access, including phones and laptops
  • Not suitable for sharing access with people who do not have Tailscale installed
  • DERP relay latency can be noticeable if a direct connection cannot be established
  • Control plane authentication requires a third-party login (Google, Microsoft, GitHub, or Apple account)
  • More complex to set up subnet routing if you want to access all devices on your home network, not just the NAS

Review Score

Review Score · Tailscale · /10
Performance (20%): 9/10
Near-native WireGuard speeds on direct connections. DERP relay fallback adds latency but connection always works through CGNAT.

Value (25%): 9/10
Free tier covers 3 users and 100 devices. Extremely generous for home and homelab use.

Software & Features (25%): 9/10
Polished apps across all platforms. MagicDNS and ACL policies are well designed. Headscale option for self-hosters.

Build & Hardware (15%): 8/10
WireGuard foundation is rock solid. DERP relay network is Tailscale-operated, which is a dependency to accept.

Ease of Use (15%): 9/10
Zero firewall configuration required. Enrol a device, it appears in the network. Simplest VPN setup available.

Cloudflare Tunnels

Cloudflare Tunnels (previously Argo Tunnel) works differently. Instead of creating a private network, it exposes a service running on your local machine to the public internet via Cloudflare's edge network. You install a small agent called cloudflared on the machine running the service, configure a tunnel, and Cloudflare assigns a public URL. DNS is handled automatically through Cloudflare. No firewall ports, no static IP, and it bypasses CGNAT because the outbound connection is initiated from inside your network.

The trade-off is that your service becomes publicly accessible. Anyone with the URL can attempt to access it. Cloudflare provides access controls including email-based authentication, Google/GitHub SSO, and IP allowlisting through Cloudflare Access (the zero trust product that sits alongside Tunnels). Without Access configured, a Cloudflare Tunnel is effectively the same as port forwarding to the public internet: open to anyone who finds the URL.

For NAS users, this means Cloudflare Tunnels is well suited to scenarios like sharing a Nextcloud instance with family members, running a Jellyfin server accessible from a browser without requiring the Tailscale app, or exposing a Home Assistant dashboard to collaborators. It is not a good fit for exposing raw NAS admin interfaces (Synology DSM, QNAP QTS) to the public internet without additional authentication layering.

Cloudflare Tunnels is free for personal use. Cloudflare Access is also free for up to 50 users, which covers all reasonable home and small business scenarios.

Architecture: Reverse proxy via Cloudflare edge
Access model: Public URL (optional: Cloudflare Access for auth)
CGNAT support: Yes, tunnel is outbound from your network
Static IP required: No
Port forwarding required: No
Traffic routing: All traffic via Cloudflare edge servers
Free tier: Unlimited tunnels on free Cloudflare plan
Cloudflare Access free tier: Up to 50 users
NAS support: Any HTTP/HTTPS service (Docker, web UI)
Data passes through Cloudflare servers: Yes, always
Protocol support: HTTP, HTTPS, SSH, RDP, TCP (some require WARP client)
Latency source: Cloudflare PoP nearest to both client and server

Pros

  • No app required on client devices for HTTP/HTTPS services, works in any browser
  • Free and no credit card required for basic use
  • Bypasses CGNAT as the tunnel connection is outbound from your network
  • Cloudflare Access adds email or SSO authentication without modifying the application
  • Cloudflare's global edge network provides DDoS protection and SSL termination automatically
  • Zero firewall changes needed on home router
  • Supports SSH and RDP tunnels in addition to web services

Cons

  • All traffic passes through Cloudflare's servers, which are a third-party infrastructure provider
  • A public URL is exposed to the internet; requires Cloudflare Access to add authentication
  • Not suitable for accessing NAS admin interfaces without careful access control configuration
  • Cloudflare's terms of service prohibit using free tunnels for video streaming at scale
  • Less suitable for high-bandwidth private use compared to Tailscale's direct peer-to-peer connection
  • Control depends on Cloudflare remaining free; pricing or policy changes could affect existing setups

Review Score

Review Score · Cloudflare Tunnels · /10
Performance (20%): 7/10
All traffic routes through Cloudflare's edge, adding latency vs direct connection. Excellent for low-bandwidth web apps; less ideal for high-bandwidth NAS file access.

Value (25%): 9/10
Free with no meaningful limits for personal web app sharing. Cloudflare Access for auth also free up to 50 users.

Software & Features (25%): 8/10
cloudflared daemon is straightforward. Cloudflare dashboard is well documented. Access policies are powerful but have a learning curve.

Build & Hardware (15%): 8/10
Cloudflare's infrastructure is highly reliable. Dependency on Cloudflare's terms of service is a real long-term risk.

Ease of Use (15%): 8/10
Easier than port forwarding. cloudflared setup is well documented. Cloudflare Access adds complexity when authentication is required.

Side-by-Side Comparison

Tailscale vs Cloudflare Tunnels

Feature | Tailscale | Cloudflare Tunnels
Access model | Private (enrolled devices) | Public URL (optional auth via Access)
CGNAT bypass | Yes | Yes
Port forwarding needed | No | No
Client app required | Yes (on every accessing device) | No (browser access for HTTP/HTTPS)
Traffic routing | Direct P2P when possible, DERP relay fallback | Always via Cloudflare edge
Data privacy | End-to-end encrypted; Tailscale cannot read data | Traffic decrypted at Cloudflare edge
Best for NAS admin UI | Yes (private network only) | Not recommended without strict Access policies
Best for sharing with others | Only users enrolled in tailnet | Yes, any browser user
Speed for file transfers | Near-native WireGuard speed | Limited by Cloudflare edge; terms restrict video streaming
Self-hostable | Yes (Headscale) | No (Cloudflare-operated)
Free tier limits | 3 users, 100 devices | Unlimited tunnels; 50 Access users
NAS platform support | Synology DSM 7, QNAP QTS/QuTS, Docker | Any HTTP service via Docker or native install
Protocol support | All TCP/UDP via WireGuard | HTTP, HTTPS, SSH, RDP (TCP tunnels need WARP)
Setup complexity | Low (app install + enrol) | Low for basic use; moderate with Access policies

Tailscale on Synology and QNAP NAS

Synology DSM 7.x supports Tailscale via the official Tailscale package available in the Synology Package Centre. Installation takes a few minutes. Once installed, the NAS appears in your tailnet with a stable Tailscale IP and a MagicDNS hostname. You can then access DSM, Synology Drive, Synology Photos, Plex, or any other service running on the NAS from any enrolled device anywhere in the world, without touching firewall rules.

QNAP QTS supports Tailscale via the App Centre. The installation and setup process is similar to Synology. QuTS hero (the ZFS-based QNAP OS) also supports the Tailscale app.

For NAS devices running services in Docker, Tailscale can be deployed as a Docker container with the --network host flag to give the container access to the host network. This approach works on any Docker-capable NAS, including Asustor, TrueNAS, and Unraid.

A common configuration for NAS users is to combine Tailscale with a subnet router. You install Tailscale on the NAS and configure it as a subnet router for your home network (e.g., 192.168.1.0/24). All enrolled devices can then reach every device on your home network using their local IP addresses, even devices without Tailscale installed, such as printers, IP cameras, and other NAS units.

Cloudflare Tunnels on a NAS

Cloudflare Tunnels is best suited to NAS deployments where you are running a web-facing service and want to share it with people who do not have Tailscale installed. Common use cases include Nextcloud, Bitwarden (Vaultwarden), Home Assistant, or a self-hosted photo gallery.

The setup process: create a Cloudflare account, add your domain (or use a free Cloudflare-provided subdomain), deploy the cloudflared agent as a Docker container on your NAS, create a tunnel in the Cloudflare dashboard, and map it to the local service port. Cloudflare handles DNS automatically.

For Synology users, cloudflared can run as a Docker container managed through Container Manager. For QNAP, the same Docker approach applies via Container Station. On a NAS with no Docker support, cloudflared can be installed as a native binary if the processor architecture is supported (ARM64 and x86-64 are both covered).

The critical step that many users skip is enabling Cloudflare Access in front of the tunnel. Without Access, the service is public. Adding an Access policy that requires a specific email address or Google account to authenticate takes about five minutes and changes the risk profile dramatically. For a NAS admin interface, this is not optional if you value the security of your data.

Do not expose NAS admin interfaces (Synology DSM, QNAP QTS) publicly via Cloudflare Tunnels without Cloudflare Access in front of them. The admin UI is a high-value target. An unprotected public URL will attract brute-force attacks within hours. Tailscale is a safer choice for admin interfaces because the endpoint is not publicly reachable at all.
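
One way to confirm that Access really is in front of a tunnel hostname you own, as an added example that is not part of the original article or of Cloudflare's tooling: request the URL without credentials and classify what comes back. The hostnames and team name in the samples are constructed placeholders, and the function names are hypothetical.

```python
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

# Unauthenticated browser requests to an Access-protected hostname are
# redirected to a login page on the team's cloudflareaccess.com subdomain.
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"
REDIRECTS = {301, 302, 303, 307, 308}


def classify_response(status: int, location: Optional[str]) -> str:
    """Classify what an anonymous visitor sees at a tunnel hostname."""
    if status in REDIRECTS and location:
        host = (urlsplit(location).hostname or "").lower()
        # Match the parsed hostname suffix, not a substring of the URL, so a
        # look-alike such as cloudflareaccess.com.example is not accepted.
        if host.endswith(ACCESS_LOGIN_SUFFIX):
            return "access-gated"
        return "origin-redirect"  # the app itself answered, e.g. its own /login
    if 200 <= status < 300:
        return "open"  # origin content served with no Access challenge
    if status in (401, 403):
        return "denied"  # blocked, but not provably by Access: check the policy
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch one of your own tunnel URLs anonymously and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx and 4xx both arrive as HTTPError.
        return classify_response(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    # Constructed sample responses (status, Location header); no network needed.
    samples = {
        "nextcloud behind Access": (
            302,
            "https://exampleteam.cloudflareaccess.com/cdn-cgi/access/login/"
            "cloud.example.com?redirect_url=%2F",
        ),
        "DSM login served directly": (200, None),
        "app redirecting to its own login": (302, "/login"),
    }
    for name, (status, location) in samples.items():
        print(f"{name}: {classify_response(status, location)}")
```

Anything other than "access-gated" for an admin interface means the origin is answering the public internet directly. Run probe() from outside your own network and without a browser session, so an existing Access cookie cannot mask the result.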

CGNAT in Australia: Why This Matters

CGNAT is the primary reason Australian home users cannot simply port-forward their way to remote NAS access. When your ISP places you behind CGNAT, you share a public IP with dozens or hundreds of other customers. Incoming connections to that IP address are not routed to your router, let alone your NAS.

Both Tailscale and Cloudflare Tunnels solve CGNAT by initiating outbound connections from your network, not relying on incoming connections. Tailscale's DERP relay accepts an outbound connection from each device and bridges them. Cloudflare Tunnels' cloudflared agent maintains a persistent outbound connection to Cloudflare's edge. Neither requires your ISP to assign you a public IP.

ISPs known to use or have used CGNAT on some plans in Australia include Telstra mobile, Optus mobile, Vodafone mobile, and various NBN RSPs using Optus HFC infrastructure. If you are on Aussie Broadband, Superloop, or iiNet NBN and cannot port-forward successfully, confirm with your ISP whether CGNAT applies to your plan before spending time troubleshooting firewall rules.

Some ISPs offer a static IP add-on that also removes CGNAT. Aussie Broadband charges $5/month for a static IP. If you want the flexibility of both direct port-forwarding and tools like Tailscale, a static IP is worth considering and removes the dependency on third-party tunnelling infrastructure entirely.

Using Both Tools Together

Tailscale and Cloudflare Tunnels are not mutually exclusive. Many homelab users deploy both for different purposes.

A practical split: use Tailscale for all personal device access to the NAS, including file manager, DSM admin, Plex, and SSH. Use Cloudflare Tunnels for any service you want to share with people outside your household, such as a Vaultwarden instance for a family member or a Nextcloud installation for a small team.

This approach gives you the best of both: private, high-speed access for yourself via WireGuard, and convenient browser-based access for others via Cloudflare, without exposing the entire NAS admin surface to the public internet.

Which NAS Models Work Best

Both Tailscale and Cloudflare Tunnels have modest hardware requirements. The limiting factor is usually the NAS processor's ability to run the service you are accessing remotely, not the tunnelling overhead itself.

For Tailscale, any NAS running DSM 7+ or QTS 5+ with sufficient RAM to run the package is suitable. The Synology DS225+ (from $538 at Mwave, Scorptec, and PLE) is a solid entry-point 2-bay NAS that supports Tailscale natively. The QNAP TS-433 (from $639) is a comparable 4-bay option with the Tailscale App Centre package.

For Cloudflare Tunnels with Docker, you need a NAS that supports Container Manager (Synology) or Container Station (QNAP). The Synology DS425+ (from $785) and QNAP TS-464 (from $989) both run Docker reliably for this purpose. If you are running a NAS primarily as a Nextcloud or Vaultwarden host accessible via Cloudflare Tunnels, the DS225+ with its Realtek RTD1619B processor handles light web workloads adequately, though response times under concurrent access will be slower than on a Celeron or Ryzen-powered NAS.

For heavier self-hosted workloads accessible via Cloudflare Tunnels, such as a Nextcloud instance with heavy media handling or a resource-hungry web application, the QNAP TS-473A (from $1,269) with its AMD Ryzen V1500B processor provides substantially better compute performance.

Which Tool to Choose

The right choice depends on who needs access and to what.

Choose Tailscale if: you want remote access to your NAS or homelab from your own devices only, you want to access admin interfaces securely, you need raw file transfer speeds over the remote connection, you are comfortable installing an app on your phone and laptop, or you value not having your traffic pass through a third party's infrastructure.

Choose Cloudflare Tunnels if: you want to share a web application with people who do not have Tailscale installed, you need public URL access for a service (a shared Nextcloud, a Bitwarden instance for family, a Home Assistant dashboard), you are comfortable managing Cloudflare Access policies to protect the exposed service, or you want the simplest possible setup for browser-based sharing.

Choose both if: you run a homelab with multiple services for different audiences. Use Tailscale for private admin and file access, Cloudflare Tunnels for services you share externally.

For most Australian home NAS users who just want to access their own files and media remotely, Tailscale is the cleaner, more private choice. The app requirement is a minor inconvenience that buys you a private network that does not expose anything to the public internet.

Australian Buyers: What You Need to Know

Both Tailscale and Cloudflare Tunnels are free software services with no hardware to purchase. The relevant Australian context is around the NAS hardware you use with them and the internet connection quality.

If you are buying a NAS for remote access as a primary use case, the following points apply regardless of which tunnelling tool you choose.

Check your ISP's CGNAT status first. If your ISP uses CGNAT, traditional port forwarding is not an option. Both tools work around this, but confirming your situation before purchasing hardware avoids wasted setup time. The simplest test is to compare your router's WAN IP with your public IP as reported by a service like whatismyip.com. If they differ, you are behind CGNAT.
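
The comparison above can be made more precise by looking at which address range the router's WAN IP falls in, since a mismatch alone does not distinguish CGNAT from a second NAT inside your own home. The following is an added example, not from the original article; the verdict names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
# Tailscale also assigns tailnet addresses from this block, so read the WAN
# address from the router's status page, not from a tailscale interface.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges. A WAN address in one of these means another NAT
# sits upstream: either the ISP, or a modem/gateway still in router mode.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

ADVICE = {
    "cgnat": "ISP carrier-grade NAT: port forwarding cannot work.",
    "upstream-nat": "Private WAN address: check for a modem in router mode "
                    "(double NAT) before blaming the ISP.",
    "public": "WAN address is your public address: port forwarding can work.",
    "mismatch": "Public WAN address differs from the observed one: the check "
                "may have run through a VPN, exit node or second uplink.",
    "incomparable": "One address is IPv4 and the other IPv6: compare the "
                    "same address family.",
}


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify a connection from the router's WAN IP and the IP a remote
    'what is my IP' service reports. Raises ValueError on malformed input."""
    wan = ipaddress.ip_address(router_wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    if wan.version != public.version:
        return "incomparable"
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in RFC1918_NETS):
        return "upstream-nat"
    if wan == public:
        return "public"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN IP, IP reported by a remote service).
    samples = [
        ("100.72.14.9", "203.0.113.45"),
        ("192.168.0.2", "203.0.113.45"),
        ("203.0.113.45", "203.0.113.45"),
        ("203.0.113.45", "198.51.100.7"),
    ]
    for wan_ip, public_ip in samples:
        verdict = classify_wan(wan_ip, public_ip)
        print(f"{wan_ip} vs {public_ip}: {verdict} - {ADVICE[verdict]}")
```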

NBN upload speed matters for remote use. If you plan to stream video or transfer large files remotely, your NBN plan's upload speed is the bottleneck. NBN 100 plans deliver around 20 Mbps upload. NBN 250 and NBN 1000 plans can reach 25 Mbps upload on some technologies. For 4K video streaming over Tailscale to a single device, 20 Mbps is borderline. For multiple simultaneous users, consider an NBN 1000 plan or a plan with higher upload speeds if available in your area.

NAS warranty in Australia follows the standard chain: retailer to distributor to vendor. For hardware supporting Tailscale or Cloudflare Tunnels, the relevant retailers include Scorptec, PLE, Mwave, and Computer Alliance. For more on the warranty process, see our guide to NAS warranty and ACL in Australia. Australian Consumer Law protections apply when purchasing from Australian retailers.

Does Tailscale work with CGNAT in Australia?

Yes. Tailscale uses DERP relay servers to establish connections when direct peer-to-peer is not possible, which includes CGNAT environments. You do not need a public IP address or any router configuration. The downside is that when a direct connection cannot be established, traffic routes through Tailscale's relay servers, which adds latency. Most modern routers allow Tailscale to establish a direct WireGuard connection for better performance.

Does Cloudflare Tunnels work with CGNAT?

Yes. Cloudflare Tunnels works by having the cloudflared agent on your network establish an outbound connection to Cloudflare's edge, not by accepting inbound connections. This means CGNAT is not a problem. Your NAS initiates the connection to Cloudflare, so your ISP's NAT configuration does not interfere.

Is Tailscale free for home use?

Yes. Tailscale's free plan covers up to 3 users and 100 devices, which is more than sufficient for household use. The paid Personal Pro plan at USD $6/user/month adds features like more users and custom DNS configuration. For a single person accessing their own NAS from a handful of devices, the free plan has no meaningful limitations.

Is Cloudflare Tunnels safe for exposing a NAS?

It depends on what you expose and how you configure it. Cloudflare Tunnels creates a publicly accessible URL for your service. Without Cloudflare Access enabled, that URL is open to anyone. With Cloudflare Access configured (requiring login via email or Google/GitHub SSO), it is reasonably secure for web applications. However, exposing NAS admin interfaces (Synology DSM, QNAP QTS) publicly is risky even with Access, because admin UIs have a larger attack surface than dedicated web apps. Tailscale is safer for admin interfaces because the endpoint is never publicly reachable.

Can I install Tailscale directly on a Synology NAS?

Yes. Tailscale is available as a package in the Synology Package Centre for DSM 7.x. Installation is straightforward: install the package, authenticate with your Tailscale account, and the NAS joins your tailnet. You can then access DSM, Synology Drive, Synology Photos, and any other service running on the NAS from enrolled devices. Synology does not officially support Tailscale, but the community package is maintained by Tailscale and works reliably.

What is the difference between Tailscale and a traditional VPN?

A traditional VPN (like OpenVPN or WireGuard set up manually) requires a server with a public IP address that all clients connect to. This means you need a NAS or router with a public IP, which is not available on CGNAT connections. Tailscale is a managed WireGuard overlay network where the coordination is handled by Tailscale's control plane. Devices connect to each other directly when possible, without requiring a single server with a public IP. The trade-off is that Tailscale's control plane is a third-party service, though the data traffic itself is encrypted end-to-end and Tailscale cannot read it.

Can I use Cloudflare Tunnels to stream Plex or Jellyfin?

Technically yes, but Cloudflare's terms of service for the free plan prohibit using tunnels for video streaming or other high-bandwidth content delivery. Violating this can result in account suspension. For streaming your own media remotely, Tailscale is the more appropriate tool: it routes traffic directly between your device and the NAS (not through Cloudflare's servers), and there are no terms of service restrictions on the type of traffic.
