
Cloudflare Mesh is Here. Should You Ditch Tailscale?

so cloudflare just announced something called Mesh and the first thing i thought was wait is this just tailscale?

short answer: kinda. but also not really. let me explain.

what is cloudflare mesh

mesh is cloudflare's take on private networking. you install a lightweight agent on your servers, install the cloudflare client on your devices, and everything gets a private IP address. all traffic flows through cloudflare's network instead of the public internet.

sounds familiar right? because that's basically what tailscale does. and wireguard. and zerotier.

the difference is that mesh lives inside cloudflare's ecosystem. so if you're already using cloudflare for DNS, tunnels, workers, or zero trust policies, mesh plugs right into all of that.

my current setup

i run a homelab on an old laptop with 15+ docker containers. jellyfin, immich, home assistant, grafana, the whole servarr media stack, and a bunch more.

for networking i use two things:

  • tailscale for private access from my phone and laptop when i am not home
  • cloudflare tunnel to expose some services publicly (jellyfin.coods.in, photos.coods.in, etc.)

this combo works great and i have had zero issues with it. tailscale gives me a private IP (100.x.x.x) for every device, and cloudflare tunnel handles the public stuff with SSL and all.

so what does mesh do differently

here's what caught my attention:

workers can join the mesh. this is the big one. if you have cloudflare workers or AI agents running on their edge, they can talk to your private services directly. no need to expose anything publicly. tailscale can't do this because workers don't run on your machine.

one tool instead of two. mesh handles both private access (like tailscale) and public tunneling (like cloudflare tunnel) in one system. fewer moving parts.

security policies built in. if you're already using cloudflare zero trust (gateway rules, device posture checks, DNS filtering), all of that applies to mesh traffic automatically.

free tier is generous. 50 nodes and 50 users per account. more than enough for any homelab.

but here's where tailscale still wins

i went and checked if mesh supports the features i actually use daily.

MagicDNS? nope. not yet. mesh is IP-only right now. so you'd be typing http://100.64.0.5:8088 instead of http://homelab:8088. they have something called "Mesh DNS" on the roadmap for later this year but it's not available today.

auto SSL certs? tailscale gives you real SSL certificates with tailscale cert. mesh doesn't have this yet.

device names? on tailscale every device gets a friendly hostname automatically. on mesh you get an IP address. that's it.

these three things matter to me because i access my homelab dashboard and services multiple times a day. typing IPs is not it.

the ai agent angle

cloudflare is pushing mesh hard for AI agents and that actually makes sense. the problem with autonomous agents is they need access to private stuff like databases and APIs but you don't want to expose those publicly. mesh lets workers and agents reach your private services through the mesh network.

tailscale doesn't really have an answer for this use case. if you're building AI agents on cloudflare workers that need to talk to your private infra, mesh is the only option.

but for a homelab? i don't have workers running AI agents against my jellyfin server lol.

my verdict

i am not switching. at least not now.

tailscale + cloudflare tunnel is a proven setup that just works. mesh is promising but missing basic stuff like DNS names and SSL certs that i use every day. once mesh DNS ships and i can do homelab.mesh instead of an IP address, i'll reconsider.

if you're starting fresh and already live in the cloudflare ecosystem, mesh might be worth trying. but if you have a working tailscale setup, there's no reason to rip it out today.

i'll keep an eye on it though. the workers integration is genuinely interesting and if cloudflare nails the DNS piece, having one tool instead of two would be nice.

tldr

| | tailscale | cloudflare mesh |
|---|---|---|
| private networking | yes | yes |
| friendly DNS names | yes (MagicDNS) | coming later 2026 |
| auto SSL certs | yes | no |
| public tunneling | no (need cloudflare tunnel) | yes (built in) |
| workers/agent access | no | yes |
| zero trust policies | basic ACLs | full cloudflare zero trust |
| free tier | 100 devices | 50 nodes, 50 users |
| maturity | battle tested | brand new |

for now tailscale stays. mesh goes on the watchlist.