Cloudflare One and Tailscale, connected
I run both. That sentence makes some people twitch. Here is why, what it took to make them actually coexist at the DNS, identity, and routing layers, and what the evaluation surfaced before anything shipped.
I run both Cloudflare One and Tailscale. That sentence makes some people twitch: why both? They overlap. Pick one.
Here is why both, what it took to make them coexist at the DNS, identity, and routing layers, and what I learned running the evaluation project on the integration itself.
Why both
Cloudflare One handles the edge. Zero trust web access, DNS filtering, tunnels into private services from anywhere. That is what it is good at.
Tailscale handles the mesh. Device to device, machine to machine, infrastructure I do not want exposed to any public edge at all. Subnet routers, tagged ACLs, SSH that just works without punching holes.
The overlap is real but the use cases are different. Cloudflare is my perimeter for human traffic. Tailscale is my fabric for machine traffic.
The real question was never which one. It was whether these two can coexist without fighting each other at the DNS layer, the routing layer, and the identity layer.
What had to not break
Three things.
- Tailscale MagicDNS and Cloudflare Gateway DNS both want to own the system resolver. If you do not state explicitly which one answers for which domains, resolution on a device enrolled in both depends on which client configured the resolver last, and that is not deterministic.
- Cloudflare Access and Tailscale both do identity, and both are backed by Okta, through separate applications with separate sessions. You do not want a machine getting two different identity opinions on the same request.
- Tailscale subnet routers advertise CIDRs. Cloudflare Tunnel publishes hostnames, and with WARP it can route private CIDRs as well. If the two sides overlap on a private range, longest-prefix match on the device, not your intent, decides which tunnel carries the packet.
What I actually did
I ran the whole integration as an evaluation project. Panaptico picked up both tenants, mapped the DNS resolution order, the identity flows on both sides, and the route advertisements. It told me where the conflicts lived before I shipped anything to prod.
Three real conflicts surfaced. All three fixable in config. Not one of them would have shown up in a docs-only read.
One of them was embarrassing: a Tailscale subnet route that shadowed a Cloudflare Tunnel hostname, in a way that only manifested on devices enrolled in both, and only in specific DNS cache states. Finding that by reading documentation would have taken me a weekend. Finding it by shipping would have taken me a production incident.
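As an added example (not code from the original post, and not Panaptico's tooling), here is a pre-flight checker for the three conflict classes listed under "What had to not break", including the shadowing case just described. It works from a declared snapshot of each tenant rather than from live APIs, and it models the shadowing case as a Tunnel hostname whose private origin IP sits inside a subnet a Tailscale router advertises: a device enrolled in both can reach that origin directly over Tailscale, bypassing the Access policy, depending on which resolver answered and what it cached. The data model, the sample CIDRs, hostnames and domains, and that modelling assumption are all mine, not the post's real configuration.

```python
"""Pre-flight conflict check for hosts enrolled in both Tailscale and Cloudflare WARP.

Added example, not part of the original post and not Panaptico's code.
Every value in SAMPLE_TS / SAMPLE_CF is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class TailscaleSide:
    subnet_routes: list[str]   # CIDRs from subnet routers (tailscale up --advertise-routes)
    dns_domains: list[str]     # domains MagicDNS / tailnet split DNS answers for


@dataclass
class CloudflareSide:
    tunnel_origins: dict[str, str]  # Access-protected hostname -> private origin IP behind cloudflared
    warp_include_routes: list[str]  # CIDRs the WARP client sends through Cloudflare (split-tunnel include)
    gateway_domains: list[str]      # domains Gateway / local domain fallback is expected to resolve


@dataclass(frozen=True)
class Conflict:
    kind: str
    detail: str


def _nets(cidrs: list[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _domain_overlap(a: str, b: str) -> bool:
    """True when one domain equals or is a subdomain of the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_route_overlaps(ts: TailscaleSide, cf: CloudflareSide) -> list[Conflict]:
    """Both clients install routes on the same host; overlapping CIDRs mean
    longest-prefix match, not intent, decides which tunnel carries a packet."""
    found = []
    for t in _nets(ts.subnet_routes):
        for c in _nets(cf.warp_include_routes):
            if t.overlaps(c):
                found.append(Conflict("route-overlap", f"tailscale {t} overlaps warp include {c}"))
    return found


def find_shadowed_tunnel_hosts(ts: TailscaleSide, cf: CloudflareSide) -> list[Conflict]:
    """A Tunnel hostname whose origin IP lies inside a Tailscale-advertised subnet
    is reachable over Tailscale directly, skipping the Access policy on that host."""
    found = []
    routes = _nets(ts.subnet_routes)
    for host, origin in cf.tunnel_origins.items():
        ip = ipaddress.ip_address(origin)
        for r in routes:
            if ip in r:
                found.append(Conflict("tunnel-shadowed",
                                      f"{host} origin {ip} is inside tailscale route {r}"))
    return found


def find_dns_domain_overlaps(ts: TailscaleSide, cf: CloudflareSide) -> list[Conflict]:
    """A domain both resolvers claim is one whose answer depends on resolver order."""
    found = []
    for t in ts.dns_domains:
        for c in cf.gateway_domains:
            if _domain_overlap(t, c):
                found.append(Conflict("dns-domain-overlap", f"{t} (tailscale) vs {c} (cloudflare)"))
    return found


def check(ts: TailscaleSide, cf: CloudflareSide) -> list[Conflict]:
    return (find_route_overlaps(ts, cf)
            + find_shadowed_tunnel_hosts(ts, cf)
            + find_dns_domain_overlaps(ts, cf))


# Constructed sample tenants (assumptions for illustration only).
SAMPLE_TS = TailscaleSide(
    subnet_routes=["10.20.0.0/16", "192.168.50.0/24"],
    dns_domains=["example-tailnet.ts.net", "internal.example"],
)
SAMPLE_CF = CloudflareSide(
    tunnel_origins={"grafana.example.com": "10.20.3.10", "wiki.example.com": "172.16.8.5"},
    warp_include_routes=["10.20.0.0/24", "172.16.0.0/12"],
    gateway_domains=["internal.example", "example.com"],
)

if __name__ == "__main__":
    for conflict in check(SAMPLE_TS, SAMPLE_CF):
        print(f"[{conflict.kind}] {conflict.detail}")
```

Against the sample data this reports one route overlap (10.20.0.0/16 against the WARP include 10.20.0.0/24), one shadowed hostname (grafana.example.com, whose origin sits inside the Tailscale route) and one domain both resolvers claim (internal.example); wiki.example.com is clean because its origin is only reachable through WARP. Feeding it the real advertised routes, Tunnel ingress origins and DNS domain lists from both tenants turns the "docs-only read" into a check that runs in CI before either side's config changes ship.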
The rule I ended up with
Tailscale owns the machine-to-machine plane. Cloudflare owns the human-to-service plane. DNS order is explicit and documented: which resolver answers for which domains is written into both tenants, not left to whichever client configured the system resolver last. The identity provider is Okta on both sides, and the trust chain is written down, so when something breaks at 2am I am not guessing which side saw which token first.
What I would tell anyone doing this
Do not take either vendor's word for "works great with X". Run the actual integration against your actual identity provider and your actual network. The documentation will tell you it works. Your stack will tell you whether it works.