VIGIL MESH

Documentation

A Cloudflare Tunnel alternative: publish, or keep it private

Cloudflare Tunnel (the cloudflared daemon) made something simple that never used to be: making a local service reachable from the internet without opening a port on your router. It is an excellent product, and for a public website it does its job very well. But before looking for a cloudflared alternative, it is worth asking the real question: do you need to expose this service to the world, or only to reach it yourself? VIGIL-MESH answers both cases — a private, end-to-end encrypted mesh when nothing should be public, and an HTTP or TCP publication when a door really has to be opened — and this page compares the two approaches honestly.

What Cloudflare Tunnel solves well

The principle behind Cloudflare Tunnel is elegant: a small daemon, cloudflared, runs next to your service and establishes an outbound connection to Cloudflare's network. Visitor traffic arrives on that network, then comes back down through the tunnel to your machine. The result: no inbound port to open, no forwarding rule to configure on the router, and the service works even behind a home NAT or a carrier-grade NAT, where hosting a conventional server is impossible.

  • Exposure without an open port: the machine hosting the service does not listen from the internet; it connects outward to Cloudflare's network.
  • The protection of a global network: public traffic first lands on Cloudflare's infrastructure, which absorbs denial-of-service attacks before they reach your machine.
  • Managed names and certificates: visitors reach a domain name over HTTPS without you installing any certificate on the origin machine.
  • Hidden origin address: visitors only ever see Cloudflare's network, never the IP address of your own connection.

The underlying question: who terminates TLS

To understand what you are really choosing, you have to distinguish two families of tools that are often conflated. An exposure tunnel makes a private service reachable from the public internet: anyone can connect to it, and an intermediate infrastructure receives that public traffic and relays it to the origin. A private network, by contrast, connects your machines to each other: nobody else can connect to it, and traffic is encrypted from one end to the other between the two machines talking.

The difference crystallizes around one precise technical point: who terminates TLS. In Cloudflare Tunnel's documented public architecture, visitors' HTTP traffic transits Cloudflare's infrastructure, which terminates the TLS connection on the public side before forwarding requests down the tunnel. It is a coherent architectural choice — it is what makes caching, attack inspection and the global network's protection possible — and it is openly documented. You simply have to draw the conclusion: an exposure tunnel is not an end-to-end private network, and it does not claim to be one.

Exposure tunnelEnd-to-end private network
PurposeMake a service reachable by the publicConnect your machines to each other, and nobody else
Who can connectAnyone on the internet (unless controls are added)Only members of the network, according to the ACLs
TLS terminationOn the intermediate infrastructure, public sideOn the machines at both ends
EncryptionIn segments, around the intermediaryEnd to end, between the two nodes
Typical casePublic website, world-facing APINAS, home automation, SSH, internal dashboards

When nothing should be public: the private mesh

If the service is meant only for you, your team or your machines, VIGIL-MESH keeps it entirely off the internet. Each machine joins a private mesh network using outbound connections only — a single flow on 443 UDP, the same port as the modern web — with no inbound port and no router configuration, including behind a 4G/5G carrier-grade NAT. The connection goes through a relay immediately, then migrates without interruption to the direct peer-to-peer path as soon as NAT traversal succeeds.

End-to-end encrypted, nobody in the middle

Sessions are QUIC/TLS 1.3 connections established between the two machines themselves, with a hybrid post-quantum X25519 + ML-KEM key exchange. TLS terminates on your nodes, not on an intermediate infrastructure: no third party sees the content.

The relay is structurally blind

When traffic has to be relayed, the vigie carries flows whose keys it does not hold. It brokers connections and transports encrypted bytes — it cannot read what passes through, by construction.

Access by name, as if local

Each machine keeps a stable address on the mesh and a MagicDNS name. You reach your NAS or your server by name, from anywhere, exactly as if it were on your local network.

Deny by default, access by identity

ACLs decide who talks to what: ordered rules naming machines, groups and tags rather than IP addresses, with everything not explicitly allowed being denied.

This access control is not a mere configuration option: every policy change produces a new generation signed by the controller, which each client verifies cryptographically — including offline — before applying it. Belonging to the network grants no rights by itself; without a rule allowing it, a flow is denied. It is a Zero Trust model, not a flat network.

And because no public door exists, the service's attack surface toward the internet drops to zero: nothing to scan, nothing to brute-force, nothing to shield from a denial of service. The best defense for a service that was never meant to be public is not being reachable at all.

When you really must expose: publication

Sometimes a service genuinely has to be reachable from the public internet: a web application for users who are not mesh members, an API consumed by partners, a TCP entry point for a business protocol. VIGIL-MESH covers this need with the platform's publications. The principle stays the same as for the mesh: the machine hosting the service opens no inbound port, it joins the mesh outward; the platform is what presents a public surface and relays inbound traffic to the service through the encrypted mesh.

A publication is an explicit, surgical act: each publication opens a door to exactly one internal service. The rest of the network — addresses, machine names, unpublished services — stays invisible to the visitor. Over HTTP, the platform acts as a reverse-proxy: it terminates TLS on the public side with a certificate obtained and renewed automatically, then carries the request to the service. Over TCP, it relays the raw stream without interpreting it — and therefore without encrypting it for you: the published protocol (SSH does so natively) must provide its own encryption.

AspectHTTP publicationTCP publication
Nature of the serviceWeb application, API, dashboardRaw stream: database, SSH, business protocol
Public entry pointDomain nameTransport port
TLS terminated by the platformYes, automatic certificateNo: the stream is relayed as is
End-to-end encryptionUp to the internal applicationUp to the published protocol

Let us be honest about the comparison: as soon as you publish over HTTP, someone terminates TLS on the public side — that is true for a VIGIL-MESH publication just as it is for Cloudflare Tunnel. The difference is no longer about end-to-end, but about scope and scale. And on scale, Cloudflare has a genuine advantage: its global network doubles as a CDN and absorbs massive denial-of-service attacks close to their source. For a public site with heavy worldwide traffic or particular exposure to attacks, that is a strength VIGIL-MESH publication does not claim to match.

Sovereignty: whose servers carry your bytes

One question remains that exposure tunnels never raise: who owns the infrastructure your traffic crosses? With a managed tunnel, the answer is structural — traffic goes through the tunnel operator's network. With VIGIL-MESH, your machines' traffic takes the direct peer-to-peer path whenever it exists, crossing no infrastructure at all. And for the relayed share, you can take back control.

  • Self-hosted private vigie: you deploy your own relay on your own server; it registers automatically with the controller and serves only your workspace. Your relayed bytes transit only through your machines.
  • Blind even at home: the vigie — yours as much as the service's — does not hold the session keys. Self-hosting serves path sovereignty, proximity and compliance, not content confidentiality, which end-to-end encryption already guarantees.
  • Proximity and compliance: a relay in your datacenter or your region shortens the detour taken by relayed traffic and keeps it within your contractual and geographic perimeter.

Which tool for which need

The choice does not boil down to "Cloudflare Tunnel or something else": it depends on who must reach the service. This table maps each need to the tool that fits it — including when that tool is not ours.

NeedRight toolWhy
Reaching your own services (NAS, home automation, SSH, dashboards) from outsideVIGIL-MESH private meshEnd-to-end encrypted, access by name, nothing exposed to the internet, deny-by-default ACLs
Public site with heavy worldwide traffic or high attack exposureCloudflare Tunnel (or a publication behind a CDN)Cloudflare's global network brings caching and denial-of-service absorption at an unmatched scale
Internal web application to open to a few external usersVIGIL-MESH HTTP publicationReverse-proxy, automatic certificates, a single service exposed, no port opened on the host machine
Non-web protocol to make reachable (SSH, database, business protocol)VIGIL-MESH TCP publicationStream relayed as is to the service, encryption provided by the protocol itself
Relayed traffic that must stay within your perimeterSelf-hosted private vigieThe relayed path goes through your servers, and the relay stays blind to the content
Service that must never be reachable from the internetPrivate mesh + ACLsNo public door exists; even inside the mesh, only what is explicitly allowed gets through

The last two rows are the heart of the matter: most services in a homelab or a small infrastructure do not need to be public. Putting them on the mesh, and publishing only the exception, shrinks the attack surface far more reliably than any protection placed in front of an exposure.

Getting started: the two scenarios

First scenario, the most common one: reaching your services without exposing anything. Everything happens from the console, without touching the router or the firewall.

  1. 1
    Create an account and a workspaceThe workspace gathers your networks, your machines and your access policies. It is free for personal use.
  2. 2
    Install the client on the machines involvedThe machine hosting the service (NAS, server, home-automation box) and the ones that need to reach it — Windows, Linux, Android, Jetson, or even the browser through the WASM node.
  3. 3
    Enroll each machineNetworks page → Machines → "Add a machine": a single-use key enrolls the machine into the network.
  4. 4
    Verify connectivityEach machine receives a stable address and a MagicDNS name; a ping or opening the service confirms the mesh is in place.
  5. 5
    Reach the service by its nameFrom any machine on the network, reach the service through the machine's address or name, as if local. Nothing has been exposed to the internet.

Second scenario: the service must be reachable by visitors outside the mesh. That is where an HTTP publication of the platform comes in.

  1. 1
    Designate the internal service to publishThe mesh machine and the port on which the web application is listening. The service keeps running exactly as before, unmodified.
  2. 2
    Choose the public nameThe domain or subdomain through which visitors will reach the service; its management is described in the domains documentation.
  3. 3
    Let the platform obtain the certificateThe public name's TLS certificate is requested and renewed automatically — no file to install, no expiry date to watch.
  4. 4
    The reverse-proxy relays to the serviceInbound traffic is terminated on the public side then carried to the internal service through the encrypted mesh. The rest of the network stays invisible.

Frequently asked questions

Does Cloudflare Tunnel see my traffic?
In Cloudflare Tunnel's documented public architecture, visitors' HTTP traffic transits Cloudflare's infrastructure, which terminates the TLS connection on the public side before relaying requests to your service. It is a deliberate architectural choice, and it is what makes caching and DDoS protection possible. On a VIGIL-MESH private mesh, by contrast, sessions are QUIC/TLS 1.3 connections encrypted end to end between your machines: the relay carries flows whose keys it does not hold.
Can VIGIL-MESH replace Cloudflare Tunnel?
It depends on your need. If what you were really after was reaching your own services without opening a port, the private mesh does it without exposing anything at all, with end-to-end encryption. If a service genuinely has to be public, the platform's HTTP publication (reverse-proxy, automatic certificates) or TCP publication covers it. For a public site with very heavy worldwide traffic or under massive attack, Cloudflare's global network remains an excellent choice: VIGIL-MESH does not claim to provide a planetary CDN.
Do I need to open a port on my router or firewall?
No. Each mesh machine establishes outbound connections only — a single flow on 443 UDP, the same port as the modern web — with no inbound port and no forwarding rule. And if you publish a service, the machine hosting it opens nothing either: the platform receives the public traffic and relays it through the mesh.
How do I reach my services without publishing anything at all?
By leaving them on the private mesh: each machine keeps a stable address and a MagicDNS name, and you reach the service by name from anywhere, as if local. Nobody outside the network can connect to it, and even inside, deny-by-default ACLs only let through what is explicitly allowed.
Does VIGIL-MESH's HTTP publication also terminate TLS?
Yes, and we say so plainly: in HTTP publication, the platform acts as a reverse-proxy and terminates TLS on the public side with an automatic certificate, before carrying the request to the service through the encrypted mesh. That is inherent to any web publication with managed certificates. In TCP publication, on the other hand, the stream is relayed as is, with no TLS termination: encryption is up to the published protocol itself, as with SSH.
What about DDoS protection?
For a genuinely public service, Cloudflare's global network absorbs attacks at a scale few infrastructures can match — it is a real strength of their offering. For everything that does not need to be public, the best protection remains not being reachable: a service living on the private mesh has no door onto the internet, so there is nothing to scan and nothing to saturate.
Can I self-host VIGIL-MESH?
Partially, and the perimeter is stated without spin: you can host your own private vigie — the relay your relayed traffic goes through, auto-registered with the controller and structurally blind to your data — but the control plane (the console) remains a managed service. The standalone vigie is currently in preview. The direct peer-to-peer path, for its part, depends on no third-party infrastructure.
Does it work behind CGNAT or a 4G/5G connection?
Yes. Carrier-grade NAT prevents hosting a conventional server, but it lets connections out — and VIGIL-MESH only ever connects outward. The machine connects immediately through the relay, then the session migrates without interruption to the direct path if NAT traversal succeeds. If both ends sit behind symmetric NATs, traffic stays relayed permanently, through a blind relay — your own, if you host your vigie.
Read nextPublishing a service: HTTP and TCP