Tailscale vs Cloudflare Zero Trust — Decision Note
Date: 2026-06-18
Context: 7-person team. Currently on Cloudflare Zero Trust but only using DNS filtering. Considering a move to Tailscale.
The core insight
They solve different problems. Not a like-for-like swap.
- Cloudflare Zero Trust = DNS filtering + ZTNA + Access. We use ~5% of it (DNS only). Free up to 50 users. Best-in-class DNS filtering.
- Tailscale = mesh VPN (device-to-device private connectivity). Does NOT do content/security DNS filtering.
Switching to Tailscale for DNS filtering = a downgrade + a new bill.
Tailscale is right ONLY if we have an unmet need
- Reach internal servers / DBs / staging without exposing them publicly
- Replace a clunky legacy VPN
- Gate SSH / admin access behind device identity
If none apply → stay on Cloudflare, no action.
Pricing (verified 2026-06-18)
| Plan | Price | Users | Notes |
|---|---|---|---|
| Tailscale Personal | Free | up to 6 | We're at 7 and it's non-commercial only — a business domain auto-classifies as paid. Doesn't apply to us. |
| Tailscale Standard | $8/user/mo | unlimited | MDM, device posture, SCIM → 7 ppl ≈ $56/mo (~$672/yr) |
| Tailscale Premium | $18/user/mo | unlimited | Audit logs, JIT access, flow logs |
| Cloudflare Zero Trust | Free | up to 50 | DNS filtering + ZTNA + Access (current) |
Decision matrix
| If... | Do |
|---|---|
| Only need DNS filtering | Keep Cloudflare. $0. Don't switch. |
| Need private access to servers/DBs | Add Tailscale Standard ($56/mo) alongside Cloudflare, not replacing |
| Cloudflare UI is the pain | Pain is config, not the tool. Switching won't fix "set once, forgot." |
Alternatives (other than CF ZT), by job-to-be-done
DNS filtering — the thing we actually use
| Tool | Price (7 ppl) | Why |
|---|---|---|
| NextDNS ⭐ | ~$2/mo flat | Best value. Same filtering power as CF, nicer UI, per-device profiles. No-brainer cheap. |
| Control D | ~$2/user/mo | By Windscribe. Granular, fast, good dashboards. |
| Cloudflare Gateway (current) | Free | Fine. UI is the pain, not the filtering. |
| Cisco Umbrella / DNSFilter | $$$ | Enterprise/MSP. Overkill for 7. Skip. |
MDM — manage the devices (likely our real gap; CF ZT was never real MDM)
| Tool | Price | Why |
|---|---|---|
| Mosyle ⭐ | Free tier / ~$1/device | Built for Apple-only shops. Mac team → start here. |
| Jamf Now | Free up to 3, then ~$2/device | Simple Apple MDM. |
| Kandji | ~$5–8/device | Premium, beautiful, automation-heavy. |
Private network access — only if needed (Tailscale alternatives)
| Tool | Price | Why |
|---|---|---|
| Twingate ⭐ | Free up to 5 users, then ~$6/user | Easier ZTNA than Tailscale, real free tier for small teams. |
| NetBird | Self-host free / ~$8/user cloud | Open-source, WireGuard-based. |
| Tailscale | $8/user | See above. |
Recommendation
- DNS pain → NextDNS ($2/mo). Dump CF ZT, instant UX upgrade, near-zero cost.
- Want real MDM → Mosyle (Apple). CF ZT never did MDM.
- Need private server access → Twingate free tier beats Tailscale at 7 people.
Deciding question: Are all devices Macs? If yes → Mosyle + NextDNS is the clean, cheap stack that actually does MDM + filtering.
7 people, DNS-only → simplest move is NextDNS, or just stay on Cloudflare free. Tailscale only with a real private-access need (none named yet).
Sources: Tailscale Pricing · NextDNS · Mosyle · Twingate