GetPublicIP vs Cloudflare Tunnel vs Tailscale — Which Is Best for Self-Hosting?
If you're self-hosting behind CGNAT or a restrictive ISP, you need a way to make your server reachable from the internet. The three most popular solutions are GetPublicIP, Cloudflare Tunnel, and Tailscale — but they work in fundamentally different ways and each has trade-offs.
Here's the short version: Cloudflare Tunnel is free but only handles HTTP/HTTPS traffic and terminates your SSL. Tailscale is a private mesh VPN that doesn't give you a public IP. GetPublicIP gives you a real dedicated public IP address with full port and protocol access.
Quick Comparison
| Feature | GetPublicIP | Cloudflare Tunnel | Tailscale |
|---|---|---|---|
| Dedicated public IP | Yes | No | No |
| Email / SMTP hosting | Yes | No | No |
| All ports (TCP + UDP) | Yes | HTTP/HTTPS only | Within tailnet only |
| SSL/TLS termination | None — your traffic passes unmodified | Cloudflare terminates SSL | E2E within tailnet |
| Public access | Full — real public IP | Yes — via reverse proxy | Limited — Funnel (HTTPS only) |
| Protocol support | All (TCP, UDP, ICMP) | HTTP/HTTPS (Spectrum for TCP, paid) | All within tailnet |
| Reverse DNS (rDNS) | Yes | No | No |
| Pricing | $8.99/month per IP | Free | Free (personal, up to 3 users) |
| Setup complexity | Low — install WireGuard, import config | Low — install cloudflared | Low — install Tailscale client |
What Each Service Does
GetPublicIP
GetPublicIP assigns you a real, dedicated public IPv4 and IPv6 address that is routed to your server through an encrypted WireGuard VPN tunnel. Your server receives traffic exactly as if the public IP were configured directly on your machine — all ports, all protocols, with zero modification or inspection of your packets. It works behind CGNAT, across ISP changes, and supports automatic failover.
Cloudflare Tunnel
Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your server to Cloudflare's edge network using the cloudflared daemon. Cloudflare acts as a reverse proxy — it receives incoming HTTP/HTTPS requests on your domain, terminates the TLS connection at its edge servers, inspects the traffic, then forwards it to your origin server through the tunnel. You do not get a public IP address. Traffic is limited to HTTP and HTTPS protocols on the free plan.
Tailscale
Tailscale is a mesh VPN built on WireGuard that connects your devices in a private network (tailnet). It excels at securely connecting your own devices to each other — for example, accessing your home server from your laptop. However, it is not designed for public-facing services. Tailscale Funnel can expose a service publicly, but it is limited to HTTPS traffic only and routes through Tailscale's infrastructure.
SSL/TLS and Privacy
This is one of the most important differences and is often overlooked.
Cloudflare Tunnel terminates your SSL
When you use Cloudflare Tunnel, Cloudflare decrypts your HTTPS traffic at its edge servers, inspects it, and then re-encrypts it before forwarding to your origin. This means Cloudflare can see the plaintext content of every request and response passing through your tunnel. Cloudflare uses this capability for features like its WAF, bot detection, and caching — but it means a third party has access to your unencrypted traffic.
For some users this is acceptable. For others — especially those self-hosting for privacy reasons, running a personal email server, or handling sensitive data — this is a dealbreaker.
Tailscale encrypts end-to-end (within your network)
Tailscale uses WireGuard encryption between your devices. Traffic stays encrypted and private within your tailnet. However, if you use Tailscale Funnel to expose a service publicly, traffic routes through Tailscale's DERP relay servers, which adds latency and means your traffic passes through their infrastructure.
GetPublicIP never sees your plaintext traffic
GetPublicIP routes traffic through an encrypted WireGuard tunnel directly to your server without terminating SSL/TLS. We never decrypt, inspect, or modify your packets. You implement your own SSL/TLS encryption end-to-end, maintaining complete control over your privacy and security. Packets arrive at your server exactly as they were sent — with full visibility of source IPs and original traffic data.
Email and SMTP Support
If you want to self-host an email server (Mailcow, Mail-in-a-Box, Postfix/Dovecot, or similar), your choice of tunnel service matters a lot.
Cloudflare Tunnel — No email support
Cloudflare blocks port 25 (SMTP) and does not proxy email traffic through tunnels. You cannot run a public-facing email server behind a Cloudflare Tunnel. This is a fundamental architectural limitation — Cloudflare Tunnel only handles HTTP and HTTPS traffic on the free plan. The Spectrum add-on supports TCP but is paid, enterprise-tier, and still does not support email on port 25.
Cloudflare's own documentation states that they do not proxy SMTP traffic unless Spectrum is configured, and even then port 25 is restricted.
Tailscale — No public email support
Tailscale is a private mesh network. While you could theoretically run an email server accessible within your tailnet, there is no way to receive email from the public internet through Tailscale. Tailscale Funnel only supports HTTPS — not SMTP, IMAP, or any email protocol.
GetPublicIP — Full email support
GetPublicIP gives you a real dedicated public IP address with all ports available, including port 25 (SMTP), 465 (SMTPS), 587 (submission), and 993 (IMAPS). You can configure reverse DNS (rDNS / PTR records) through the management console, which is essential for email deliverability — most receiving mail servers verify that your sending IP has a valid PTR record.
This makes GetPublicIP the only option in this comparison that supports running a fully functional, public-facing email server from your home or office.
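The PTR verification mentioned above is usually a forward-confirmed reverse DNS check, which you can run against your own sending IP before putting a mail server into service. The following is an added example, not code from GetPublicIP; the addresses and hostnames are constructed sample data from documentation ranges, and the HELO comparison is an assumed stricter policy that only some receivers apply.

```python
import ipaddress
import socket

# Constructed sample zone data (documentation address ranges), not real records.
SAMPLE_PTR = {
    "203.0.113.25": ["mail.example.org."],
    "203.0.113.50": ["cust-50.isp.example.net."],
    "2001:db8::25": ["mail.example.org."],
}
SAMPLE_FWD = {
    "mail.example.org": ["203.0.113.25", "2001:0db8:0000:0000:0000:0000:0000:0025"],
    "cust-50.isp.example.net": ["198.51.100.7"],
}

def system_ptr(ip):
    """PTR lookup through the system resolver (live use)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(host):
    """A/AAAA lookup through the system resolver (live use)."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def check_fcrdns(ip, helo, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (ok, reason) for a forward-confirmed reverse DNS check."""
    addr = ipaddress.ip_address(ip)
    names = [norm(n) for n in ptr_lookup(ip)]
    if not names:
        return False, "no PTR record"
    # A PTR name counts only if it resolves back to the same address;
    # comparing parsed addresses makes IPv6 text forms equivalent.
    confirmed = [
        n for n in names
        if any(ipaddress.ip_address(a.split("%")[0]) == addr for a in forward_lookup(n))
    ]
    if not confirmed:
        return False, "PTR name does not resolve back to the IP"
    if norm(helo) not in confirmed:
        return False, "HELO name differs from confirmed PTR name"
    return True, "ok"

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(host):
    return SAMPLE_FWD.get(host, [])
```

Call `check_fcrdns(ip, helo)` without the last two arguments to query the system resolver instead of the sample data.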
Port and Protocol Access
| Capability | GetPublicIP | Cloudflare Tunnel | Tailscale |
|---|---|---|---|
| HTTP (80) | Yes | Yes | Funnel (HTTPS only) |
| HTTPS (443) | Yes | Yes | Funnel |
| SSH (22) | Yes | Via Access (browser-based) | Within tailnet |
| SMTP (25) | Yes | Blocked | No |
| Custom TCP ports | Yes — all ports | No (Spectrum, paid) | Within tailnet |
| UDP | Yes | No | Within tailnet |
| ICMP (ping) | Yes | No | Within tailnet |
| Game servers | Yes | No (UDP required) | Within tailnet only |
| VoIP / SIP | Yes | No (UDP required) | Within tailnet only |
| DNS server | Yes | No | Within tailnet only |
If your use case involves anything beyond HTTP/HTTPS — game servers, DNS, email, VoIP, custom TCP services, or any UDP-based protocol — Cloudflare Tunnel cannot help you. Tailscale works for these protocols within your private network but cannot expose them publicly.
GetPublicIP supports all ports and all protocols because you receive a real public IP address. There is no reverse proxy or application-layer gateway — traffic is routed at the network layer, just like having a static IP from your ISP.
Pricing
| Plan | GetPublicIP | Cloudflare Tunnel | Tailscale |
|---|---|---|---|
| Free tier | No | Yes — HTTP/HTTPS only | Yes — 3 users, 100 devices |
| Paid | $8.99/month per IP | Free (Spectrum: enterprise pricing) | From $6/user/month |
| What you get | Dedicated public IPv4 + IPv6, all ports, all protocols, rDNS, failover, firewall, management console | HTTP/HTTPS reverse proxy, WAF, DDoS protection, caching | Mesh VPN, Funnel (HTTPS), MagicDNS, ACLs |
| Contracts | No — cancel anytime | No | No |
Cloudflare Tunnel is hard to beat on price — it is genuinely free for HTTP/HTTPS use cases with no usage limits. If all you need is to expose a web application, it's an excellent choice.
Tailscale's free tier is generous for personal use (up to 3 users and 100 devices). For teams, pricing starts at $6/user/month.
GetPublicIP costs $8.99/month per IP address with no contracts. While it's not free, you get capabilities that neither Cloudflare nor Tailscale offer at any price: a real public IP, full port and protocol access, email hosting support, rDNS, and connection failover.
When to Use Each
Use Cloudflare Tunnel when:
- You only need to expose web applications (HTTP/HTTPS)
- Free is a priority and you don't need email, UDP, or custom ports
- You want built-in DDoS protection and WAF
- You're comfortable with Cloudflare terminating your SSL and inspecting your traffic
- You don't need a real public IP address
Use Tailscale when:
- You need private access between your own devices (phone, laptop, home server)
- You want a mesh VPN with zero configuration
- You don't need to expose services to the public internet
- You want to share access with specific people within your tailnet
Use GetPublicIP when:
- You need a real, dedicated public IP address
- You want to self-host an email server with reverse DNS
- You need full port and protocol access (TCP, UDP, ICMP — all ports)
- You want complete privacy — no SSL termination, no traffic inspection
- You need connection failover — keep your IP when your ISP changes
- You're running game servers, VoIP, DNS, or custom TCP/UDP services
- You're behind CGNAT and need a solution that works like having a static IP from your ISP, without the ISP
Can I combine these services?
Yes — many self-hosters use more than one. A common setup is:
- GetPublicIP for your public-facing services (web server, email, game server) that need a real IP address and full port access
- Tailscale for private remote access to your devices (SSH into your server from your phone, access admin panels privately)
These two services complement each other well. GetPublicIP handles the public-facing side, while Tailscale handles private device-to-device access.
Frequently Asked Questions
Can I host an email server with Cloudflare Tunnel?
No. Cloudflare Tunnel blocks port 25 (SMTP) and only proxies HTTP/HTTPS traffic on the free plan. You cannot run a public email server behind a Cloudflare Tunnel. GetPublicIP is the only option in this comparison that supports email hosting with all required ports and reverse DNS.
Does Cloudflare Tunnel give me a public IP address?
No. Cloudflare Tunnel acts as a reverse proxy — your domain points to Cloudflare's IP addresses, not yours. You share Cloudflare's IP space with millions of other sites. GetPublicIP gives you a dedicated public IP that is yours alone.
Can Tailscale expose my server to the public internet?
Tailscale Funnel can expose HTTPS services publicly, but it is limited to HTTPS only, routes through Tailscale's relay servers, and has undisclosed bandwidth limits. It is not designed for production public-facing hosting. For full public access with all protocols, you need a real public IP from a service like GetPublicIP.
Is GetPublicIP a VPN?
GetPublicIP uses a WireGuard VPN tunnel to route a dedicated public IP address to your server, but it is not a privacy VPN like NordVPN or Mullvad. It does the opposite — instead of hiding your IP, it gives you a public IP so your server is reachable from the internet. Your existing internet connection continues to work normally for outbound traffic.
Which is best for self-hosting behind CGNAT?
All three bypass CGNAT, but they solve different problems. Cloudflare Tunnel works for HTTP/HTTPS websites. Tailscale works for private access to your devices. GetPublicIP works for any use case that needs a real public IP — web hosting, email, game servers, VoIP, or any other protocol. See our complete guide to self-hosting behind CGNAT for more detail.
