Learn how Brisbane SMBs can use Tailscale and Cloudflare to build secure, zero-trust infrastructure. Complete setup guide with Terraform, Docker, and modern automation patterns.
What if you could secure your entire small business network without opening a single firewall port—and do it for free? For Australian SMBs navigating the increasingly hostile cybersecurity landscape, the combination of Tailscale and Cloudflare offers exactly that: enterprise-grade zero-trust security at startup-friendly prices.
With 62% of Australian SMEs having suffered cyber attacks and an average breach cost of AUD $122,000, the old "castle and moat" approach to network security simply doesn't work anymore. This guide shows you how to implement modern zero-trust networking using two of the best tools available—with practical examples tailored for Brisbane and Queensland businesses.
Serving Southeast Queensland: This guide is designed for Brisbane, Gold Coast, Ipswich, Logan, and regional Queensland businesses looking to modernize their network security without breaking the budget.
What is Zero Trust Networking?
Zero Trust operates on a simple principle: never trust, always verify. Unlike traditional VPNs that create a trusted perimeter, zero-trust architectures verify every connection request regardless of where it originates.
Why Zero Trust Matters for Australian SMBs
| Challenge | Traditional VPN | Zero Trust |
|---|---|---|
| Remote worker access | Complex port forwarding | Automatic NAT traversal |
| Contractor access | Full network access | Granular permissions |
| Compliance (Essential Eight) | Manual MFA setup | Built-in MFA enforcement |
| Lateral movement risk | High | Eliminated |
The Australian Cyber Security Centre's Essential Eight framework now mandates MFA for remote access—zero-trust solutions like Tailscale and Cloudflare make compliance straightforward.
Tailscale vs Cloudflare: When to Use Each
These aren't competing products—they're complementary tools solving different problems. Understanding when to use each is critical for a well-architected solution.
Tailscale: Internal Mesh Networking
Tailscale creates a peer-to-peer mesh network using the WireGuard protocol. Key characteristics:
- Direct P2P connections: 90%+ of connections are direct (no relay)
- End-to-end encryption: Traffic is never decrypted in transit
- No central bottleneck: Unlike traditional VPNs, traffic doesn't flow through a single gateway
- Automatic NAT traversal: Works through most firewalls without configuration
Best for: Team access to internal resources, dev environments, database connections, SSH access.
Cloudflare Tunnel: Public Service Exposure
Cloudflare Tunnel creates outbound-only connections from your origin to Cloudflare's edge network:
- No inbound ports: Your firewall stays locked down
- DDoS protection: Unmetered mitigation included
- Zero Trust Access: Identity-aware access policies
- Global edge: 300+ data centers including Sydney and Melbourne
Best for: Public-facing applications, customer portals, APIs that need DDoS protection.
Using Both Together
The pattern is straightforward:
- Cloudflare for anything customers or the public need to access
- Tailscale for internal team access to the same (or additional) resources
Free Tier Reality Check
Both platforms offer generous free tiers, but there are important limitations to understand.
Tailscale Pricing
Personal: for personal use only
- 3 users maximum
- 100 devices
- All core features
- SSO with any OIDC provider
Starter: for commercial teams
- Unlimited users (MAU billing)
- 100 + 10/user devices
- Network-level ACLs
- MagicDNS
Premium: advanced security
- Tailscale SSH
- Funnel (public exposure)
- Audit logging
- Device posture checks
Notes:
- The Personal plan is NOT for commercial use.
- Prices are in USD; at current rates, Starter is approximately AUD $9.70/user/month.
- Active-user billing means you pay only for users who actually connect.
Cloudflare Zero Trust
Free: up to 50 users
- 50 users maximum
- Unlimited tunnels
- DDoS protection
- Basic Access policies
Pay-as-you-go: for growing teams
- Unlimited users
- Advanced policies
- Browser isolation
- Extended logs
Notes:
- The Free tier is production-ready for small teams.
- The Cloudflare Workers free tier includes 100K requests/day.
What This Means for Your SMB
For a typical 10-person Brisbane SMB:
| Scenario | Monthly Cost (AUD) |
|---|---|
| Both free tiers (3 Tailscale + 50 CF users) | $0 |
| Tailscale Starter + CF Free | ~$97 |
| Both paid tiers | ~$210 |
Step-by-Step: Setting Up Tailscale
Prerequisites
Before diving in, make sure you have everything ready. The setup is straightforward, but having these in place will make the process smoother.
Installing Tailscale
Tailscale provides a convenient install script that works across most Linux distributions. Choose your platform below:
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start and authenticate
sudo tailscale up

# Verify connection
tailscale status
```
You'll be prompted to authenticate via your browser. Once authenticated, your device joins your tailnet automatically.
Here's what a successful connection looks like in your terminal:
Notice how Tailscale automatically establishes a direct P2P connection, bypassing the relay server for lower latency. This is the magic of WireGuard's NAT traversal.
Setting Up a Subnet Router
For legacy devices that can't run Tailscale (printers, NAS devices, IoT), use a subnet router:
```bash
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Advertise your local network (adjust CIDR for your network)
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
```
Then approve the routes in your Tailscale admin console.
Configuring ACLs (Access Control Lists)
Tailscale uses a deny-by-default model. Create a policy file (policy.hujson) for GitOps management:
```hujson
{
  // Define groups for role-based access
  "groups": {
    "group:developers": ["alice@company.com", "bob@company.com"],
    "group:admins": ["admin@company.com"],
    "group:contractors": ["contractor@external.com"]
  },

  // Define device tags
  "tagOwners": {
    "tag:server": ["group:admins"],
    "tag:database": ["group:admins"],
    "tag:dev": ["group:developers"]
  },

  // Access rules (least privilege)
  "acls": [
    // Admins can access everything
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["*:*"]
    },
    // Developers can access dev and server resources
    {
      "action": "accept",
      "src": ["group:developers"],
      "dst": ["tag:server:80,443", "tag:dev:*"]
    },
    // Contractors only get web access to servers
    {
      "action": "accept",
      "src": ["group:contractors"],
      "dst": ["tag:server:80,443"]
    }
  ],

  // Test your policies before applying
  "tests": [
    {
      "src": "alice@company.com",
      "accept": ["tag:server:443"],
      "deny": ["tag:database:5432"]
    }
  ]
}
```
Docker Deployment
For containerized environments, here's a complete Docker Compose setup:
```yaml
# docker-compose.yml
version: '3.8'

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: docker-router
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    environment:
      - TS_AUTHKEY=${TAILSCALE_AUTH_KEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_ROUTES=172.18.0.0/16  # Docker network CIDR
      - TS_EXTRA_ARGS=--accept-routes
    network_mode: host
    restart: unless-stopped

  # Your application containers
  webapp:
    image: your-app:latest
    networks:
      - internal
    expose:
      - "8080"

networks:
  internal:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/16

volumes:
  tailscale-state:
```
Step-by-Step: Setting Up Cloudflare Tunnel
Prerequisites
- Cloudflare account (free tier works)
- Domain name with DNS managed by Cloudflare
- Server to run cloudflared
- 20 minutes
Installing cloudflared
```bash
# Download and install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/

# Authenticate with your Cloudflare account
cloudflared tunnel login

# Create a new tunnel
cloudflared tunnel create my-smb-tunnel

# This outputs a tunnel ID - save it!
```
Tunnel Configuration
Create a configuration file at ~/.cloudflared/config.yml:
```yaml
# config.yml
tunnel: your-tunnel-id-here
credentials-file: /home/user/.cloudflared/your-tunnel-id.json

ingress:
  # Public web application
  - hostname: app.yourcompany.com.au
    service: http://localhost:8080
    originRequest:
      connectTimeout: 30s

  # Internal tool (protected by Access)
  - hostname: admin.yourcompany.com.au
    service: http://localhost:3000

  # API endpoint
  - hostname: api.yourcompany.com.au
    service: http://localhost:4000

  # Catch-all (required)
  - service: http_status:404
```
Running as a Service
```bash
# Install as a system service
sudo cloudflared service install

# Start the service
sudo systemctl start cloudflared

# Enable on boot
sudo systemctl enable cloudflared

# Check status
sudo systemctl status cloudflared
```
Adding Zero Trust Access Policies
In the Cloudflare Zero Trust dashboard:
- Navigate to Access > Applications
- Click Add an application > Self-hosted
- Configure:
  - Application name: Admin Dashboard
  - Session duration: 24 hours
  - Application domain: admin.yourcompany.com.au
- Create a policy:
  - Policy name: Require Company Email
  - Action: Allow
  - Include: Emails ending in @yourcompany.com.au
Infrastructure as Code: Terraform Examples
Managing your infrastructure with Terraform ensures reproducibility and enables GitOps workflows.
Provider Configuration
```hcl
# providers.tf
terraform {
  required_version = ">= 1.6"

  required_providers {
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.16"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Use environment variables for credentials:
# TAILSCALE_OAUTH_CLIENT_ID
# TAILSCALE_OAUTH_CLIENT_SECRET
# TAILSCALE_TAILNET
# CLOUDFLARE_API_TOKEN

provider "tailscale" {}
provider "cloudflare" {}
```
Tailscale ACL Management
```hcl
# tailscale.tf
resource "tailscale_acl" "main" {
  acl = jsonencode({
    groups = {
      "group:developers" = var.developer_emails
      "group:admins"     = var.admin_emails
    }

    tagOwners = {
      "tag:server"   = ["group:admins"]
      "tag:database" = ["group:admins"]
      "tag:ci"       = ["tag:ci"]
    }

    acls = [
      {
        action = "accept"
        src    = ["group:admins"]
        dst    = ["*:*"]
      },
      {
        action = "accept"
        src    = ["group:developers"]
        dst    = ["tag:server:*"]
      },
      {
        action = "accept"
        src    = ["tag:ci"]
        dst    = ["tag:server:22"]
      }
    ]
  })
}

# Create ephemeral auth key for CI/CD
resource "tailscale_key" "ci_key" {
  reusable      = true
  ephemeral     = true
  preauthorized = true
  tags          = ["tag:ci"]
  expiry        = 86400 # 24 hours
}

# DNS configuration
resource "tailscale_dns_preferences" "main" {
  magic_dns = true
}
```
Cloudflare Tunnel
```hcl
# cloudflare.tf
# random_id comes from the hashicorp/random provider, which must be added to
# required_providers in providers.tf alongside tailscale and cloudflare.
resource "random_id" "tunnel_secret" {
  byte_length = 32
}

resource "cloudflare_zero_trust_tunnel_cloudflared" "main" {
  account_id = var.cloudflare_account_id
  name       = "smb-tunnel"
  secret     = random_id.tunnel_secret.b64_std
  config_src = "cloudflare"
}

resource "cloudflare_tunnel_config" "main" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.main.id

  config {
    ingress_rule {
      hostname = "app.${var.domain}"
      service  = "http://localhost:8080"
    }
    ingress_rule {
      hostname = "api.${var.domain}"
      service  = "http://localhost:4000"
    }
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# DNS records pointing to tunnel
resource "cloudflare_record" "app" {
  zone_id = var.cloudflare_zone_id
  name    = "app"
  type    = "CNAME"
  value   = "${cloudflare_zero_trust_tunnel_cloudflared.main.id}.cfargotunnel.com"
  proxied = true
}
```
GitOps: Automated Policy Deployment
Manage your security policies with version control using GitHub Actions:
```yaml
# .github/workflows/tailscale-acl.yml
name: Tailscale ACL GitOps

on:
  pull_request:
    paths: ['tailscale/policy.hujson']
  push:
    branches: [main]
    paths: ['tailscale/policy.hujson']

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Test ACL Policy
        uses: tailscale/gitops-acl-action@v1
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tailnet: ${{ secrets.TS_TAILNET }}
          policy-file: tailscale/policy.hujson
          action: test

  apply:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Apply ACL Policy
        uses: tailscale/gitops-acl-action@v1
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tailnet: ${{ secrets.TS_TAILNET }}
          policy-file: tailscale/policy.hujson
          action: apply
```
CI/CD Pipeline Integration
Access internal resources from your CI pipeline:
```yaml
# .github/workflows/deploy.yml
name: Deploy to Internal Server

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci

      - name: Deploy via SSH
        run: |
          ssh deploy@internal-server "cd /app && git pull && docker compose up -d"

      - name: Health Check
        run: |
          curl -f http://internal-server:8080/health
```
Australian Compliance Considerations
Essential Eight Alignment
The ACSC's Essential Eight framework requires MFA for remote access. Here's how Tailscale and Cloudflare help:
| Essential Eight Control | Tailscale | Cloudflare |
|---|---|---|
| MFA | Via SSO provider | Via Access |
| Application Control | ACL policies | Access policies |
| Restrict Admin Privileges | Tag-based RBAC | Role-based policies |
| Patch Applications | N/A (SaaS) | N/A (SaaS) |
SMB1001 Framework
The Australian SMB1001 cybersecurity framework includes zero-trust principles at Silver tier and above. Both tools help achieve:
- Identity verification before access
- Device posture checks (Premium features)
- Audit logging for compliance
Cyber Security Act 2024
For businesses with >AUD $3M turnover, the new Cyber Security Act 2024 requires 72-hour ransomware payment disclosure. Zero-trust architectures reduce ransomware risk through:
- Elimination of lateral movement
- Granular access controls
- Complete audit trails
Brisbane and Queensland Considerations
Latency Optimization
Cloudflare has data centers in Sydney and Melbourne, providing 10-30ms latency for Brisbane users. The Brisbane Internet Exchange (BIX) ensures local routing.
Tailscale operates DERP relays in Sydney. For most connections, you'll achieve direct P2P connections with 1-5ms overhead. The Peer Relays feature (available in Premium) can further reduce latency for subnet routers.
Local Support Options
For Brisbane SMBs needing implementation help:
- Buun Group (that's us!) offers zero-trust architecture consulting
- Tailscale provides excellent documentation and community support
- Cloudflare has Australian enterprise support for paid plans
Common Pitfalls and Troubleshooting
DNS Resolution Issues
Problem: Can't resolve MagicDNS names after setup.
Solution: Check for DNS rebinding protection on your router. Use split DNS or configure your router to allow Tailscale's 100.x.x.x addresses.
ACL Policy Mistakes
Problem: Users can't access resources they should have access to.
Solution: Use the test feature before applying. Always validate ACLs locally before pushing to production.
Common mistakes:
- Typos in email addresses (case-sensitive!)
- Forgetting that ACLs are deny-by-default
- Not approving subnet routes in admin console
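The policy file from the ACL section above carries a `tests` block, and the pitfalls just listed are exactly what such tests catch. As an added example (not Tailscale's own evaluator, and not code from the original post), the following Python checker loads a HuJSON policy with constructed, hypothetical users and tags, applies deny-by-default matching with group expansion, and runs the `tests` entries. It goes slightly beyond the page's policy by also accepting CIDR destinations, which is how subnet-routed devices such as printers are addressed.

```python
# Added example, not Tailscale's own evaluator: an offline checker for a policy.hujson "tests" section.
import ipaddress
import json
import re
# Constructed sample policy (hypothetical users and tags), shaped like the one in this guide.
POLICY_HUJSON = r"""
{
  "groups": {
    "group:developers": ["alice@company.com", "bob@company.com"],
    "group:admins": ["admin@company.com"],
    "group:contractors": ["contractor@external.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:developers"], "dst": ["tag:server:80,443", "tag:dev:*", "192.168.1.0/24:9100"]},
    {"action": "accept", "src": ["group:contractors"], "dst": ["tag:server:80,443"]}
  ],
  "tests": [
    {"src": "alice@company.com", "accept": ["tag:server:443", "192.168.1.50:9100"], "deny": ["tag:database:5432", "192.168.1.50:22"]},
    {"src": "contractor@external.com", "accept": ["tag:server:80"], "deny": ["tag:dev:22"]}
  ]
}
"""

def load_hujson(text):
    return json.loads(re.sub(r"//[^\n]*", "", text))  # HuJSON allows // comments; json.loads does not

def dst_matches(rule_dst, target):
    """rule_dst like 'tag:server:80,443', '*:*' or '192.168.1.0/24:9100'; target like 'tag:server:443'."""
    rule_host, _, rule_ports = rule_dst.rpartition(":")
    host, _, port = target.rpartition(":")
    if rule_host not in ("*", host):
        try:  # CIDR destinations cover subnet-routed devices; tag or user names never match a CIDR
            if ipaddress.ip_address(host) not in ipaddress.ip_network(rule_host, strict=False):
                return False
        except ValueError:
            return False
    return rule_ports == "*" or port in rule_ports.split(",")

def is_allowed(policy, user, target):
    """Deny-by-default: access exists only if an explicit accept rule matches; users are exact strings."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        srcs = {u for s in rule["src"] for u in groups.get(s, [s])}  # expand group:* entries to members
        if rule.get("action") == "accept" and srcs & {user, "*"} and any(dst_matches(d, target) for d in rule["dst"]):
            return True
    return False

def run_tests(policy):
    """One message per failing expectation in 'tests'; an empty list means the policy behaves as intended."""
    failures = []
    for t in policy.get("tests", []):
        failures += [f"{t['src']} should reach {d}" for d in t.get("accept", []) if not is_allowed(policy, t["src"], d)]
        failures += [f"{t['src']} must not reach {d}" for d in t.get("deny", []) if is_allowed(policy, t["src"], d)]
    return failures
```

Because matching is exact-string, a source written as `Alice@company.com` belongs to no group and is denied everything, which is the email typo pitfall in action.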
Key Management
Problem: Auth keys expiring, breaking automated systems.
Best Practices:
- Use OAuth clients instead of API keys (they don't expire)
- Store secrets in a vault (AWS Secrets Manager, HashiCorp Vault)
- Never commit auth keys to source control
- Use ephemeral keys for CI/CD (auto-cleanup)
Cloudflare Tunnel Connectivity
Problem: Tunnel shows as unhealthy.
Solution: Check outbound connectivity:
```bash
# Check tunnel status
cloudflared tunnel info my-tunnel

# Test connectivity
cloudflared tunnel run --url http://localhost:8080
```
Decision Framework: Which Tool for What?
Tailscale & Cloudflare Quick Reference
Common commands and use cases
```bash
# Tailscale
tailscale status
sudo tailscale up
sudo tailscale down
tailscale ping hostname
tailscale ip -4
tailscale debug acl
tailscale up --advertise-routes=192.168.1.0/24

# Cloudflare Tunnel
cloudflared tunnel login
cloudflared tunnel create my-tunnel
cloudflared tunnel run my-tunnel
cloudflared tunnel list
cloudflared tunnel info my-tunnel
```
Next Steps for Your Brisbane SMB
- Start with free tiers - Both platforms offer production-ready free plans
- Set up SSO first - Use your existing Google Workspace or Microsoft 365
- Deploy Tailscale to key servers - Start with the most critical internal resources
- Add Cloudflare Tunnel for public services - Protect customer-facing applications
- Implement GitOps - Version control your security policies
- Document and train - Ensure your team understands the new access patterns
Further Reading
For more on zero-trust and cloud infrastructure:
- DevOps for Small Business: A Practical Guide
- Docker Production Deployment: Complete Guide
- Cloudflare Workers Best Practices
- Infrastructure as Code: Terraform vs CloudFormation
Sources
- Tailscale Documentation - Official KB, January 2026
- Cloudflare Tunnel Documentation - January 2026
- Tailscale Pricing - January 2026
- Cloudflare Zero Trust Plans - January 2026
- ACSC Essential Eight - 2025
- SMB1001 Framework - 2025
Ready to secure your Brisbane business with zero-trust networking?