Cloudflare One vs Tailscale for MSP VPN Replacement

Cloudflare One vs Tailscale is the wrong fight if the MSP only asks, "Which one replaces the VPN?"
The better question is uglier: after the VPN is gone, who owns access exceptions, subnet routes, logs, apps, and after-hours outages?
Cloudflare One and Tailscale can both replace legacy VPN patterns. Cloudflare One is usually the bigger security and network platform conversation. Tailscale is usually the cleaner private connectivity conversation. Either can become a support swamp if the MSP forgets the operating model.
Quick answer: should MSPs choose Cloudflare One or Tailscale?
MSPs should look at Cloudflare One first when the client needs a broader SASE program: Zero Trust access, secure web gateway, DNS and HTTP filtering, DLP, CASB, email security, device posture, and centralized policy around users and applications.
MSPs should look at Tailscale first when the client mainly needs private network access that is fast to deploy, easy for engineers to understand, strong for device-to-device connectivity, and practical for legacy subnets through subnet routers.
The deciding factor is scope. A few private apps and remote users may point to Tailscale. Internet filtering, SaaS controls, device posture, DLP, and broader governance push Cloudflare One higher.
Scopable fits before either quote. VPN replacement should come from a scoped client decision, not a technician's favorite network tool. Scopable helps MSPs turn access gaps, app inventories, responsibility boundaries, approval paths, budgets, and client decisions into roadmap items and quote-ready work. Join Scopable early access if your VPN replacement scope still lives in a spreadsheet, a PSA note, and one engineer's head.
Cloudflare One vs Tailscale at a glance
| Criterion | Cloudflare One | Tailscale | MSP read |
|---|---|---|---|
| Core shape | SASE platform combining access, secure web gateway, Cloudflare Tunnel, DLP, CASB, email security, and more | WireGuard-based private connectivity platform built around tailnets, devices, users, groups, routes, and policy files | Cloudflare is broader. Tailscale is narrower and often easier to reason about. |
| Best first-fit client | Client wants VPN replacement plus web filtering, SaaS controls, device posture, DLP, and policy reporting | Client wants private app access, admin access, subnet access, or device-to-device connectivity without rebuilding the whole security stack | Pick based on the job, not the acronym. |
| Private network model | Connect private networks to Cloudflare using Cloudflare Tunnel, Mesh, or WAN, with users usually on the Cloudflare One Client | Connect devices into a tailnet directly, or reach conventional subnets through subnet routers | Tailscale feels natural for engineers. Cloudflare fits when private access is part of a wider policy program. |
| Web app access | Strong clientless option for public hostname and self-hosted web apps through Cloudflare Access | Works well when users have the Tailscale client or the app is exposed through Tailscale patterns | If clientless web access matters, weight Cloudflare higher. |
| Logging and evidence | Zero Trust log retention depends on service and plan, with Access logs at 24 hours on Free, 30 days on Standard and Access, and 180 days on Enterprise | Configuration audit logs are available for the most recent 90 days. Network flow logs require Premium or Enterprise | Evidence requirements belong in the quote, not after the auditor asks. |
| Pricing signal | Cloudflare says Cloudflare One SASE packaging is sales-led, and the pricing page pushes proof of concept and expert contact | Public self-serve pricing lists Standard at $8/user/month and Premium at $18/user/month | Tailscale is easier to model from public pricing. Cloudflare may require a sales motion for real SASE packaging. |
| Biggest MSP risk | Selling a platform without scoping which controls, policies, logs, and response tasks are actually managed | Treating a simple private network tool like it automatically solves governance, compliance evidence, and support ownership | Both need a written done-state. |
Sources: Cloudflare One docs, Cloudflare private networks, Cloudflare logs, Tailscale pricing, Tailscale subnet routers, Tailscale access control, and Tailscale logging.
What Cloudflare One is really selling MSPs
Cloudflare One is selling a security and network control plane, not just a VPN replacement.
Cloudflare's own docs describe Cloudflare One as its SASE platform and list products including Access, Secure Web Gateway, Cloudflare Tunnel, DLP, Remote Browser Isolation, CASB, email security, Digital Experience Monitoring, and the Cloudflare One Client. That is a lot more than "let remote users reach the accounting server."
For MSP clients, that breadth is the point and the risk.
Cloudflare Access can sit in front of web applications as an identity-aware proxy, using identity provider signals, device posture providers, and policy selectors before allowing requests through. For private network access, Cloudflare says private routes can expose both HTTP and non-HTTP resources, and users usually need the Cloudflare One Client or another traffic onboarding method to reach private IPs.
That makes Cloudflare One a strong first look when the client wants to replace several messy controls at once: legacy VPN, DNS filtering, secure web gateway policy, device posture, SaaS controls, DLP, user groups, and reporting.
The MSP risk is selling too much abstraction. A client hears "Cloudflare One" and may assume the MSP now owns every security control that touches the user's traffic. The tool may be doing its job while the support contract is still wrong.
If you choose Cloudflare One, quote the policy work like a program. Do not hide it inside "VPN replacement."
What Tailscale is really selling MSPs
Tailscale is selling private connectivity with a smaller mental model.
Its access control docs say connections in a tailnet are denied by default unless explicitly permitted through a tailnet policy file. Tailscale now recommends grants for access control, while still supporting ACLs. Its subnet router docs explain how a device in the tailnet can advertise routes to conventional subnets, letting users reach devices that cannot run the Tailscale client.
That is a very MSP-friendly shape when the pain is practical: engineers need server access, remote users need a few private apps, legacy gear cannot run an agent, cloud VPC access is messy, or admin access needs better identity than a shared VPN profile.
Tailscale's public pricing is also easier to model. The pricing page lists Personal at $0 for individuals with up to 6 users, Standard at $8 per user per month, and Premium at $18 per user per month. Premium adds items MSPs may care about, including ACL groups, network flow logs, log streaming, regional routing, traffic steering, and priority support.
That does not mean Tailscale is automatically cheaper. It means the MSP can start the budget conversation with fewer blanks.
The MSP risk is under-scoping governance. A tailnet can feel so simple that the quote forgets owner review, device cleanup, groups, tags, subnet route approvals, break-glass access, offboarding evidence, flow log requirements, and client reporting.
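To make the deny-by-default model and the governance list concrete, here is an added example (not Tailscale's own evaluator, and not code from the original article): an offline sanity check a technician could run against a tailnet policy file before committing it. It expands groups, evaluates grants for a user against a tagged device or a host behind a subnet router, and flags three of the gaps the paragraph above lists: wildcard grants, empty groups left over from offboarding, and advertised subnet routes with no `autoApprovers` entry. The policy file and the node inventory are constructed, and the inventory's `advertised_routes` key is this script's own shape, not a Tailscale API field. The evaluator is a simplification of Tailscale's semantics (legacy `acls`, autogroups other than `autogroup:member`, user-owned devices as targets, and app grants are not modelled), so treat it as a pre-commit check rather than proof of what the tailnet will enforce; Tailscale's policy file also has its own `tests` section for assertions of this kind.

```python
"""Offline sanity check for a Tailscale-style tailnet policy file (added example,
not Tailscale's evaluator). Simplified: groups, tags, grants, deny by default."""
import ipaddress
import json

# Constructed policy in the shape of a tailnet policy file (real files are
# HuJSON; plain JSON here so json.loads() accepts it).
POLICY_JSON = r'''
{
  "groups": {
    "group:engineers": ["alice@example.com", "bob@example.com"],
    "group:vendor-hvac": ["tech@hvacvendor.example"]
  },
  "tagOwners": {"tag:prod": ["group:engineers"], "tag:router-hq": ["group:engineers"]},
  "autoApprovers": {"routes": {"10.10.0.0/24": ["tag:router-hq"]}},
  "grants": [
    {"src": ["group:engineers"], "dst": ["tag:prod"], "ip": ["22", "443"]},
    {"src": ["group:vendor-hvac"], "dst": ["10.10.0.50/32"], "ip": ["tcp:443"]},
    {"src": ["group:engineers"], "dst": ["10.10.0.0/24"], "ip": ["*"]}
  ]
}
'''
POLICY = json.loads(POLICY_JSON)

# Constructed node inventory (this script's own shape, not a Tailscale API
# object): tags and tailnet IP per device, plus the routes a subnet router
# advertises (what `tailscale up --advertise-routes=...` sets on the router).
NODES = {
    "prod-db": {"tags": ["tag:prod"], "ip": "100.64.0.10"},
    "hq-router": {"tags": ["tag:router-hq"], "ip": "100.64.0.20",
                  "advertised_routes": ["10.10.0.0/24", "192.168.50.0/24"]},
}

def subnet_host(ip):
    """A device behind a subnet router: reachable only by IP, never tagged."""
    return {"tags": [], "ip": ip}

def src_matches(policy, entry, user):
    if entry in ("*", "autogroup:member"):
        return True
    if entry.startswith("group:"):
        return user in policy.get("groups", {}).get(entry, [])
    return entry == user

def dst_matches(entry, node):
    if entry == "*":
        return True
    if entry.startswith("tag:"):
        return entry in node["tags"]
    if entry.startswith("group:") or "@" in entry:
        return False  # user-owned devices as targets are not modelled
    try:
        return ipaddress.ip_address(node["ip"]) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False

def port_matches(spec, proto, port):
    """Accepts the "*", "22", "80-90" and "tcp:22" / "udp:*" forms of an ip entry."""
    if ":" in spec:
        want_proto, spec = spec.split(":", 1)
        if want_proto != proto:
            return False
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    try:
        return int(lo) <= port <= int(hi or lo)
    except ValueError:
        return False

def allowed(policy, user, node, port, proto="tcp"):
    """Deny by default: True only if some grant permits user -> node on proto/port.
    A grant without an "ip" list (app-only grant) confers no network access."""
    for g in policy.get("grants", []):
        if (any(src_matches(policy, s, user) for s in g["src"])
                and any(dst_matches(d, node) for d in g["dst"])
                and any(port_matches(p, proto, port) for p in g.get("ip", []))):
            return True
    return False

def lint(policy, nodes):
    """Governance gaps the quote should name an owner for."""
    findings = []
    for g in policy.get("grants", []):
        if "*" in g["src"] and "*" in g["dst"] and "*" in g.get("ip", []):
            findings.append("wildcard grant: any user to any device on any port")
    for name, members in policy.get("groups", {}).items():
        if not members:
            findings.append(f"empty group {name}: offboarding leftover or typo")
    approved = policy.get("autoApprovers", {}).get("routes", {})
    for name, node in nodes.items():
        for route in node.get("advertised_routes", []):
            if not any(t in approved.get(route, []) for t in node["tags"]):
                findings.append(f"{name} advertises {route} with no autoApprovers "
                                "entry: manual approval and no written owner")
    return findings

if __name__ == "__main__":
    print(allowed(POLICY, "alice@example.com", NODES["prod-db"], 22))        # True
    print(allowed(POLICY, "tech@hvacvendor.example", NODES["prod-db"], 443))  # False
    for finding in lint(POLICY, NODES):
        print("FINDING:", finding)
```

The vendor case is the one worth reading twice: the HVAC technician can reach the one legacy host on 443 through the subnet router, but not the tagged production database and not the same host on 22, because no grant says so. The lint output is the route the router advertises that nobody approved in the policy file; that is exactly the "subnet route approvals" item that belongs in the written done-state.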
The VPN replacement test MSPs should run first
Before comparing features, write down the jobs the old VPN actually did. Most clients call it "the VPN" because nobody wants to say, "that cursed remote access pile we haven't cleaned since 2018."
Use this checklist first.
| Question | Why it matters |
|---|---|
| Which private apps need access? | Web apps, thick clients, RDP, SMB, SQL, ERP, line-of-business apps, and admin consoles have different access patterns. |
| Which users need access? | Full staff, vendors, technicians, executives, and service accounts should not share the same policy. |
| Which devices are trusted? | Personal laptops, unmanaged Macs, stale Windows machines, and technician workstations create different risk. |
| Which sites need routing? | One server is not the same project as three offices, a warehouse, an Azure VNet, and a half-retired firewall. |
| Which logs are required? | Insurance, HIPAA, CMMC, SOC 2, and client audits may require evidence the default plan does not retain long enough. |
| Who approves exceptions? | DNS bypasses, route changes, policy relaxations, and emergency access need a named owner. |
| What is billable after go-live? | App troubleshooting, endpoint repair, policy redesign, and after-hours outages should not become free labor. |
If the answer is mostly "users need a cleaner way to reach a few private things," Tailscale may be faster. If the answer is "users, devices, web traffic, SaaS controls, DLP, policy evidence, and multiple security controls all need cleanup," Cloudflare One is probably more realistic.
If the answer is "we do not know," sell discovery first. Guessing is not strategy. It is a future emergency ticket wearing a calendar invite.
Where Cloudflare One fits best for MSP clients
Cloudflare One fits best when VPN replacement is part of a broader security modernization project:
- the client wants private app access and internet traffic filtering in the same program
- web applications need identity-aware access without forcing every user through a full network client
- device posture, DNS policy, HTTP policy, DLP, CASB, or email security are already on the roadmap
- the client has compliance or insurance pressure that needs repeatable access evidence
- the MSP has enough security operations maturity to own policy review, logging, exceptions, and client reporting
- the buyer wants a platform conversation, not a point tool decision
Cloudflare's account limits page is a reminder that this can become real architecture: applications, rule groups, service tokens, identity providers, reusable policies, domains, infrastructure targets, DNS policies, HTTP policies, tunnels, routes, and virtual networks.
For MSPs, the quote needs design language: application inventory, policy model, identity provider assumptions, device posture rules, logging retention, ownership matrix, rollout plan, exception process, and quarterly review.
If that sounds like too much for the client, use a smaller tool or smaller scope.
Where Tailscale fits best for MSP clients
Tailscale fits best when the client needs private connectivity without buying a whole security program at once:
- the client has a small set of private apps or admin resources
- engineers need reliable access to servers, databases, cloud networks, or lab gear
- legacy devices need access through subnet routers instead of direct agent installs
- the MSP wants a clear policy file and user/device model that technicians can understand
- the client does not need web filtering, DLP, CASB, email security, or browser isolation from the same vendor
- the quote needs to be explainable from public per-user pricing
Tailscale's subnet router docs are the key MSP page. Subnet routers let a tailnet include devices that cannot run the Tailscale client, such as printers, cameras, legacy devices, cloud networks, or services in conventional subnets. Devices behind subnet routers do not count toward the pricing plan's device limit.
That matters for clients with a few awkward private resources. You may need one clean tailnet, a controlled subnet router, a handful of groups, a tested offboarding process, and a written support boundary.
The catch is evidence and operations. Tailscale's logging docs say configuration audit logs are available for the most recent 90 days. Network flow logs are available on Premium and Enterprise plans and can stream to a SIEM. If the client needs longer evidence, quote the right tier and the reporting labor.
Pricing is not only licenses
Tailscale gives MSPs a cleaner public price signal. Standard is listed at $8/user/month. Premium is listed at $18/user/month. If the client needs network flow logs, log streaming, regional routing, traffic steering, or priority support, Premium is probably the relevant comparison point.
Cloudflare's public Zero Trust pricing page is less direct for a full Cloudflare One SASE comparison. It says Cloudflare One is the single-vendor SASE platform that combines workspace security services with network services such as Cloudflare WAN and Firewall, and tells buyers to contact Cloudflare for SASE packaging options. The same page also promotes starting a proof of concept with the free plan.
That creates two different quoting motions.
With Tailscale, the MSP can usually sketch a seat-based estimate quickly, then add project and managed service labor.
With Cloudflare One, the MSP may need vendor pricing, plan confirmation, and a clearer feature boundary before the client sees the final number.
In both cases, the hidden cost is the same stuff MSPs forget to charge for: discovery, app inventory, identity cleanup, group design, endpoint deployment, pilot testing, route validation, DNS validation, user communication, rollback planning, help desk scripts, evidence review, quarterly policy review, and after-hours support rules.
If those line items are missing, the license price is theater.
Pair this with the MSP pricing and quoting margin guide before you turn VPN replacement into a fixed monthly promise.
Logging and audit evidence need a real answer
MSPs should not say "it has logs" and move on. That is how audit requests become panic archaeology.
Cloudflare's Zero Trust logs page lists different retention by service and plan. Access logs are retained for 24 hours on Free, 30 days on Standard and Access, and 180 days on Enterprise. DNS logs are 24 hours on Free, 30 days on Standard and Gateway, and 180 days on Enterprise. Network and HTTP logs are 24 hours on Free, 30 days on Standard, Gateway, and Enterprise.
Tailscale's logging docs say each agent streams logs to a central log server and records open and close events for inter-machine connections. Configuration audit logs are enabled by default for all tailnets and are available for the most recent 90 days. Network flow logs are available for Premium and Enterprise plans and can stream to a SIEM.
The MSP question is not "Which logging page is longer?" It is this:
- What evidence does the client need?
- How long must it be retained?
- Who reviews it?
- Who packages it for insurance, compliance, or board reporting?
- What is included monthly?
- What becomes a paid evidence pack?
If the client has HIPAA, CMMC, SOC 2, cyber insurance, or vendor risk requirements, use the MSP shared responsibility matrix template before you sell either tool.
VPN replacement changes who can reach what. That is an audit question, not just a network diagram.
Scope the implementation in four buckets
Do not quote Cloudflare One or Tailscale as a one-line "VPN replacement" SKU unless the client environment is tiny and clean. Split the work into four buckets:
- Discovery and design: users, groups, devices, private apps, vendors, service accounts, subnets, DNS dependencies, compliance evidence, and acceptance criteria.
- Migration project: identity setup, client deployment, app publication or subnet routing, policy creation, pilot testing, rollback, user communication, documentation, and go-live support.
- Managed access service: routine user changes, group review, device review, basic policy maintenance, standard exceptions, reporting, and client-facing review.
- Paid escalation: emergency access, after-hours outages, major app failures, new routes, DNS bypasses, incident response, SIEM evidence packs, compliance support, and policy redesign.
Use the MSP scope of work template to define the line before the CEO is locked out of payroll on a Sunday.
Final verdict
Pick Cloudflare One when the client needs VPN replacement as part of a broader access and security program: identity-aware web access, private networks, secure web gateway, device posture, DLP, CASB, logging, and policy evidence.
Pick Tailscale when the client mainly needs clean private connectivity: tailnet access, subnet routers, engineer-friendly policy, device-to-device access, and a simpler per-user buying model.
Do not pick either until the MSP has scoped ownership.
The old VPN was ugly, but everyone knew what to blame. Replacing it without a support model gives the same mess a cleaner login screen. The win is knowing who owns access, evidence, exceptions, and paid cleanup.