I prefer a mesh VPN because it's an extra authentication layer that Cloudflare Tunnels don't have. But if you need to offer services publicly, it's a good option, true.
Interesting that you say this. During my AI-driven research that led me toward tunnels, I found that a VPN was the less secure approach.
For SSH/Mosh, for example, I chose a WARP tunnel. I set it up with a certificate that expires immediately after each connection. My MFA was explicitly limited to password and Duo SSO Push.
As I mentioned, though, my decision was primarily based on an Agent Mode prompt to ChatGPT, so I'm far from an expert.
AI-driven research tells you everything you need to know about your conclusions: there's a hint of truth that's hiding an incredible web of misconceptions.
Mesh VPNs as a security mechanism that replaces secure server-to-server communication is just replacing one soft-center security mechanism with another. Mesh VPNs as the gateway to services that are themselves well secured are well over twice as secure as just having publicly accessible services; now you need the security holes to line up.
Why would a VPN be less secure? It's an extra hurdle for attackers to take. You can still use whatever authentication you can on the service. And with a mesh VPN, you also don't need to open any ports.
However, when I look into it, it seems like WARP is also a VPN-like service, just a cloud one. Also, I do self-hosting, so a "cloud native" solution, as Cloudflare calls it, is explicitly not what I want. If your homelab is all about cloud, then of course you would want something like this.