Hetzner storage boxes look really compelling. Thanks for sharing!

Cloudflare tunnels definitely aren’t wrong, you’re just not entirely using open source software. It’s a very good option if you need to open things to the public or want to learn more about cloud services

You can selfhosted tailscale so that they don’t have any access. You can’t with cloudflare tunnels as far as I know. Tailscale’s client is open source, so is their Headscale server which originally was developed by a 3rd party. You can look into the code for that. Not sure what you’d want me to say. If you really want to be informed I’d inspect the code yourself

Tailscale shouldn’t be getting your data anyway. It’s a mesh VPN that directly connects devices after their auth server gives out certs and let’s clients know where to find another. If you’re not comfortable with using their server for this I’d suggest you look into the open source headscale server. I do remember it routing through their server in the rare case NAT punching doesn’t work

Personally I use tailscale which should punch through double NAT. It’s a wire guard based mesh VPN, but an exit node should make it a normal VPN

You can use headscale with tailscale if you want to self host it. Headscale is a community made server implementation for tailscale