this post was submitted on 13 Jul 2023
40 points (91.7% liked)

Selfhosted

39435 readers
7 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

So everyone is talking about cloudflare tunnels and I decided to give it a shot.

However, I find the learning curve quite hard and would really appreciate a short introduction into how they work and how do I set them up…

In my current infrastructure I am running a reverse proxy with SSL and Authentik, but nothing is exposed outside. I access my network via a VPN but would like to try out and consider CF. Might be easier for the family.

How does authentication work? Is it really a secure way to expose internal services?

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 year ago (1 children)

Essentially it IS a tunnel, just with cloudflare's infrastructure in the middle handling auth and obscuring each end from the other.

Auth is handled by cloudflare. That doesn't mean cloudflare necessarily is the auth provider, though. Not likely in selfhosted, but one could set up some other auth provider, like azure, and cloudflare could give tunnel access to authorized users who actually provided credentials via azure.

The service, port, whatever being accessed via the tunnel may also require auth, and cloudflare generally doesn't handle that. For example, your cloudflare tunnel to your local sonarr instance requires auth at cloudflare first, to access the tunnel, then again at sonarr because your sonarr instance requires authentication.

In a docker environment, you would either tunnel to the docker host or to individual Dockers. The latter is more sensible and generally a bit more secure, if only because least access = better. There's probably some cloudflare tunnels docker out there that does half the setup for you, then you just stick it and the Dockers you want exposed through the tunnel all on the same docker network interface (which you create), but that's just speculation.

As far as setting tunnels up goes, the docs are really good at the step by step. Easiest way to learn it is to set up a VM similar to what you want and bang away at the steps until it does what you want. Some things are easy, like RDP. Other things are trickier.

The basics of setup are that you use the cloudflared application at both ends: one server-side to expose what you want and one client-side to access the tunnel via cloudflare.

Tailscale is the same kinda thing. I think it is way easier for a lot of people. There's a lot less setup involved. Just install the apps and make a few choices.

For personal use, I use wireguard to access my home server. Professionally I use cloudflare tunnels for a couple of things, but mostly an enterprise vpn.

[–] [email protected] 1 points 1 year ago (1 children)

Thank you for the detailed explanation. I am running Tailscale as a temporary solution to access some services, but I dislike that you have to set firewall rules basically twice (once in your local network and once in Tailscale). I suppose it would be similar for CF?

[–] [email protected] 2 points 1 year ago

Yeah, any solution is going to require at least egress rules for its traffic. Tailscale is a bit different since part of what it's able to do is provide access to your LAN, if desired. Cloudflare just needs two ports, but it's only providing a tunnel from the host.