You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!
@Jims-Garage Жыл бұрын
Thanks, appreciate the feedback
@melaronvalkorith130111 ай бұрын
Well said. Getting the scope on a video right can be a challenge, and a lot of creators stay too high level.
@workingdbАй бұрын
Haha, I agree. So many tutorials feel the need to put in cheesy distracting techno music. Your music is better and less distracting than most, but still somewhat distracting. Nevertheless, your videos are top quality, and thank you very much.
@Glatze603 Жыл бұрын
Very good and important content! Thanks for making this video.
@melaronvalkorith130111 ай бұрын
Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation. Well done, sir.
@Jims-Garage11 ай бұрын
I appreciate that! Thanks.
@Galasuy3 ай бұрын
Very well explained. Thanks
@Jims-Garage3 ай бұрын
@@Galasuy thanks 👍
@ARedHerring Жыл бұрын
Nice video mate. You explained it well and didn't go too far into the weeds. I'm keen to loop through your other videos. Keep making content!
@Jims-Garage Жыл бұрын
Thanks 👍
@CTWilliams89 Жыл бұрын
Great video, thank you!
@Jims-Garage Жыл бұрын
Thanks!
@stevemazza8 ай бұрын
Thank you for such a clear and succinct explanation. This has been most helpful!
@Jims-Garage8 ай бұрын
You're welcome
@madeyeQ4 ай бұрын
I've been using cloudflare for a while, but I couldn't figure out how to limit it to a few containers. What I really wanted was to find a way to limit docker to only use a single interface on my server, but it has proven impossible. It was possible to use incus to create a vm for docker to run in, and that could be limited. However it feels a little cumbersome. Your video really helped me find the right solution using macvlan. 👍
@Jims-Garage4 ай бұрын
@@madeyeQ that's great. Macvlans are an awesome tool.
@nateify10 ай бұрын
Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?
@Jims-Garage10 ай бұрын
Yes, good point. That will work for http headers but not for non-http (at least from my testing and the docs)
@chrisumali9841 Жыл бұрын
Thanks for the demo and info, have a great day
@Jims-Garage Жыл бұрын
You too, Chris.
@cloud2050 Жыл бұрын
Like the way your explain everything in your videos. Keep up the good work.
@shorshfields Жыл бұрын
Amazing video, thanks for your work.
@Jims-Garage Жыл бұрын
Thanks!
@antoniomax3163 Жыл бұрын
By the way, as I said, I don't use docker, but debian. The virtual machine is located in virtualbox, which is installed on windows 10. Because when I used docker, I couldn't figure out how to set up a network connection. Rather, I did not understand why there is no connectivity between the docker, which is installed on the Ubuntu virtual machine and the local network. The virtual machine was also on virtualbox, ubuntu was installed, there was a docker in it. There was connectivity between Ubuntu and the local network, there was a connection between docker and Ubuntu - the network worked. But there is no connection between docker and LAN. I couldn't ping or anything. It was as if Docker was isolated. That's why I used debian, because it's very simple there. Just one team.
@Jims-Garage Жыл бұрын
It's probably the network setting you gave the VM in virtual box. You'll want to create a bridge so that VMs can access the lan. I recommend a dedicated hypervisor like proxmox or esxi if you can.
@makeitcloudy29 күн бұрын
@@Jims-Garage @antoniomax3163 - it seems to me that in your case you have two NAT's, which causes that you just can't use the target networks, behind the second nat on the docker, but you should rather point to the first network on your virtualbox, and then perform a bit of port forwarding, or disable the nat and bridge the network, so you are receiving the IP addresses transparently, that should do the trick. you can even go with the simplest mikrotik device and setup a hypervisor behind it, probably it will be just easier than getting to know the meandres of the networking, in this case. cheers
@cbaservs11 ай бұрын
Christian is doing some very good work but so do you James. clear video's also the good stuff i want to learn
@Jims-Garage11 ай бұрын
Thanks, appreciate the feedback 😃
@Nightrapture Жыл бұрын
Very interesting video. Now I have to realize how setup this without docker, as I installed CF tunnel for a Jellyfin service hosted in my proxmox server. I wonder if proxmox firewall could also be used for this. 🤔
@Jims-Garage Жыл бұрын
Thanks, yes you could probably control access with Proxmox firewall
@leobottaro8 ай бұрын
Great video! Thanks for reaching me how to secure my self hosted server!
@Jims-Garage8 ай бұрын
You're welcome 😁
@t288msd Жыл бұрын
Just implemented this for my cloudflare tunnel. great content. so easy to understand!
@Jims-Garage Жыл бұрын
Great, thanks for the feedback 👍
@codecrush_6668 ай бұрын
Thanks a lot, this is what I was looking for, you did such a great job explaning things clear and precisely, keep up the good work sir!
@Jims-Garage8 ай бұрын
Thanks 😊
@mrd4233 Жыл бұрын
I had also this concern about the "privacy" of these services when they became available! Mac-Vlans are pretty powerful feature! Thanks for the solution and the fantastic tutorial!
@Jims-Garage Жыл бұрын
Thanks 👍
7 ай бұрын
Thanks for the video, good content! Now correct me if I'm wrong, but using this technique will allow me to block all traffic that is not using a FQDN (i.e. IP scanners) if I disable normal port forwarding on the my UDM SE firewall and then open ports for the incoming traffic from the Cloudflare tunnel? If so, is there any other way that I could accomplish that without using Cloudflare tunnels? Alt. provider of similar functionality, or with some firewall configuration...? Or is this a unique combination of functionality?
6 ай бұрын
I was hoping you would honor me with an answer, would really appreciate it! I'm thinking it might work to host stuff through a tunnel this way, having a public facing server without actually opening any ports on it, and that the combination of DNS management (having a proper DNS entry for public access) and a tunnel (connected to that entry) is something that I have't seen elsewhere and might be unique. You can have CNAME entries pointing to TailScale network nodes, but that would require access to the TailScale network, which is different from this...
@WesleyGDeSouza7 ай бұрын
Again, great video Jim. My cloudflare container do not get the ip. Running "ip add" it shows no ipv4. Any help?
@Jims-Garage7 ай бұрын
Try putting it on a vlan with DHCP enabled or manually specify the IP in the macvlan settings (what I do).
@justinbrennan1110 ай бұрын
Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container
@Jims-Garage10 ай бұрын
No, I only run the one which is for outbound PiHole DNS queries. This was aimed more at people who use them for internal access.
@justinbrennan1110 ай бұрын
@@Jims-Garage ahh ok. Yeah I tunnel out services on a different machine. Thought you might have had it so you could tunnel DNS queries through it but also tunnel internal services
@lossless41299 ай бұрын
Thank you, exactly what I was looking for! Great info and points here!
@Jims-Garage9 ай бұрын
Glad it was helpful!
@MohammedYasinRashid6 ай бұрын
Dear Jim, looking at your network topology, after ISP modem, what firewall are you using? Hardware or software ?
@Jims-Garage6 ай бұрын
I used to use Sophos XG, it's great and user friendly. I've since moved to OPNSense
@Michael-v3v2u2 ай бұрын
Can you make a guide on adding these firewall rules in OPNsense? They are vastly different and don't seem to correlate with the ones you entered in sophos.
@hh00ng15 күн бұрын
wow great guide on how to secure using Cloudflare tunnel, has been one of the guide i been looking for, is there anyway you can do a guide for an extra layer of protection? example: cloudflare tunnel to vlan 4, then reverse proxy to vlan 5 using nginx proxy manager, then only reach to portainer vlan 200?
@romayojr Жыл бұрын
excellent tutorial regarding added security. i’ll be adding mac vlan soon to my setup soon. i might also add 2fa and sso using authelia.
@Jims-Garage Жыл бұрын
Awesome, always good to have multiple layers.
@dino.hurricane9785 ай бұрын
Would you recommend using this set up or a DDNS with a reverse proxy for a homelab?
@Jims-Garage5 ай бұрын
I only use a reverse proxy
@dino.hurricane9785 ай бұрын
@@Jims-Garage so does that mean you have a static IP address?
@Jims-Garage5 ай бұрын
@@dino.hurricane978 no, I use ddns
@dino.hurricane9785 ай бұрын
@@Jims-Garage makes sense. Thank you. I really appreciate the response. Last question. Do you have a preferred DDNS service? Like do you use DuckDNS, Cloudflare DDNS or something else?
@Jims-Garage5 ай бұрын
@@dino.hurricane978 I use Cloudflare for DDNS and as my registrar
@randyclark74333 ай бұрын
Thank you for the video, this is truly amazing. I just have one question. Would it be better if I also run my application docker client from within the macvlan and assign it its own ip? that way their network would be entirely isolated and I wouldn't have to make any rules in the firewall.
@Jims-Garage3 ай бұрын
@@randyclark7433 you can do that, sure. It will help to isolate traffic. Note that if your host is compromised though it won't save you.
@randyclark74333 ай бұрын
@@Jims-Garage I am trying to expose a simple golang website, and I can't afford to set up a firewall. If I isolate the tunnel and the application in their own macvlan, would that be okay? or do I absolutely need to isolate my host entirely? If so, what would you recommend for a third-world student who can't afford any network isolation hardware?
@Jims-Garage3 ай бұрын
@@randyclark7433 the cheapest option is likely to use Cloudflare proxy (free) or Cloudflare tunnel (has privacy issues but likely scans all traffic). As someone in security it's hard to escape a hard recommendation for a firewall though. You can virtualize it like I do to use the same hardware.
@jbarr8 ай бұрын
Interesting! What are your thoughts on a CF Application in front of a CF Tunnel? I that putting too many eggs in one basket?
@Jims-Garage8 ай бұрын
How do you mean? Can you give an example?
@jbarr8 ай бұрын
@@Jims-Garage I have a homelab running Proxmox hosting several VMs and LX Containers. (And Docker's in there as well.) I use a CloudFlare Tunnel to provide remote access to the VMs and Containers without needing to open any ports on my router. I then have CloudFlare Applications pointing to various services providing authentication. My understanding is that no one will be able to even get to my server until/unless they pass authentication through the Application. Do you think this is a good idea? I'd love to have a self-hosted alternative, but honestly, CF Tunnels & Applications seem to provide the access and security I need. Thoughts?
@Jims-Garage8 ай бұрын
@@jbarr if the authentication is required before accessing the container that sounds good from an accessibility perspective. As long as you're happy with zero privacy (Cloudflare sees all traffic in plain text) then it's also fine from a security perspective.
@kiomarperez72487 ай бұрын
Newbie to networking and docker here! For this to work i assume i need to create a Vlan interface in the firewall for vlan 4 to act as a gateway for vlan memebers right? And does the switchport connected to the docker host must be configured as a trunkport to accept vlan 4 (cloudflare tunnel docker) and the watherver vlan the host is part of? Thank you for this video.
@Jims-Garage7 ай бұрын
That's correct
@Brian-nz6ns Жыл бұрын
why is the parent interface enp6s18.4...what's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a vlan ID. How's this a vlan?
@Jims-Garage Жыл бұрын
The .4 is vlan 4 (the dot is the vLAN notation). You can read more here: docs.docker.com/network/drivers/macvlan/
@S-OllyАй бұрын
Where it says Routes on the tunnel its empty for me. What shal i do?
@andherium9 ай бұрын
Can you please elaborate on why we needed to do this? The cloudlfare tunnel only communicates to your portainer instance at 192.168.200.X anyway no?
@Jims-Garage9 ай бұрын
Yea, but Portainer controls everything (a bad example for a tunnel tbh, never expose Portainer to the web). The key problems are zero privacy, complete offloading of security to Cloudflare (no firewall), and if something is missed a compromised container could allow lateral movement. Use a VPN for accessing Portainer if possible.
@andherium9 ай бұрын
@@Jims-Garage yea I wouldn't ever expose portainer. But say I was exposing a simple app (Trilium Notes for example); the only security concern would be a bug on either cloudflared or trilium notes itself, right? A vulnerability on the app itself wouldn't be saved by the introduction of vlan. So I guess the vlan just protects from a security bug in cloudflared ...?
@Jims-Garage9 ай бұрын
@@andherium first concern is privacy, Cloudflare sees everything you do in plain text. vLAN can help to prevent network propagation but it wouldn't do anything against the host being compromised. I recommend having a firewall internally to scan the traffic, it's a free service after all.
@andherium9 ай бұрын
@@Jims-Garage thanks!
@Tmacs-yp6vvАй бұрын
@@Jims-Garage So basically the macvlan4 is only so cloudflared isnt able to scan traffic outside the macvlan4?, because in theory anything thats on macvlan4 could also access vlan 200 if its breached?Is this the purpose of setting two separate vlans? One for privacy, one for security/net segregation?
@difegam35 ай бұрын
Thanks! Nice video a very well explained.
@Jims-Garage5 ай бұрын
Much appreciated 👍
@rocket016669 ай бұрын
my biggest complaint with all the "How to" videos is the fact that no one talks about TLS and the importance of the Origin cert.
@khanhthedag726910 ай бұрын
Can I ask something? if I run the docker-compose with maclan configuration, the cloudflare tunnel will be down. is that right?
@BigFourHead Жыл бұрын
mm wouldnt a another option be to limit access to your web domains. I have setup limited access to my sub domains to two locations. Ill never be in AUS or Fiji accessing my sub domains.
@Jims-Garage Жыл бұрын
Agreed, and mentioned with reference to using Cloudflare WAF. Why not add more 'transparent' layers though?
@JGNiDK11 ай бұрын
But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also?? I’m confused. What to do? Where to start? And end?!
@Jims-Garage11 ай бұрын
Can you port forward? If so, you don't need to use tunnels, use their proxy.
@JGNiDK11 ай бұрын
@@Jims-Garage and with "their proxy" you mean Cloudflare??
@Jims-Garage11 ай бұрын
@@JGNiDKYes, the cloudflare proxy
@avpr1c Жыл бұрын
What do you think about Cloudflare authentication for the tunnel versus this option?
@Jims-Garage Жыл бұрын
That's good for access control, but I still like the added comfort of having the traffic scanned by my firewall and crowdsec.
@lejoe11 ай бұрын
How would you set something similar on a cloud where you don't have the possibility to filter the traffic between devices (like hetzner)? Any way to achieve something similar with subnets?
@Nate-D9 ай бұрын
Any chance you know how to add the macvlan when docker is running rootless?
@Clarence-Homelab Жыл бұрын
Great video and lovely of you to give Christian a shout-out. Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?
@Jims-Garage Жыл бұрын
Thanks! Yeah, would love to. Those guys are the homelab luminaries! Think I need to earn my stripes a little first though.
@Clarence-Homelab Жыл бұрын
@@Jims-Garage the quality of your content is right up there with theirs!
@Jims-Garage Жыл бұрын
@@Clarence-Homelab thanks, that's high praise!
@eug1 Жыл бұрын
I agree, Jim’s content is awesome. But I guess if he wants to be up there with the big boys, he needs RGB!! 😂
@Jims-Garage Жыл бұрын
@@eug1 lol! Red hair, check! Green jumper, check! Hmmm, something blue...
@cloud2050 Жыл бұрын
I too use an XG firewall, i have CF tunnel working with Nginx. Unfortunately when i put the tunnel on it own vlan the tunnel now report error TLS handshake timeout, cannot reach origin server. I have the firewall rule setup to allow traffic from the tunnel vlan to NPM vlan just like the video. I can ping my Nginx proxy from the tunnel vlan. Not sure why its not working when they are on separate vlan.
@Jims-Garage Жыл бұрын
What firewall rules do you have in place? Why not put an any any rule in place to troubleshoot the firewall?
@cloud2050 Жыл бұрын
@Jims-Garage the firewall rule in place is pretty open, I am not blocking any ports. In fact, I have it set to allow traffic from one vlan subnet to the other subnet with no service or IP restrictions or IPS during my testing. I am going to remove the NPM out of the equation to see if that's the issue. I will instead use cloudflare as the proxy on the tunnel. I would prefer to use an internal proxy, though.
@Jims-Garage Жыл бұрын
@@cloud2050Hav eyou checked that it can resolve internal DNS?
@cloud2050 Жыл бұрын
@Jims-Garage DNS for what's behind the NPM proxy? If so, not yet. I was stuck on the tunnel error about it reaching my proxy, so most of my troubleshooting was making sure NPM and cloudflared can communicate.
@IntelBrow Жыл бұрын
You need to check on cloudflare tunnel Dashboard the option to not check TLS (in the TLS section).
@davidwestra81819 ай бұрын
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik. All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring. Is there a flaw in my understanding of these bridge networks?
@jens9945 ай бұрын
Did you learn more about this? I'm currently running CF also with a bridge network which only has CF & my reverse proxy.
@Krieger18839 ай бұрын
Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for. I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) . Do you know of a solution that is halfway user friendly (as near to plug and play as possible)? Thanks a lot!
@Jims-Garage9 ай бұрын
Sadly that two are often at odds. Wg-easy can do part of that, otherwise it'll be something like headscale/tailscale I guess you could use something like Authentik and Authelia to restrict access by user accounts
@Krieger18839 ай бұрын
@@Jims-Garage thanks a lot for that super fast reply! I will look into these tools. Do you have a suggestion for a product for easy segmentation?
@Jims-Garage9 ай бұрын
@@Krieger1883 running WireGuard on OPNSense should be able to achieve this
@antoniomax3163 Жыл бұрын
What is unix/unix+tls? I don't understand the logic of the work, why is it necessary?
@Jims-Garage Жыл бұрын
Hi Antonio, which part of the video are you referring to, I don't remember saying that?
@antoniomax3163 Жыл бұрын
youtube deleted my comments. I don't understand what I violated. Because of this, you didn't see all my comments@@Jims-Garage
@Jims-Garage Жыл бұрын
@@antoniomax3163 you said "what is Unix/Unix+TLS" . I'm not sure what that means.
@antoniomax3163 Жыл бұрын
http_status, bastion -what is it? By the way, CF has the ability to install rdp on windows, and in the tunnel settings, choose an rdp tunnel, do you have a video or instructions on how to do this and how to secure such a tunnel?
@Jims-Garage Жыл бұрын
As with SMB, I don't recommend exposing RDP to the internet, it'll likely be brute force attacked. You're better off putting this behind a proper VPN like WireGuard (I have a video on that, or headscale if you're unable to port forward - see other video)
@alexcostafotografia10 ай бұрын
Dude aewesome video. Iknow it’s lots of work but could you make a tutorial of implementing this on a casaos environment? I have one server with all my apps and I want to set another one to run firewall tunnels and monitoring. As I’m not a security professional I need more details on it lol.if you can point ,e to a tutorial or create one would be amazing
@Jims-Garage10 ай бұрын
Casa OS is on the to-do list. Hope to get round to it soon, thanks for the feedback.
@dunno-jl7uz Жыл бұрын
i html-only website, should i be fine without securing the tunnel?
@Jims-Garage Жыл бұрын
That's probably the worst case scenario. All depends how much you care about privacy and how much risk you're willing to take, perhaps for your use case it's fine.
@dunno-jl7uz Жыл бұрын
@@Jims-Garage yeah i moved back to a VPS. my ISP is very stingy. no bridge mode, no vLANs, hell i can't even change dns on router and have to do it on device-by-device bases :/
@sebasdt2103 Жыл бұрын
I've used Cloudflare tunnels before and it's too easy to setup. Unaware users don't know what security layers they lost... I'd rather use nginx rproxy over a VPN into a VPS.
@Jims-Garage Жыл бұрын
Exactly, simplicity is often at the cost of security. Hopefully this helps people to add some control back.
@Clarence-Homelab Жыл бұрын
How exactly could network engineers at a company prevent someone from hosting an internal company service externally over their own domain through cloudflare tunnels? Block all Cloudflare traffic and break the company internet? 😅
@Jims-Garage Жыл бұрын
@@Clarence-Homelab several ways. A couple of obvious ones, Block access to production, docker, kubernetes etc through privileged access management. Block egress traffic. Monitor and alert on new containers etc
@korygollan4 ай бұрын
I appreciate your videos! You have been a lot of help on my journey. However, this isn't working for me. In my Sophos log, I see the my rule being used, and the traffic gets routed to the correct IP. However, it seems to end there. My Traefik access logs don't show any entries. So the traffic is being dropped somewhere between my firewall and the Traefik container. Any troubleshooting advice? I feel like somehow I am losing the name resolution, so Traefik ignores it. But I don't know how to check for that.
@Jims-Garage4 ай бұрын
Thanks! You likely need an internal NAT rule for 80 and 443 (to redirect internally to 81 and 444).
@alfonce76135 ай бұрын
Just wanted to pop in and say awesome series - this has really made all the difference in my homelab journey. Thanks and keep up the good work! Question - does this still have value if you already host all your external accessible apps on a DMZ?
@Jims-Garage5 ай бұрын
Thanks 👍 this is only relevant if you use Cloudflare tunnels without a DMZ
@ws_stelzi799 ай бұрын
I hope 5 Months on you progressed a little towards a "Makro KZbin Career" 😇🤪
@ryanmalone26817 ай бұрын
Watched it like 20 times and still can't recreate it. I just left it unsecure, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.
@Tmacs-yp6vvАй бұрын
have you been hacked yet? lol
@ryanmalone2681Ай бұрын
@@Tmacs-yp6vv Nope, but thanks for your concern anyways d1ckhead. Turns out that my ISP’s “passthrough mode” modem isn’t really passthrough and won’t allow anything to hit my firewall and it’s impossible to connect my gateway directly. We’re still troubleshooting what middleware on their side of the network is screwing this up. In addition, adding CF firewall filtering rules blocked 99% of traffic and only allowed the tiny amount of valid traffic through the tunnel.
@Tripp11111 ай бұрын
Thank you! ❤🍕
@Jims-Garage11 ай бұрын
You're welcome 😊
@antoniomax3163 Жыл бұрын
What is smb? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, smb is very critical of delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.
@Jims-Garage Жыл бұрын
SMB is short for samba, you're right, it's a network share protocol. I would advise against using it in a Cloudflare Tunnel, you don't want to be exposing shares this way (i.e. to the internet - use a VPN instead).
@Tripp11110 ай бұрын
I love the video, but I can't seem to match up your process with my pfSense fw.
@Tripp11110 ай бұрын
I figured it out.
@dzmelinux7769 Жыл бұрын
Good video,but I really hate, very much any background music, why in the world would anyone need this?
@Jims-Garage Жыл бұрын
Thanks for the honest feedback. I prefer videos without, but apparently most people like some ambient background music. I'll mix it up on future videos and see how it goes.
@dzmelinux7769 Жыл бұрын
Thanks, I don't watch your videos as entertainment, rather as technical information and tutorials. I find any kind of background music totally distracting.
@EduardoSantanaSeverino Жыл бұрын
I personally prefer the background music. And also enjoy this video. Thank you.
@dzmelinux7769 Жыл бұрын
@@EduardoSantanaSeverino That's great, just imagine, if you use your own device for listening to music, you can even chose which song you want to play in the background ;-)
@Seekeroftruth191 Жыл бұрын
Bro you must have crazy good hearing for me it's so low I don't really notice it besides Jim has the voice on an angel ;p
@OnlineObsessionista10 ай бұрын
When you say you're punchunig a hole in your home security, do you understand that no one has any security rather than anything standard included. And I don't even know if anything is included in macos by default
@Jims-Garage10 ай бұрын
Agreed. But most people running a Mac aren't exposing it directly to the internet. Moreover, most homelabbers will have a 3rd party firewall that they control tunnel. With a Cloudflare Tunnel you're effectively handing all trust over to Cloudflare. Granted, they're one of the biggest players in the game and therefore advanced, but it does also make them a prime target for attack. I feel it's worth taking control and doing it yourself, or doing both as I illustrate.
@OnlineObsessionista10 ай бұрын
@@Jims-Garage I mean, I don't have any firewall in my router, so anyone can break inside my lcoal network. I'm exposing my Synology NAS by trusting Synology to do that. I'm exposing my homeassistant by trusting nabucasa. I always trusting someone.
@rickhernandez2114 Жыл бұрын
I have an internal reverse proxy (traefik) that routes all of my internal hosts by name i.e: proxmox.local.home.lan docker.local.home.lan portainer.local.home.lan Which is great as I don't have to put in port numbers or anything and everything all the time is https even inside my network. Is it more secure to point my cloudflare tunnel at one of those? In other words I would like to set this up exactly as you have outlined here (great job by the way) but not go to the actual server just go to my interal proxy. Is this better? Does cloudflare still see my traffic this way?
@Jims-Garage Жыл бұрын
Routing through a proxy won't really do much. In my video I'm making sure the traffic goes through a firewall, and is scanned by crowdsec. Those are the two bits that add back some security.
@rickhernandez2114 Жыл бұрын
@@Jims-Garage the reverse proxy is also behind my firewall ( it isn't meant for external access) so I'll just make all the rules and see how it goes. Thanks again!
@Jims-Garage Жыл бұрын
@@rickhernandez2114 the problem is the tunnel bypasses the firewall. You want to route traffic back through it to scan it and control access.