I think it’s important to note that cloudflare tunnels have limitations. For exemple if you plan to use this to access stuff that require large file transfers like nextcloud, cloudflare tunnels are limited to 100mb per file.

I've been using this service for 2-3 months and I love it. Easy setup and it works very well. I'm stuck behind CG-NAT making self-hosting difficult, but Cloudflare tunnels have made life much easier.

A few things to note: end-to-end encryption can be achieved by specifying a trusted CA and an expected hostname within the cloudflare zero trust dashboard. Also, docker isolated networks are a MUST if you're going to host other containers/services that you don't want exposed to the internet

I started using this to have my college labs accessible when out of home. Making code changes real time and see them implemented makes life a lot easier.

Very informative. That extra layer of security was exactly what I was looking for

You never fail to give me practical new information on new systems. Thanks 😀

This is why I love this channel - first time I hear of the TLS intercept, which is okay, but you have to be aware of this. None of the other pointed this iirc...

This was so helpful. I was having issue on the self signed certificate validation and finally got it working!

Excellent video, very easy to follow and I have now restructured my remote connections using cloudflare tunnels and added another layer of security.Thanks!!! One thing I noticed when testing though was that I needed to set the email rules to 'Require' rather than 'Include' for the restrictions to work as described in the video.

I'd love to see you run your ssh connections through a tunnel. I've only managed to do it with their in-browser ssh client, and not through a remote terminal.

thanks so much for your detailed videos - I have been struggling since last couple of days to fix the cloudflare tunneling problem with my docker container and continuously watching videos on youtube. But your video help me to resolve the issue, thanks again.

Hi Tom. Thanks for this great content! I successfully use CF tunnels to expose home services a good while. Using "Applications Policies" in conjunction with "Access Groups" give me a granular way to lock down certain services to special groups of users or devices (by country, ip-address ranges, e-mail addr). Using special "identity provider"s for certain applications provides more flexibility also. The use tunnels depends a lot of "trusting" CF. Controlling the SSL-endpoints is a real responsibility for CF. Hope that CF never suffers a data breach or use our data for their own purposes. Than the "shit hits the fan"... A good an successful year 2023 for everybody! See you next year (in 1 day) 😀

Also, folks should consider setting memory limits on their Docker containers in case one runs wild and starts using up all the RAM on the docker host. It helps prevent problems down the road.

With the 'bug' you mentioned at the end, you can go to your DNS settings in cloudflare, and delete the subdomain forward manually

Excellent - as is your usual standard. Thank you.

Great video Lawrence! I self host Guacamole and have a custom domain pointing to it, but I think adding the extra security layer Cloudflare offers is a good idea.

It's hilarious how many times in the past year I've search this up to bypass ISP port blocking, and still haven't done it... maybe this will be the recemented video that makes me implement it.

Hey there. Not sure if you’ve figured out the bug already, but in case you haven’t. When you create a new public hostname, it’s actually creating a new CNAME entry in your DNS records. When you delete a tunnel before the hostname, you just need to go delete the DNS entry manually before you can recreate one of the same name. Deleting the public hostname “correctly” simply removes the DNS entry for you. Hope this helps!

Very good intro to bring awareness around who you bring into the trustcircle

This service is brilliant, I had superficially seen something about it, but I hadn't tested it yet, now with this video, I'm going to try to implement it in some personal project to test it and see if it fits in some current or future project!

Thank you Tom, very informative. One point I missed is - how to handle HTTPS certificates and if clouldflare can handle more sophisticated URL manipulations (rewriting)? I'm trying to understand if this could replace also my reverse proxy. I wish all best in 2023🎉😊

thank god for u, everyone missed the tls setting

If you go into your DNS settings in cloud flare for that domain you can remove them manually if you do it backwards.

Awesome video Lawrence, you got me out of a pickle, unfortunately, I followed another youtuber's video, but he failed to provide one very important detail regarding TLS verification..! Thanks

Thank you Lawrence for the videos, please upload more Cloudflare tutorials. great content

I’ve experienced the same DNS “bug” when deleting a tunnel and needed to manually delete the DNS entry to reuse the subdomain when I started setting things up and testing. However, later when I set up different tunnels and eventually deleted them after testing, the DNS entry was deleted with the tunnel. So it hasn’t been a consistent bug for me, and may be related to the process taken when deleting.

Best and most secure option to exposé internal services to the internet - and one that works with a cgnat, too 👍 Thanks for the video 😁

Lawrence, I tried what you did with uptime-kuma, but Cloudflare treated it as an http URL. It doesn't wrap it in https for me the way it did for you. The TLS tab doesn't appear when I set the target service for http. What might I be missing? Thanks.

all good thanks for cover it step by step. I discover also that you can combine tailscale network and cloudflare tunnel to host something that isn't on the same network

@Tom thank you for this.. you solved my issue.. I wasn't activating the "No TLS Verify" so it wasn't working..

It occurs to me that this might be a way to "expose" my webserver to fellow residents of the retirement village I live in and build a community portal. I'm behind a double NAT and I'm running WordPress on IIS (because I know IIS...). Thoughts on using Cloudflare Tunnels for this purpose?

Can confirm this works well on a Raspberry Pi with the Debian Buster ARM 32-bit package 🙂 Can now access NUT UPS monitoring to see more detail of what is going on when I receive the dreaded email to say my UPS is on battery. It wasn't something I wanted to publicly expose and can't anyway due to my ISPs CG-NAT.

Great Vid, what about set up for a RDP connection? I can't seem to get this to work

Damn… I already thought I must have a look at Cloudflare Zero Trust Platform, but still havent come around doing so. Thanks to this video, I now know I DEFINETILEY need to have a look at as soon as possible…

awsome. I saw it elsewhere, but not seen the additional security layer. there is only the risk that cloud flare going for the free security to paid in some years.

This is one of those awesome tools similar to ZeroTier One that once you hear about them you are super glad you know exist!

Would you still recommend putting the daemon in a DMZ of sorts, and filtering/monitoring the traffic from the cloudflared daemon to the internal app(s) through a NGFW?

I encountered that small nuance of not being able to adding back/renaming to a hostname that I had previously used. When you create/add a Public Hostname under Tunnel it creates a new CNAME in your DNS, and this doesn't get automatically deleted probably more of a safety feature since DNS propagation usually takes time. Delete the CNAME entry and you can go about the rest of the day.

Cloudflare tunnels, this is the way. Also the Web Application Firewall (WAF) they offer for free only adds additinal layers of security. You can make firewall rules to block traffic before it ever hits your network/servers/applications.

This works with other internal thing. Like my deluge client. but with nextcloud I can't get it to work. I've added the correct ip's in the config.php allowed list. But nothing ever shows. Any ideas ?

This worked excellent. So many layers and no holes in the firewall.

I need to use Traefik's reverse proxy services. Is there an option to route wildcard subdomain through cloudflare tunnel?

its possible that it was eventual concistentancy, there is also the possibilty that they just let the ttl run out ?

I am wondering what could be the potential Performance of those tunnels, packet per second etc. Also how could I make them Highly Available mode, Option1 k8sbut again some many options can I run them in replica set. The intention would be complete firewall / load-balancer replacement for large busy websites. What are your thoughts based on my comments?

Seems that UDP is also a supported service on the Cloudflare Tunnel so technically, you can use the tunnel to manage your Unifi setup AND have the inform URL set to point to it. Has anyone given this a go?

Is like the lazy man trafik? Also what happens if your internet goes out at home? Are you still able to access local services?

I'll have to give this a try. I actually had to solve this exact problem for a server I was building last year. I ended up using zerotier sdn connecting the homelab vm's to a droplet with a public IP, and using ipforwarding and ipchain to build a frontend for it. the droplet has the ssl cert, and dns records pointing to it. It follows the iptables rules to forward specific traffic over the zerotier virtual network to the local vm's and back.

I am trying to create a tunnel for Kavita but when I put the local URL at the Route Traffic for "TunnelName" it says URL is required despite me putting a URL into that spot. I've confirmed the service is running, and the URL is correct.

thanks for the demo and info, have a great day

Saved me for an issue I was having, thank you very much!

I get the tunnel part up and it says healthy... and if I go to Plex on my server's side... it lets me connect the Remote Access to the Internet.. ...but when I try to access that tunnel/host, i get a Cloudflare error page saying that my tunnel is ok, and it's broken from my domain to the host. I dont get it. How can I make the connections then? (like from Plex's Remote Access page) I feel like I'm missing one small part, and it's frustrating as hell.

apakah localhost webserver framework laravel bisa menggunakan cloudflare tunnel ?

I get an error at 11:33. Clicking the "public hostname" doesn't work, however, navigating to the "service" URL works as intended. Any pointers would be greatly appreciated! Thank you!

I created vlan on pfsense then connected cloudflare on vm with vlan, but I want to control it thru pfsense for example to use wan or lan ip, what am I missing

Hello, this is a great video and convinced me to use Cloudflare Tunnels instead of reverse proxy. A question though: is there a possibility to add wildcards? I want to run a Wordpress Multisite but dont want to log in to Cloudflare and add another tunnel every time I add a new site. Also, if there are issues removing a tunnel I may have to rethink this.

Hi Lawrence, thanks for your video. A question on a detail. I've installed Portainer and set a Cloudlare tunnel with Docker. When I go to the cloudflare container, to check the logs as you do, mines are empty. Which doesn't seem normal. Should I do something to make these logs visible? thanks

Excellent demo! Question do they offer an agent that would enable private tunnel access with 2fa? This way you could enable access to all containers with a wildcard and not expose all the names in public dns,

For some reason SSL wasn't enabled for me by default, nor do I see any way to enable it...

Many thanks. Will certainly be looking at this and interesting you referenced it re Bitwarden which is one of my potential use cases. Originally I was going to do bitwarden self hosted with vpn. Cisco CBD build to be done next week too.

Is there an elegant way to use cloudflare access for the whole domain, except 1 subdomain/ public hostname?

Might seem like a stupid question, but ... can you add the main domain *and* sub-domains *or* just a list of sub-domains

I run this as an add on in Home Assistant, works great!

How do you figure out what port an actual computer running unbuntunis using being banging my head trying to get cloud flair to work on Unbuntu 22.04 LTS

How could this work if I want to use a certificate to authenticate my authorization?

My IP on cloudflare always change back to the old IP after changing it to the new IP, please do you know the course? This thing happen every 24hrs

I already use this with a synologydva and Google OAuth. The only downside/ issue I have is not being able to access it via a mobile phone app DSCam.

I am still new in this field and i want to make my owncloud can be accessed outside my home, so do i still need public ip? Thanks beforehand

How does this compare to a Tailscale setup latency/throughput wise for streaming video (plex/jellyfin)?

how to delete tunnels already downloaded and deleted by cloudflare? It blocked me from loading for new ones

Hi you are great!! it's possible protect the tunnel access with mutual tls for authenticated the clients? because the apps behind the tunnel has auth. like a "MFA" cert + user + pwd

Any particular reason to use this instead of Tailscale? Apart from needing Tailscale on both the server and the client?

how to restrict the users from not opening website if they get ip and port, just make website visible to domain name only

I do use it from before it changed of name. It was in beta, right now why it is free it is for gaining clients also if they do updates it is on the free before as if it broke the payed clients wont get the error as they will correct the error before. I used it for years as I am hosting at home on DHCP from my ISP and with it changing IP wont do me any thing. It is super repliable, safe and easy to configure.

I’ve been looking at this. Would it be a safer way of self hosting a Bitwarden vault while making it accessible to clients outside your network?

Sir, Please can you help me I am trying to get RDP Access form Outside network of my home windows 10 pc from my office using Cloudflared Tunnel with out any port forrowarding of my Jio Fiver Router. Please help me sir.

very clear explanation!

Can you also block some parts of an open service? Like restricting only the admin page of a tunneled bitwarden install

Hi Lawrence, couldn't you make a video with RDP through Cloudflare.

This is great,would definitely try it, but do you need to purchase the SSL certificate for your own domain for this?

Sir, Can you help me onething I want to access my Home Pc using RDP Via ClousFlare Zero tunnel, but i cant access it, I can access 80 port or other port on web browser without port forrowarding but need to access RDP Windows 10, Can you help me Sir. Please.

and pee configure xampp if you have a local server?

What about the data transferred via client tunnel? E.g. What if I transfer a large amount of data through my application? Is there any additional payment for this?

If we are using Traefik, is it gonna work perfectly?

Great video as always. Is there a way to create a RTSP stream connection to an internal camera?

Just a quick question. Will the cloud flare docker also point to services that are not running in docker? Say a Nextcloud snap image.

Can you please provide some details on your video camera/mic setup? Video and audio are A+ [If I was to guess, Blackmagic 6K]. Do you edit with After-Effects/Premier Pro or something like DaVinci? Thanks! - big fan from neighborly ann arbor :)

Thank you for this video. Answers a lot of questions I have :-)

At 12:57 you say "this has got a self-signed certificate"...How did you do that? Can you do a video on that?

Great video, thank you very much - earned a new Subscriber here! Couple of questions: 1. Following on from your last video, I decided to ditch lastpass and am now hosting my own BitWarden, but would like to add another level of security when not going to the url from my home (which I have managed), but the sync in the app does not connect due to the Application Policy, is there a workaround to make this more secure? 2. I have a dynamic IP address at home and would like to make sure the IP in the application policy updates - is there a way to do this? Thanks and keep the great videos coming!

I feel like this would be a good solution for the Minecraft servers I host for my kids and their friends?

great video I love and use Cloudflare myself. any plans to make a video on combining it with Authelia for extra security ?

Hey Tom, love your videos. I'm trying to understand who CF tunnels is a good use case for? At the end of the day, CF tunnels essentially moves the "firewall" from the customer's datacenter to CF. The application security and group based access rules etc. kind of just replaces a SSLVPN client and firewall rules. What I'm saying is CF tunnels is basically the same concept as a firewall and SSLVPN client from any firewall vendor. A business hosting services, will need a firewall anyways at the end of the day, so isn't CF tunnels just an additional expense? I think CF tunnels may be easier to configure for the average person but modern FW rules aren't too complicated. The one benefit I do see is DDOS protection. CF tunnels definitely wins in that regard. Again, not trying to be rude or anything, I'm just wondering if using CF tunnels is actually worth it. In my opinion everything CF tunnels can do can be accomplished with a properly configured FW and a VPN client (besides DDOS protection)

What happens when you are on the same local network as the Cloudflare "endpoint" and you are requesting services on that local network with that same DNS entry... does the traffic route out of that "local" network and then back through the tunnel?

great stuff! exactly the solution I need, thanks a lot for sharing this.

Great video ! I set policies to "email" for each of my services. Is it a bug that once I succesfully accessed one service using the emailed PIN, I can then access all of the other services on the same tunnel without being challenged for an email PIN ? Or does the browser store a cookie allowing access to all services once I have successfully accessed one of them ? If I set a different email address for each service then this "bulk authorisation" disappears. I found that setting the "session duration" to "no duration" prevents this behaviour.

what about using ssh? is the same config?

has anyone been able to configure the 'IP range' as policy instead of OTP? I keep getting unauthenticated errors, even though the details in the message list the same public ip i've whitelisted in the configuration policy.

Which one will be better exposing the services with public IP address or this?

Great video again, appreciated! Someone already asked the question but so far I've not seen a response to it. How would these Cloudflare tunnels compare to other popular solutions nowadays such as Tailscale or Zerotier? Any views on that you want to share Tom?

Super helpful! Thank you!