You should NOT use Cloudflare Tunnel (if you do this...)

222,785 views

Christian Lempa

1 day ago

Are you interested in Remote Access for your Homelab? In this KZbin video, I will explain the potential implications and problems with Cloudflare Tunnel, and when you should NOT use it. I’ll also discuss the architecture of the service, the security and privacy implications, and the legal and regulatory implications. Tune in to find out more! #RemoteAccess #Homelab #CloudflareTunnels
Related Videos/Links
• How to use Cloudflare ...
________________
💜 Support me and become a Fan!
→ christianlempa.de/patreon
💬 Join our Community!
→ christianlempa.de/discord
________________
Read my Tech Documentation
christianlempa.de/docs
My Gear and Equipment*
christianlempa.de/kit
________________
All links with "*" are affiliate links.

Comments: 345
@jasenwar · 1 year ago
Why does every video with these tech KZbinrs require me to grab a drink?
@dejangegic · 1 month ago
They're paid by the Big Drink lobby that wants you hydrated, and your piss translucent
@tmanley1985 · 28 days ago
Just once, I'd like to see a video start with: "So get ready, grab yourself a five course dinner and let's figure this out together!"
@redwind3475 · 25 days ago
Great question. Why don't we talk more about it....over a cup of coffee!
@xConundrumx · 10 hours ago
To be honest, I wouldn't be able to sit through most of them without a stiff one.
@jasenwar · 9 hours ago
@@xConundrumx for me I need a stiffy
@LAWRENCESYSTEMS · 1 year ago
Yup, these are the same issues I brought up in my Cloudflare Tunnel video.
@clixt984 · 1 year ago
I honestly don't mind all the cons of Cloudflare Tunnel, and I definitely agree. Don't just expose all your services without another form of security like Cloudflare Access. That's the first thing I did after setting up Tunnels, and it's been great.
@kanarie93 · 10 months ago
Basic auth is indeed not always working as first-level security, so Cloudflare Access is a godsend. I was finicking with Authelia, but damn, Cloudflare Access "just works".
@IanCliveKerrCoelho · 1 year ago
Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.
@jacksoncremean1664 · 1 year ago
Excellent video, this is something home labbers often get wrong. Cloudflare isn't a silver bullet to your security woes; sure, it helps, but it comes with its own issues. If you're using a free plan, then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.
@AlexWard94 · 11 months ago
This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure. The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.
@sphbecker · 5 months ago
Very good point. You could always put the Cloudflare endpoint in its own VLAN so that you can still build firewall rules for the traffic.
@maximusdecimus2350 · 1 year ago
Thanks for sharing your knowledge; I'm planning my home lab and using your videos as research.
@BlitzFingers · 4 months ago
Many thanks, Christian! I've been considering HAProxy or the CF tunnel. This helped me make my decision.
@scottibyte · 1 year ago
Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from behind their CGNAT. In situations where I have played with Cloudflare Tunnel, it has been inside of a dedicated VLAN on my network, and I think that your concerns are valid. When CGNAT folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports, which I don't really see a way to do on Cloudflare Zero Trust.
@henrysowell · 1 year ago
Great video. I'm a huge fan of Cloudflare and think they've done a ton for the world in making the internet more secure. That said, having a reasonable, fair, and open analysis of the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!
@jenniferw8963 · 9 months ago
6:00 One thing you could do with a Cloudflare Tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN's traffic to the appropriate servers and ports on other subnets.
@stefanfelder9413 · 1 year ago
Little workaround for the firewall issue: put the Cloudflare Tunnel VM or container in a dedicated /30 VLAN with internet access only to the external IPs of Cloudflare, and create rules to the internal services you want to expose via inter-VLAN routing.
@xavierlarosa8235 · 1 year ago
New to home lab here. Are you saying to basically segment your internal network, and all your exposed services will be on an isolated network along with your Cloudflare Tunnel VM running?
@stefanfelder9413 · 1 year ago
@xavierlarosa8235 Yeah, you could do it like this. This would limit the devices Cloudflare would be able to reach to this VLAN. I have gone even further: I've got a server VLAN with my internal services and a dedicated VLAN for the Cloudflare Tunnel VM. So I get maximum control over the services Cloudflare is able to reach by creating a default drop between the VLANs and only dedicated allow rules for services I want to expose.
@rb-max · 1 year ago
This is what I am doing already to prevent the CF tunnel from getting access to my whole network. The CF tunnel is limited to its own VLAN, and then gets access to only the services that really need the Cloudflare Tunnel.
@tonyho4512 · 1 year ago
@@rb-max Could you share how this can be done?
@stefanfelder9413 · 1 year ago
@@tonyho4512 Depends on your firewall. What firewall do you have?
@rocket01666 · 1 year ago
I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network, allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which makes OpenVPN with MFA impossible with NPS. Now you must pay for expensive services such as Duo :( P.S. Love your content and what you provide for the IT community. Thank you!
@Glatze603 · 1 year ago
Hi Christian, and thank you for this critical and informative video. You do not bypass your firewall if you set up the cloudflared server (or Cloudflare Docker container) in a separate DMZ/VLAN. I can't see any difference from other VPN solutions that end directly in the internal network. This is a general problem that can either be improved by well-documented descriptions of possible extensions, or you have the necessary expertise yourself to be able to operate such solutions relatively safely. So you are right: not only the route between the endpoints has to be secure, but especially the endpoints themselves and the networks behind those endpoints always have to be secured. Your argument is still absolutely valid, and many manufacturers of such solutions promise easy and secure installations, which can be very deceptive. In my opinion, Cloudflare offers one of the best and most secure solutions for accessing internal services (no published ports, MFA for accessing the Cloudflare dashboard, and separate MFA and other web application rules for accessing the actual services). In addition, the actual application that you want to reach via Cloudflare Tunnel should also have its own authentication; I only use applications that can handle MFA on their own, such as Guacamole. But it always depends on how you implement it :-) If large companies trust Microsoft by running an Azure AD (most have little choice), you can trust Cloudflare for your homelab services for sure.
@ShaferHart · 8 months ago
If you can't see "any difference" between a VPN server that you run and this, then you are ignorant about the topic or just plain daft. The alternative to cloudflared (from a privacy perspective) isn't Tailscale or Twingate or whatever tf. Let's concede that Cloudflare gives you all of those features as securely as any third party can; that's really beside the point. You're getting all those "freebies" in exchange for putting a middleman in all the traffic you tunnel through them (technically they can establish any connection they wish from inside your network since they are running an agent inside yours). Obviously a lot of very technically inclined people are willing to do this, but let's not be stupid about the trade-offs here.
@Glatze603 · 8 months ago
@@ShaferHart Hosting a VPN server primarily just means having an encrypted connection between 2 points, nothing else!
@erichb.1396 · 1 year ago
Hmm.... Your video confirms my amateur understanding of Cloudflare tunnels. Thank you very much! I'll think more about it, get info and probably tip my tunnels and switch to a practical in-house VPN solution. I hope I can do that. Best regards.
@TheJoaolyraaraujo · 1 year ago
Thank you. I was wondering about the implications of using it.
@mrcolo. · 1 year ago
Please do a video about best practices to set up Sophos XG, secure the net, expose services safely, etc. Or a video where you show us your Sophos setup. Thanks man!
@chrisumali9841 · 11 months ago
Thanks for the info and video, have a great day
@DavidMedinets · 5 months ago
Thanks for pointing out this issue.
@MiFonito · 1 year ago
Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your Cloudflare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust. Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement a reverse proxy, lol).
@MikelManitius · 3 months ago
This is a good balanced look at it. One thing you forgot to mention are mitigations, such as being careful where in your network to deploy the tunnel endpoint. For example, a "DMZ" (or similar) area where you provide services from but that does not have access to the rest of your network, in order to minimize the crash surface.
@BrentFreyEsq · 1 year ago
Great video! I think homelabbers should talk more about who you trust with your data, but also the various attack surfaces these services open up. I'd be interested in a deeper dive and comparison between Cloudflare Tunnels, Twingate and Tailscale (and Headscale), as they all do similar things with subtle--but important--differences.
@homepc293 · 5 months ago
You forgot ZeroTier. Would really love to see an in-depth comparison of these.
@RobertAnthonyPitera · 6 months ago
Was about to deploy Cloudflare and, thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT: this was an excellent video I'd likely have otherwise missed. I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out, well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!
@olafschermann1592 · 1 year ago
Good point. I had to decide between ZeroTier, which is more convenient for my application, and Cloudflare. I decided for Cloudflare because I trust them (more). But shutting down a service is also a valid complaint.
@rexjuggler19 · 1 year ago
I try to avoid using someone else's cloud services. I'm not 100% opposed, but I prefer to manage my own stuff with my own stuff.
@GabrielAcosta00 · 1 year ago
Hi Christian, excellent video. I'm using Cloudflare Tunnel to expose a web application (Django + React) to a handful of clients. I don't care about the data; I found cloudflared easy for doing what I wanted. Should I look for another approach? To access my homelab I still use WireGuard + AdGuard Home + NPM.
@mobimb · 1 year ago
Thank you, Christian, for the video. Kindly, we need to know what the alternative solutions are in your opinion.
@Movies4118 · 1 year ago
Thanks for another great video as usual!
@christianlempa · 1 year ago
You're welcome! Thanks for watching :)
@RK-ly5qj · 1 year ago
I have tested CF, and I didn't choose it for a few reasons: trust, protocol limitation, and L7 protection (threat protection, AV, IPS, web filter etc.), which I can do on my Sophos XG (WAF). Maybe I didn't test it well, but... ;)
@Ecker00 · 1 year ago
Thank you Christian for taking a critical take on this. 👍
@erichb.1396 · 1 year ago
Hi Christian, I have been thinking about it again, especially with regard to my self-hosted 'Vaultwarden' which is accessible externally via Cloudflare tunnel. As far as I know - and I am a layman - Vaultwarden encrypts the data locally. When synchronising with an external client via the CF tunnel, the data should actually be securely encrypted. CF doesn't know the key of my Vaultwarden. Or am I wrong?
@mariof.1941 · 1 year ago
I have enough options with my FortiGate firewall to share certain parts of my network. I looked into the Cloudflare solution, but the fact that all my traffic would go through their servers stopped me from using it. However, once you have made the right settings in your firewall, it is easy to quickly provide someone with a service from the HomeLab.
@samuelhuang7769 · 1 year ago
Hi Christian, thanks for all of your awesome videos that explain complicated things in an easy way. But after following your previous video on setting up my homelab with Traefik, Cloudflare Tunnel, and Zero Trust authentication on a bare-metal TrueNAS Scale server, I was worried about getting banned from Cloudflare by having high bandwidth, and about other security issues. I'm planning to let my family in Taiwan use Nextcloud and PhotoPrism remotely and share family videos, photos, or probably sensitive documents as well. So will a VPN like Tailscale be the best solution here? Or is there a better solution in my case? Thanks in advance!!
@canadianwildlifeservice8883 · 1 year ago
Agreed with this post. With most cloud providers, you give up your privacy for security (well, security is subjective... providing no three letter agencies haven't already backdoored it like they did with L2TP and Juniper).
@garypaulson5202 · 1 year ago
This was very informative, thank you very much.
@PowerUsr1 · 1 year ago
To be clear, at around 6:16, when firewalls might become useless because they are not integrated into the firewall and punch a hole....
1. If an enterprise employs application whitelisting on their laptops/servers/desktops, then this will never have a chance at being deployed.
2. If an enterprise chooses to do SSL decryption, this would never have a chance at being deployed.
3. If using some form of application identification (AppID), this would never have a chance at being deployed.
4. If you deny the outgoing port 7844, then this will never get deployed.
If you choose to have lax rules or a lax security model, then yeah, you can bypass the network security, but this isn't as easy as one would think it is.
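The dedicated-VLAN mitigation that several commenters describe above (a /30 segment for the cloudflared host, default drop between VLANs, explicit allow rules only for the published services) and PowerUsr1's point about denying the tunnel's outbound port everywhere else can be expressed as one firewall policy. The Python below is an added example, not code from the video, from Cloudflare or from any commenter: it renders an nftables forward chain for such a segment and evaluates sample flows against the same policy. The VLAN addresses, the service list and the 198.51.100.0/24 "edge" prefix are constructed placeholders (Cloudflare's real edge ranges come from their published IP list); port 7844 is the tunnel port named in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL_PORT = 7844  # cloudflared's outbound port toward Cloudflare's edge (tcp, and udp for quic)


@dataclass(frozen=True)
class Service:
    name: str
    ip: str
    port: int
    proto: str = "tcp"


# Constructed addressing for the example; substitute your own segments.
CLOUDFLARED_VLAN = "10.99.0.0/30"  # a /30: the router and the cloudflared host, nothing else
ALLOWED_SERVICES = (
    Service("nextcloud", "10.10.0.20", 443),
    Service("photoprism", "10.10.0.21", 2342),
)
# Placeholder standing in for Cloudflare's published edge ranges (not a real Cloudflare prefix).
CLOUDFLARE_EDGE = ("198.51.100.0/24",)


def render_nftables() -> str:
    """Emit an nftables forward chain: default drop, explicit allows, logged drops."""
    rules = [
        "table inet cf_tunnel {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    # Only the published services, only on their service port.
    for svc in ALLOWED_SERVICES:
        rules.append(
            f"    ip saddr {CLOUDFLARED_VLAN} ip daddr {svc.ip} "
            f'{svc.proto} dport {svc.port} accept comment "{svc.name}"'
        )
    # Egress: the connector may reach the edge on the tunnel port and nothing else.
    for edge in CLOUDFLARE_EDGE:
        rules.append(f"    ip saddr {CLOUDFLARED_VLAN} ip daddr {edge} tcp dport {TUNNEL_PORT} accept")
        rules.append(f"    ip saddr {CLOUDFLARED_VLAN} ip daddr {edge} udp dport {TUNNEL_PORT} accept")
    rules += [
        # Anything else the connector tries (management VLAN, other hosts) is logged and dropped.
        f'    ip saddr {CLOUDFLARED_VLAN} log prefix "cf-vlan-drop " drop',
        "  }",
        "}",
    ]
    return "\n".join(rules)


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide 'accept' or 'drop' for a NEW forwarded flow under the same policy.

    Flows that do not originate in the connector segment fall through to the
    chain's default drop; a real firewall has further chains for the other
    VLANs, which this table deliberately does not model.
    """
    s, d = ip_address(src), ip_address(dst)
    if s not in ip_network(CLOUDFLARED_VLAN):
        return "drop"
    for svc in ALLOWED_SERVICES:
        if d == ip_address(svc.ip) and proto == svc.proto and dport == svc.port:
            return "accept"
    if proto in ("tcp", "udp") and dport == TUNNEL_PORT:
        if any(d in ip_network(edge) for edge in CLOUDFLARE_EDGE):
            return "accept"
    return "drop"


if __name__ == "__main__":
    print(render_nftables())
    for flow in (("10.99.0.2", "10.10.0.20", "tcp", 443),   # published service: accept
                 ("10.99.0.2", "10.10.0.20", "tcp", 22),    # ssh to the same host: drop
                 ("10.99.0.2", "10.0.0.5", "tcp", 22),      # management VLAN: drop
                 ("10.10.0.20", "198.51.100.7", "tcp", 7844)):  # a rogue connector elsewhere: drop
        print(flow, "->", evaluate(*flow))
```

The rendered text is in `nft -f` syntax and is meant to be reviewed alongside the firewall's own rules; `evaluate()` is a self-check of the intended policy so that a change to the service list can be tested before it is loaded, not a substitute for testing on the firewall itself. The last sample flow is the enterprise case from the comment above: a host outside the dedicated segment trying to reach port 7844 is dropped, so an unapproved connector cannot establish a tunnel.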
@urzalukaskubicek9690 · 20 days ago
Great explanation, thanks!
@christianlempa · 20 days ago
Thank you 😊
@RobertMizen · 1 year ago
I think one of the main issues for me is the centralising of important internet infrastructure. Cloudflare offers some great services which are important. But I do not feel comfortable with so many eggs of the internet being in so few baskets. Awesome video btw dude, as usual.
@pavelperina7629 · 1 year ago
I see it in the opposite way: Cloudflare removes many points of failure. Of course it depends how much time, money and (electric, your own) energy you are willing to invest into your infrastructure. For accessing your personal blog, Nextcloud, Git ... running on a low-power PC/SBC, I'd say it's perfect.
@niravraychura · 1 year ago
Thanks for the video. It actually makes sense. But I would like to add something here: "home lab is for learning", right? Yes, we can check out some tools, but I think people who have a home lab should expose their services and do some kind of research about how to secure them, for example, use some kind of firewall, IDS/IPS, etc. See the logs regularly, and automate some things. Maybe I am wrong, it's just my thought. Correct me if I am wrong.
@romayojr · 1 year ago
I just recently deployed Cloudflare Tunnel with my home lab services and it's been working fantastic, but after watching this I'm very conflicted.
@christianlempa · 1 year ago
Like I said, it's not a bad service at all. Just depends on what matters most to you, simplicity, or privacy :)
@MichaelWDietrich · 6 months ago
Thanks for the great vid. But on 9:15, no "two endpoints" will ever be under your "full control", not even physically (and even one endpoint could be disagreed about, as to how much it is under your "full control", as soon as any network connection, let alone a wireless network connection, is involved).
@madsjensen8094 · 1 year ago
Glad someone else finally said it!
@maniratanpratapsingh0 · 1 year ago
Was waiting for someone to make this video. Great to see someone talking about this. We should see both sides.
@ultravioletiris6241 · 1 year ago
Same here
@kevinhughes9801 · 1 year ago
Great insight thanks
@dbishop9085 · 1 year ago
Is this a segue to setting up a VPN with Traefik? I definitely hope so! I am not sure if Tailscale would be the same situation or if WireGuard would be the better choice for privacy. A video about that would be a nice addition.
@MorpheusLewis · 1 year ago
OMG Where did you get your animated matrix wallpaper?? also thanks for this, I've been looking at using Cloudflare due to KZbin videos etc.
@uuu12343 · 1 year ago
Cloudflare Tunnel is a tunneling protocol that does a peer-to-peer connection through a "middleman" server such as Cloudflare Tunnel, same as ZeroTier and Tailscale. Using another server inherently means you have a dependency that you need to be aware of.
@darrennotfound7740 · 1 year ago
For Tailscale, if it can do P2P, no middleman; if it can't, it will use a middleman.
@josephwagner6682 · 3 months ago
Very good video. I was especially interested in the security concerns of bypassing your company's firewall by using such a reverse tunnel. I guess no enterprise will want to have such a thing set up by individual users. I could imagine an enterprise setup done locally, trusting Cloudflare, but it's a security nightmare when everyone can start a Docker container and punch holes into the whole firewall setup. I would even assume that some companies block those hosts and ports by default.
@christianlempa · 3 months ago
Thank you man! :)
@subnumeric · 1 year ago
Pro tip: you can still use the SSH tunnel and do a reverse port tunnel through that. Cloudflare cannot see/MITM that, since only you have your certificate, which the server verifies and is thus able to perform an authenticated Diffie-Hellman exchange and guarantee your communication is confidential! (See the SSH2 protocol and TOFU security model.) Also, I thought it was obvious that it works as essentially a MITM? They even advertise it as such! How else would they be able to magically HTTPSify all your services? Obviously, keep this in mind....
@sergefedorow8430 · 1 year ago
Thank you! Just in time, as for me.
@chaosen3 · 1 year ago
Regarding your point about serving non-HTML content, I always found it was a good practice to bypass the caching with a page rule. I use the tunnel and a reverse proxy to host my plex server using a custom server access URL and the first month I had it running with no page rules I was a bit unsettled to see how much data had been cached, but nothing came of it anyway.
@pcklubas · 1 year ago
They said in the Discord that this rule applies to ANYTHING that goes through the Cloudflare network; they don't care if you cache it or not. So you can still get booted if you don't cache a thing. However, they probably won't bother you if you're not pushing many terabytes of data.
@canes4ever162 · 4 months ago
This is what I am thinking about doing. Are you doing a CF tunnel to nginx to then forward to Plex? Any security concerns? I feel like it is better than exposing ports on my IP.
@GrantSR · 5 months ago
What if you ran cloudflare on a small separate machine, outside of your firewall? So that all cloudflare traffic still had to go through your firewall?
@mihaigalos279 · 1 year ago
Just use a reverse SSH tunnel to the device hosting the cloudflared, that's encrypted end-to-end.
@xxgg · 7 months ago
So what method do you recommend for remote access to home network? VPN?
@telosxian · 6 months ago
Not only do CF tunnels convey your data unencrypted through CF, but if you use their traditional DNS and choose CF proxy to "hide" your IP, your data is again in clear text within the proxy handling path.
@JasonsLabVideos · 1 year ago
Another good video sir !!
@christianlempa · 1 year ago
Thank you so much :)
@muhammedsaqibazam3035 · 11 months ago
Very informative, but what will be the alternative to a VPN if we are not willing to use Cloudflare as an alternative to a VPN? Is there any Web Application Firewall which fulfills all the requirements of a secure tunnel?
@stevebryant3723 · 8 months ago
I set up a DMZ VLAN with Cloudflare and pfSense. It's much more complicated to admin, but at least the Cloudflare VM doesn't have full network access by default. Just cost a bit of hair ripping during troubleshooting and setup lol.
@sashasimkin · 1 month ago
Hi! Thank you for this very important piece of information about CF tunnels, I'm now considering to use it in a business environment. I'm trying to understand how using CF might be violating GDPR here? As I understand GDPR is all about handling any PII data carefully, as needed and be transparent in how you're using it. So AFAIR CF has SOC2 compliance, and listing it as one of data processors should be enough to fit GDPR criteria. Would appreciate your insight on whether I'm correct here.
@ijustwanttoeatcookie · 1 year ago
I applaud you for also pointing out the drawbacks of CF tunnels. What is your opinion on exposing something like vaultwarden on CF tunnels?
@semirauthsala6001 · 1 year ago
I wonder what makes you stop creating a simple VPN setup with a trusted provider and exposing it securely. If you're able to host Vaultwarden locally, you should be able to set up a VPN as well.
@ijustwanttoeatcookie · 1 year ago
@@semirauthsala6001 There are situations where the device you want to connect from can’t connect over a vpn because it is managed by someone else. A company device for example.
@rashshawn779 · 1 year ago
Does Cloudflare allow connecting to a local service with a subdomain-only setup? I was setting up my service through Cloudflare Tunnel (free tier), then I realized I cannot add only a subdomain to Cloudflare for the public hostname. I don't want to do a full setup for the zone because of the way my setup works. Quite wasted my time; I wish they were clearer about this in the documentation very early on. So annoying to go until the end, only to realize it doesn't work for subdomain-only setups.
@nordexo · 1 year ago
Sounds like a thing that needs to be isolated on its own network segment, with all traffic coming out from the agent still going through the main firewall.
@thomastupper2594 · 1 year ago
What's the alternative to it though? If the option is either opening a port or using cloudflare, is that really a viable alternative?
@damiendye6623 · 6 months ago
IPv6
@yaroslav7328 · 1 year ago
The only app I expose to the external internet is Portainer, which is protected by a very strong password. As far as I understand, Portainer does have a built-in lock-in mechanism. Additionally, I use fail2ban to block suspicious connection attempts. All incoming connections are denied by firewall rules. However, is there still a risk?
@kodream316 · 7 months ago
Could you make a video with an alternative way to expose internal services without a public IP (CGNAT)? I currently rent a VPS with a public IP and, with ZeroTier (will set up my own WireGuard at some point), connect to a dedicated VM at home. Then on that VPS I redirect all traffic on ports 80 and 443 to my reverse proxy VM with iptables rules. It was a bit of a pain to get it working at first, before I figured out the correct iptables rules. But it works fine since then.
@djKenpLan09 · 1 year ago
First! Thanks for keeping sharing your knowledge Christian!
@christianlempa · 1 year ago
Thank you so much :)
@soubinan · 9 months ago
The reason why self-hostable solutions like Boundary or Teleport in a free-tier cloud are way better to use when you want to do business things.
@myusrngml · 1 year ago
Why use Cloudflare Tunnels, aka a reverse proxy, if your router supports port forwarding?
@trix7450 · 1 month ago
Great video, I have a question if I use cloudflare proxy on my website does that mean my website is not gdpr?
@RuiFungYip · 10 months ago
Personally, my deployment of Cloudflare Tunnels is by deploying it as a sidecar container on my external ingress Traefik instances. I run 2 sets of Traefik deployments in my local k8s cluster, one that's exposed to the internet via Cloudflare Tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to Traefik on localhost" rule static configuration. It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok, I guess. Tailscale Funnel is nice, but a bit restrictive since you can't use your own domains. As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services; then its traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice, so... tradeoffs.)
@Alex-un5tl · 6 months ago
Amazing as always.
@christianlempa · 6 months ago
Thank you! Cheers!
@GottaHache · 1 year ago
You should do a video about Twingate. Very cool tool
@user-hx9be2hl1r · 6 months ago
Do you have any videos on how to set up a webserver on a Raspberry Pi, with secure certificates etc., that can be accessed externally and doesn't open up your home to potential cyber attack?
@jlickliter502 · 1 year ago
I like how he kept a neutral stance but provided info so we can make our own choice.
@fisunerd · 5 months ago
Well, I guess that one should not use this kind of service without security layers in mind. Mostly because, in a certain given scenario, one could use the service's trustworthy reputation to stealthily exfiltrate data from a company's network, or gain reverse access to it, either by somehow abusing it or by installing it on purpose in a post-exploitation phase. This is a great option when your security strategy is mature enough and capable of containing threats as mentioned before.
@00000a0009 · 9 months ago
So if I have a WordPress container with a small website and I run the tunnel inside Docker, I should be safe. Am I right?
@moetocafe · 3 months ago
It's literally a description of how a malware would work :) Whether one trusts CF or not is up to everyone to decide for themselves.
@kkho7616 · 5 months ago
Is this tunnel recommended for use with a Proxmox server for remote access? Thank you.
@pnewman1112 · 11 months ago
Has anyone measured, from the web browser's standpoint, how much latency CF adds to the round-trip transaction? Is it 10s or 100s of milliseconds?
@alphenit · 1 year ago
Not so sure about that firewall punching you talk about, Christian. I have pfSense and could not get the Cloudflare pod to properly connect to Cloudflare because my pfSense was blocking port 7844 to the outside world. Once I created a rule that allowed the traffic, the Cloudflare Tunnel started working, but no way it worked "automagically" :)
@bobby07241 · 10 months ago
So which one is the best: ZeroTier, Twingate or Cloudflare?
@CarlosDiaz-fl4jl · 3 months ago
The big takeaway should be that if you don't understand the security implications, then don't use it. Goes for all systems though. Not fair to aim at cloudflare, but certainly fair to respond to your own content to provide better clarification.
@jribeiro1792 · 1 year ago
Hey Christian, thanks for your videos. Does the same thing apply to Twingate? Any insights on this solution? Thanks
@christianlempa · 1 year ago
Thank you! As far as I know, Twingate uses a different protocol, and does not hook into TLS, however, it also likes to punch a hole into your firewall, so while the 1st and 3rd problem won't apply, 2nd will...
@jribeiro1792 · 1 year ago
@@christianlempa That's great!!! It's my own hole, so fine!!! :))))) Unfortunately my IP address is not public, so I can't use any port forwarding solutions. Thanks a lot for your reply
@vidx9 · 1 year ago
"... customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2." - Cloudflare's blog. That is for the removal of section 2.8 in the Cloudflare Terms of Service, which essentially means nothing to most people unless you are paying to use their services.
@MyAnimeForLife
@MyAnimeForLife 10 months ago
Can you point out some other options similar to Cloudflare Tunnel which offer similar services?
@linuxbasics7060
@linuxbasics7060 1 year ago
Can you do a video on pfSense or something similar, and how we would go about securing our home lab?
@tester246
@tester246 5 months ago
What about Cloudflare Zero Trust with WARP? Would that be better than tunnels?
@JaysScript
@JaysScript 3 months ago
Okay, what other option do we have for game servers? Great video btw
@szymex22
@szymex22 1 year ago
Another thing I would like to mention that most YouTubers don't is that if you are using Cloudflare, you should set up DNS overrides on your DNS server on your LAN, so that traffic doesn't go through Cloudflare and works offline when you are just accessing it from the LAN.
@jayzn1931
@jayzn1931 10 months ago
How do you do that? And if you use something like Pi-hole, is this still a concern, or especially then?
@szymex22
@szymex22 10 months ago
@@jayzn1931 Pi-hole is the DNS server I used; just add the address of the website and the server IP under Local DNS.
@damiendye6623
@damiendye6623 6 months ago
@@jayzn1931 Google "split DNS".
@jerbear0348
@jerbear0348 1 year ago
I use their WARP client. I added my local subdomain in the local domain fallback to route those requests to my bind9 DNS, and I then have A and CNAME records that send those requests to Traefik. Traefik serves SSL certs using Let's Encrypt; that way I get SSL certs both locally and remotely using Traefik and the WARP client. For me, my biggest concern was opening ports in my firewall. Until I can find a better solution it's perfect 👌.
@francoismartineau2519
@francoismartineau2519 4 months ago
A few hours after setting up a Cloudflare tunnel, Windows Defender found a threat. It usually never does. On top of disabling the tunnel and removing the threat, do you have suggestions to fix my problem?
@szymonagiewka4513
@szymonagiewka4513 1 year ago
Today they posted on Cloudflare Blog: "Goodbye, section 2.8 and hello to Cloudflare’s new terms of service". This is part of their Developer Week announcement. You need their services like Stream to serve video though.
@YoRaulAndrei
@YoRaulAndrei 3 months ago
Is there any possibility to expose TCP or SSH over Cloudflare Tunnel?
@ericesev
@ericesev 10 months ago
I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable. I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.
@romandrajer6609
@romandrajer6609 1 year ago
Hey Christian. Can you make a video about the Twingate service?
@user-ve9kt1ee5u
@user-ve9kt1ee5u 27 days ago
Simple: put the Cloudflare tunnel in a dedicated VLAN, so you can still control the connection to your internal IPs.
@alexandragroza2611
@alexandragroza2611 9 months ago
Brilliant!
@christianlempa
@christianlempa 9 months ago
Thanks
@MyAeroMove
@MyAeroMove 1 year ago
Any luck with publishing SSH via Cloudflare? I tried a couple of months ago and it was simply not publishing anything. Any link to a video guide will be much appreciated.
@thomasvdalen
@thomasvdalen 4 months ago
Exactly the video I was searching for!!! Thanks a lot for making this, and everything you say totally makes sense!
@christianlempa
@christianlempa 4 months ago
Thank you so much :)