Access Your Self Hosted Services WITHOUT Port Forwarding

With regards to routing streaming services like Plex, Emby, Jellyfin, etc., here is the portion of CloudFlare's TOS that covers it:
www.cloudflare.com/terms/#:~:text=2.8%20Limitation%20on%20Serving%20Non%2DHTML%20Content
I'm trying to get more information about what service(s) need to be purchased as to not break TOS with CloudFlare.

A note for those doing this fresh, cloudflare takes up to 24 hours (or more) to verify new domain names, and during this time you will NOT be able to set up a self-hosted application. However you can do the rest of the instructions.
Also if you use portainer the docker run command will show up if you run it in the host machine of portainer, so just do that. Trying to make a docker compose for this that exposed the right network correctly was a nightmare for me :D

Great Video! Thank you for sharing!

I like to know how use a path like db3tech/path, i tried simple put in public hostname setup but gives me 404 error

Can I use cloudflare tunneling with plex media server?

I've been banging my head to overcome this with wireguard for days, then I reach this video and make it work within 5~10 minutes... Great job and THANK YOU!

Great video David, thanks
Quick question: What to do with the services that need certificates to work, example adguardhome, since now that you have removed the cloudflare dns record, they cannot be requested by NPM.
Thank you.

Thank you very much! This is what I was looking for, as I was always a little uncomfortable opening ports in my router. Despite using NPM, Fail2Ban and other helpers. Thank you for your effort!

Hey David! I got this working.. kind of. All my devices keep sending IPv6 addresses, so just putting my IPv4 in like you did at 13:10 doesn't work for me, it returns the access forbidden page. The tunnel works, but I have to keep adding new v6 addresses to the policy every time my PC or phone decides to change or add a new one. Any way to "prefer using IPv4"? My v4 hardly ever changes.

Excellent video. One question though - CloudFlare has a container that let's them know if your home ID has changed, so that they can always point the domain to the correct server IP.
Is it possible to use that mechanism to restrict access to your sites to whatever is the current IP address that your ISP has given you?

I'm not sure about this under their tos.
"you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services."
The problem with this, is they can claim all your content necessary to provide service.

I'm trying to configure cloudflare zero trust with traefik, and I can't manage. Did someone manage? If so, which address is pointing the tunnel to, as no ports are exposed? On the other hand, with nginx I have no problems.

Hi sir, I'm building a TrueNAS right now. I'm not really good at this networking thingy. Right now, I do have NGINX Proxy Manager (for nextcloud) set up. So if I decided to use Cloudflare Tunnel, I don't need NPM anymore? I can just connect cloudflare to docker and point it to portainer which contains nextcloud, some web project? Thank you in advance

I'm trying to do this on unraid and everything gets set up but I keep getting a bad gateway error and the log says: "ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509" Can't seem to figure this out.

I already had my domain on cloud flare and I’ve been dreading setting up a reverse proxy and integrating to the CF proxy for just a home assistant instance. This was the answer I didn’t know existed!! Thank you!!!!

Thank you for this awesome tutorial! I just have a question - does this eliminate the need for nginx proxy manager totally?

I have been using this solution for just over a month now, and it works perfectly. However, how do you update the docker containers to the latest cloudflared version?
My containers are all complaingin they are running on an old version. How about a tuiturial on that :) ?

The amount of giddy I got when I accessed my self hosted stuff after disabling port forwarding... hoah yeah. HEH!
THANK YOU!

This exactly the type of solution I have been looking for! Thanks!

how about dynamic ip ? with this method the ip will be autoupdated ?
EDIT:
Worked fine with dynamic ip, i suggest to install the cloudflared docker on vm or lxc that contain Portainer, it will automatically show on portainer dashboard and it's easy to stop & restart it

Hey DBTech, really appreciate all you do for our community! Your channel was one of the main reasons that inspired me to become a content provider. Thank you for everything!

Got this working for Unraid web GUI. But how to configure for nextcloud docker as its showing bad gateway?

This is a fantastic and thoughtful guide. I set out to do exactly this on a Raspberry Pi and your instructions worked flawlessly. Thank you for posting this!

"Once you've got your domain setup and ready to go"
well I DON'T have it setup and ready to go, and I DON'T KNOW how to set it up.
So the rest of this video is useless :(
Thanks anyway.

Hi, I have followed this method. Hosting OMV on RPi 4. But only http tunnels are working. SMB is not working. SSH is working if it is browser rendered. Not working in SSH client. Please help. I have spent lots of hours but couldn't figure out. Please show how to tunnel SMB.

Cloudflare .... If you do not need video or photo thransfering from/to your site true it its ok but ... but there is limits and pretty Hard to find ind license agreements you must agree with ... so i prefer another more transparent services...

hey thanks for this awsome video
i really like this setup a lot
currently iam trying to setup some authorization method to secure my service/pages from others
for my old setup i used in NPM http-basic (simple and quick)
but this doesn't really work for cloudflare, so my idea was to use something like keycloak as Identity Provider which i can setup in cloudflare and keycloak itself is running as a docker container also
but right now i am kinda stuck, i only get the auth selection screen shown from cloudflare and no keycloak login screen
even tried SAML (guide from cloudflare itself) and OIDC
maybe you or someone else has any idea how to get this setup working that would be awesome

This is great! I can now access all of my HTTP services through Cloudflare tunnel, however, I am having issues with Wireguard. Is it possible to connect to my wireguard server through a Cloudflare tunnel? If so I haven't gotten it to work yet. :/

doesnt this break TOS? Is there a way to use this service without breaking TOS?

Things like this is exactly why I love cloudflare

is it free ? Becose it say it free and it ask for ccv or PayPal ?? Thx.

Great video David, thanks
Quick question: Does anyone have any issue when UFW is enabled ?
(Digitalocean's Docker instance works flawlessly without UFW enabled, but cannot access with UFW enabled)
Thank you.

I have followed this guide to share my Jellyfin server, but the download speed from the tunnel cap at 300KBps, streaming 1080p videos is always buffering every 1 sec

Hi can you make a tutorial how to connect ssh using cloudflare without opening ports?

Greetings my fellow Canadian ! It seems that every time I restart my computer, I lose the the data. How could I make it "persistent." If that's the correct term?,

When I want to install by the command from the Cloudflare, it says "docker: no matching manifest for linux/arm/v8 in the manifest list entries." :(

Could this be used to remotely view/access cctv nvr?

Hey, this video is fantastic! Although, I’m just wanting to make sure, with this process, you can for a fact access your media from outside of your home network.
For example, if my home server was located in California, and I went to New York, could I still access my media through the domain?
Another question I have is, can this be used for Jellyfin? If not, what’s the reasoning?

I just installed a fresh install on my RPI 4 B 2022-04-04-raspios-bullseye-arm64.img.xz . But when I go to install cloudflare/cloudflared:latest I get docker: no matching manifest for linux/arm/v7. Can you help??

Nice Cloudfare 💙😎🤘
However can I access not just the domain but my home computer without having to port forward...this seems like it's only for the domain itself and not your device...is it possible without port forwarding and SSHing ???

Thank you for all of your work…your videos have been such a help in getting my home nas running well. This video is extremely welcomed as I’d like to not forward any ports if possible. Ill definitely be trying this out….Can i use a synology domain name?

So I learned to use nginx for nothing! Great find. Any benefits to using this method over nginx? Or is it just not needing any ports open?

When trying to deploy I get Unable to find image 'cloudflare/cloudflared:latest' locally> Any thoughts or suggestions?

Can you make a video to access Windows via RDP using cloudflare tunnel? I have installed it on Windows 10 but not able to RDP.

Great video, thanks! I am using DNS Made Easy as my name server. Do I need to switch to Cloudflare DNS for the tunnels to work or can keep my existing NS?

do you know how to set it up with support for websocket?

is there any tuts for docker/portainer?

Ive followed this a few times yet always come to the same Error 502 bad gateway. Showing browser and cloudflare working but the host is not. Any thoughts on what the cause might be?

why returns " no matching manifest for linux/arm/v7 in the manifest list entries"
What can I do to solve it. I am trying in a pi.

I could not install Zero Trust because I don't have a craditcard (even though the option is free). does anyone have other options?

How can I check the url is running on tunnel?

does it automatically updates the IP address of home server, if internet provider uses dynamic IP address?

I'm using a windows 11 box. You are showing container list but you don't show how to get there. I have no idea where to go from here.

Would this work with the domain name provided by TPLink Deco?

Thank you for the video. I followed the instructions (have Ubuntu 20.04 with Portainer) but when I try to access the public URL I keep getting "Bad Request - Error code 502). Can you let me know how to debug this? I can access these locally and through NPM but accessing through tunnels is throwing up error.
The page image depicts: You Browser (working) --> Newark Cloudfare (working) --> My domain Host (not working)

Hello DB Tech, I really hope you can help me out, since i'm struggeling for a week now to get it done.
I'm running a proxmox server, where i have home assistant running in a VM (HAOS). In a LXC container i'm running nginx proxy manager, witch i'm trying to setup with a argo tunnel from cloudflare. I tried many ways, tried to setup docker swag, tried to setup a tunnel myself with all the info i could find on the web, but i don't get it to work. Everytime i get dnsprobe errors or to many redirections error. Anyway, i can't seem to make nginx proxy manager host my subdomains thru a argo tunnel. I really hope you can make a video on how to set it up, it would greatly help me out! Thanks in advance!

very cool @DBTechYT !!
Do you (or anyone else) know is this also works with running your app inside Kubernetes? Would you need to expose the cloudflare agent or your app with a ClusterIP or NodePort?

First - Excellent RUclips Channel. Did you really quick your day job to do RUclips? Kudos to your vidio editor too. 🙂 My question is. I currently expose a random port on my firewall and then use Cloudflare Origin rule to rewrite 443 to the random rule that I have open on my firewall - then port Forward from random port to 443 to my Nginx proxy server. And now for the question. With CloudflarD Tunnels, do I still need Nginx? Cuz the last two times I installed this on my Docker it broke my RPI. Thank you and keep up the good work.
Chris

Can you make a video how to use cloudflare zero trust tunnel with nginx and authelia?

Hi sir
I have an hp server installed windows server on it. I’m using some applications that users can connect to those through port forwarding. Im interesting to know whether I can use your method instead of port forwarding for my apps or this way is special for cloud based servers?

david your video is a blast bro thnaks! i have cgnat that's why I have contracted a vps with a wireguard vpn and a nginx to acces my (high videos traffic) wordpress´s and bitwarden and other stuffs... do you think this solution (free or paid) could be for me? or better than solution currently i got? or are there any kind of bandwidth limit or something bad for services of "high traffic"? hope your answer please

QQ. After setting up the docker container and making the connection with cloudflare, how can maintain running? If I ctrl+c out of the 'docker run . . .' in the terminal, the connection servers and am unable to use the tunnel anymore

do i need to do https when the pad lock is working? pros cons? how to do it as https and disable TLS 1.0

Hi There, if is possible use Cloudflared and TVHeadend Streams ?

I successfully set up a tunnel. The only issue I have is that it redirects to my domain with the port number shown. I can't seem to find any information on this. Any ideas?

Great Stuff - I will try it on my Pi first then I want to add it to my contabo vps. For that I wonder if I added FW to block all trafic will it still let the Cloudflare access tunnel through?

wordpress worked like a charm but nextcloud was having issues. so I had to resort back to NGINX

Hi, Me again :)
Do you know if i Cloudflare Tunnel will allow to set up subdomains for different local IPs instead of being one Docker IP.
Example, i would like to have DOMAIN pointed to local_ip_1 but subdomain like plex (dot) domain or cloud (dot) domain to point to local_ip_2

I'm sure I'm missing something obvious, but what do I need to do so that it will auto-start? I think I need to add the restart policy, but I'm not sure where I add it in the copy/paste I get from cloudflare. Any ideas? --restart unless-stopped

thanx for the Video! how can i tunnel "rustdesk" it needs a lot of Ports 21115-21119? any idea?

hey what's up dawg, your public ip is showing on the video.

Will this work with Kasm?

Great video, can you please show how to setup and use RDP with cloudflare zero trust. Thanks

is there any service can use for VPN ? like accessing HomeLab server using VPN without port forwading ?

I was about to deploy Cldflr tunneling for my services and specially that email authentication will come in handy. Thx.
Ps. Is it just me that seeing monitors so high I hope your neck won't break😉

Are you still using Nginx-Proxy-Manager with this solution, or does this solution eliminate the need for that component? My other question is do you have a separate cloudflare tunnel for each server where you have services that are exposed to the internet?

Port forwarding is an inconvenient mess. I still can't believe we are doing port forwarding in 2022.

The only issue i can see using this is if you decide to use it for remote access to a plex/jelly server as from what I read it is against TOS they have

I’m on cgnat, can cloudflare tunnels allow hosting a vpn access? I can’t figure it out.

Got it to work. Wanted to know how I would get this working with Authelia?

I love this tutorial. Absolutely brilliant!!
I spent the afternoon moving from NGINX to this service and switched off my port forwarding, which should lower and decrease my attack vector.
Thanks again!

Hey buddy, I’m going back to this video to see if there was a hint on how to host all applications using one tunnel. I had to instal 6 different containers to host each one of my dockers without open ports. It’s possible that you can point me on what I have to do to just use one instead of a separate one per application. Thank you.

I’ve sent this to so many people since starlink became available in our area. Have you ever considered a video targeting CG-Nat especially Starlink and fixed wireless internet?

Most important video you've done in a while. Just wish Cloudflare didn't have a monopoly on literally everything like this.

@DBTech if this feature is enable do you still use authelia?

Great video David! Can you do a video with Jellyfin on OMV6 in a cloudflare tunnel with all the paths?

Does this method still require SSL certificates being created? Im pretty new to this stuff.

Hi do you have to put the couldflare into the directory folder as your docker for your website ?

I really enjoy your videos - always cover the things most relevant to my interests!

So.. with these tunnels, could you tunnel into an Nginx Proxy and maintain all the SSL Certificates?
I am administrating a server at my Brother's house remotely (900 miles away), and he wants NextCloud. His internet is on Starlink, and they don't have any way to port forward. I tried to get SSL's to work over SSH tunnels maintained by the autossh docker image (which is how I remotely access his server), but I couldn't get it to work. If I could get reliable remote access for him, then I could open up a bunch of different services that he could use.

I'm a bit late to the party, but what options (Cloudflare or not) are available to pass through IMAP and SMTP ports?

Wonderful ... So well explained 😀✌... Thanks a lot 🙏.

Would this work to access VMs? Either over noVNC or the Spice protocol?

Great video! Can you also do this for a SQL Server?

Even with the help of this video, i still have trouble setting this up.
I can only get the / path to work. Anytime i add a path after the domain it returns a 404.
Also, i don't understand what the application is exactly. Why do we both add a Tunnel AND an application? Should applications just be considered a firewall, and tunnel considered an app?

rispek

quick question! you added the port 6999 for specific service on the same docker instance where cloudflare container is running. what if I want to use another VM with different IP and port (in my case homeassistant ip x.x.x.20:81234)?

Thank you for your content. Its really helpful and to the point no filler. I have a question for you. I was able to follow your tutorial on setting up the tunnel but I can make post requests to my url. I have tried to figure it out with no luck. Do you have a video or recommendation to fix this? Thank you.

This is amazing. Will certainly be trying it out. Is there a way the allowed IP can automatically be updated, as I don't have a fixed IP with my ISP. Thanks

For the sake of argument I’ll assume the port forwarding was for a reverse proxy. Assuming that, would this tunneling scenario take the place of a reverse proxy?