I think it’s important to note that cloudflare tunnels have limitations. For exemple if you plan to use this to access stuff that require large file transfers like nextcloud, cloudflare tunnels are limited to 100mb per file.
Thank you for this info.. that adds a lot of doubt into the mix for if I want to use it. I have large photos, videos and PDF documents that exceed 100MB Maybe Cloudflare wants a client to upgrade to get a higher threshold on the file sizes?
Also see section 2.8 of the terms. "Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service."
I think this is false information, Cloudflare TOS only refers to non HTML content.The 100mb limit is per connection and not per file. You can have multiple connections... I can upload 10G files just fine
No hard limit, but it's at their discretion for free accounts. "Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service" www.cloudflare.com/terms/
I've been using this service for 2-3 months and I love it. Easy setup and it works very well. I'm stuck behind CG-NAT making self-hosting difficult, but Cloudflare tunnels have made life much easier.
I started using this to have my college labs accessible when out of home. Making code changes real time and see them implemented makes life a lot easier.
This is why I love this channel - first time I hear of the TLS intercept, which is okay, but you have to be aware of this. None of the other pointed this iirc...
thanks so much for your detailed videos - I have been struggling since last couple of days to fix the cloudflare tunneling problem with my docker container and continuously watching videos on youtube. But your video help me to resolve the issue, thanks again.
Excellent video, very easy to follow and I have now restructured my remote connections using cloudflare tunnels and added another layer of security.Thanks!!! One thing I noticed when testing though was that I needed to set the email rules to 'Require' rather than 'Include' for the restrictions to work as described in the video.
A few things to note: end-to-end encryption can be achieved by specifying a trusted CA and an expected hostname within the cloudflare zero trust dashboard. Also, docker isolated networks are a MUST if you're going to host other containers/services that you don't want exposed to the internet
Can you maybe please elaborate in more detail how to achieve end-to-end encryption? Unfortunaly I cant post links, but googling said it works with enterprise accounts...
@@nixxblikka So I self host my own PKI, and in the Zero Trust panel, I specify the location on the internet where cloudflare can pull the CA cert from, and then specify the host name that cloudflare expects from the certificate
@@malachis1447 The only thing I found in the docs was how to "deploy a custom certificate" which encrypts the connection between the end user and the cloudflare gateway with your own cert (and only on enterprise plans). Perhaps yare are talking about something else as the "deploy a custom certificate" doesn't prevent cloudflare from reading your data (the man in the middle issue). Can you be more specific on how you set things up to get true end to end encryption (no man in the middle concern)?
@@Zeric1 the only place that you're "deploying a custom certificate" is internally, in the webserver in your network that you want cloudflare tunnels to connect to (something like a self signed certificate that cloudflare will trust the CA and specific hostname, once you've specified that setting in Cloudflare Zero Trust). Externally (for the end user), the certificate still says Cloudflare
I'd love to see you run your ssh connections through a tunnel. I've only managed to do it with their in-browser ssh client, and not through a remote terminal.
This service is brilliant, I had superficially seen something about it, but I hadn't tested it yet, now with this video, I'm going to try to implement it in some personal project to test it and see if it fits in some current or future project!
It's hilarious how many times in the past year I've search this up to bypass ISP port blocking, and still haven't done it... maybe this will be the recemented video that makes me implement it.
Hi Tom. Thanks for this great content! I successfully use CF tunnels to expose home services a good while. Using "Applications Policies" in conjunction with "Access Groups" give me a granular way to lock down certain services to special groups of users or devices (by country, ip-address ranges, e-mail addr). Using special "identity provider"s for certain applications provides more flexibility also. The use tunnels depends a lot of "trusting" CF. Controlling the SSL-endpoints is a real responsibility for CF. Hope that CF never suffers a data breach or use our data for their own purposes. Than the "shit hits the fan"... A good an successful year 2023 for everybody! See you next year (in 1 day) 😀
Great video Lawrence! I self host Guacamole and have a custom domain pointing to it, but I think adding the extra security layer Cloudflare offers is a good idea.
all good thanks for cover it step by step. I discover also that you can combine tailscale network and cloudflare tunnel to host something that isn't on the same network
Thank you Tom, very informative. One point I missed is - how to handle HTTPS certificates and if clouldflare can handle more sophisticated URL manipulations (rewriting)? I'm trying to understand if this could replace also my reverse proxy. I wish all best in 2023🎉😊
Awesome video Lawrence, you got me out of a pickle, unfortunately, I followed another youtuber's video, but he failed to provide one very important detail regarding TLS verification..! Thanks
Also, folks should consider setting memory limits on their Docker containers in case one runs wild and starts using up all the RAM on the docker host. It helps prevent problems down the road.
@skorpion1298 Never used it tbh will need to learn it as well how to make my setup of docker compose files work without any issues. I simply used commands as well the Synology GUI of docker.
I’ve experienced the same DNS “bug” when deleting a tunnel and needed to manually delete the DNS entry to reuse the subdomain when I started setting things up and testing. However, later when I set up different tunnels and eventually deleted them after testing, the DNS entry was deleted with the tunnel. So it hasn’t been a consistent bug for me, and may be related to the process taken when deleting.
awsome. I saw it elsewhere, but not seen the additional security layer. there is only the risk that cloud flare going for the free security to paid in some years.
Damn… I already thought I must have a look at Cloudflare Zero Trust Platform, but still havent come around doing so. Thanks to this video, I now know I DEFINETILEY need to have a look at as soon as possible…
Can confirm this works well on a Raspberry Pi with the Debian Buster ARM 32-bit package 🙂 Can now access NUT UPS monitoring to see more detail of what is going on when I receive the dreaded email to say my UPS is on battery. It wasn't something I wanted to publicly expose and can't anyway due to my ISPs CG-NAT.
Hey there. Not sure if you’ve figured out the bug already, but in case you haven’t. When you create a new public hostname, it’s actually creating a new CNAME entry in your DNS records. When you delete a tunnel before the hostname, you just need to go delete the DNS entry manually before you can recreate one of the same name. Deleting the public hostname “correctly” simply removes the DNS entry for you. Hope this helps!
Lawrence, I tried what you did with uptime-kuma, but Cloudflare treated it as an http URL. It doesn't wrap it in https for me the way it did for you. The TLS tab doesn't appear when I set the target service for http. What might I be missing? Thanks.
I'll have to give this a try. I actually had to solve this exact problem for a server I was building last year. I ended up using zerotier sdn connecting the homelab vm's to a droplet with a public IP, and using ipforwarding and ipchain to build a frontend for it. the droplet has the ssl cert, and dns records pointing to it. It follows the iptables rules to forward specific traffic over the zerotier virtual network to the local vm's and back.
I encountered that small nuance of not being able to adding back/renaming to a hostname that I had previously used. When you create/add a Public Hostname under Tunnel it creates a new CNAME in your DNS, and this doesn't get automatically deleted probably more of a safety feature since DNS propagation usually takes time. Delete the CNAME entry and you can go about the rest of the day.
Would you still recommend putting the daemon in a DMZ of sorts, and filtering/monitoring the traffic from the cloudflared daemon to the internal app(s) through a NGFW?
Seems that UDP is also a supported service on the Cloudflare Tunnel so technically, you can use the tunnel to manage your Unifi setup AND have the inform URL set to point to it. Has anyone given this a go?
Cloudflare tunnels, this is the way. Also the Web Application Firewall (WAF) they offer for free only adds additinal layers of security. You can make firewall rules to block traffic before it ever hits your network/servers/applications.
Many thanks. Will certainly be looking at this and interesting you referenced it re Bitwarden which is one of my potential use cases. Originally I was going to do bitwarden self hosted with vpn. Cisco CBD build to be done next week too.
It occurs to me that this might be a way to "expose" my webserver to fellow residents of the retirement village I live in and build a community portal. I'm behind a double NAT and I'm running WordPress on IIS (because I know IIS...). Thoughts on using Cloudflare Tunnels for this purpose?
Excellent demo! Question do they offer an agent that would enable private tunnel access with 2fa? This way you could enable access to all containers with a wildcard and not expose all the names in public dns,
I do use it from before it changed of name. It was in beta, right now why it is free it is for gaining clients also if they do updates it is on the free before as if it broke the payed clients wont get the error as they will correct the error before. I used it for years as I am hosting at home on DHCP from my ISP and with it changing IP wont do me any thing. It is super repliable, safe and easy to configure.
That looks really interesting, I'm currently using wireguard on pfsense, but I'll definitely have a play with that. As always, thanks for your excellent videos.
This works with other internal thing. Like my deluge client. but with nextcloud I can't get it to work. I've added the correct ip's in the config.php allowed list. But nothing ever shows. Any ideas ?
Hello, this is a great video and convinced me to use Cloudflare Tunnels instead of reverse proxy. A question though: is there a possibility to add wildcards? I want to run a Wordpress Multisite but dont want to log in to Cloudflare and add another tunnel every time I add a new site. Also, if there are issues removing a tunnel I may have to rethink this.
Hi you are great!! it's possible protect the tunnel access with mutual tls for authenticated the clients? because the apps behind the tunnel has auth. like a "MFA" cert + user + pwd
I am wondering what could be the potential Performance of those tunnels, packet per second etc. Also how could I make them Highly Available mode, Option1 k8sbut again some many options can I run them in replica set. The intention would be complete firewall / load-balancer replacement for large busy websites. What are your thoughts based on my comments?
Hi Lawrence, thanks for your video. A question on a detail. I've installed Portainer and set a Cloudlare tunnel with Docker. When I go to the cloudflare container, to check the logs as you do, mines are empty. Which doesn't seem normal. Should I do something to make these logs visible? thanks
Great video, thank you very much - earned a new Subscriber here! Couple of questions: 1. Following on from your last video, I decided to ditch lastpass and am now hosting my own BitWarden, but would like to add another level of security when not going to the url from my home (which I have managed), but the sync in the app does not connect due to the Application Policy, is there a workaround to make this more secure? 2. I have a dynamic IP address at home and would like to make sure the IP in the application policy updates - is there a way to do this? Thanks and keep the great videos coming!
Great video again, appreciated! Someone already asked the question but so far I've not seen a response to it. How would these Cloudflare tunnels compare to other popular solutions nowadays such as Tailscale or Zerotier? Any views on that you want to share Tom?
@Nonkel: Main difference: With Tailscale / Zerotier the end point needs to be setup, here you do expose a servive to the internet, they great advantage: you do benefit from all security cloudflare provides, compared to a (mis)configured firewall at home. however without the shown security layer from Tom, you need to trust the implementation and setup with the client. Also too: The fact CF can intercept all traffic is a downside for me. Apart from media streaming I wouldnt know, what I want to share with them... although someone above explained to achieve real end2end (by pointing to a CA i think)
I get an error at 11:33. Clicking the "public hostname" doesn't work, however, navigating to the "service" URL works as intended. Any pointers would be greatly appreciated! Thank you!
I get the tunnel part up and it says healthy... and if I go to Plex on my server's side... it lets me connect the Remote Access to the Internet.. ...but when I try to access that tunnel/host, i get a Cloudflare error page saying that my tunnel is ok, and it's broken from my domain to the host. I dont get it. How can I make the connections then? (like from Plex's Remote Access page) I feel like I'm missing one small part, and it's frustrating as hell.
Can you please provide some details on your video camera/mic setup? Video and audio are A+ [If I was to guess, Blackmagic 6K]. Do you edit with After-Effects/Premier Pro or something like DaVinci? Thanks! - big fan from neighborly ann arbor :)
What about the data transferred via client tunnel? E.g. What if I transfer a large amount of data through my application? Is there any additional payment for this?
Hey Lawrence, just wondering if you've tried the client configuration option (versus configuring on the zero-trust dashboard). I suspect you'll find this more helpful and it may also address the "bug" you mentioned in the video (at end).
do keep in mind you do not have to use Cloudflare to have a secure Bitwarden instance, but it sure does make it easy. If you're not comfortable being MiTM'd by Cloudflare then there are other options.
@@sebas0469 ModSecurity is a really good option for securing websites, but it's a bit difficult to use. CrowdSec is another great option which works really well with ModSecurity.
Great video ! I set policies to "email" for each of my services. Is it a bug that once I succesfully accessed one service using the emailed PIN, I can then access all of the other services on the same tunnel without being challenged for an email PIN ? Or does the browser store a cookie allowing access to all services once I have successfully accessed one of them ? If I set a different email address for each service then this "bulk authorisation" disappears. I found that setting the "session duration" to "no duration" prevents this behaviour.
you should add or make note that the vm you made must be able to access resources. I had a firewall blocking my vm from accessing resources on different vlan from where i had tunner hosted
I am trying to create a tunnel for Kavita but when I put the local URL at the Route Traffic for "TunnelName" it says URL is required despite me putting a URL into that spot. I've confirmed the service is running, and the URL is correct.
Hey Tom, love your videos. I'm trying to understand who CF tunnels is a good use case for? At the end of the day, CF tunnels essentially moves the "firewall" from the customer's datacenter to CF. The application security and group based access rules etc. kind of just replaces a SSLVPN client and firewall rules. What I'm saying is CF tunnels is basically the same concept as a firewall and SSLVPN client from any firewall vendor. A business hosting services, will need a firewall anyways at the end of the day, so isn't CF tunnels just an additional expense? I think CF tunnels may be easier to configure for the average person but modern FW rules aren't too complicated. The one benefit I do see is DDOS protection. CF tunnels definitely wins in that regard. Again, not trying to be rude or anything, I'm just wondering if using CF tunnels is actually worth it. In my opinion everything CF tunnels can do can be accomplished with a properly configured FW and a VPN client (besides DDOS protection)
I created vlan on pfsense then connected cloudflare on vm with vlan, but I want to control it thru pfsense for example to use wan or lan ip, what am I missing
Very informative. That extra layer of security was exactly what I was looking for
I think it’s important to note that cloudflare tunnels have limitations. For exemple if you plan to use this to access stuff that require large file transfers like nextcloud, cloudflare tunnels are limited to 100mb per file.
Thank you for this info.. that adds a lot of doubt into the mix for if I want to use it. I have large photos, videos and PDF documents that exceed 100MB Maybe Cloudflare wants a client to upgrade to get a higher threshold on the file sizes?
Also see section 2.8 of the terms. "Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service."
I think this is false information, Cloudflare TOS only refers to non HTML content.The 100mb limit is per connection and not per file. You can have multiple connections... I can upload 10G files just fine
I don't see that in their documentation developers.cloudflare.com/cloudflare-one/account-limits/
No hard limit, but it's at their discretion for free accounts.
"Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service"
www.cloudflare.com/terms/
I've been using this service for 2-3 months and I love it. Easy setup and it works very well. I'm stuck behind CG-NAT making self-hosting difficult, but Cloudflare tunnels have made life much easier.
This was so helpful. I was having issue on the self signed certificate validation and finally got it working!
I started using this to have my college labs accessible when out of home.
Making code changes real time and see them implemented makes life a lot easier.
Could you please share with me how you did that on windows?
@@Dotcomtipsandtricks let me compose something later today and share it with you once done, but will for sure provide help!
You never fail to give me practical new information on new systems. Thanks 😀
This is why I love this channel - first time I hear of the TLS intercept, which is okay, but you have to be aware of this. None of the other pointed this iirc...
thanks so much for your detailed videos - I have been struggling since last couple of days to fix the cloudflare tunneling problem with my docker container and continuously watching videos on youtube. But your video help me to resolve the issue, thanks again.
Excellent video, very easy to follow and I have now restructured my remote connections using cloudflare tunnels and added another layer of security.Thanks!!!
One thing I noticed when testing though was that I needed to set the email rules to 'Require' rather than 'Include' for the restrictions to work as described in the video.
It won't let me save with required rule unless include rule is also present.
need both
How to transfer or copy/paste windows files/directories to novnc servers?
A few things to note: end-to-end encryption can be achieved by specifying a trusted CA and an expected hostname within the cloudflare zero trust dashboard.
Also, docker isolated networks are a MUST if you're going to host other containers/services that you don't want exposed to the internet
Can you maybe please elaborate in more detail how to achieve end-to-end encryption? Unfortunaly I cant post links, but googling said it works with enterprise accounts...
Which CA is best bang for buck? Verisign, GoDaddy, Digicert? Any other?
@@nixxblikka So I self host my own PKI, and in the Zero Trust panel, I specify the location on the internet where cloudflare can pull the CA cert from, and then specify the host name that cloudflare expects from the certificate
@@malachis1447 The only thing I found in the docs was how to "deploy a custom certificate" which encrypts the connection between the end user and the cloudflare gateway with your own cert (and only on enterprise plans). Perhaps yare are talking about something else as the "deploy a custom certificate" doesn't prevent cloudflare from reading your data (the man in the middle issue). Can you be more specific on how you set things up to get true end to end encryption (no man in the middle concern)?
@@Zeric1 the only place that you're "deploying a custom certificate" is internally, in the webserver in your network that you want cloudflare tunnels to connect to (something like a self signed certificate that cloudflare will trust the CA and specific hostname, once you've specified that setting in Cloudflare Zero Trust). Externally (for the end user), the certificate still says Cloudflare
I'd love to see you run your ssh connections through a tunnel. I've only managed to do it with their in-browser ssh client, and not through a remote terminal.
Excellent - as is your usual standard. Thank you.
With the 'bug' you mentioned at the end, you can go to your DNS settings in cloudflare, and delete the subdomain forward manually
Very good intro to bring awareness around who you bring into the trustcircle
This service is brilliant, I had superficially seen something about it, but I hadn't tested it yet, now with this video, I'm going to try to implement it in some personal project to test it and see if it fits in some current or future project!
It's hilarious how many times in the past year I've search this up to bypass ISP port blocking, and still haven't done it... maybe this will be the recemented video that makes me implement it.
It works... i self host my webpage and other services and no problems...
thank god for u, everyone missed the tls setting
@Tom thank you for this.. you solved my issue.. I wasn't activating the "No TLS Verify" so it wasn't working..
Hi Tom. Thanks for this great content! I successfully use CF tunnels to expose home services a good while. Using "Applications Policies" in conjunction with "Access Groups" give me a granular way to lock down certain services to special groups of users or devices (by country, ip-address ranges, e-mail addr). Using special "identity provider"s for certain applications provides more flexibility also. The use tunnels depends a lot of "trusting" CF. Controlling the SSL-endpoints is a real responsibility for CF. Hope that CF never suffers a data breach or use our data for their own purposes. Than the "shit hits the fan"... A good an successful year 2023 for everybody! See you next year (in 1 day) 😀
Great video Lawrence! I self host Guacamole and have a custom domain pointing to it, but I think adding the extra security layer Cloudflare offers is a good idea.
I’ve done the exact same thing for our MeshCentral instance.
If you go into your DNS settings in cloud flare for that domain you can remove them manually if you do it backwards.
all good thanks for cover it step by step.
I discover also that you can combine tailscale network and cloudflare tunnel to host something that isn't on the same network
Thank you Tom, very informative. One point I missed is - how to handle HTTPS certificates and if clouldflare can handle more sophisticated URL manipulations (rewriting)? I'm trying to understand if this could replace also my reverse proxy. I wish all best in 2023🎉😊
This is one of those awesome tools similar to ZeroTier One that once you hear about them you are super glad you know exist!
Awesome video Lawrence, you got me out of a pickle, unfortunately, I followed another youtuber's video, but he failed to provide one very important detail regarding TLS verification..! Thanks
Thank you Lawrence for the videos, please upload more Cloudflare tutorials. great content
Also, folks should consider setting memory limits on their Docker containers in case one runs wild and starts using up all the RAM on the docker host. It helps prevent problems down the road.
How do you add limits on each docket container or how to add it in a docker compose file?
@@sebas0469 use portainer. It’s super easy with it.
@skorpion1298 Never used it tbh will need to learn it as well how to make my setup of docker compose files work without any issues.
I simply used commands as well the Synology GUI of docker.
@@sebas0469 afaik you can also use compose files or commands in portainer. It’s pretty easy and there are plenty of tutorials out there :)
I’ve experienced the same DNS “bug” when deleting a tunnel and needed to manually delete the DNS entry to reuse the subdomain when I started setting things up and testing. However, later when I set up different tunnels and eventually deleted them after testing, the DNS entry was deleted with the tunnel. So it hasn’t been a consistent bug for me, and may be related to the process taken when deleting.
Same experience here... just deleted the dns and that's it
awsome. I saw it elsewhere, but not seen the additional security layer. there is only the risk that cloud flare going for the free security to paid in some years.
Best and most secure option to exposé internal services to the internet - and one that works with a cgnat, too 👍 Thanks for the video 😁
Damn… I already thought I must have a look at Cloudflare Zero Trust Platform, but still havent come around doing so. Thanks to this video, I now know I DEFINETILEY need to have a look at as soon as possible…
Can confirm this works well on a Raspberry Pi with the Debian Buster ARM 32-bit package 🙂 Can now access NUT UPS monitoring to see more detail of what is going on when I receive the dreaded email to say my UPS is on battery. It wasn't something I wanted to publicly expose and can't anyway due to my ISPs CG-NAT.
VPNs don’t exist? 😊
@@AdamsLab Not behind CGNAT without something extra in the middle.
Hey there. Not sure if you’ve figured out the bug already, but in case you haven’t. When you create a new public hostname, it’s actually creating a new CNAME entry in your DNS records. When you delete a tunnel before the hostname, you just need to go delete the DNS entry manually before you can recreate one of the same name. Deleting the public hostname “correctly” simply removes the DNS entry for you. Hope this helps!
Great Vid, what about set up for a RDP connection? I can't seem to get this to work
Lawrence, I tried what you did with uptime-kuma, but Cloudflare treated it as an http URL. It doesn't wrap it in https for me the way it did for you. The TLS tab doesn't appear when I set the target service for http. What might I be missing? Thanks.
I'll have to give this a try. I actually had to solve this exact problem for a server I was building last year. I ended up using zerotier sdn connecting the homelab vm's to a droplet with a public IP, and using ipforwarding and ipchain to build a frontend for it. the droplet has the ssl cert, and dns records pointing to it. It follows the iptables rules to forward specific traffic over the zerotier virtual network to the local vm's and back.
I run this as an add on in Home Assistant, works great!
I encountered that small nuance of not being able to adding back/renaming to a hostname that I had previously used. When you create/add a Public Hostname under Tunnel it creates a new CNAME in your DNS, and this doesn't get automatically deleted probably more of a safety feature since DNS propagation usually takes time. Delete the CNAME entry and you can go about the rest of the day.
Would you still recommend putting the daemon in a DMZ of sorts, and filtering/monitoring the traffic from the cloudflared daemon to the internal app(s) through a NGFW?
It's encrypted between Cloudflare and your system so a NGFW is not going to help that traffic.
This worked excellent. So many layers and no holes in the firewall.
Seems that UDP is also a supported service on the Cloudflare Tunnel so technically, you can use the tunnel to manage your Unifi setup AND have the inform URL set to point to it. Has anyone given this a go?
Cloudflare tunnels, this is the way. Also the Web Application Firewall (WAF) they offer for free only adds additinal layers of security. You can make firewall rules to block traffic before it ever hits your network/servers/applications.
Many thanks. Will certainly be looking at this and interesting you referenced it re Bitwarden which is one of my potential use cases. Originally I was going to do bitwarden self hosted with vpn.
Cisco CBD build to be done next week too.
Saved me for an issue I was having, thank you very much!
thanks for the demo and info, have a great day
very clear explanation!
subbed!
It occurs to me that this might be a way to "expose" my webserver to fellow residents of the retirement village I live in and build a community portal. I'm behind a double NAT and I'm running WordPress on IIS (because I know IIS...). Thoughts on using Cloudflare Tunnels for this purpose?
Excellent demo! Question do they offer an agent that would enable private tunnel access with 2fa? This way you could enable access to all containers with a wildcard and not expose all the names in public dns,
Is like the lazy man trafik? Also what happens if your internet goes out at home? Are you still able to access local services?
I already use this with a synologydva and Google OAuth. The only downside/ issue I have is not being able to access it via a mobile phone app DSCam.
I do use it from before it changed of name. It was in beta, right now why it is free it is for gaining clients also if they do updates it is on the free before as if it broke the payed clients wont get the error as they will correct the error before. I used it for years as I am hosting at home on DHCP from my ISP and with it changing IP wont do me any thing. It is super repliable, safe and easy to configure.
That looks really interesting, I'm currently using wireguard on pfsense, but I'll definitely have a play with that. As always, thanks for your excellent videos.
the plural of video is videos
@@RickMyBalls So it is, thanks, I've amended the comment.
This works with other internal thing. Like my deluge client. but with nextcloud I can't get it to work. I've added the correct ip's in the config.php allowed list. But nothing ever shows. Any ideas ?
great video I love and use Cloudflare myself. any plans to make a video on combining it with Authelia for extra security ?
No, because I don't use it or have any plans to start using it right now.
Super helpful! Thank you!
Insightful and informative video.
Hello, this is a great video and convinced me to use Cloudflare Tunnels instead of reverse proxy. A question though: is there a possibility to add wildcards? I want to run a Wordpress Multisite but dont want to log in to Cloudflare and add another tunnel every time I add a new site. Also, if there are issues removing a tunnel I may have to rethink this.
This is great,would definitely try it, but do you need to purchase the SSL certificate for your own domain for this?
nope, they handle the SSL cert
Great video as always. Is there a way to create a RTSP stream connection to an internal camera?
Hi you are great!! it's possible protect the tunnel access with mutual tls for authenticated the clients? because the apps behind the tunnel has auth. like a "MFA" cert + user + pwd
Thank you for this video. Answers a lot of questions I have :-)
I am wondering what could be the potential Performance of those tunnels, packet per second etc.
Also how could I make them Highly Available mode, Option1 k8sbut again some many options can I run them in replica set.
The intention would be complete firewall / load-balancer replacement for large busy websites.
What are your thoughts based on my comments?
Hi Lawrence, thanks for your video. A question on a detail. I've installed Portainer and set a Cloudlare tunnel with Docker. When I go to the cloudflare container, to check the logs as you do, mines are empty. Which doesn't seem normal. Should I do something to make these logs visible? thanks
At 12:57 you say "this has got a self-signed certificate"...How did you do that? Can you do a video on that?
By default Synology has a self signed certificate.
Can you make a video "How to add cloudflare tunnels to OpnSense". Please
I realy like your videos. Fantastic work !
I don't use opnsense
I need to use Traefik's reverse proxy services. Is there an option to route wildcard subdomain through cloudflare tunnel?
Great video, thank you very much - earned a new Subscriber here!
Couple of questions:
1. Following on from your last video, I decided to ditch lastpass and am now hosting my own BitWarden, but would like to add another level of security when not going to the url from my home (which I have managed), but the sync in the app does not connect due to the Application Policy, is there a workaround to make this more secure?
2. I have a dynamic IP address at home and would like to make sure the IP in the application policy updates - is there a way to do this?
Thanks and keep the great videos coming!
1. not sure, not something I have tested.
2. no way that I am aware of.
Hi Lawrence, couldn't you make a video with RDP through Cloudflare.
great stuff! exactly the solution I need, thanks a lot for sharing this.
Great video again, appreciated!
Someone already asked the question but so far I've not seen a response to it. How would these Cloudflare tunnels compare to other popular solutions nowadays such as Tailscale or Zerotier? Any views on that you want to share Tom?
Tailscale or Zerotier are overlay networks , this is a reverse proxy they are not the same thing at all.
@Nonkel: Main difference: With Tailscale / Zerotier the end point needs to be setup, here you do expose a servive to the internet, they great advantage: you do benefit from all security cloudflare provides, compared to a (mis)configured firewall at home. however without the shown security layer from Tom, you need to trust the implementation and setup with the client. Also too: The fact CF can intercept all traffic is a downside for me. Apart from media streaming I wouldnt know, what I want to share with them... although someone above explained to achieve real end2end (by pointing to a CA i think)
its possible that it was eventual concistentancy, there is also the possibilty that they just let the ttl run out ?
Thanks for this video, cloudflare is the best 💯
I get an error at 11:33. Clicking the "public hostname" doesn't work, however, navigating to the "service" URL works as intended. Any pointers would be greatly appreciated! Thank you!
Hi there,
Do a vídeo explain service access with CF, like RDP, SQL SSH. That Will be great too!
I get the tunnel part up and it says healthy... and if I go to Plex on my server's side... it lets me connect the Remote Access to the Internet..
...but when I try to access that tunnel/host, i get a Cloudflare error page saying that my tunnel is ok, and it's broken from my domain to the host. I dont get it. How can I make the connections then? (like from Plex's Remote Access page)
I feel like I'm missing one small part, and it's frustrating as hell.
Can you please provide some details on your video camera/mic setup? Video and audio are A+ [If I was to guess, Blackmagic 6K].
Do you edit with After-Effects/Premier Pro or something like DaVinci?
Thanks!
- big fan from neighborly ann arbor :)
I have a studio tour here ruclips.net/video/vgIT96iiU70/видео.html
What about the data transferred via client tunnel? E.g. What if I transfer a large amount of data through my application? Is there any additional payment for this?
They don't have any clear bandwidth limits it seems to be at their discretion
I love tunnels!!!!
Just a quick question. Will the cloud flare docker also point to services that are not running in docker? Say a Nextcloud snap image.
Yes, it can talk to anything on reachable on the network it's attached to.
Hey Lawrence, just wondering if you've tried the client configuration option (versus configuring on the zero-trust dashboard). I suspect you'll find this more helpful and it may also address the "bug" you mentioned in the video (at end).
Have not tried it, still an odd bug.
I’ve been looking at this. Would it be a safer way of self hosting a Bitwarden vault while making it accessible to clients outside your network?
Safer than just exposing it.
do keep in mind you do not have to use Cloudflare to have a secure Bitwarden instance, but it sure does make it easy.
If you're not comfortable being MiTM'd by Cloudflare then there are other options.
@@jacksoncremean1664 Any examples of the other options? Since I am interested to know those
@@sebas0469 ModSecurity is a really good option for securing websites, but it's a bit difficult to use.
CrowdSec is another great option which works really well with ModSecurity.
@@jacksoncremean1664 thanks will read about both to see the differences as well to learn even if it's difficult to use.
Might seem like a stupid question, but ... can you add the main domain *and* sub-domains *or* just a list of sub-domains
Great video ! I set policies to "email" for each of my services. Is it a bug that once I succesfully accessed one service using the emailed PIN, I can then access all of the other services on the same tunnel without being challenged for an email PIN ? Or does the browser store a cookie allowing access to all services once I have successfully accessed one of them ? If I set a different email address for each service then this "bulk authorisation" disappears. I found that setting the "session duration" to "no duration" prevents this behaviour.
Can you also block some parts of an open service? Like restricting only the admin page of a tunneled bitwarden install
Maybe, I did not test all the features.
Is there an elegant way to use cloudflare access for the whole domain, except 1 subdomain/ public hostname?
you should add or make note that the vm you made must be able to access resources. I had a firewall blocking my vm from accessing resources on different vlan from where i had tunner hosted
I did when I showed the network layout
I am trying to create a tunnel for Kavita but when I put the local URL at the Route Traffic for "TunnelName" it says URL is required despite me putting a URL into that spot. I've confirmed the service is running, and the URL is correct.
Hey Tom, love your videos. I'm trying to understand who CF tunnels is a good use case for? At the end of the day, CF tunnels essentially moves the "firewall" from the customer's datacenter to CF. The application security and group based access rules etc. kind of just replaces a SSLVPN client and firewall rules. What I'm saying is CF tunnels is basically the same concept as a firewall and SSLVPN client from any firewall vendor. A business hosting services, will need a firewall anyways at the end of the day, so isn't CF tunnels just an additional expense? I think CF tunnels may be easier to configure for the average person but modern FW rules aren't too complicated. The one benefit I do see is DDOS protection. CF tunnels definitely wins in that regard. Again, not trying to be rude or anything, I'm just wondering if using CF tunnels is actually worth it. In my opinion everything CF tunnels can do can be accomplished with a properly configured FW and a VPN client (besides DDOS protection)
Besides DDOS they also take care of the certificate, reverse proxy, solving working behind CG-NAT, client does not need to have static IP.
If we are using Traefik, is it gonna work perfectly?
I didn't test it with that but it should work
Yes, it works.
How would you use it with Traefik? isn't that just doing a double reverse proxy?
Why would you still use Traefik with CF tunnels?
Great! How is this compared to Netmaker
For some reason SSL wasn't enabled for me by default, nor do I see any way to enable it...
I am still new in this field and i want to make my owncloud can be accessed outside my home, so do i still need public ip? Thanks beforehand
This is crazy easy and cool I am gonna be using this!!! I still find it crazy its free
How does this compare to a Tailscale setup latency/throughput wise for streaming video (plex/jellyfin)?
Fantastic!
Awesome video ! Thank you very much !
I created vlan on pfsense then connected cloudflare on vm with vlan, but I want to control it thru pfsense for example to use wan or lan ip, what am I missing
yay i got the 1k like - nice video btw
My IP on cloudflare always change back to the old IP after changing it to the new IP, please do you know the course? This thing happen every 24hrs
Really good. Thanks