Using Cloudflare Tunnels For Hosting & Certificates Without Exposing Ports On Your Firewall

You never fail to give me practical new information on new systems. Thanks 😀

I think it’s important to note that cloudflare tunnels have limitations. For exemple if you plan to use this to access stuff that require large file transfers like nextcloud, cloudflare tunnels are limited to 100mb per file.

I've been using this service for 2-3 months and I love it. Easy setup and it works very well. I'm stuck behind CG-NAT making self-hosting difficult, but Cloudflare tunnels have made life much easier.

Very informative. That extra layer of security was exactly what I was looking for

thanks so much for your detailed videos - I have been struggling since last couple of days to fix the cloudflare tunneling problem with my docker container and continuously watching videos on youtube. But your video help me to resolve the issue, thanks again.

I started using this to have my college labs accessible when out of home.
Making code changes real time and see them implemented makes life a lot easier.

It's hilarious how many times in the past year I've search this up to bypass ISP port blocking, and still haven't done it... maybe this will be the recemented video that makes me implement it.

Excellent video, very easy to follow and I have now restructured my remote connections using cloudflare tunnels and added another layer of security.Thanks!!!
One thing I noticed when testing though was that I needed to set the email rules to 'Require' rather than 'Include' for the restrictions to work as described in the video.

Best and most secure option to exposé internal services to the internet - and one that works with a cgnat, too 👍 Thanks for the video 😁

This service is brilliant, I had superficially seen something about it, but I hadn't tested it yet, now with this video, I'm going to try to implement it in some personal project to test it and see if it fits in some current or future project!

Thank you Lawrence for the videos, please upload more Cloudflare tutorials. great content

This is why I love this channel - first time I hear of the TLS intercept, which is okay, but you have to be aware of this. None of the other pointed this iirc...

Great video Lawrence! I self host Guacamole and have a custom domain pointing to it, but I think adding the extra security layer Cloudflare offers is a good idea.

Very good intro to bring awareness around who you bring into the trustcircle

With the 'bug' you mentioned at the end, you can go to your DNS settings in cloudflare, and delete the subdomain forward manually

Excellent - as is your usual standard. Thank you.

all good thanks for cover it step by step.
I discover also that you can combine tailscale network and cloudflare tunnel to host something that isn't on the same network

I'd love to see you run your ssh connections through a tunnel. I've only managed to do it with their in-browser ssh client, and not through a remote terminal.

Thanks for the tutorial. I was able to set this up to point to my Plex server and Owncast instance. I previously had these behind an nginx proxy. Plex and Owncast use websockets and was tricky to configure all of that in Nginx. Using Cloudflare tunnels, everything just works! no more nginx reverse-proxy configs and struggling to get it configured correctly.

Thank you Tom, very informative. One point I missed is - how to handle HTTPS certificates and if clouldflare can handle more sophisticated URL manipulations (rewriting)? I'm trying to understand if this could replace also my reverse proxy. I wish all best in 2023🎉😊

thanks for the demo and info, have a great day

Super helpful! Thank you!

Saved me for an issue I was having, thank you very much!

Thank you for this video. Answers a lot of questions I have :-)

Awesome video Lawrence, you got me out of a pickle, unfortunately, I followed another youtuber's video, but he failed to provide one very important detail regarding TLS verification..! Thanks

Many thanks. Will certainly be looking at this and interesting you referenced it re Bitwarden which is one of my potential use cases. Originally I was going to do bitwarden self hosted with vpn.
Cisco CBD build to be done next week too.

Hi Tom. Thanks for this great content! I successfully use CF tunnels to expose home services a good while. Using "Applications Policies" in conjunction with "Access Groups" give me a granular way to lock down certain services to special groups of users or devices (by country, ip-address ranges, e-mail addr). Using special "identity provider"s for certain applications provides more flexibility also. The use tunnels depends a lot of "trusting" CF. Controlling the SSL-endpoints is a real responsibility for CF. Hope that CF never suffers a data breach or use our data for their own purposes. Than the "shit hits the fan"... A good an successful year 2023 for everybody! See you next year (in 1 day) 😀

great stuff! exactly the solution I need, thanks a lot for sharing this.

If you go into your DNS settings in cloud flare for that domain you can remove them manually if you do it backwards.

Damn… I already thought I must have a look at Cloudflare Zero Trust Platform, but still havent come around doing so. Thanks to this video, I now know I DEFINETILEY need to have a look at as soon as possible…

A few things to note: end-to-end encryption can be achieved by specifying a trusted CA and an expected hostname within the cloudflare zero trust dashboard.
Also, docker isolated networks are a MUST if you're going to host other containers/services that you don't want exposed to the internet

Lawrence, I tried what you did with uptime-kuma, but Cloudflare treated it as an http URL. It doesn't wrap it in https for me the way it did for you. The TLS tab doesn't appear when I set the target service for http. What might I be missing? Thanks.

I’ve experienced the same DNS “bug” when deleting a tunnel and needed to manually delete the DNS entry to reuse the subdomain when I started setting things up and testing. However, later when I set up different tunnels and eventually deleted them after testing, the DNS entry was deleted with the tunnel. So it hasn’t been a consistent bug for me, and may be related to the process taken when deleting.

thank god for u, everyone missed the tls setting

I run this as an add on in Home Assistant, works great!

Awesome video ! Thank you very much !

Hi Lawrence, thanks for your video. A question on a detail. I've installed Portainer and set a Cloudlare tunnel with Docker. When I go to the cloudflare container, to check the logs as you do, mines are empty. Which doesn't seem normal. Should I do something to make these logs visible? thanks

Excellent demo! Question do they offer an agent that would enable private tunnel access with 2fa? This way you could enable access to all containers with a wildcard and not expose all the names in public dns,

@Tom thank you for this.. you solved my issue.. I wasn't activating the "No TLS Verify" so it wasn't working..

It occurs to me that this might be a way to "expose" my webserver to fellow residents of the retirement village I live in and build a community portal. I'm behind a double NAT and I'm running WordPress on IIS (because I know IIS...). Thoughts on using Cloudflare Tunnels for this purpose?

This works with other internal thing. Like my deluge client. but with nextcloud I can't get it to work. I've added the correct ip's in the config.php allowed list. But nothing ever shows. Any ideas ?

I encountered that small nuance of not being able to adding back/renaming to a hostname that I had previously used. When you create/add a Public Hostname under Tunnel it creates a new CNAME in your DNS, and this doesn't get automatically deleted probably more of a safety feature since DNS propagation usually takes time. Delete the CNAME entry and you can go about the rest of the day.

This worked excellent. So many layers and no holes in the firewall.

I'll have to give this a try. I actually had to solve this exact problem for a server I was building last year. I ended up using zerotier sdn connecting the homelab vm's to a droplet with a public IP, and using ipforwarding and ipchain to build a frontend for it. the droplet has the ssl cert, and dns records pointing to it. It follows the iptables rules to forward specific traffic over the zerotier virtual network to the local vm's and back.

awsome. I saw it elsewhere, but not seen the additional security layer. there is only the risk that cloud flare going for the free security to paid in some years.

Thanks for this video, cloudflare is the best 💯

This is one of those awesome tools similar to ZeroTier One that once you hear about them you are super glad you know exist!

Any particular reason to use this instead of Tailscale? Apart from needing Tailscale on both the server and the client?

Cloudflare tunnels, this is the way. Also the Web Application Firewall (WAF) they offer for free only adds additinal layers of security. You can make firewall rules to block traffic before it ever hits your network/servers/applications.

How does this compare to a Tailscale setup latency/throughput wise for streaming video (plex/jellyfin)?

Really good. Thanks

Hi you are great!! it's possible protect the tunnel access with mutual tls for authenticated the clients? because the apps behind the tunnel has auth. like a "MFA" cert + user + pwd

I get the tunnel part up and it says healthy... and if I go to Plex on my server's side... it lets me connect the Remote Access to the Internet..
...but when I try to access that tunnel/host, i get a Cloudflare error page saying that my tunnel is ok, and it's broken from my domain to the host. I dont get it. How can I make the connections then? (like from Plex's Remote Access page)
I feel like I'm missing one small part, and it's frustrating as hell.

I need to use Traefik's reverse proxy services. Is there an option to route wildcard subdomain through cloudflare tunnel?

Great video ! I set policies to "email" for each of my services. Is it a bug that once I succesfully accessed one service using the emailed PIN, I can then access all of the other services on the same tunnel without being challenged for an email PIN ? Or does the browser store a cookie allowing access to all services once I have successfully accessed one of them ? If I set a different email address for each service then this "bulk authorisation" disappears. I found that setting the "session duration" to "no duration" prevents this behaviour.

I am wondering what could be the potential Performance of those tunnels, packet per second etc.
Also how could I make them Highly Available mode, Option1 k8sbut again some many options can I run them in replica set.
The intention would be complete firewall / load-balancer replacement for large busy websites.
What are your thoughts based on my comments?

Also, folks should consider setting memory limits on their Docker containers in case one runs wild and starts using up all the RAM on the docker host. It helps prevent problems down the road.

Is there an elegant way to use cloudflare access for the whole domain, except 1 subdomain/ public hostname?

Fantastic!

Thanks!

Seems that UDP is also a supported service on the Cloudflare Tunnel so technically, you can use the tunnel to manage your Unifi setup AND have the inform URL set to point to it. Has anyone given this a go?

I created vlan on pfsense then connected cloudflare on vm with vlan, but I want to control it thru pfsense for example to use wan or lan ip, what am I missing

Great Video 👍

How do you figure out what port an actual computer running unbuntunis using being banging my head trying to get cloud flair to work on Unbuntu 22.04 LTS

I do use it from before it changed of name. It was in beta, right now why it is free it is for gaining clients also if they do updates it is on the free before as if it broke the payed clients wont get the error as they will correct the error before. I used it for years as I am hosting at home on DHCP from my ISP and with it changing IP wont do me any thing. It is super repliable, safe and easy to configure.

Can confirm this works well on a Raspberry Pi with the Debian Buster ARM 32-bit package 🙂 Can now access NUT UPS monitoring to see more detail of what is going on when I receive the dreaded email to say my UPS is on battery. It wasn't something I wanted to publicly expose and can't anyway due to my ISPs CG-NAT.

This is crazy easy and cool I am gonna be using this!!! I still find it crazy its free

Hey Lawrence, just wondering if you've tried the client configuration option (versus configuring on the zero-trust dashboard). I suspect you'll find this more helpful and it may also address the "bug" you mentioned in the video (at end).

Hello, this is a great video and convinced me to use Cloudflare Tunnels instead of reverse proxy. A question though: is there a possibility to add wildcards? I want to run a Wordpress Multisite but dont want to log in to Cloudflare and add another tunnel every time I add a new site. Also, if there are issues removing a tunnel I may have to rethink this.

Great Vid, what about set up for a RDP connection? I can't seem to get this to work

Great video as always. Is there a way to create a RTSP stream connection to an internal camera?

I am trying to create a tunnel for Kavita but when I put the local URL at the Route Traffic for "TunnelName" it says URL is required despite me putting a URL into that spot. I've confirmed the service is running, and the URL is correct.

has anyone been able to configure the 'IP range' as policy instead of OTP? I keep getting unauthenticated errors, even though the details in the message list the same public ip i've whitelisted in the configuration policy.

What happens when you are on the same local network as the Cloudflare "endpoint" and you are requesting services on that local network with that same DNS entry... does the traffic route out of that "local" network and then back through the tunnel?

Might seem like a stupid question, but ... can you add the main domain *and* sub-domains *or* just a list of sub-domains

I already use this with a synologydva and Google OAuth. The only downside/ issue I have is not being able to access it via a mobile phone app DSCam.

Nice video, for most of use cases free plan is enough, but always it is a free so it needs to be limited, to encourage you to buy premium ;). Tom thank you for that.

Just a quick question. Will the cloud flare docker also point to services that are not running in docker? Say a Nextcloud snap image.

its possible that it was eventual concistentancy, there is also the possibilty that they just let the ttl run out ?

Would this work with pfsense to pfsense tailscale with routes exposed? Example site a has tunnel installed on local network and can see server or site b via tailscale site to site.

I feel like this would be a good solution for the Minecraft servers I host for my kids and their friends?

Hey there. Not sure if you’ve figured out the bug already, but in case you haven’t. When you create a new public hostname, it’s actually creating a new CNAME entry in your DNS records. When you delete a tunnel before the hostname, you just need to go delete the DNS entry manually before you can recreate one of the same name. Deleting the public hostname “correctly” simply removes the DNS entry for you. Hope this helps!

Hi there,
Do a vídeo explain service access with CF, like RDP, SQL SSH. That Will be great too!

I know this is a bit difficult with docker containers... but can the connections, you were using 192.168.x.y:z, be unix domain sockets?

Sir, Please can you help me I am trying to get RDP Access form Outside network of my home windows 10 pc from my office using Cloudflared Tunnel with out any port forrowarding of my Jio Fiver Router. Please help me sir.

How are requests sent to the host without exposing ports in the firewall? Does does the cloudfare daemon on the host restrict port forwarding to a specific IP source?

Awesome! Thx as always Tom. If it's free give me three (secure tunnels)

Can you please provide some details on your video camera/mic setup? Video and audio are A+ [If I was to guess, Blackmagic 6K].
Do you edit with After-Effects/Premier Pro or something like DaVinci?
Thanks!
- big fan from neighborly ann arbor :)

Can you also block some parts of an open service? Like restricting only the admin page of a tunneled bitwarden install

Great video, thank you very much - earned a new Subscriber here!
Couple of questions:
1. Following on from your last video, I decided to ditch lastpass and am now hosting my own BitWarden, but would like to add another level of security when not going to the url from my home (which I have managed), but the sync in the app does not connect due to the Application Policy, is there a workaround to make this more secure?
2. I have a dynamic IP address at home and would like to make sure the IP in the application policy updates - is there a way to do this?
Thanks and keep the great videos coming!

I love tunnels!!!!

Hey, somebody has problem using docker container WORDPRESS or in PROMOX CT container WORDPRESS and no show pictures? (domian setup in cloudflare, subdomains, all things activate), I can not find solution tu that situacion. somebody has idea, solution? thanks (and of course using Cloundflare tunnels)

What about the data transferred via client tunnel? E.g. What if I transfer a large amount of data through my application? Is there any additional payment for this?

That looks really interesting, I'm currently using wireguard on pfsense, but I'll definitely have a play with that. As always, thanks for your excellent videos.

Great! How is this compared to Netmaker

This is great,would definitely try it, but do you need to purchase the SSL certificate for your own domain for this?

How do you do this without having Cloudflare host your DNS? I got the tunnel working but I can't find any instructions anywhere on how to get a subdomain working correctly.

yay i got the 1k like - nice video btw

cn you share how can we forward the tcp traffic that arenot web services

Great video again, appreciated!
Someone already asked the question but so far I've not seen a response to it. How would these Cloudflare tunnels compare to other popular solutions nowadays such as Tailscale or Zerotier? Any views on that you want to share Tom?