I honestly don't mind all the cons of Cloudflare Tunnel, and I definitely agree. Don't just expose all your services without another form of security like Cloudflare Access. That's the first thing I did after setting up Tunnels, and it's been great.
Basic auth is indeed not always working as first-level security, so Cloudflare Access is a godsend. I was finicking with Authelia but damn, Cloudflare Access "just works".
Hi Christian and thank you for this critical and informative video. You do not bypass your firewall if you set up the cloudflared server (or Cloudflare Docker container) in a separate DMZ/VLAN. I can't see any difference from other VPN solutions that end directly in the internal network. This is a general problem that can either be improved by well-documented descriptions of possible extensions, or you have the necessary expertise yourself to be able to operate such solutions relatively safely. So you are right: not only the route between the endpoints has to be secure, but especially the endpoints themselves and the networks behind those endpoints always have to be secured. Your argument is still absolutely valid, and many manufacturers of such solutions promise easy and secure installations, which can be very deceptive. In my opinion, Cloudflare offers one of the best and most secure solutions for accessing internal services (no published ports, MFA for accessing the Cloudflare dashboard, and separate MFA and other web application rules for accessing the actual services). In addition, the actual application that you want to reach via Cloudflare Tunnel should also have its own authentication - I only use applications that can handle MFA on their own, such as Guacamole. But it always depends on how you implement it :-) If large companies trust Microsoft by running an Azure AD (most have little choice), you can trust Cloudflare for your homelab services for sure.
If you can't see "any difference" between a VPN server that you run and this, then you are ignorant about the topic or just plain daft. The alternative to cloudflared (from a privacy perspective) isn't Tailscale or Twingate or whatever tf. Let's concede that Cloudflare gives you all of those features as securely as any third party can; that's really beside the point. You're getting all those "freebies" in exchange for putting a middle man in all the traffic you tunnel through them (technically they can establish any connection they wish from inside your network since they are running an agent inside yours). Obviously a lot of very technically inclined people are willing to do this, but let's not be stupid about the trade-offs here.
This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure. The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.
Excellent video, this is something home labbers often get wrong. Cloudflare isn't a silver bullet for your security woes; sure, it helps, but it comes with its own issues. If you're using a free plan then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.
Little workaround about the firewall issue: Put the cloudflare tunnel vm or container in a dedicated /30 vlan with only internet access to the external ips of cloudflare and create rules to internal services you want to expose via inter vlan routing
new to home lab here, are you saying to basically segment your internal network and all your exposed services will be on an isolated network along with your cloudflare tunnel vm running?
@xavierlarosa8235 Yeah, you could do it like this. This would limit the devices Cloudflare would be able to reach to this VLAN. I have gone even further: I have a server VLAN with my internal services and a dedicated VLAN for the Cloudflare tunnel VM. So I get maximum control over the services Cloudflare is able to reach by creating a default drop between the VLANs and only dedicated allow rules for services I want to expose.
This is what I am already doing to prevent the CF tunnel from getting access to my whole network. The CF tunnel is limited to its own VLAN, and then gets access to only the services that really need the Cloudflare tunnel.
6:00 One thing you could do with a Cloudflare tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN's traffic to the appropriate servers and ports on other subnets.
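The isolation scheme the last few comments describe (cloudflared VM alone in its own VLAN, default drop between VLANs, explicit allow rules only for the services being exposed, egress only towards Cloudflare) can be written down as policy and checked before it is deployed. The following is an added example, not configuration from any commenter or from Cloudflare: interface names, addresses, ports and service names are assumptions, and the emitted nftables ruleset is illustrative of the structure rather than a drop-in for pfSense.

```python
"""Policy-as-code for a cloudflared host isolated in its own VLAN.

Added example. Interface names, subnets and services below are hypothetical.
"""
from dataclasses import dataclass

TUNNEL_IF = "vlan40"     # assumption: VLAN holding only the cloudflared VM
SERVICES_IF = "vlan20"   # assumption: VLAN holding the internal services
WAN_IF = "wan0"          # assumption: upstream interface
CLOUDFLARED_PORT = 7844  # port cloudflared uses to reach Cloudflare's edge


@dataclass(frozen=True)
class Allow:
    """One explicit allow: tunnel VLAN -> a single service host/port."""
    dst_host: str
    proto: str   # "tcp" or "udp"
    dport: int
    comment: str


# Constructed policy: only these two services are reachable from the tunnel VLAN.
POLICY = [
    Allow("10.20.0.10", "tcp", 8443, "guacamole"),
    Allow("10.20.0.11", "tcp", 32400, "plex"),
]


def is_allowed(policy, src_if, dst_if, dst_host, proto, dport):
    """Simulate the forward chain: default drop, explicit allows only.

    New flows are accepted only when they originate on the tunnel VLAN, land
    on the services VLAN and match an Allow entry exactly. Everything else,
    including the reverse direction (services VLAN -> tunnel VLAN), is dropped.
    """
    if src_if != TUNNEL_IF or dst_if != SERVICES_IF:
        return False
    return any(
        a.dst_host == dst_host and a.proto == proto and a.dport == dport
        for a in policy
    )


def render_nft(policy):
    """Emit an nftables ruleset (inet family) expressing the same policy."""
    lines = [
        "table inet cf_tunnel {",
        "    # Placeholder set: populate from Cloudflare's published edge IP ranges.",
        "    set cloudflare_edge {",
        "        type ipv4_addr",
        "        flags interval",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        # Egress from the tunnel VLAN only to Cloudflare's edge on 7844 (tcp or udp/quic).
        f'        iifname "{TUNNEL_IF}" oifname "{WAN_IF}" ip daddr @cloudflare_edge '
        f"tcp dport {CLOUDFLARED_PORT} accept",
        f'        iifname "{TUNNEL_IF}" oifname "{WAN_IF}" ip daddr @cloudflare_edge '
        f"udp dport {CLOUDFLARED_PORT} accept",
    ]
    for a in policy:
        lines.append(
            f'        iifname "{TUNNEL_IF}" oifname "{SERVICES_IF}" '
            f'ip daddr {a.dst_host} {a.proto} dport {a.dport} accept comment "{a.comment}"'
        )
    lines += [
        "        # No rule for services VLAN -> tunnel VLAN: those flows hit policy drop.",
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(POLICY))
```

The point of `is_allowed` is that the policy can be unit-tested: a flow from the tunnel VLAN to an unlisted host or port, or any flow initiated from the services VLAN back towards the tunnel VM, must come back as dropped before the ruleset is loaded anywhere.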
Great video. I'm a huge fan of Cloudflare and think they've done a ton for the world on making the internet more secure. That said, having a reasonable, fair, and open analysis of the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!
Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.
Cloudflare Tunnel is a tunneling protocol that does a peer-to-peer connection through a "middle-man" server such as Cloudflare Tunnel, same as ZeroTier and Tailscale. Using another server inherently means you have a dependency that you need to be aware of.
Agreed with this post. With most cloud providers, you give up your privacy for security (well, security is subjective... providing no three letter agencies haven't already backdoored it like they did with L2TP and Juniper).
Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from their CGNAT. In situations where I have played with Cloudflare Tunnel it has been inside of a dedicated VLAN on my network, and I think that your concerns are valid. When CGNAT folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports, which I don't really see a way to do on Cloudflare Zero Trust.
This is a good, balanced look at it. One thing you forgot to mention is mitigations, such as being careful where in your network to deploy the tunnel endpoint. For example, a "DMZ" (or similar) area where you provide services from but that does not have access to the rest of your network, in order to minimize the crash surface.
To be clear, at around 6:16 when firewalls might become useless because they are not integrated into the firewall and punch a hole....
1. If an enterprise employs application whitelisting on their laptops/servers/desktops, then this will never have a chance at being deployed.
2. If an enterprise chooses to do SSL decryption, this would never have a chance at being deployed.
3. If using some form of application identification (appid), this would never have a chance at being deployed.
4. If you deny the outgoing port of 7844, then this will never get deployed.
If you choose to have lax rules or a lax security model then yeah, you can bypass the network security, but this isn't as easy as one would think it is.
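Point 4 above (deny outbound 7844 by default) also gives a defender a cheap detection: any host other than the sanctioned tunnel VM that is seen talking, or trying to talk, to port 7844 is worth a look. The script below is an added example, not something from the commenter or from Cloudflare; the flow-log format, addresses and the "sanctioned" host are all constructed for the demonstration.

```python
"""Flag unsanctioned cloudflared egress (port 7844) in firewall flow logs.

Added example. The log lines below are constructed in a simple key=value form,
not a real product's format; adapt parse_line() to your firewall's export.
"""
from collections import Counter

CLOUDFLARED_PORT = 7844
SANCTIONED_SOURCES = {"10.40.0.2"}  # assumption: the one host allowed to run a tunnel

# Constructed sample: one rogue tunnel that got out, one that the deny rule caught.
SAMPLE_FLOW_LOG = """\
2024-05-01T10:00:01Z src=10.10.5.23 dst=198.51.100.7 proto=tcp dport=7844 action=allow
2024-05-01T10:00:02Z src=10.40.0.2 dst=198.51.100.8 proto=udp dport=7844 action=allow
2024-05-01T10:00:03Z src=10.10.5.23 dst=198.51.100.9 proto=tcp dport=443 action=allow
2024-05-01T10:00:04Z src=10.10.7.41 dst=198.51.100.7 proto=udp dport=7844 action=deny
2024-05-01T10:00:05Z src=10.10.7.41 dst=198.51.100.7 proto=udp dport=7844 action=deny
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def find_tunnel_egress(log_text, sanctioned=SANCTIONED_SOURCES):
    """One alert per unsanctioned source seen on 7844, sorted by source address."""
    allowed = Counter()
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("proto") not in ("tcp", "udp"):
            continue
        if rec["dport"] != CLOUDFLARED_PORT or rec.get("src") in sanctioned:
            continue
        if rec.get("action") == "deny":
            denied[rec["src"]] += 1
        else:
            allowed[rec["src"]] += 1
    alerts = []
    for src in sorted(set(allowed) | set(denied)):
        # An allowed flow means a tunnel may already be up (high); a denied one
        # means the egress rule held but the host still ran the connector (medium).
        severity = "high" if allowed[src] else "medium"
        alerts.append({"src": src, "allowed": allowed[src],
                       "denied": denied[src], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_tunnel_egress(SAMPLE_FLOW_LOG):
        print(alert)
```

Port-based matching only works as long as the connector really uses 7844, which is why points 2 and 3 above (TLS inspection, application identification) are the stronger controls; this check is the low-cost complement that runs over logs you already have.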
Pro tip: You can still use the SSH tunnel and do a reverse port tunnel through that. Cloudflare cannot see/MITM that, since only you have your certificate, which the server verifies and is thus able to perform an authenticated Diffie-Hellman exchange and guarantee your communication is confidential! (See the SSH2 protocol and TOFU security model.) Also, I thought it was obvious that it works as essentially a MITM? They even advertise it as such! How else would they be able to magically HTTPSify all your services? Obviously, keep this in mind....
I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network, allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which make OpenVPN with MFA impossible with NPS; now you must pay for expensive services such as Duo :( P.S. Love your content and what you provide for the IT community, thank you!
I think one of the main issues for me is the centralising of important internet infrastructure. Cloudflare offers some great services which are important. But I do not feel comfortable with so many eggs of the internet being in so few baskets. Awesome video btw dude, as usual.
I see it in the opposite way: Cloudflare removes many points of failure. Of course it depends how much time, money and (electric, your own) energy you are willing to invest into your infrastructure. For accessing your personal blog, Nextcloud, git ... running on a low-power PC/SBC I'd say it's perfect.
Good point. I had to decide between ZeroTier, which is more convenient for my application, and Cloudflare. I decided for Cloudflare because I trust them (more). But shutting down a service is also a valid complaint.
Please do a video about best practices to set up Sophos XG, secure the net, expose services safely, etc. Or a video where you show us your Sophos setup. Thanks man!
Another thing I would like to mention that most YouTubers don't is that if you are using Cloudflare you should set up DNS overrides on your DNS server on your LAN, so that stuff doesn't go through Cloudflare and works offline when just accessing it from the LAN.
This is exactly what I was thinking. That's why I run a VPS with a site-to-site VPN connection home to my self-hosted services. It's basically a jump box or traffic forwarder. There are two ways for this: terminating your SSL at your VPS (which I am doing now) or forwarding the SSL traffic home (with HAProxy; experiments running as I am typing this). Video coming up on this, too.
But why? xD Set up SSH access via certificate on your VPS, use autossh on your machine, forward the ports you want to expose, write a startup rule in your .rc, done. Or: set up SSH access via certificate on your VPS, create a new service that does ssh to your VPS and forwards the ports you want to expose, systemctl daemon-reload, service xxx enable, done.
I would love to check out that video! I use Cloudflare Tunnel for hosting some sites from a mini PC that I have. But I would feel more secure if the traffic were forwarded directly from a cheap server that I can fully control.
Hmm.... Your video confirms my amateur understanding of Cloudflare tunnels. Thank you very much! I'll think more about it, get info and probably tip my tunnels and switch to a practical in-house VPN solution. I hope I can do that. Best regards.
Great video! I think homelabbers should talk more about who you trust with your data, but also the various attack surfaces these services open up. I'd be interested in a deeper dive and comparison between Cloudflare Tunnels, Twingate and Tailscale (and Headscale), as they all do similar things with subtle--but important--differences.
I liked it until I was charged a huge fee. Since they track data that's pushed, if someone goes in and starts using APIs to pull massive amounts of data and you don't have rate limiting in place, there go a few hundred dollars.
Thank you for this comment! I was about to set up my homelab to record site-to-site with PoE cameras, but that would send ~80/gb, I guess I will stick with my current WireGuard LAN-to-LAN 😂😂
I have enough options with my FortiGate firewall to share certain parts of my network. I looked into the Cloudflare solution, but the fact that all my traffic would go through their servers stopped me from using it. However, once you have made the right settings in your firewall, it is easy to quickly provide someone with a service from the HomeLab.
I have tested CF, and I didn't choose it for a few reasons - trust, protocol limitation, and L7 protection (threat protection, AV, IPS, web filter etc.), which I can do on my Sophos XG (WAF). Maybe I didn't test it well, but... ;)
If you apply this logic then AWS can also read everything at the load balancer because we add all keys to AWS ACM. In that case nothing is safe on the cloud as well. I think I trust cloudflare much more than most tech companies out there.
Great video. Probably you should have added more emphasis that similar products (Zerotier) have the same problem. US 3-letter organisations have access to all of your data, for sure.
I mean you can do something like tailscale, but that may still have similar privacy issues, so best option would be headscale with another main server on the cloud
@Technically_Bad That's the equivalent of opening a port: hosting things on a public-facing cloud. Instead, what I suggested is using a VPS and a public-facing connection interface. Without the VPN to go through the first server, you can't even reach the second.
I think the issue with the internal firewall in the internal network can be mitigated by making sure that the requests crossing from the cloudflared tunnel need to cross the firewall itself prior to reaching the service being exposed. This way requests are also checked by the internal firewall. You can have a separate firewall for this, or it can be the same firewall that already exists. What is important is that the cloudflared instance is separated from the internal application instance by the firewall, so firewall rules/checks/introspection can still happen.
"... customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2." - Cloudflare's blog. That is for the removal of section 2.8 in the Cloudflare Terms of Service, which essentially means nothing to most people unless you are paying to use their services.
Regarding your point about serving non-HTML content, I always found it was a good practice to bypass the caching with a page rule. I use the tunnel and a reverse proxy to host my plex server using a custom server access URL and the first month I had it running with no page rules I was a bit unsettled to see how much data had been cached, but nothing came of it anyway.
They said in the Discord that this rule applies to ANYTHING that goes through the Cloudflare network; they don't care if you cache it or not. So you can still get booted if you don't cache a thing. However, they probably won't bother you if you're not pushing many terabytes of data.
This is what I am thinking about doing. So are you doing a CF tunnel to nginx to then forward to Plex? Any security concerns? I feel like it is better than exposing ports on my IP.
Well, I guess that one should not use this kind of service without security layers in mind. Mostly because in a certain, given scenario, one could use their service's trustworthy reputation to stealthily exfiltrate data from a company's network, or gain reverse access to it, either by somehow abusing it or installing it on purpose in a post-exploitation phase. This is a great option when your security strategy is mature enough and capable of containing threats as mentioned before.
Very good video. I was especially interested in the security concerns about bypassing your company's firewall by using such a reverse tunnel. I guess no enterprise will want to have such a thing set up by individual users. I could imagine an enterprise setup done locally, trusting Cloudflare, but it's a security nightmare when everyone can start a Docker container and punch holes into the whole firewall setup. I would even assume that some companies block those hosts and ports by default.
The big takeaway should be that if you don't understand the security implications, then don't use it. Goes for all systems though. Not fair to aim at cloudflare, but certainly fair to respond to your own content to provide better clarification.
Thanks for the video. It actually makes sense. But I would like to add something here: "home lab is for learning", right? Yes, we can check out some tools, but I think people who have a home lab should expose their services and do some kind of research about how to secure them, for example, use some kind of firewall, IDS/IPS, etc. See the logs regularly, and automate some things. Maybe I am wrong, it's just my thought. Correct me if I am wrong.
Was about to deploy Cloudflare and, thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed. I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out, well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!
3:40 I recall a rather large, and quite shady, situation that occurred right before their sudden popularity. It was enough of a ‘something’ that it warrants caution. Some might even argue that it justifies suspecting ulterior motives.
Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your Cloudflare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust. Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement a reverse proxy, lol).
The branding bugs me. It's part of their "Cloudflare Zero Trust Platform", yet requires enormous amounts of trust of Cloudflare since they must decrypt your traffic. Am I missing something?
In my opinion, Cloudflare is a great (or maybe the best) solution for home labs, small businesses, and publishing simple amateur websites. If it's a big company - definitely not. For my home lab it's the only option - I have no public IP, not even a dynamic one. My ISP put me behind NAT.
@rexeus I use ZeroTier for those services that only I use alone. The services that my family and friends use with me go through the public space. For example, video surveillance, streaming services for music, cloud file sharing.
Thank you for giving so much insight in your videos that ACTUALLY matters, not only in the specific use case that you presented but even in wider use cases! I did not know that Cloudflare has access to clear-text traffic between client and server. And I believe that the argument some people bring to this issue, "oh, but it's designed to be that way, because it doesn't work otherwise", is nonsense. If it's designed that way, then that is bad design. It is totally possible to have true end-to-end encryption between client and server. So I think creating "tricks" that add other parties in between, which everyone tends to ignore (therefore becoming fertile ground for corruption), is a blatant offense to what TLS was designed for in the first place.
Today they posted on the Cloudflare Blog: "Goodbye, section 2.8 and hello to Cloudflare's new terms of service". This is part of their Developer Week announcement. You need their services like Stream to serve video though.
Personally, my deployment of Cloudflare tunnels is by deploying it as a sidecar container on my external ingress Traefik instances. I run 2 sets of Traefik deployments in my local k8s cluster, one that's exposed to the internet via Cloudflare tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to Traefik on localhost" static rule configuration. It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok, I guess. Tailscale Funnel is nice, but a bit restrictive since you can't use your own domains. As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services, then its traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice, so... tradeoffs.)
When I first saw these "how-to" videos with the CF Tunnel product I was instantly mortified for anyone trying to establish even basic enterprise security on a network, especially if they're not well resourced; prosumer and consultant type users tend to slap this stuff onto their workstation so they can go home and "work from home", I've seen that time and again over the decades. This type of system exposes both the hubris of users and also demonstrates a really, really serious "failure of imagination" - I guarantee to you that in the brief 3-4 seconds you consider any security implications you won't even be remotely close to a team who has perhaps spent months figuring out how to exploit this new method or even adjust their existing methods to use it as an exploit. You might not be the end target but you might end up being a very convenient relay for an attack (perhaps even with a subsequent ransomware intrusion afterwards to help cover forensic tracks). Zoning is utterly critical with these things - this might be ok to expose services in a proper DMZ which you were going to expose anyway, but that's not how it's being sold to viewers by excited tech youtubers who gleefully outline how they opened up their production network to others so they could dish out parcels of editing work, clip libraries, etc. The impressive-sounding authentication and encryption technologies bypass the not-so-subtle fact that you're giving someone outside a direct inroad into your network, and that security is instantly as strong as the weakest chain in that link. Any compromise or misuse upstream - intentional or otherwise - and you're instantly exposed. Not just by flaws, corporate misadventure and especially state agencies who mandate backdoor access either; add to that the fact that this is a concentrator putting all those lovely access points into one place... I suspect at some point we're going to see an indexing site of poorly secured relays like that site that lists insecure webcams.
Those are spread all over the public IP address space but have common flaws from default configuration and open ports that draw unwanted interest that an unsuspecting, uneducated retail user would never have considered. Sure, it does look cool and all, but please - limit your use to things you were going to out-zone and present to the internet anyway. Anything else needs to be hardened and require as many authentication steps as a fully externally presented service. Compromised networks like these are extremely hard for everyone to deal with, especially if you have some kind of operational relationship with an affected party. This is all going to get so so so so so much worse too as we all invariably head towards "hot war" in either the Pacific or Europe.
Well, that's a problem with all tutorials on networks for amateurs. They by necessity skim over the subject because this format does not encourage deep evaluation. An amateur might believe something is a silver bullet as a result, without understanding the ramifications of the solution he's copy-pasting. So for a layman, it is best to outsource this, but then another problem comes up - finding the right professional. It's like with plumbers/electricians - hard to find a good guy, and to see if he's really good you can't really depend on referrals, as most people don't have enough understanding to see if he really is good. So you have to gain at least a basic understanding of networking and hope to find someone who is both good and ready to spend his time for what you're offering.
@BoraHorzaGobuchul I think also the product itself and how it's been designed and targeted has an impact. I saw this and wondered first and foremost - why? Why is Cloudflare doing this, what commercial benefit or industry status does this confer upon them? I am genuinely curious to see what comes of that question indeed.
Hi Christian, excellent video. I'm using Cloudflare Tunnel to expose a web application (Django + React) to a handful of clients. I don't care about the data, and I found cloudflared easy to do what I wanted. Should I look for another approach? To access my homelab I still use WireGuard + AdGuard Home + NPM.
Sounds like a thing that needs to be isolated on its own network segment, with all traffic coming out from the agent still going through the main firewall.
Thanks for the great vid. But on 9:15, no "two endpoints" will ever be under your "full control", not even physically (and even one endpoint could be disagreed about as to how much it is under your "full control" as soon as any network connection, let alone a wireless network connection, is involved).
What if you ran cloudflare on a small separate machine, outside of your firewall? So that all cloudflare traffic still had to go through your firewall?
I wonder what makes you stop creating a simple VPN setup with a trusted provider and exposing it securely. If you're able to host Vaultwarden locally, you should be able to set up a VPN as well.
@semirauthsala6001 There are situations where the device you want to connect from can't connect over a VPN because it is managed by someone else. A company device, for example.
Thank you! As far as I know, Twingate uses a different protocol, and does not hook into TLS, however, it also likes to punch a hole into your firewall, so while the 1st and 3rd problem won't apply, 2nd will...
@christianlempa That's great!!! It's my own hole, so fine!!! :))))) Unfortunately my IP address is not public, so I can't use any port forwarding solutions. Thanks a lot for your reply.
It might blow security engineers' minds, but AWS and other cloud providers also have access to your data (physically...), but they don't care to detach and inspect the disks it lives on, unlike the tunnel, which runs on your own machine and which experts can inspect *especially if it's open source* to see what actually is going on... I am no expert, but my logic tells me that there will be performance overhead if such "sniffing" happens; I also think SSL doesn't work this back-and-forward way.
So, what to use? What is the free, professional alternative to Cloudflare tunnels? Reverse proxy, local DNS and what else? Like, how would you add subdomains to your domain to expose your services? The only reason most people use Cloudflare tunnels is because they don't know how to set it up in a different way.
Cloudflare Tunnel is great. But just don't dump it straight into the main homelab LAN. Separate internet-facing services in a separate DMZ compared to "LAN/VPN only" services.
I set up a DMZ VLAN with Cloudflare and pfSense. It's much more complicated to admin, but at least the Cloudflare VM doesn't have full network access by default. Just cost a bit of hair ripping during troubleshooting and setup lol
I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable. I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.
I personally really only use Cloudflare WARP client, which is in fact a fully fledged vpn-like solution with full tcp/udp support... I use tunnels to only expose apps temporarily for friends to see when I'm testing them.
is this a segue to setting up a VPN with traefik? I definitely hope so! I am not sure if tailscale would be the same situation or if wireguard would be the better choice for privacy. a video about that would be a nice addition.
I skipped using Cloudflare very shortly because the DNS you can set up for your location has rules implemented on their side which you can't see, adjust, or bypass. You would have to request the release of domains they mis-configured, and that is not a valid DNS solution for me. Especially when I need a domain instantaneously and in my on-prem solution: I log in, whitelist what needs to be whitelisted, click on save and boom, I can use it. Imagine if your ISPs would act like Cloudflare on DNS requests; that would be a nightmare.
One fundamental mistake. Here is how to use Cloudflare Tunnel without opening your internal network: put the whole shebang into a DMZ - server endpoints and the Cloudflare app. Done, isolated.
I scanned through all the comments to see if there was any mention of this but didn't... When you mentioned that Cloudflare decrypts the traffic, is this specific to if they're handling SSL for you and not if you're handling your own SSL termination? I don't use CF tunnels, but I do use Cloudflare. My internal services that get exposed connect to an Nginx reverse proxy that's in the cloud via a Nebula mesh overlay. The reverse proxy handles the SSL termination. That reverse proxy, though, is also connected to Cloudflare for caching, speed improvements, etc.
Cloudflare decrypts the connection between the web browser and their servers. It then re-encrypts the connection when communicating with your backend. In the middle, within the Cloudflare network, the data is unencrypted and visible to them. You can verify this. Take a look at the SSL certificate your browser uses when connected via Cloudflare and compare it to the SSL certificate used when your browser connects to your service directly. The key fingerprints/hashes won't be the same. Cloudflare owns the private key for their certificate. They are the only ones who can decrypt it. It must be decrypted and then re-encrypted before sending to your backend service.
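The fingerprint comparison the reply above describes can be scripted instead of done by eye in the browser. The following is an added example (not the commenter's or Cloudflare's code): it connects once to the public hostname, which DNS points at Cloudflare's edge, and once to the origin's own address with the same SNI, then hashes the DER form of each leaf certificate. `HOSTNAME` and `ORIGIN_IP` are placeholders you would replace with your own values.

```python
"""Compare the TLS leaf certificate seen via Cloudflare with the origin's own.

Added example. HOSTNAME and ORIGIN_IP are placeholders. If the two SHA-256
fingerprints differ, the TLS session your browser sees terminates at
Cloudflare, not at your server.
"""
import hashlib
import socket
import ssl

HOSTNAME = "app.example.com"   # placeholder: hostname published through the tunnel
ORIGIN_IP = "192.0.2.10"       # placeholder: direct (LAN/VPN) address of the origin


def fingerprint(pem_cert):
    """SHA-256 over the DER bytes: the value browsers show as the cert fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_pem(addr, sni, port=443, timeout=5.0):
    """Fetch the leaf certificate presented at addr for server name sni.

    Verification is switched off on purpose: the goal is to see whatever
    certificate is presented (including an origin's private-CA cert),
    not to validate it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def compare(pem_via_edge, pem_direct):
    """Report both fingerprints and whether the same leaf certificate is in play."""
    fp_edge = fingerprint(pem_via_edge)
    fp_direct = fingerprint(pem_direct)
    return {"edge": fp_edge, "direct": fp_direct, "same_leaf": fp_edge == fp_direct}


if __name__ == "__main__":
    # Public path: DNS resolves HOSTNAME to Cloudflare's edge.
    via_edge = fetch_leaf_pem(HOSTNAME, sni=HOSTNAME)
    # Direct path: same SNI, but connect to the origin's own address.
    direct = fetch_leaf_pem(ORIGIN_IP, sni=HOSTNAME)
    result = compare(via_edge, direct)
    print(result)
    if not result["same_leaf"]:
        print("Different leaf certificates: the public TLS session ends at Cloudflare.")
```

The direct connection has to be made to an address that does not resolve through Cloudflare (a LAN or VPN address of the origin), otherwise both probes hit the edge and the comparison proves nothing.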
Why does every video with these tech YouTubers require me to grab a drink?
They're paid by the Big Drink lobby that wants you hydrated, and your piss translucent
Just once, I'd like to see a video start with: "So get ready, grab yourself a five course dinner and let's figure this out together!"
Great question. Why don't we talk more about it....over a cup of coffee!
To be honest, I wouldn't be able to sit through most of them without a stiff one.
@@xConundrumx for me I need a stiffy
Yup, these are the same issues I brought up in my Cloudflare Tunnel video.
Too many eggs in the Cloudflare basket for reasonable comfort I think.
@ShaferHart Hosting a VPN server primarily just means having an encrypted connection between 2 points, nothing else!
This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure.
The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.
Excellent video, this is something home labbers often get wrong.
Cloudflare isn't a silver bullet to your security woes; sure, it helps, but it comes with its own issues. If you're using a free plan then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.
Little workaround for the firewall issue:
Put the Cloudflare tunnel VM or container in a dedicated /30 VLAN with internet access only to the external IPs of Cloudflare, and create rules to the internal services you want to expose via inter-VLAN routing.
New to home lab here, are you saying to basically segment your internal network, and all your exposed services will be on an isolated network along with your Cloudflare tunnel VM running?
@xavierlarosa8235
Yeah, you could do it like this. This would limit the devices cloudflare would be able to reach to this vlan.
I have gone even further: I've got a server VLAN with my internal services and a dedicated VLAN for the Cloudflare tunnel VM. So I get maximum control over the services Cloudflare is able to reach by creating a default drop between the VLANs and only dedicated allow rules for services I want to expose.
This is what I am doing already to prevent the CF tunnel from getting access to my whole network. The CF tunnel is limited to its own VLAN, then gets access to only the services that really need the Cloudflare tunnel.
@rb-max Could you share how this can be done?
@tonyho4512
Depends on your firewall.
What firewall do you have?
6:00 One thing you could do with a Cloudflare tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN traffic to the appropriate servers and ports on other subnets.
Was waiting for someone to make this video. Great to see someone talking about this. We should see both sides.
Same here
Great video. I'm a huge fan of Cloudflare and think they've done a ton for the world on making the internet more secure. That said, having a reasonable, fair, and open analysis on the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!
Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.
Very good point. You could always put the Cloudflare endpoint in its own vlan so that you can still build firewall rules for the traffic.
Thank you Christian for taking a critical take on this. 👍
Cloudflare tunnel is a tunneling protocol that does a peer-to-peer connection through a "middle-man" server such as Cloudflare tunnel, same as ZeroTier and Tailscale.
Using another server inherently means you have a dependency that you need to be aware of
For Tailscale, if it can do P2P there is no middle man.
If it can't, it will use a middle man.
Agreed with this post. With most cloud providers, you give up your privacy for security (well, security is subjective... providing no three letter agencies haven't already backdoored it like they did with L2TP and Juniper).
Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from behind their CGNAT. In situations where I have played with Cloudflare tunnel it has been inside of a dedicated VLAN on my network, and I think that your concerns are valid. When CGNAT folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports, which I don't really see a way to do on Cloudflare Zero Trust.
I try to avoid using someone else's cloud services. I'm not 100% opposed, but I prefer to manage my own stuff with my own stuff.
This is a good balanced look at it. One thing you forgot to mention are mitigations, such as being careful where in your network to deploy the tunnel endpoint. For example, a "DMZ" (or similar) area where you provide services from but that does not have access to the rest of your network, in order to minimize the crash surface.
To be clear, at around 6:16 when firewalls might become useless because they are not integrated into the firewall and punch a hole....
1. If an enterprise employs application whitelisting on their laptops/servers/desktops then this will never have a chance at being deployed.
2. If an enterprise chooses to do SSL decryption, this would never have a chance at being deployed.
3. If using some form of application identification (AppID), this would never have a chance at being deployed.
4. If you deny the outgoing port 7844 then this will never get deployed.
If you choose to have lax rules or a lax security model then yeah, you can bypass the network security, but this isn't as easy as one would think it is.
Pro tip: You can still use the SSH tunnel and do a reverse port tunnel through that. Cloudflare cannot see/MITM that, since only you have your certificate, which the server verifies and is thus able to perform an authenticated Diffie-Hellman exchange and guarantee your communication is confidential! (See the SSH2 protocol and TOFU security model)
Also, I thought it was obvious that it works as essentially a MITM? They even advertise it as such! How else would they be able to magically HTTPSify all your services? Obviously, keep this in mind....
I like how he kept a neutral stance but provided info so we can make our own choice.
I just recently deployed Cloudflare tunnel with my home lab services and it's been working fantastic, but after watching this I'm very conflicted.
Like I said, it's not a bad service at all. Just depends on what matters most to you, simplicity, or privacy :)
I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network, allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which makes OpenVPN with MFA impossible with NPS. Now you must pay for expensive services such as Duo :(
P.S. Love your content and what you provide for the IT community, Thank you!
I think one of the main issues for me is the centralising of important internet infrastructure. Cloudflare offers some great services which are important. But I do not feel comfortable with so many eggs of the internet being in so few baskets.
Awesome video btw dude as usual
I see it in the opposite way: Cloudflare removes many points of failure. Of course it depends how much time, money and (electric, your) energy you are willing to invest into your infrastructure. For accessing your personal blog, Nextcloud, git ... running on a low power PC/SBC I'd say it's perfect.
Glad someone else finally said it!
Good point. I had to decide between ZeroTier, which is more convenient for my application, and Cloudflare. I decided for Cloudflare because I trust them (more). But shutting down a service is also a valid complaint.
Please do a video about best practices to set up Sophos XG, secure the net, expose services safely, etc. Or a video where you show us your Sophos setup. Thanks man!
Another thing I would like to mention that most YouTubers don't is that if you are using Cloudflare you should set up DNS overrides on your DNS server on your LAN so that stuff doesn't go through Cloudflare and works offline when just accessing it from the LAN.
How do you do that? And if you use something like Pi-hole, is this still a concern, or especially then?
@jayzn1931 Pi-hole is the DNS server I used; just add the address of the website and the server IP in local DNS.
@jayzn1931 Google split DNS
The reason why self-hostable solutions like Boundary or Teleport in a free tier cloud are way better to use, when you want to do business things.
This is exactly what I was thinking. That’s why I run a VPS with a site2site VPN connection home to my self hosted services. It’s basically a jump box or traffic forwarder. There’s two ways for this: terminating your SSL at your VPS (which I am doing now) or forwarding the SSL traffic home (with HAProxy, experiments running as I am typing this).
Video coming up on this, too
But why? xD Set up SSH access via certificate on your VPS, use autossh on your machine, forward the ports you want to expose, write a startup rule in your .rc, done.
Set up SSH access via certificate on your VPS, create a new service, ssh to your VPS, forward the ports you want to expose, systemctl daemon-reload, service xxx enable, done.
@MrOnePieceRuffy because SSH reduces the performance by a lot, because it's double TCP encapsulation
This is actually what I do too, also gets around CGNAT for my backup 4G internet connection
I would love to check out that video! I use Cloudflare tunnel for hosting some sites from a mini pc that I have. But I would feel more secure if the traffic is forwarded direct from a cheap server that I can fully control.
Hmm.... Your video confirms my amateur understanding of Cloudflare tunnels. Thank you very much! I'll think more about it, get info and probably tip my tunnels and switch to a practical in-house VPN solution. I hope I can do that. Best regards.
Great video! I think homelabbers should talk more about who you trust with your data, but also the various attack surfaces these services open up.
I'd be interested in a deeper dive and comparison between Cloudflare Tunnels, Twingate and Tailscale (and Headscale), as they all do similar things with subtle, but important, differences.
You forgot zerotier. Would really love to see an in depth comparison of these
Glad I watched this. I will abandon Cloudflare before I get too involved. Much appreciated.
Thanks! Glad it helped
I liked it until I was charged a huge fee. Since they track data that's pushed, if someone goes in and starts using API's to pull massive amounts of data and you don't have rate limiting in place, there goes a few hundred dollars.
thank you for this comment! I was about to set up my homelab to record site-to-site with poe cameras, but that would send ~80/gb, I guess I will stick with my current wireguard lan to lan 😂😂
hmmm isn't it free? the free plan?
I have enough options with my FortiGate firewall to share certain parts of my network. I looked into the Cloudflare solution, but the fact that all my traffic would go through their servers stopped me from using it. However, once you have made the right settings in your firewall, it is easy to quickly provide someone with a service from the HomeLab.
Finally... someone said the truth.
I have tested CF, and I didn't choose it for a few reasons - trust, protocol limitation, and L7 protection (threat protection, AV, IPS, web filter etc.), which I can do on my Sophos XG (WAF). Maybe I didn't test it well, but... ;)
I like that you are correcting it.
What do you mean?
If you apply this logic then AWS can also read everything at the load balancer because we add all keys to AWS ACM. In that case nothing is safe on the cloud as well.
I think I trust cloudflare much more than most tech companies out there.
Great video. Probably you should have added more emphasis that similar products (Zerotier) have the same problem.
US 3-letter organisations have access to all of your data, for sure.
What's the alternative to it though? If the option is either opening a port or using cloudflare, is that really a viable alternative?
IPv6
I mean you can do something like tailscale, but that may still have similar privacy issues, so best option would be headscale with another main server on the cloud
You can host your own service on a VPS, or use a remote access VPN.
@Technically_Bad That's the equivalent of opening a port: hosting things on a public-facing cloud. Instead what I suggested is using a VPS and a public-facing connection interface. Without the VPN to go through the first server, you can't even reach the second.
@damiendye6623 true, but hard to implement currently
I think the issue with the internal firewall in the internal network can be mitigated by making sure that the requests crossing from the cloudflared tunnel need to cross the firewall itself prior to reaching the service being exposed. This way requests are also checked by the internal firewall. You can have a separate firewall for this, or it can be the same firewall that already exists. What is important is that the cloudflared instance is separated from the internal application instance by the firewall. Firewall rules/checks/inspection can still happen.
"... customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2." - Cloudflare's blog.
That is for the removal of section 2.8 in the Cloudflare Terms of Service, which essentially means nothing to most people unless you are paying to use their services.
Thanks for another great video as usual!
You're welcome! Thanks for watching :)
Thanks for sharing your knowledge; I'm planning my home lab and use your videos as research.
Good video. I self-host to have control over my data, I don't want to give it to a company again.
True ;)
Regarding your point about serving non-HTML content, I always found it was a good practice to bypass the caching with a page rule. I use the tunnel and a reverse proxy to host my plex server using a custom server access URL and the first month I had it running with no page rules I was a bit unsettled to see how much data had been cached, but nothing came of it anyway.
They said in the Discord that this rule applies to ANYTHING that goes through the Cloudflare network; they don't care if you cache it or not. So you can still get booted if you don't cache a thing. However, they probably won't bother you if you're not pushing many terabytes of data.
This is what I am thinking about doing. So are you doing a CF tunnel to nginx to then forward to Plex? Any security concerns? I feel like it is better than exposing ports on my IP.
It's literally a description of how a malware would work :) Whether one trusts CF or not is up to everyone to decide for themselves.
Well, I guess that one should not use this kind of services without security layers in mind.
Mostly because in a certain, given scenario, one could use their service's trustworthy reputation to stealthily exfiltrate data from a company's network, or gain reverse access to it. Either by somehow abusing it or installing it on purpose in a post-exploitation phase.
This is a great option when your security's strategy is mature enough and capable of containing threats as mentioned before.
Very good video. I was especially interested in the security concerns of bypassing your company's firewall by using such a reverse tunnel. I guess no enterprise will want to have such a thing set up by an individual user. I could imagine an enterprise setup done locally with trusting Cloudflare, but it's a security nightmare when everyone can start a Docker container and punch holes into the whole firewall setup. I would even assume that some companies block those hosts and ports by default.
Thank you man! :)
The big takeaway should be that if you don't understand the security implications, then don't use it. Goes for all systems though. Not fair to aim at cloudflare, but certainly fair to respond to your own content to provide better clarification.
Vielen Dank Christian! I've been considering haproxy or the CF tunnel. This helped me make my decision.
Thank you. I was wondering the implications of using it
Great content Christian! Your channel rocks!
Thank you buddy :)
Thanks for the video. It actually makes sense. But I would like to add something here: "home lab is for learning", right? Yes, we can check out some tools, but I think people who have a home lab should expose their services and do some kind of research about how to secure them, for example, use some kind of firewall, IDS/IPS, etc. See the logs regularly, and automate some things. Maybe I am wrong, it's just my thought. Correct me if I am wrong.
Was about to deploy Cloudflare and thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed.
I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out, well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!
3:40 I recall a rather large, and quite shady, situation that occurred right before their sudden popularity. It was enough of a ‘something’ that it warrants caution. Some might even argue that it justifies suspecting ulterior motives.
Thanks for pointing out this issue.
Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your Cloudflare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust.
Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement reverse proxy, lol).
Just use a reverse SSH tunnel to the device hosting the cloudflared, that's encrypted end-to-end.
Is this some kind of SSL passthrough setting in Cloudflare?
I switched from ngrok to Cloudflare tunnels and I don't regret it.
The branding bugs me. It's part of their "Cloudflare Zero Trust Platform", yet requires enormous amounts of trust of Cloudflare since they must decrypt your traffic.
Am I missing something?
Hmm true 😃 however, the Zero-Trust concept refers to something different; it's a new concept in IT to create more secure environments.
In my opinion, Cloudflare is a great (or maybe the best) solution for home labs, small businesses, and publishing simple amateur websites.
If it's a big company - definitely not.
For my home lab it's the only option - I have no public ip, not even a dynamic one. My ISP put me behind NAT.
Tailscale or ZeroTier may be a solution.
Keep in mind, VPNs also have their drawbacks, maybe a topic for a second video :P
@christianlempa "Why you should NOT use a VPN (if you do this)" lol
@rexeus I use ZeroTier for those services that only I use alone.
Through the public space, the services that my family and friends use with me are used. For example, video surveillance, streaming services for music, cloud file sharing.
@christianlempa Then we look forward to the video!
First! Thanks for keeping sharing your knowledge Christian!
Thank you so much :)
Thank you for giving so much insight in your videos that ACTUALLY matters, not only in the specific use case that you presented but even in wider use cases! I did not know that cloudflare has access to clear-text traffic between client and server. And I believe that the argument some people bring to this issue "oh, but it's designed to be that way, because it doesn't work otherwise" is nonsense. If it's designed that way, then that is bad design. It is totally possible to have true end to end encryption between client and server. So I think creating "tricks" that add other parties in between, which everyone tends to ignore (therefore, becoming fertile ground for corruption), is a blatant offense to what TLS was designed for in the first place.
Thank you so much, this is great feedback :)
Today they posted on Cloudflare Blog: "Goodbye, section 2.8 and hello to Cloudflare’s new terms of service". This is part of their Developer Week announcement. You need their services like Stream to serve video though.
Thanks for the info and video, have a great day
Personally, my deployment of Cloudflare tunnels is by deploying it as a sidecar container on my external ingress Traefik instances.
I run 2 sets of traefik deployments in my local k8s cluster, one that's exposed to internet via cloudflare tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to traefik on localhost" rule static configuration.
It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok I guess. Tailscale funnel is nice, but a bit restrictive since you can't use your own domains.
As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services; then its traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice, so... tradeoffs.)
When first I saw these "how-to" videos with the CF Tunnel product I was instantly mortified for anyone trying to establish even basic enterprise security on a network especially if they're not well resourced; prosumer and consultant type users tend to slap this stuff onto their workstation so they can go home and "work from home", I've seen that time and again over the decades. This type of system exposes both hubris of users and also demonstrates a really really serious "failure of imagination" - I guarantee to you that in the brief 3-4 seconds you consider any security implications you won't even be remotely close to a team who has perhaps spent months figuring out how to exploit this new method or even adjust their existing methods to use it as an exploit. You might not be the end target but you might end up being a very convenient relay for an attack (perhaps even with subsequent ransomware intrusion afterwards to help cover forensic tracks).
Zoning is utterly critical with these things - this might be ok to expose services in a proper DMZ which you were going to expose anyway but that's not how it's being sold to viewers by excited tech youtubers who gleefully outline how they opened up their production network to others so they could dish out parcels of editing work, clip libraries, etc.
The impressive sounding authentication and encryption technologies bypasses the not-so-subtle fact that you're giving someone outside a direct inroad into your network and that security is instantly as strong as the weakest chain in that link. Any compromise or misuse upstream - intentional or otherwise - and you're instantly exposed. Not just by flaws, corporate misadventure and especially state agencies who mandate backdoor access either, add to that the fact that this is a concentrator putting all those lovely access points into one place... I suspect at some point we're going to see an indexing site of poorly secured relays like that site that lists insecure webcams. Those are spread all over the public IP address space but have common flaws from default configuration and open ports that draws unwanted interest that an unsuspecting, uneducated retail user would never have considered.
Sure, it does look cool and all but please - limit your use to things you were going to out-zone and present to the internet anyway. Anything else needs to be hardened and require as many authentication steps as a fully externally presented service. Compromised networks like these are extremely hard for everyone to deal with especially if you have some kind of operational relationship with an affected party. This is all going to get so so so so so much worse too as we all invariably head towards "hot war" in either the Pacific or Europe too.
Well that's a problem with all tutorials on networks for amateurs. They by necessity skim over the subject because this format does not encourage deep evaluation. An amateur might believe something is a silver bullet as a result, without understanding the ramifications of the solution he's copy-pasting.
So for a layman, is best to outsource this, but then another problem comes up - finding the right professional, it's like with plumbers/electricians - hard to find a good guy, and to see if he's really good you can't really depends on referrals as most people don't have enough understanding to see if he really is good. So you have to gain at least basic understanding of networking and hope to find someone who is both good and ready to spend his time for what you're offering.
@BoraHorzaGobuchul I think also the product itself and how it's been designed and targeted has an impact. I saw this and wondered first and foremost - why? Why is Cloudflare doing this, what commercial benefit or industry status does this confer upon them? I am genuinely curious to see what comes of that question indeed.
Can you point out some other options similar to cloudflare tunnel which have similar services.
Hi Christian, excellent video.
I'm using Cloudflare tunnel to expose a web application (Django + React) to a handful of clients. I don't care about the data, I found cloudflared easy to do what I wanted. Should I look for another approach? To access my homelab I still use WireGuard + AdGuard Home + NPM.
Another good video sir !!
Thank you so much :)
Sounds like a thing that needs to be isolated on its own network segment, with all traffic coming out from the agent still going through the main firewall.
Simple: set the Cloudflare tunnel to a dedicated VLAN, so you can still control the connection to your internal IPs.
Thank you Christian for the video.. kindly, we need to know what the alternative solutions are in your opinion?
Thanks for the great vid. But on 9:15, no "two endpoints" will ever be under your "full control", not even physically (and even one endpoint could be disputed as to how much it is under your "full control" as soon as any network connection, let alone a wireless network connection, is involved).
Healthy criticism is always good 🎉
Agreed :)
This was very informative, danke sehr
What if you ran cloudflare on a small separate machine, outside of your firewall? So that all cloudflare traffic still had to go through your firewall?
I applaud you for also pointing out the drawbacks of CF tunnels. What is your opinion on exposing something like vaultwarden on CF tunnels?
I wonder what makes you stop creating a simple VPN setup with a trusted provider and exposing it securely. If you're able to host vaultwarden locally, you should be able to set up a VPN as well.
@semirauthsala6001 There are situations where the device you want to connect from can't connect over a VPN because it is managed by someone else. A company device, for example.
Hey Christian, thanks for your videos. Does the same thing apply to Twingate? Any insights on this solution? Thanks
Thank you! As far as I know, Twingate uses a different protocol, and does not hook into TLS, however, it also likes to punch a hole into your firewall, so while the 1st and 3rd problem won't apply, 2nd will...
@christianlempa That's great!!! It's my own hole, so fine!!! :))))) Unfortunately my IP address is not public, so I can't use any port forwarding solutions. Thanks a lot for your reply
It might blow security engineers' minds, but AWS and other cloud providers also have access to your data (physically ...), but they don't care to detach and inspect the disks it lives on, unlike the tunnel which runs on your own machine and experts can inspect *especially if it's open source* what actually is going on ... I am no expert, but my logic tells me that there will be performance overhead if such "sniffing" happens. I also think SSL does not work this back-and-forward way.
do you have a video on what to use instead of cloudflare tunnels to access my homelab applications?
There will be more videos about these topics. Currently I can recommend tailscale or teleport videos.
Thank you! Just in time, as for me.
Why do you use something where somebody has his hands on? You can build your own reverse proxy and have full control. You only have no fancy UI.
So what method do you recommend for remote access to home network? VPN?
CF is a definite to go for an MVP (minimum viable product)
You should do a video about Twingate. Very cool tool
So, what to use? What is the free, professional alternative to Cloudflare Tunnels? Reverse proxy, local DNS, and what else? Like, how would you add subdomains to your domain to expose your services? The only reason most people use Cloudflare Tunnels is because they don't know how to set it up in a different way.
Cloudflare Tunnel is great. But just don't dump it straight into the main homelab LAN.
Separate internet-facing services into a separate DMZ from "LAN/VPN only" services.
I set up a DMZ VLAN with Cloudflare and pfSense. It's much more complicated to admin, but at least the Cloudflare VM doesn't have full network access by default. It just cost a bit of hair ripping during troubleshooting and setup lol
I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable.
I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.
Great insight, thanks
I personally really only use the Cloudflare WARP client, which is in fact a fully fledged VPN-like solution with full TCP/UDP support...
I use tunnels to only expose apps temporarily for friends to see when I'm testing them.
Is this a segue to setting up a VPN with Traefik? I definitely hope so! I am not sure if Tailscale would be the same situation or if WireGuard would be the better choice for privacy. A video about that would be a nice addition.
I quickly stopped using Cloudflare because the DNS you can set up for your location has rules implemented on their side which you can't see, adjust, or bypass.
You have to request the release of domains they misconfigured, and that is not a valid DNS solution for me.
Especially when I need a domain instantaneously; in my on-prem solution I log in, whitelist what needs to be whitelisted, click on save, and boom, I can use it.
Imagine your ISPs would act like Cloudflare on DNS requests; that would be a nightmare.
One fundamental mistake. Here is how to use Cloudflare Tunnel without opening your internal network: put the whole shebang into a DMZ, the server endpoints and the Cloudflare app. Done, isolated.
I scanned through all the comments to see if there was any mention of this but didn't see one...
When you mentioned that Cloudflare decrypts the traffic, is this specific to them handling SSL for you, and not the case if you're handling your own SSL termination? I don't use CF Tunnels, but I do use Cloudflare. My internal services that get exposed connect to an Nginx reverse proxy that's in the cloud via a Nebula mesh overlay. The reverse proxy handles the SSL termination. That reverse proxy, though, is also connected to Cloudflare for caching, speed improvements, etc.
Someone said you can host your own PKI and point CF to it. However, I am not sure what the point of having it at all is then?
Cloudflare decrypts the connection between the web browser and their servers. It then re-encrypts the connection when communicating with your backend. In the middle, within the Cloudflare network, the data is unencrypted and visible to them.
You can verify this. Take a look at the SSL certificate your browser uses when connected via Cloudflare and compare it to the SSL certificate used when your browser connects to your service directly. The key fingerprints/hashes won't be the same. Cloudflare owns the private key for their certificate. They are the only ones who can decrypt it. It must be decrypted and then re-encrypted before sending to your backend service.
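The certificate comparison described in the comment above, scripted so it can be repeated without a browser. This is an added example, not code from the comment author, the video, or Cloudflare; `app.example.com` (the public hostname proxied by Cloudflare) and `192.168.1.10` (the origin's LAN address, where the same service answers directly) are placeholder assumptions. It opens a TLS connection to each side, takes the leaf certificate each one presents, and compares SHA-256 fingerprints in the colon-separated form browsers display. Verification is switched off on purpose: the point is to see whatever certificate the peer hands out, including one issued for a different name.

```python
import hashlib
import socket
import ssl
import sys
from typing import Dict, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as AA:BB:... (the form browsers show)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_cert(host: str, port: int = 443,
                    server_name: Optional[str] = None, timeout: float = 5.0) -> bytes:
    """Return the DER bytes of the leaf certificate presented by host:port.

    server_name is sent as SNI; pass the public hostname even when host is an origin IP,
    otherwise a name-based virtual host may answer with a different (default) certificate.
    check_hostname must be cleared before verify_mode, or ssl raises ValueError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(der_a: bytes, der_b: bytes) -> bool:
    return fingerprint(der_a) == fingerprint(der_b)


def interpret(edge_fp: str, direct_fp: str) -> str:
    """Turn the two fingerprints into a verdict.

    Different fingerprints mean the edge holds a private key your origin does not have,
    so the edge terminates TLS and sees plaintext. Identical fingerprints mean the
    connection reached your own certificate (e.g. a DNS-only record, no proxying).
    """
    if edge_fp == direct_fp:
        return "same certificate on both paths: the edge did not terminate TLS"
    return "different certificates: the edge terminates TLS and re-encrypts to the origin"


def compare_paths(public_host: str, origin_host: str, origin_port: int = 443) -> Dict[str, str]:
    """Fetch both leaf certificates and report their fingerprints plus a verdict (needs network)."""
    via_edge = fingerprint(fetch_leaf_cert(public_host))
    direct = fingerprint(fetch_leaf_cert(origin_host, origin_port, server_name=public_host))
    return {"via_edge": via_edge, "direct": direct, "verdict": interpret(via_edge, direct)}


if __name__ == "__main__":
    # Placeholder hosts (assumptions): python3 compare.py app.example.com 192.168.1.10 [port]
    public = sys.argv[1] if len(sys.argv) > 1 else "app.example.com"
    origin = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.10"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    for key, value in compare_paths(public, origin, port).items():
        print(f"{key:9}: {value}")
```

With a Tunnel the origin is usually not reachable from the internet at all, so the "direct" leg is taken from inside the LAN against the service's local address; that is exactly the comparison the comment describes. One caveat for reading the result: identical fingerprints only show that this particular hop did not terminate TLS, they say nothing about what an agent running inside your network can do.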
Why not just add an extra layer of encryption before sending stuff through Cloudflare? Excellent video btw
OMG, where did you get your animated Matrix wallpaper?? Also thanks for this, I've been looking at using Cloudflare due to YouTube videos etc.