You should NOT use Cloudflare Tunnel (if you do this...)

Not only do CF tunnels convey your data unencrypted through CF, but if you use their traditional DNS and choose CF proxy to "hide" your IP, your data is again in clear text within the proxy handling path.

Was about to deploy Cloudflare and thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed.

I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing.. It was thoughtfully laid out well explained with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!

i just want to use their international network to reach my resources when international

do you have any videos on how to set up a webserver on a raspberry pi and have secure certificates etc that can be accessed externally and not open up your home to potential cyber attack?

amazing as always

What about the new ECH from cloudflare??!

Sehr schön aufbereitet, Fleischmützen der IT ftw :-)

100% get what your saying and respect the idea but......how about a what we should use video to fallow this up

So what method do you recommend for remote access to home network? VPN?

lol, the same guy did a full advertised video on twingate 😄

Could you make video with alternative way to expose internal services without public IP(CGNAT)?

I currently rent VPS with public IP and with ZeroTier (will setup my own WireGuard at some point) connect to dedicated VM at home. then on that VPS I redirect all traffic on ports 80 and 443 to my reverse proxy VM with IPtable rules. It was a bit of a pain to get it working at first before I figured out the correct IPtable rules. But works fine since then.

Do you think tailgate is a better solution than cloudflare?

I set up a DMZ vLan with Cloudflare and pf-Sense it's much more complicated to admin but at least the cloudflare vm doesn't have full network access by default just cost a bit of hair ripping during troubleshooting and setup lol

You Germans are craze about your data (c)

SKYNET!

Why twingate has not these privacy issues? I also connect to twingate and and the connector connects to twingate. So it’s the same, or what does twingate differently?

If I have NordVPN configured through my router will this have an issue with cloudflare? I’m just trying to have the safest way to connect to my nas outside my network

So if I have a wordpress container with a small website and I run the tunnel inside the docker I should be safe. Am I right?

The reason why self-hostable solutions like boundary or teleport in a free tier cloud are way better to use. When you want to businees things.

Very well explained. I use one cf tunnel with docker but is running on a oracle VPS and from there I am sending the traffic to the homeserver with haproxy through a wireguard tunnel. cf can see what I am doing on that VPS but can't see my homeserver, this the difference. I am glad that you have exposed the catch behind the hype of those cf tunnels from security perspective, congratulations for this video!

what are the 50 limit their ? can only 50 user per website ?

I dislike this

Brilliant!

Thanks for this clarification. I'm new to homelab, but watching some other yt videos I asked myself: why configuring properly my firewall and control its traffic is less secure than installing 3rd party software in my home network having no control over this software. For me it sounded like installing a backdoor (I know I'm exaggerating a bit).

Opening a single port which is protected via public key pairs and maybe username/password (aka VPNs) is still more secure than anything else IMHO.

my family is currently in a country which filters internet traffic . I am in UK and tested with them access to any UK server and it's all timing out. However access to the cloudflare test proxied website works fine. So I am thinking of using cloudflare tunnel to the anyconnect server , do you think that would work ?
I want the initial IP to be the cloudflare IP which appears not to be blocked from the filtered country

what about magic wan form Cloudflare I think it will be good for security reason

Cloudflare simply break the basics about SSL between the client and the server. Period.
If someone wants to host something, he have to know about the security basics and not rely on a third party company. If you want to secure access to your internal resources, just do MTLS.

What is the best solution?! Please help

Curious what your thoughts on cloudflare spectrum are

so which on is the best, zerotier, twingate or cloudfare ?

love

Thank you I actually didn't think about this. I was looking for a simple way to allow my wife to access our server without too much configuration on her phone snd decided to give cloudflare a try and boy it's so much easier. But I decided to configure openvpn and configure our phones so we can connect to our home network. Maybe until I find a way to segregate or limit the traffic is being passed through cloudflare?

tl:dr Privacy ... duh

How lame

Can you point out some other options similar to cloudflare tunnel which have similar services.

cloudflare tunnel is great. But just dont dump it straight into the main homelab lan.

Seperate internet facing services in a seperate DMZ compared to "LAN/VPN only" services.

I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable.

I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.

why not just add an extra layer of encryption before sending stuff through cloudflare? excellent video btw

What is your alternative?

Cloudflare is semi trustable compared tho google.

Sound ike your describing a vpn (to me at least).

For me I am looking at it ad I switched to a cheaper isp that doesn't provide static ip addresses (found out after I signed up).

Personally, my deployment of cloudflare tunnels is by deploying it as a sidecar container on my external ingress traefik instances.

I run 2 sets of traefik deployments in my local k8s cluster, one that's exposed to internet via cloudflare tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to traefik on localhost" rule static configuration.

It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok I guess. Tailscale funnel is nice, but a bit restrictive since you can't use your own domains.

As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services, then it's traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice so... tradeoffs.)

One fundamental mistake.- Here is how to use CloudFlare Tunnel withouit opening your internal network: Put the whole shebank into a DMZ - server endpoints and the cloudflare app. Done, isolated.

clickbait for sure

Cloudflare provide data localisation for GDPR etc requirements.

great video, is their any good CDN service that I can get for free as Cloudflare ??

Has anyone measured, from the web browser's standpoint, how much latency CF adds to the round-trip transaction? Is it 10s or 100s of milliseconds?

Thanks for the info and video, have a great day