Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for. I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) . Do you know of a solution that is halfway user friendly (as near to plug and play as possible)? Thanks a lot!
Sadly, those two are often at odds. Wg-easy can do part of that, otherwise it'll be something like headscale/tailscale. I guess you could use something like Authentik and Authelia to restrict access by user accounts.
How would you set up something similar on a cloud where you don't have the possibility to filter the traffic between devices (like Hetzner)? Any way to achieve something similar with subnets?
Just wanted to pop in and say awesome series - this has really made all the difference in my homelab journey. Thanks and keep up the good work! Question - does this still have value if you already host all your external accessible apps on a DMZ?
http_status, bastion - what are they? By the way, CF has the ability to install RDP on Windows, and in the tunnel settings you can choose an RDP tunnel. Do you have a video or instructions on how to do this and how to secure such a tunnel?
As with SMB, I don't recommend exposing RDP to the internet, it'll likely be brute force attacked. You're better off putting this behind a proper VPN like WireGuard (I have a video on that, or headscale if you're unable to port forward - see other video)
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik. All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring. Is there a flaw in my understanding of these bridge networks?
That's probably the worst case scenario. All depends how much you care about privacy and how much risk you're willing to take, perhaps for your use case it's fine.
@@Jims-Garage Yeah, I moved back to a VPS. My ISP is very stingy: no bridge mode, no VLANs, hell, I can't even change DNS on the router and have to do it on a device-by-device basis :/
Dude, awesome video. I know it's a lot of work, but could you make a tutorial on implementing this in a CasaOS environment? I have one server with all my apps and I want to set up another one to run firewall, tunnels and monitoring. As I'm not a security professional I need more details on it, lol. If you can point me to a tutorial or create one, that would be amazing.
I've used Cloudflare tunnels before and it's too easy to set up. Unaware users don't know what security layers they lost... I'd rather use an nginx reverse proxy over a VPN into a VPS.
How exactly could network engineers at a company prevent someone from hosting an internal company service externally over their own domain through cloudflare tunnels? Block all Cloudflare traffic and break the company internet? 😅
@@Clarence-Homelab Several ways. A couple of obvious ones: block access to production, Docker, Kubernetes etc. through privileged access management. Block egress traffic. Monitor and alert on new containers etc.
I too use an XG firewall, and I have a CF tunnel working with Nginx. Unfortunately, when I put the tunnel on its own VLAN the tunnel now reports the error "TLS handshake timeout, cannot reach origin server". I have the firewall rule set up to allow traffic from the tunnel VLAN to the NPM VLAN just like in the video. I can ping my Nginx proxy from the tunnel VLAN. Not sure why it's not working when they are on separate VLANs.
@Jims-Garage the firewall rule in place is pretty open, I am not blocking any ports. In fact, I have it set to allow traffic from one vlan subnet to the other subnet with no service or IP restrictions or IPS during my testing. I am going to remove the NPM out of the equation to see if that's the issue. I will instead use cloudflare as the proxy on the tunnel. I would prefer to use an internal proxy, though.
@Jims-Garage DNS for what's behind the NPM proxy? If so, not yet. I was stuck on the tunnel error about it reaching my proxy, so most of my troubleshooting was making sure NPM and cloudflared can communicate.
Great video and lovely of you to give Christian a shout-out. Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?
I appreciate your videos! You have been a lot of help on my journey. However, this isn't working for me. In my Sophos log, I see my rule being used, and the traffic gets routed to the correct IP. However, it seems to end there. My Traefik access logs don't show any entries. So the traffic is being dropped somewhere between my firewall and the Traefik container. Any troubleshooting advice? I feel like somehow I am losing the name resolution, so Traefik ignores it. But I don't know how to check for that.
What is SMB? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, SMB is very sensitive to delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.
SMB is short for samba, you're right, it's a network share protocol. I would advise against using it in a Cloudflare Tunnel, you don't want to be exposing shares this way (i.e. to the internet - use a VPN instead).
Watched it like 20 times and still can't recreate it. I just left it unsecured, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.
@@Tmacs-yp6vv Nope, but thanks for your concern anyways d1ckhead. Turns out that my ISP’s “passthrough mode” modem isn’t really passthrough and won’t allow anything to hit my firewall and it’s impossible to connect my gateway directly. We’re still troubleshooting what middleware on their side of the network is screwing this up. In addition, adding CF firewall filtering rules blocked 99% of traffic and only allowed the tiny amount of valid traffic through the tunnel.
Thanks for the honest feedback. I prefer videos without, but apparently most people like some ambient background music. I'll mix it up on future videos and see how it goes.
Thanks, I don't watch your videos as entertainment, rather as technical information and tutorials. I find any kind of background music totally distracting.
@@EduardoSantanaSeverino That's great, just imagine, if you use your own device for listening to music, you can even choose which song you want to play in the background ;-)
When you say you're punching a hole in your home security, do you understand that no one has any security other than whatever standard thing is included? And I don't even know if anything is included in macOS by default.
Agreed. But most people running a Mac aren't exposing it directly to the internet. Moreover, most homelabbers will have a 3rd-party firewall that they control. With a Cloudflare Tunnel you're effectively handing all trust over to Cloudflare. Granted, they're one of the biggest players in the game and therefore advanced, but it does also make them a prime target for attack. I feel it's worth taking control and doing it yourself, or doing both as I illustrate.
@@Jims-Garage I mean, I don't have any firewall in my router, so anyone can break inside my local network. I'm exposing my Synology NAS by trusting Synology to do that. I'm exposing my Home Assistant by trusting Nabu Casa. I'm always trusting someone.
I have an internal reverse proxy (Traefik) that routes all of my internal hosts by name, i.e. proxmox.local.home.lan, docker.local.home.lan, portainer.local.home.lan, which is great as I don't have to put in port numbers or anything, and everything is HTTPS all the time, even inside my network. Is it more secure to point my Cloudflare tunnel at one of those? In other words, I would like to set this up exactly as you have outlined here (great job, by the way) but not go to the actual server, just go to my internal proxy. Is this better? Does Cloudflare still see my traffic this way?
Routing through a proxy won't really do much. In my video I'm making sure the traffic goes through a firewall, and is scanned by crowdsec. Those are the two bits that add back some security.
@@Jims-Garage the reverse proxy is also behind my firewall ( it isn't meant for external access) so I'll just make all the rules and see how it goes. Thanks again!
You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!
Thanks, appreciate the feedback
Well said. Getting the scope on a video right can be a challenge, and a lot of creators stay too high level.
Haha, I agree. So many tutorials feel the need to put in cheesy distracting techno music. Your music is better and less distracting than most, but still somewhat distracting. Nevertheless, your videos are top quality, and thank you very much.
Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation.
Well done, sir.
I appreciate that! Thanks.
Very good and important content! Thanks for making this video.
Nice video mate. You explained it well and didn't go too far into the weeds. I'm keen to loop through your other videos. Keep making content!
Thanks 👍
Thank you for such a clear and succinct explanation. This has been most helpful!
You're welcome
Thanks for the demo and info, have a great day
You too, Chris.
Very well explained. Thanks
@@Galasuy thanks 👍
I've been using cloudflare for a while, but I couldn't figure out how to limit it to a few containers.
What I really wanted was to find a way to limit docker to only use a single interface on my server, but it has proven impossible.
It was possible to use incus to create a vm for docker to run in, and that could be limited. However it feels a little cumbersome.
Your video really helped me find the right solution using macvlan. 👍
@@madeyeQ that's great. Macvlans are an awesome tool.
Like the way your explain everything in your videos. Keep up the good work.
Great video! Thanks for teaching me how to secure my self-hosted server!
You're welcome 😁
Christian is doing some very good work, but so do you, James. Clear videos, and also the good stuff I want to learn.
Thanks, appreciate the feedback 😃
Amazing video, thanks for your work.
Thanks!
Thanks a lot, this is what I was looking for. You did such a great job explaining things clearly and precisely, keep up the good work, sir!
Thanks 😊
Great video, thank you!
Thanks!
Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?
Yes, good point. That will work for http headers but not for non-http (at least from my testing and the docs)
Thanks for the video, good content!
Now correct me if I'm wrong, but using this technique will allow me to block all traffic that is not using a FQDN (i.e. IP scanners) if I disable normal port forwarding on my UDM SE firewall and then open ports for the incoming traffic from the Cloudflare tunnel?
If so, is there any other way that I could accomplish that without using Cloudflare tunnels? Alt. provider of similar functionality, or with some firewall configuration...? Or is this a unique combination of functionality?
I was hoping you would honor me with an answer, would really appreciate it! I'm thinking it might work to host stuff through a tunnel this way, having a public-facing server without actually opening any ports on it, and that the combination of DNS management (having a proper DNS entry for public access) and a tunnel (connected to that entry) is something that I haven't seen elsewhere and might be unique. You can have CNAME entries pointing to Tailscale network nodes, but that would require access to the Tailscale network, which is different from this...
I had also this concern about the "privacy" of these services when they became available! Mac-Vlans are pretty powerful feature!
Thanks for the solution and the fantastic tutorial!
Thanks 👍
So is there no way to solve problem 1 then? Which is that they’re still seeing all of your traffic?
No, if you use a Tunnel they see everything. The normal thing would be to open a port, otherwise use a VPN/Mesh.
Just implemented this for my cloudflare tunnel. great content. so easy to understand!
Great, thanks for the feedback 👍
By the way, as I said, I don't use Docker, but Debian. The virtual machine is located in VirtualBox, which is installed on Windows 10. Because when I used Docker, I couldn't figure out how to set up a network connection. Rather, I did not understand why there is no connectivity between Docker, which is installed on the Ubuntu virtual machine, and the local network. The virtual machine was also on VirtualBox, Ubuntu was installed, and Docker was in it. There was connectivity between Ubuntu and the local network, there was a connection between Docker and Ubuntu - the network worked. But there is no connection between Docker and the LAN. I couldn't ping or anything. It was as if Docker was isolated. That's why I used Debian, because it's very simple there. Just one command.
It's probably the network setting you gave the VM in virtual box. You'll want to create a bridge so that VMs can access the lan. I recommend a dedicated hypervisor like proxmox or esxi if you can.
@@Jims-Garage @antoniomax3163 - it seems to me that in your case you have two NATs, which means that you just can't use the target networks behind the second NAT on the Docker side, but you should rather point to the first network on your VirtualBox, and then perform a bit of port forwarding, or disable the NAT and bridge the network, so you are receiving the IP addresses transparently. That should do the trick.
You can even go with the simplest MikroTik device and set up a hypervisor behind it; probably it will be easier than getting to know the meanders of the networking in this case. Cheers.
Very interesting video. Now I have to realize how setup this without docker, as I installed CF tunnel for a Jellyfin service hosted in my proxmox server. I wonder if proxmox firewall could also be used for this. 🤔
Thanks, yes you could probably control access with Proxmox firewall
Thank you, exactly what I was looking for! Great info and points here!
Glad it was helpful!
Wow, great guide on how to secure using Cloudflare tunnel, this has been one of the guides I've been looking for. Is there any way you can do a guide for an extra layer of protection?
Example: Cloudflare tunnel to VLAN 4, then reverse proxy to VLAN 5 using Nginx Proxy Manager, then only reach Portainer on VLAN 200?
Would you recommend using this set up or a DDNS with a reverse proxy for a homelab?
I only use a reverse proxy
@@Jims-Garage so does that mean you have a static IP address?
@@dino.hurricane978 no, I use ddns
@@Jims-Garage makes sense. Thank you. I really appreciate the response. Last question. Do you have a preferred DDNS service? Like do you use DuckDNS, Cloudflare DDNS or something else?
@@dino.hurricane978 I use Cloudflare for DDNS and as my registrar
Dear Jim, looking at your network topology, after ISP modem, what firewall are you using? Hardware or software ?
I used to use Sophos XG, it's great and user friendly. I've since moved to OPNSense
Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container
No, I only run the one which is for outbound PiHole DNS queries. This was aimed more at people who use them for internal access.
@@Jims-Garage ahh ok. Yeah I tunnel out services on a different machine. Thought you might have had it so you could tunnel DNS queries through it but also tunnel internal services
Thanks! Nice video and very well explained.
Much appreciated 👍
Excellent tutorial regarding added security. I'll be adding macvlan to my setup soon. I might also add 2FA and SSO using Authelia.
Awesome, always good to have multiple layers.
Can you make a guide on adding these firewall rules in OPNsense? They are vastly different and don't seem to correlate with the ones you entered in sophos.
Newbie to networking and Docker here! For this to work I assume I need to create a VLAN interface in the firewall for VLAN 4 to act as a gateway for VLAN members, right? And does the switch port connected to the Docker host need to be configured as a trunk port to accept VLAN 4 (Cloudflare tunnel Docker) and whatever VLAN the host is part of? Thank you for this video.
That's correct
Thank you for the video, this is truly amazing. I just have one question. Would it be better if I also run my application docker client from within the macvlan and assign it its own ip? that way their network would be entirely isolated and I wouldn't have to make any rules in the firewall.
@@randyclark7433 you can do that, sure. It will help to isolate traffic. Note that if your host is compromised though it won't save you.
@@Jims-Garage I am trying to expose a simple golang website, and I can't afford to set up a firewall. If I isolate the tunnel and the application in their own macvlan, would that be okay? or do I absolutely need to isolate my host entirely? If so, what would you recommend for a third-world student who can't afford any network isolation hardware?
@@randyclark7433 the cheapest option is likely to use Cloudflare proxy (free) or Cloudflare tunnel (has privacy issues but likely scans all traffic).
As someone in security it's hard to escape a hard recommendation for a firewall though. You can virtualize it like I do to use the same hardware.
Where it says Routes on the tunnel it's empty for me. What shall I do?
Interesting! What are your thoughts on a CF Application in front of a CF Tunnel? Is that putting too many eggs in one basket?
How do you mean? Can you give an example?
@@Jims-Garage I have a homelab running Proxmox hosting several VMs and LX Containers. (And Docker's in there as well.) I use a CloudFlare Tunnel to provide remote access to the VMs and Containers without needing to open any ports on my router. I then have CloudFlare Applications pointing to various services providing authentication. My understanding is that no one will be able to even get to my server until/unless they pass authentication through the Application. Do you think this is a good idea? I'd love to have a self-hosted alternative, but honestly, CF Tunnels & Applications seem to provide the access and security I need. Thoughts?
@@jbarr if the authentication is required before accessing the container that sounds good from an accessibility perspective. As long as you're happy with zero privacy (Cloudflare sees all traffic in plain text) then it's also fine from a security perspective.
Again, great video, Jim. My Cloudflare container does not get the IP. Running "ip add" it shows no IPv4. Any help?
Try putting it on a vlan with DHCP enabled or manually specify the IP in the macvlan settings (what I do).
I'm just getting into this type of stuff since I started Home Assistant on my Pi. I've ordered a mini PC where I'm looking to run Home Assistant as well as Docker containers, and would like to access both my Home Assistant and maybe also my 3D printer remotely. The plan was to use Cloudflare tunnel, then after watching some videos I was under the impression that it would be good to add Traefik as a reverse proxy for the local IP and then point the subdomain tunnels to the Traefik DNS which then goes to my internal IPs. Now I see this, but I don't have any fancy router capable of VLANs and such, so I'm starting to question if it's a bad idea doing it the way I was thinking, or if it's going to be safe enough anyway.
What do you think about Cloudflare authentication for the tunnel versus this option?
That's good for access control, but I still like the added comfort of having the traffic scanned by my firewall and crowdsec.
Can I ask something?
If I run the docker-compose with the macvlan configuration, the Cloudflare tunnel will be down.
is that right?
Mm, wouldn't another option be to limit access to your web domains? I have set up limited access to my subdomains to two locations. I'll never be in AUS or Fiji accessing my subdomains.
Agreed, and mentioned with reference to using Cloudflare WAF. Why not add more 'transparent' layers though?
Can you please elaborate on why we needed to do this? The Cloudflare tunnel only communicates with your Portainer instance at 192.168.200.X anyway, no?
Yea, but Portainer controls everything (a bad example for a tunnel tbh, never expose Portainer to the web). The key problems are zero privacy, complete offloading of security to Cloudflare (no firewall), and if something is missed a compromised container could allow lateral movement. Use a VPN for accessing Portainer if possible.
@Jims-Garage Yeah, I wouldn't ever expose Portainer.
But say I was exposing a simple app (Trilium Notes, for example); the only security concern would be a bug in either cloudflared or Trilium Notes itself, right?
A vulnerability in the app itself wouldn't be saved by the introduction of a VLAN.
So I guess the VLAN just protects from a security bug in cloudflared...?
@andherium The first concern is privacy: Cloudflare sees everything you do in plain text.
A VLAN can help to prevent network propagation, but it wouldn't do anything against the host being compromised. I recommend having a firewall internally to scan the traffic; it's a free service after all.
@Jims-Garage Thanks!
@Jims-Garage So basically macvlan4 is only there so cloudflared isn't able to scan traffic outside macvlan4? Because in theory anything that's on macvlan4 could also access VLAN 200 if it's breached? Is this the purpose of setting up two separate VLANs? One for privacy, one for security/network segregation?
But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also??
I’m confused. What to do? Where to start? And end?!
Can you port forward? If so, you don't need to use tunnels, use their proxy.
@Jims-Garage And with "their proxy" you mean Cloudflare?
@JGNiDK Yes, the Cloudflare proxy.
@Jims-Garage Is this any more secure than the tunnel? Are they still reading all of your stuff and bypassing your DMZ?
@JeronimoStilton14 It adds some security if you're running through Traefik and CrowdSec, but it doesn't add privacy. They see everything.
Why is the parent interface enp6s18.4... what's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a VLAN ID. How is this a VLAN?
The .4 is vlan 4 (the dot is the vLAN notation). You can read more here: docs.docker.com/network/drivers/macvlan/
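As an added illustration of that dotted parent-interface notation (this is not the video's own compose file), here is a docker-compose macvlan network whose parent is the VLAN 4 sub-interface enp6s18.4; the subnet, gateway and container address are assumed placeholders.

```yaml
# Added example, not the video's own compose file.
# Docker treats a parent name containing a dot (enp6s18.4) as an 802.1Q
# sub-interface of enp6s18 tagged with VLAN ID 4, and creates it if missing.
networks:
  macvlan4:
    driver: macvlan
    driver_opts:
      parent: enp6s18.4          # physical NIC enp6s18, VLAN tag 4
    ipam:
      config:
        - subnet: 192.168.4.0/24  # assumed VLAN 4 subnet (placeholder)
          gateway: 192.168.4.1    # assumed firewall address on VLAN 4

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Tunnel token read from a .env file; never hard-code it in the compose file.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    restart: unless-stopped
    networks:
      macvlan4:
        ipv4_address: 192.168.4.10   # assumed static address for the tunnel
```

Because the container now lives on VLAN 4 rather than on the host's bridge, every request it forwards to a service on another VLAN (such as 192.168.200.X from the thread above) has to cross the firewall, which is where the firewall rule and CrowdSec inspection from the video apply.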
Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for.
I just need the option to grant different specific external people access to very specific devices on my home network (with 2FA/passkey etc.).
Do you know of a solution that is halfway user friendly (as near to plug and play as possible)?
Thanks a lot!
Sadly, those two are often at odds. Wg-easy can do part of that; otherwise it'll be something like headscale/tailscale.
I guess you could use something like Authentik and Authelia to restrict access by user accounts
@Jims-Garage Thanks a lot for that super fast reply! I will look into these tools.
Do you have a suggestion for a product for easy segmentation?
@Krieger1883 Running WireGuard on OPNsense should be able to achieve this.
My biggest complaint with all the "how to" videos is the fact that no one talks about TLS and the importance of the origin cert.
How would you set up something similar on a cloud where you don't have the possibility to filter the traffic between devices (like Hetzner)?
Any way to achieve something similar with subnets?
Just wanted to pop in and say awesome series - this has really made all the difference in my homelab journey. Thanks and keep up the good work! Question - does this still have value if you already host all your external accessible apps on a DMZ?
Thanks 👍 This is only relevant if you use Cloudflare tunnels without a DMZ.
http_status, bastion - what is it? By the way, CF has the ability to install RDP on Windows and, in the tunnel settings, choose an RDP tunnel. Do you have a video or instructions on how to do this and how to secure such a tunnel?
As with SMB, I don't recommend exposing RDP to the internet, it'll likely be brute force attacked. You're better off putting this behind a proper VPN like WireGuard (I have a video on that, or headscale if you're unable to port forward - see other video)
What is unix/unix+tls? I don't understand the logic of the work, why is it necessary?
Hi Antonio, which part of the video are you referring to, I don't remember saying that?
YouTube deleted my comments. I don't understand what I violated. Because of this, you didn't see all my comments. @Jims-Garage
@antoniomax3163 You said "what is Unix/Unix+TLS". I'm not sure what that means.
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik.
All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring.
Is there a flaw in my understanding of these bridge networks?
Did you learn more about this? I'm currently running CF also with a bridge network which only has CF & my reverse proxy.
I have an HTML-only website; should I be fine without securing the tunnel?
That's probably the worst case scenario. All depends how much you care about privacy and how much risk you're willing to take, perhaps for your use case it's fine.
@Jims-Garage Yeah, I moved back to a VPS. My ISP is very stingy: no bridge mode, no VLANs, hell, I can't even change DNS on the router and have to do it on a device-by-device basis :/
Any chance you know how to add the macvlan when docker is running rootless?
Dude, awesome video. I know it's lots of work, but could you make a tutorial on implementing this in a CasaOS environment? I have one server with all my apps and I want to set up another one to run firewall tunnels and monitoring. As I'm not a security professional I need more details on it, lol. If you can point me to a tutorial or create one, that would be amazing.
CasaOS is on the to-do list. Hope to get round to it soon, thanks for the feedback.
I've used Cloudflare tunnels before and it's too easy to set up. Unaware users don't know what security layers they lost...
I'd rather use nginx rproxy over a VPN into a VPS.
Exactly, simplicity is often at the cost of security. Hopefully this helps people to add some control back.
How exactly could network engineers at a company prevent someone from hosting an internal company service externally over their own domain through cloudflare tunnels? Block all Cloudflare traffic and break the company internet? 😅
@Clarence-Homelab Several ways. A couple of obvious ones: block access to production, Docker, Kubernetes etc. through privileged access management; block egress traffic; monitor and alert on new containers, etc.
I too use an XG firewall, and I have the CF tunnel working with Nginx. Unfortunately, when I put the tunnel on its own VLAN, the tunnel now reports the error "TLS handshake timeout, cannot reach origin server". I have the firewall rule set up to allow traffic from the tunnel VLAN to the NPM VLAN, just like the video. I can ping my Nginx proxy from the tunnel VLAN. Not sure why it's not working when they are on separate VLANs.
What firewall rules do you have in place? Why not put an any any rule in place to troubleshoot the firewall?
@Jims-Garage The firewall rule in place is pretty open; I am not blocking any ports. In fact, I have it set to allow traffic from one VLAN subnet to the other subnet with no service or IP restrictions or IPS during my testing. I am going to take NPM out of the equation to see if that's the issue. I will instead use Cloudflare as the proxy on the tunnel. I would prefer to use an internal proxy, though.
@cloud2050 Have you checked that it can resolve internal DNS?
@Jims-Garage DNS for what's behind the NPM proxy? If so, not yet. I was stuck on the tunnel error about reaching my proxy, so most of my troubleshooting was making sure NPM and cloudflared can communicate.
You need to check, on the Cloudflare Tunnel dashboard, the option to not check TLS (in the TLS section).
Great video and lovely of you to give Christian a shout-out.
Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?
Thanks! Yeah, would love to. Those guys are the homelab luminaries! Think I need to earn my stripes a little first though.
@Jims-Garage The quality of your content is right up there with theirs!
@Clarence-Homelab Thanks, that's high praise!
I agree, Jim’s content is awesome. But I guess if he wants to be up there with the big boys, he needs RGB!! 😂
@eug1 Lol! Red hair, check! Green jumper, check! Hmmm, something blue...
I appreciate your videos! You have been a lot of help on my journey. However, this isn't working for me. In my Sophos log, I see my rule being used, and the traffic gets routed to the correct IP. However, it seems to end there. My Traefik access logs don't show any entries. So the traffic is being dropped somewhere between my firewall and the Traefik container. Any troubleshooting advice? I feel like somehow I am losing the name resolution, so Traefik ignores it. But I don't know how to check for that.
Thanks! You likely need an internal NAT rule for 80 and 443 (to redirect internally to 81 and 444).
What is smb? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, smb is very critical of delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.
SMB is short for samba, you're right, it's a network share protocol. I would advise against using it in a Cloudflare Tunnel, you don't want to be exposing shares this way (i.e. to the internet - use a VPN instead).
Watched it like 20 times and still can't recreate it. I just left it unsecure, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.
have you been hacked yet? lol
@Tmacs-yp6vv Nope, but thanks for your concern anyways d1ckhead. Turns out that my ISP's "passthrough mode" modem isn't really passthrough and won't allow anything to hit my firewall, and it's impossible to connect my gateway directly. We're still troubleshooting what middleware on their side of the network is screwing this up. In addition, adding CF firewall filtering rules blocked 99% of traffic and only allowed the tiny amount of valid traffic through the tunnel.
Thank you! ❤🍕
You're welcome 😊
I hope 5 Months on you progressed a little towards a "Makro TH-cam Career" 😇🤪
I love the video, but I can't seem to match up your process with my pfSense fw.
I figured it out.
NEVER expose ANYTHING admin-based like Portainer. Point it to the application itself. AND, in Cloudflare, block ALL IPs except your own.
@hakaiyou4532 Good advice 👍
Good video, but I really hate, very much, any background music. Why in the world would anyone need this?
Thanks for the honest feedback. I prefer videos without, but apparently most people like some ambient background music. I'll mix it up on future videos and see how it goes.
Thanks, I don't watch your videos as entertainment, rather as technical information and tutorials. I find any kind of background music totally distracting.
I personally prefer the background music. And also enjoy this video. Thank you.
@EduardoSantanaSeverino That's great; just imagine, if you use your own device for listening to music, you can even choose which song you want to play in the background ;-)
Bro, you must have crazy good hearing; for me it's so low I don't really notice it. Besides, Jim has the voice of an angel ;p
When you say you're punching a hole in your home security, do you understand that no one has any security other than anything standard included? And I don't even know if anything is included in macOS by default.
Agreed. But most people running a Mac aren't exposing it directly to the internet. Moreover, most homelabbers will have a 3rd party firewall that they control tunnel. With a Cloudflare Tunnel you're effectively handing all trust over to Cloudflare. Granted, they're one of the biggest players in the game and therefore advanced, but it does also make them a prime target for attack. I feel it's worth taking control and doing it yourself, or doing both as I illustrate.
@Jims-Garage I mean, I don't have any firewall in my router, so anyone can break inside my local network. I'm exposing my Synology NAS by trusting Synology to do that. I'm exposing my Home Assistant by trusting Nabu Casa. I'm always trusting someone.
I have an internal reverse proxy (Traefik) that routes all of my internal hosts by name,
i.e.:
proxmox.local.home.lan
docker.local.home.lan
portainer.local.home.lan
This is great, as I don't have to put in port numbers or anything, and everything is always HTTPS even inside my network.
Is it more secure to point my Cloudflare tunnel at one of those?
In other words, I would like to set this up exactly as you have outlined here (great job, by the way) but not go to the actual server, just go to my internal proxy. Is this better? Does Cloudflare still see my traffic this way?
Routing through a proxy won't really do much. In my video I'm making sure the traffic goes through a firewall, and is scanned by crowdsec. Those are the two bits that add back some security.
@Jims-Garage The reverse proxy is also behind my firewall (it isn't meant for external access), so I'll just make all the rules and see how it goes.
Thanks again!
@rickhernandez2114 The problem is the tunnel bypasses the firewall. You want to route traffic back through it to scan it and control access.