You should NOT use Cloudflare Tunnel (if you do this...)

  • Published on 19 Jun 2024
  • Are you interested in Remote Access for your Homelab? In this TH-cam video, I will explain the potential implications and problems with Cloudflare Tunnel, and when you should NOT use it. I’ll also discuss the architecture of the service, the security and privacy implications, and the legal and regulatory implications. Tune in to find out more! #RemoteAccess #Homelab #CloudflareTunnels
    Related Videos/Links
    • How to use Cloudflare ...
    ________________
    💜 Support me and become a Fan!
    → christianlempa.de/patreon
    💬 Join our Community!
    → christianlempa.de/discord
    ________________
    Read my Tech Documentation
    christianlempa.de/docs
    My Gear and Equipment-*
    christianlempa.de/kit
    ________________
    All links with "*" are affiliate links.

Comments • 350

  • @jasenwar • 1 year ago • +70

    Why does every video with these tech TH-camrs require me to grab a drink?

    • @dejangegic • a month ago

      They're paid by the Big Drink lobby that wants you hydrated, and your piss translucent

    • @tmanley1985 • a month ago • +5

      Just once, I'd like to see a video start with: "So get ready, grab yourself a five course dinner and let's figure this out together!"

    • @redwind3475 • a month ago

      Great question. Why don't we talk more about it....over a cup of coffee!

    • @xConundrumx • 17 days ago

      to be honest I wouldn't be able to sit through most of them without a stiff one.

    • @jasenwar • 17 days ago

      @@xConundrumx for me I need a stiffy

  • @LAWRENCESYSTEMS • 1 year ago • +42

    Yup, these are the same issues I brought up in my Cloudflare Tunnel video.

  • @clixt984 • 1 year ago • +102

    I honestly don't mind all the cons of Cloudflare Tunnel, and I definitely agree. Don't just expose all your services without another form of security like Cloudflare Access. That's the first thing I did after setting up Tunnels, and it's been great.

    • @kanarie93 • 11 months ago • +11

      Basic auth is indeed not always working as first-level security, so Cloudflare Access is a godsend. I was fiddling with Authelia, but damn, Cloudflare Access "just works".

  • @IanCliveKerrCoelho • 1 year ago • +1

    Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.

  • @maximusdecimus2350 • 1 year ago • +1

    Thanks for sharing your knowledge, planning my home lab and using your videos as research.

  • @stefanfelder9413 • 1 year ago • +83

    Little workaround about the firewall issue:
    Put the cloudflare tunnel vm or container in a dedicated /30 vlan with only internet access to the external ips of cloudflare and create rules to internal services you want to expose via inter vlan routing

    • @xavierlarosa8235 • 1 year ago • +4

      new to home lab here, are you saying to basically segment your internal network and all your exposed services will be on an isolated network along with your cloudflare tunnel vm running?

    • @stefanfelder9413 • 1 year ago • +14

      @@xavierlarosa8235
      Yeah, you could do it like this. This would limit the devices Cloudflare would be able to reach to this VLAN.
      I have gone even further: I have a server VLAN with my internal services and a dedicated VLAN for the Cloudflare tunnel VM. So I get maximum control over the services Cloudflare is able to reach by creating a default drop between the VLANs and only dedicated allow rules for services I want to expose.

    • @rb-max • 1 year ago • +2

      This is what I am doing already to prevent the CF tunnel from getting access to my whole network. The CF tunnel is limited to its own VLAN, then gets access to only the services that really need Cloudflare Tunnel.

    • @tonyho4512 • 1 year ago • +1

      @@rb-max Could you share how this can be done?

    • @stefanfelder9413 • 1 year ago • +1

      @@tonyho4512
      Depends on your firewall.
      What firewall do you have?
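    The isolation described in this thread (cloudflared in its own VLAN, default drop between VLANs, explicit allows only for published services) is a firewall ruleset, so here is one written out for nftables. This is an added example, not from the video or any commenter; every interface name and address in it is a placeholder for your own layout, and the only protocol fact it relies on is that cloudflared dials Cloudflare's edge outbound on port 7844.

```shell
#!/bin/sh
# Added example: nftables ruleset for a router that keeps the cloudflared host
# in its own VLAN. Placeholders (assumed, adjust to your network):
#   wan0   = uplink                 lan0   = trusted LAN / management
#   vlan99 = cloudflared VLAN (10.99.0.0/30, connector at 10.99.0.2)
#   vlan10 = server VLAN (10.10.0.0/24, reverse proxy at 10.10.0.20)
# cloudflared connects outbound to Cloudflare on port 7844 (QUIC/UDP by
# default, HTTP/2 over TCP as fallback).

write_ruleset() {
  cat > "$1" <<'EOF'
table inet homelab {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop

    # 1. cloudflared VLAN -> Internet: nothing but the tunnel transport.
    iifname "vlan99" oifname "wan0" udp dport 7844 accept
    iifname "vlan99" oifname "wan0" tcp dport 7844 accept

    # 2. cloudflared VLAN -> server VLAN: only the published origin, by address
    #    and port. One explicit line per exposed service; nothing else is reachable.
    iifname "vlan99" oifname "vlan10" ip daddr 10.10.0.20 tcp dport { 80, 443 } accept

    # 3. vlan99 -> lan0 (management), the rest of vlan10, or other ports on the
    #    proxy: no rule, so the chain policy drops it.

    # 4. Trusted LAN may reach everything (tighten as needed).
    iifname "lan0" accept
  }

  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # cloudflared must resolve the edge hostnames: allow DNS to the router's
    # resolver only, so the connector VLAN cannot otherwise talk to the router.
    iifname "vlan99" udp dport 53 accept
    iifname "vlan99" tcp dport 53 accept
    iifname "lan0" accept
  }
}
EOF
}

# Parse the file with nft's own checker (nothing is applied). Needs nft and,
# depending on the version, root; where nft is absent it just says so.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed here; run 'nft -c -f $1' on the firewall" >&2
  fi
}

# Two checks worth running on any ruleset of this shape before loading it.
ruleset_is_default_drop() {
  # both filter chains must default to drop, so anything not listed is blocked
  [ "$(grep -c 'policy drop;' "$1")" -eq 2 ]
}

vlan99_allow_count() {
  # number of explicit accept rules for traffic arriving from the connector VLAN
  grep -c '^ *iifname "vlan99".* accept$' "$1"
}

main() {
  f="${1:-${TMPDIR:-/tmp}/homelab.nft}"
  write_ruleset "$f"
  check_ruleset "$f" || echo "fix the errors above before loading" >&2
  ruleset_is_default_drop "$f" && echo "default-drop policy: ok"
  echo "explicit allows from vlan99: $(vlan99_allow_count "$f") (7844 x2, DNS x2, one published origin)"
  echo "load with: nft -f $f   (as root, after review)"
}

main "$@"
```

    Every allow from vlan99 names a destination and a port, so a compromised or misbehaving connector can reach the reverse proxy on 80/443 and nothing else; the management LAN is unreachable from it by policy, not by omission. If you want to tighten rule 1 further, replace the any-destination 7844 rules with a named set populated from Cloudflare's published address ranges.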

  • @AlexWard94 • 1 year ago • +4

    This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure.
    The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.

  • @scottibyte • 1 year ago • +1

    Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from their CGnat. In situations where I have played with Cloudflare tunnel it has been inside of a dedicated VLAN on my network and I think that your concerns are valid. When CGNat folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports which I don't really see a way to do on Cloudflare Zero Trust.

  • @erichb.1396 • 1 year ago • +1

    Hmm.... Your video confirms my amateur understanding of Cloudflare tunnels. Thank you very much! I'll think more about it, get info and probably tip my tunnels and switch to a practical in-house VPN solution. I hope I can do that. Best regards.

  • @BlitzFingers • 4 months ago

    Thank you very much, Christian! I've been considering HAProxy or the CF tunnel. This helped me make my decision.

  • @rocket01666 • 1 year ago • +1

    I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which makes OpenVPN with MFA impossible with NPS. Now you must pay for expensive services such as Duo :(
    P.S. Love your content and what you provide for the IT community, Thank you!

  • @jacksoncremean1664 • 1 year ago • +39

    Excellent video, this is something home labbers often get wrong.
    Cloudflare isn't a silver bullet to your security woes, sure it helps but it comes with its own issues. If you're using a free plan then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.

  • @chrisumali9841 • 11 months ago

    Thanks for the info and video, have a great day

  • @henrysowell • 1 year ago • +57

    Great video. I’m a huge fan of Cloudflare and think they’ve done a ton for the world on making the internet more secure. That said, having a reasonable, fair, and open analysis on the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!

  • @sphbecker • 5 months ago • +1

    Very good point. You could always put the Cloudflare endpoint in its own vlan so that you can still build firewall rules for the traffic.

  • @TheJoaolyraaraujo • 1 year ago • +1

    Thank you. I was wondering the implications of using it

  • @MiFonito • 1 year ago • +2

    Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your CloudFlare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust.
    Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement a reverse proxy, lol).

  • @jenniferw8963 • 10 months ago • +3

    6:00 one thing you could do with a Cloudflare tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN traffic to the appropriate servers and ports on other subnets.

  • @Glatze603 • 1 year ago • +28

    Hi Christian and thank you for this critical and informative video. You do not bypass your firewall if you set up the cloudflared server (or cloudflared Docker container) in a separate DMZ/VLAN. I can't see any difference from other VPN solutions that end directly in the internal network. This is a general problem that can either be improved by well-documented descriptions of possible extensions, or you have the necessary expertise yourself to be able to operate such solutions relatively safely.
    So you are right, not only the route between the endpoints has to be secure, but especially the endpoints themselves and the networks behind those endpoints always have to be secured. Your argument is still absolutely valid and many manufacturers of such solutions promise easy and secure installations, which can be very deceptive.
    In my opinion, Cloudflare offers one of the best and most secure solutions for accessing internal services (no published ports, MFA for accessing the Cloudflare dashboard and separate MFA and other web application rules for accessing the actual services). In addition, the actual application that you want to reach via Cloudflare Tunnel should also have its own authentication - I only use applications that can handle MFA on their own, such as Guacamole. But it always depends on how you implement it :-)
    If large companies trust Microsoft by running an Azure AD (most have little choice), you can trust Cloudflare for your homelab services for sure.

    • @ShaferHart • 8 months ago

      If you can't see "any difference" between a VPN server that you run and this then you are ignorant about the topic or just plain daft. The alternative to cloudflared (from a privacy perspective) isn't Tailscale or Twingate or whatever tf. Let's concede that Cloudflare gives you all of those features as securely as any third party can; that's really beside the point, you're getting all those "freebies" in exchange for putting a middle man in all the traffic you tunnel through them (technically they can establish any connection they wish from inside your network since they are running an agent inside yours). Obviously a lot of very technically inclined people are willing to do this but let's not be stupid about the trade-offs here.

    • @Glatze603 • 8 months ago

      @@ShaferHart Hosting a VPN server primarily just means having an encrypted connection between 2 points, nothing else!

  • @mrcolo. • 1 year ago • +4

    Please do a video about best practices to set up Sophos XG, secure the net, expose services safely, etc. Or a video where you show us your Sophos setup. Thanks man!

  • @DavidMedinets • 5 months ago • +1

    Thanks for pointing out this issue.

  • @Movies4118 • 1 year ago • +2

    Thanks for another great video as usual!

    • @christianlempa • 1 year ago

      You're welcome! Thanks for watching :)

  • @RobertAnthonyPitera • 6 months ago • +1

    Was about to deploy Cloudflare and thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed.
    I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out, well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!

  • @maniratanpratapsingh0 • 1 year ago • +38

    Was Waiting For Someone To Make This Video Great To See Someone Talking About This . We Should See Both Sides.

  • @BrentFreyEsq • 1 year ago • +12

    Great video! I think homelabbers should talk more about who you trust with your data, but also the various attack surfaces these services open up.
    I'd be interested in a deeper dive and comparison between Cloudflare Tunnels, Twingate and Tailscale (and Headscale), as they all do similar things with subtle--but important--differences.

    • @homepc293 • 6 months ago • +2

      You forgot zerotier. Would really love to see an in depth comparison of these

  • @GabrielAcosta00 • 1 year ago • +1

    Hi Christian, excellent video.
    I'm using Cloudflare tunnel to expose a web application (Django + React) to a handful of clients. I don't care about the data; I found cloudflared easy to do what I wanted. Should I look for another approach? To access my homelab I still use WireGuard + AdGuard Home + NPM.

  • @MikelManitius • 3 months ago

    This is a good balanced look at it. One thing you forgot to mention are mitigations, such as being careful where in your network to deploy the tunnel endpoint. For example, a “DMZ” (or similar) area where you provide services from but that does not have access to the rest of your network… in order to minimize the crash surface.

  • @Ecker00 • 1 year ago • +2

    Thank you Christian for taking a critical take on this. 👍

  • @olafschermann1592 • 1 year ago

    Good point. I had to decide between ZeroTier, which is more convenient for my application, and Cloudflare. I decided for Cloudflare because I trust them (more). But shutting down a service is also a valid complaint.

  • @rexjuggler19 • 1 year ago • +6

    I try to avoid using someone else's cloud services. I'm not 100% opposed, but I prefer to manage my own stuff with my own stuff.

  • @mobimb • 1 year ago • +1

    Thank you Christian for the video. Kindly, we need to know what the alternative solutions are in your opinion?

  • @samuelhuang7769 • 1 year ago • +2

    Hi Christian, thanks for all of your awesome videos that explain complicated things in an easy way. But after following your previous video on setting up my homelab with Traefik, Cloudflare tunnel, and Zero Trust Authentication on a bare-metal TrueNAS Scale server, I was worried about getting banned from Cloudflare by having high bandwidth and other security issues.
    I'm planning to let my family in Taiwan use Nextcloud and PhotoPrism remotely and share family videos, photos, or probably sensitive documents as well.
    So will a VPN like Tailscale be the best solution here? Or is there a better solution in my case? Thanks in advance!!

  • @RK-ly5qj • 1 year ago • +2

    I have tested CF, and I didn't choose it for a few reasons - trust, protocol limitation, and L7 protection (threat protection, AV, IPS, web filter etc.), which I can do on my Sophos XG (WAF). Maybe I didn't test it well, but... ;)

  • @madsjensen8094 • 1 year ago • +2

    Glad someone else finally said it!

  • @canadianwildlifeservice8883 • 1 year ago • +1

    Agreed with this post. With most cloud providers, you give up your privacy for security (well, security is subjective... providing no three letter agencies haven't already backdoored it like they did with L2TP and Juniper).

  • @mariof.1941 • 1 year ago • +1

    I have enough options with my FortiGate firewall to share certain parts of my network. I looked into the Cloudflare solution, but the fact that all my traffic would go through their servers stopped me from using it. However, once you have made the right settings in your firewall, it is easy to quickly provide someone with a service from the HomeLab.

  • @niravraychura • 1 year ago • +2

    Thanks for the video. It actually makes sense. But I would like to add something here: "home lab is for learning", right? Yes, we can check out some tools, but I think people who have a home lab should expose their services and do some kind of research about how to secure them, for example, use some kind of firewall, IDS/IPS, etc. See the logs regularly, and automate some things. Maybe I am wrong, it's just my thought. Correct me if I am wrong.

  • @RobertMizen • 1 year ago • +14

    I think one of the main issues for me is the centralising of important internet infrastructure. Cloudflare offer some great services which are important. But I do not feel comfortable with so many eggs of the internet being in so few baskets.
    Awesome video btw dude as usual

    • @pavelperina7629 • 1 year ago • +4

      I see it in the opposite way: Cloudflare removes many points of failure. Of course it depends how much time, money and (electric, your own) energy you are willing to invest into your infrastructure. For accessing your personal blog, Nextcloud, git ... running on a low-power PC/SBC I'd say it's perfect.

  • @erichb.1396 • 1 year ago • +2

    Hi Christian, I have been thinking about it again, especially with regard to my self-hosted 'Vaultwarden' which is accessible externally via Cloudflare tunnel. As far as I know - and I am a layman - Vaultwarden encrypts the data locally. When synchronising with an external client via the CF tunnel, the data should actually be securely encrypted. CF doesn't know the key of my Vaultwarden. Or am I wrong?

  • @kevinhughes9801 • 1 year ago • +1

    Great insight thanks

  • @dbishop9085 • 1 year ago • +1

    is this a segue to setting up a VPN with traefik? I definitely hope so! I am not sure if tailscale would be the same situation or if wireguard would be the better choice for privacy. a video about that would be a nice addition.

  • @garypaulson5202 • 1 year ago • +1

    This was very informative, thank you very much

  • @subnumeric • 1 year ago • +4

    Pro tip: You can still use the SSH tunnel and do a reverse port tunnel through that. Cloudflare cannot see/MITM that, since only you have your certificate, which the server verifies and is thus able to perform an authenticated Diffie-Hellman exchange and guarantee your communication is confidential! (See the SSH2 protocol and TOFU security model)
    Also,
    I thought it was obvious that it works as essentially a MITM? They even advertise it as such! How else would they be able to magically HTTPSify all your services? Obviously, keep this in mind....
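    The client side of the SSH-over-tunnel setup the comment above describes, as an added example (not from the video or the commenter). It assumes a tunnel whose ingress maps the hostname ssh.example.com to the homelab's sshd, a login named admin, and cloudflared installed on the client; the ProxyCommand is the one Cloudflare documents for SSH through a tunnel. The one refinement over plain TOFU is that the host key is pinned out of band and StrictHostKeyChecking is set to yes, so a relay that answered with its own key would be rejected rather than silently accepted on first connect.

```shell
#!/bin/sh
# Added example: SSH through a Cloudflare Tunnel, with the SSH session as the
# end-to-end encrypted channel. Cloudflare relays an SSH byte stream only.
# Assumptions: ssh.example.com -> homelab sshd via the tunnel ingress,
# user "admin", cloudflared present on the client.

write_ssh_config() {
  cat > "$1" <<'EOF'
Host ssh.example.com
    User admin
    # cloudflared opens the tunnel to %h and hands ssh the raw TCP stream
    ProxyCommand cloudflared access ssh --hostname %h
    # Refuse unknown or changed host keys instead of trusting on first use
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_tunnel
    # key auth only: nothing phishable passes through the relay
    PasswordAuthentication no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_homelab
EOF
}

# Pin the server's host key, copied out of band (e.g. read
# /etc/ssh/ssh_host_ed25519_key.pub on the console), so StrictHostKeyChecking
# has something to compare against before the first tunnelled connection.
# Idempotent: a key already present is not appended twice.
pin_host_key() {
  known_hosts=$1; host=$2; pubkey=$3
  grep -qF "$pubkey" "$known_hosts" 2>/dev/null \
    || printf '%s %s\n' "$host" "$pubkey" >> "$known_hosts"
}

# Ask ssh for its effective configuration (no connection is made) and confirm
# the ProxyCommand really applies to the host.
ssh_uses_tunnel() {
  ssh -G -F "$1" "$2" 2>/dev/null | grep -qi '^proxycommand cloudflared access ssh'
}

# With the config in place, carry other services inside the SSH session:
#   ssh -L 8443:10.10.0.20:443 ssh.example.com   # local forward: https://localhost:8443
#   ssh -R 2222:127.0.0.1:22 ssh.example.com     # reverse forward back to this client
# In both cases Cloudflare sees SSH ciphertext, not the HTTP inside it.

main() {
  cfg="${1:-${TMPDIR:-/tmp}/ssh_config.tunnel}"
  write_ssh_config "$cfg"
  if command -v ssh >/dev/null 2>&1 && ssh_uses_tunnel "$cfg" ssh.example.com; then
    echo "ProxyCommand active for ssh.example.com; connect with: ssh -F $cfg ssh.example.com"
  else
    echo "wrote $cfg; merge the Host block into ~/.ssh/config"
  fi
}

main "$@"
```

    Run `pin_host_key ~/.ssh/known_hosts_tunnel ssh.example.com "$(cat server_host_key.pub)"` with the key you copied from the server before the first connection; with StrictHostKeyChecking yes, ssh will otherwise refuse to connect at all, which is the intended failure mode.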

  • @MorpheusLewis • 1 year ago • +1

    OMG Where did you get your animated matrix wallpaper?? also thanks for this, I've been looking at using Cloudflare due to TH-cam videos etc.

  • @uuu12343 • 1 year ago • +4

    Cloudflare tunnel is a tunneling protocol that does a peer-to-peer connection through a "middle-man" server such as cloudflare tunnel, same as zerotier and tailscale
    Using another server inherently means you have a dependency that you need to be aware of

    • @darrennotfound7740 • 1 year ago • +2

      For Tailscale, if it can do P2P there is no middle man.
      If it can't, it will use a middle man.

  • @sergefedorow8430 • 1 year ago

    Thank you! Just in time, as for me.

  • @romayojr • 1 year ago • +6

    I just recently deployed Cloudflare tunnel with my home lab services and it’s been working fantastic, but after watching this I’m very conflicted

    • @christianlempa • 1 year ago • +3

      Like I said, it's not a bad service at all. Just depends on what matters most to you, simplicity, or privacy :)

  • @PowerUsr1 • 1 year ago • +3

    To be clear, at around 6:16 when firewalls might become useless because they are not integrated into the firewall and it punches a hole....
    1. If an enterprise employs application whitelisting on their laptops/servers/desktops then this will never have a chance at being deployed.
    2. If an enterprise chooses to do SSL decryption, this would never have a chance at being deployed.
    3. If using some form of application identification (App-ID), this would never have a chance at being deployed.
    4. If you deny the outgoing port 7844 then this will never get deployed.
    If you choose to have lax rules or a lax security model then yeah, you can bypass the network security, but this isn't as easy as one would think it is.

  • @JasonsLabVideos • 1 year ago • +1

    Another good video sir !!

  • @chaosen3 • 1 year ago • +6

    Regarding your point about serving non-HTML content, I always found it was a good practice to bypass the caching with a page rule. I use the tunnel and a reverse proxy to host my plex server using a custom server access URL and the first month I had it running with no page rules I was a bit unsettled to see how much data had been cached, but nothing came of it anyway.

    • @pcklubas • 1 year ago • +1

      They said in the Discord that this rule applies to ANYTHING that goes through the Cloudflare network; they don't care if you cache it or not. So you can still get booted if you don't cache a thing. However, they probably won't bother you if you're not pushing many terabytes of data.

    • @canes4ever162 • 5 months ago

      This is what I am thinking about doing. Are you doing a CF tunnel to nginx to then forward to Plex? Any security concerns? I feel like it is better than exposing ports on my IP.

  • @josephwagner6682 • 3 months ago

    Very good video. I was especially interested in the security concerns about bypassing your company's firewall by using such a reverse tunnel. I guess no enterprise will want to have such a thing set up by individual users. I could imagine an enterprise setup done locally with trust in Cloudflare, but it's a security nightmare when everyone can start a Docker container and punch holes into the whole firewall setup. I would even assume that some companies block those hosts and ports by default.

  • @xxgg • 7 months ago • +1

    So what method do you recommend for remote access to home network? VPN?

  • @MichaelWDietrich • 6 months ago • +1

    Thanks for the great vid. But on 9:15, no "two endpoints" will ever be under your "full control", not even physically (and even one endpoint could be argued about as to how much it is under your "full control" as soon as any network connection, let alone a wireless network connection, is involved).

  • @RuiFungYip • 11 months ago

    Personally, my deployment of Cloudflare tunnels is by deploying it as a sidecar container on my external ingress Traefik instances.
    I run 2 sets of Traefik deployments in my local k8s cluster, one that's exposed to the internet via Cloudflare tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to Traefik on localhost" rule static configuration.
    It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok I guess. Tailscale Funnel is nice, but a bit restrictive since you can't use your own domains.
    As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services, then its traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice so... tradeoffs.)
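    The "static configuration that sends everything to Traefik on localhost" mentioned above is a locally managed cloudflared config file; here is one written out together with the checks a practitioner would run on it before starting the connector. This is an added example, not the commenter's manifests or Cloudflare's own documentation: the tunnel ID, credentials path, hostnames and the 127.0.0.1:443 origin are placeholders, and the two real cloudflared subcommands it invokes are `tunnel ingress validate` and `tunnel ingress rule`.

```shell
#!/bin/sh
# Added example: locally managed cloudflared config for the sidecar pattern
# (cloudflared in the same pod as the reverse proxy, forwarding only to
# localhost), plus offline checks. Placeholders: tunnel ID, credentials file,
# app.example.com / ssh.example.com, Traefik on 127.0.0.1:443.

write_cloudflared_config() {
  cat > "$1" <<'EOF'
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Each published hostname maps to exactly one origin. Routing and auth
  # decisions stay in Traefik; cloudflared only forwards to localhost.
  - hostname: app.example.com
    service: https://127.0.0.1:443
    originRequest:
      # verify Traefik's certificate under the public name rather than noTLSVerify: true
      originServerName: app.example.com
  - hostname: ssh.example.com
    service: ssh://127.0.0.1:22
  # Mandatory catch-all: any hostname not listed above is answered with 404 by
  # cloudflared itself and never reaches the origin.
  - service: http_status:404
EOF
}

# cloudflared's own validator, when it is installed (no network needed).
validate_with_cloudflared() {
  if command -v cloudflared >/dev/null 2>&1; then
    cloudflared --config "$1" tunnel ingress validate
  else
    echo "cloudflared not installed here; run: cloudflared --config $1 tunnel ingress validate" >&2
  fi
}

# Checks that need no tooling: the last rule must be the catch-all, and every
# published hostname must sit under the zone you control.
last_rule_is_catchall() {
  tail -n 1 "$1" | grep -q '^  - service: http_status:'
}

published_hostnames() {
  sed -n 's/^  - hostname: //p' "$1"
}

hostnames_in_zone() {
  # count hostnames NOT ending in ".<zone>"; zero means all are in the zone
  off_zone=$(published_hostnames "$1" | grep -vc "\.$2\$")
  [ "$off_zone" -eq 0 ]
}

main() {
  f="${1:-${TMPDIR:-/tmp}/cloudflared-config.yml}"
  write_cloudflared_config "$f"
  validate_with_cloudflared "$f" || echo "validation failed; fix before running the tunnel" >&2
  last_rule_is_catchall "$f" && echo "catch-all rule present: ok"
  hostnames_in_zone "$f" example.com && echo "all published hostnames under example.com: ok"
  echo "see which rule serves a request: cloudflared --config $f tunnel ingress rule https://app.example.com"
  echo "run the connector: cloudflared --config $f tunnel run"
}

main "$@"
```

    The security-relevant lines are the catch-all and originServerName: without the catch-all cloudflared refuses to start, and without a verified origin name the sidecar would happily forward to whatever answers on that port. Pair this with a Network Policy that lets the cloudflared container egress only to Cloudflare on 7844 and talk to nothing in the cluster but its own pod.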

  • @mihaigalos279 • 1 year ago • +3

    Just use a reverse SSH tunnel to the device hosting the cloudflared, that's encrypted end-to-end.

  • @MyAnimeForLife • 11 months ago

    Can you point out some other options similar to Cloudflare tunnel which have similar services?

  • @fisunerd • 6 months ago • +1

    Well, I guess that one should not use this kind of service without security layers in mind.
    Mostly because in a certain, given scenario, one could use their service's trustworthy reputation to stealthily exfiltrate data from a company's network, or gain reverse access to it. Either by somehow abusing it or installing it on purpose in a post-exploitation phase.
    This is a great option when your security strategy is mature enough and capable of containing threats as mentioned before.

  • @stevebryant3723 • 8 months ago • +1

    I set up a DMZ VLAN with Cloudflare and pfSense. It's much more complicated to admin, but at least the Cloudflare VM doesn't have full network access by default. Just cost a bit of hair ripping during troubleshooting and setup lol

  • @urzalukaskubicek9690 • a month ago

    Great explanation, thanks!

  • @telosxian • 6 months ago • +1

    Not only do CF tunnels convey your data unencrypted through CF, but if you use their traditional DNS and choose CF proxy to "hide" your IP, your data is again in clear text within the proxy handling path.

  • @ijustwanttoeatcookie • 1 year ago • +1

    I applaud you for also pointing out the drawbacks of CF tunnels. What is your opinion on exposing something like vaultwarden on CF tunnels?

    • @semirauthsala6001 • 1 year ago • +1

      I wonder what makes you stop creating a simple VPN setup with a trusted provider and exposing it securely. If you are able to host Vaultwarden locally, you should be able to set up a VPN as well.

    • @ijustwanttoeatcookie • 1 year ago • +1

      @@semirauthsala6001 There are situations where the device you want to connect from can’t connect over a vpn because it is managed by someone else. A company device for example.

  • @muhammedsaqibazam3035 • 1 year ago • +1

    Very informative, but what will be the alternative to a VPN, if we are not willing to use Cloudflare as an alternative to a VPN? Is there any Web Application Firewall which fulfills all the requirements of a secure tunnel?

  • @GrantSR • 5 months ago • +2

    What if you ran cloudflare on a small separate machine, outside of your firewall? So that all cloudflare traffic still had to go through your firewall?

  • @szymonagiewka4513 • 1 year ago

    Today they posted on Cloudflare Blog: "Goodbye, section 2.8 and hello to Cloudflare’s new terms of service". This is part of their Developer Week announcement. You need their services like Stream to serve video though.

  • @kkho7616 • 5 months ago

    Is this tunnel recommended for a Proxmox server for remote access? Thank you.

  • @user-hx9be2hl1r • 7 months ago • +1

    do you have any videos on how to set up a webserver on a raspberry pi and have secure certificates etc that can be accessed externally and not open up your home to potential cyber attack?

  • @00000a0009 • 9 months ago

    So if I have a WordPress container with a small website and I run the tunnel inside Docker, I should be safe. Am I right?

  • @bobby07241 • 10 months ago • +1

    So which one is the best, ZeroTier, Twingate or Cloudflare?

  • @djKenpLan09 • 1 year ago

    First! Thanks for keeping sharing your knowledge Christian!

  • @ericesev • 11 months ago • +1

    I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable.
    I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.

  • @alphenit • 1 year ago

    Not so sure about that firewall punching you talk about, Christian. I have pfSense and could not get the Cloudflare pod to properly connect to Cloudflare because my pfSense was blocking port 7844 to the outside world.
    Once I created a rule that allowed the traffic, the Cloudflare tunnel started working, but no way it worked "automagically" :)

  • @jribeiro1792 • 1 year ago • +3

    Hey Christian, thanks for your videos. Does the same thing apply to Twingate? Any insights on this solution? Thanks

    • @christianlempa • 1 year ago • +1

      Thank you! As far as I know, Twingate uses a different protocol, and does not hook into TLS, however, it also likes to punch a hole into your firewall, so while the 1st and 3rd problem won't apply, 2nd will...

    • @jribeiro1792 • 1 year ago

      @@christianlempa That's great!!! It's my own hole, so fine!!! :))))) Unfortunately my IP address is not public, so I can't use any port forwarding solutions. Thanks a lot for your reply

  • @thomastupper2594 • 1 year ago • +5

    What's the alternative to it though? If the option is either opening a port or using cloudflare, is that really a viable alternative?

  • @rashshawn779 • 1 year ago • +1

    Does Cloudflare allow connecting to a local service with only a subdomain setup? I was setting up my service through Cloudflare tunnel (free tier), then I realized I cannot add only a subdomain to Cloudflare for the public hostname. I don't want to do a full setup for the zone because of the way my setup works. Quite wasted my time; I wish they were clearer in the documentation very early on. So annoying to go all the way to the end, only to realize it doesn't work for subdomain-only setups.

  • @jerbear0348 • 1 year ago

    I use their WARP client. I added in the local domain fallback my local subdomain to route those requests to my BIND9 DNS; I then have A and CNAME records that send those requests to Traefik. Traefik serves SSL certs using Let's Encrypt, that way I get SSL certs both locally and remotely using Traefik and the WARP client. For me my biggest concern was opening ports in my firewall. Until I can find a better solution it's perfect 👌.

  • @linuxbasics7060 • 1 year ago • +1

    can you do a video on PfSense or something similar and how we would go about securing our home lab?

  • @Alex-un5tl
    @Alex-un5tl 7 months ago

    amazing as always

  • @kodream316
    @kodream316 8 months ago +1

    Could you make a video on an alternative way to expose internal services without a public IP (CGNAT)?
    I currently rent a VPS with a public IP and use ZeroTier (will set up my own WireGuard at some point) to connect to a dedicated VM at home. Then on that VPS I redirect all traffic on ports 80 and 443 to my reverse proxy VM with iptables rules. It was a bit of a pain to get it working at first, before I figured out the correct iptables rules, but it has worked fine since then.
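
The setup described in the comment above (VPS with a public IP, a WireGuard tunnel to a VM at home, and iptables redirecting 80/443 to the home reverse proxy) is the part people usually get stuck on, so here is an added example of the rules, written for this page and not the commenter's own script. Interface names and tunnel addresses are assumptions; adjust them to your tunnel. The rules are emitted by a function so you can review them with `show` before applying them, and the SNAT step carries the one caveat worth knowing: the home proxy will see the VPS's tunnel address as the client IP unless you log the real address at the VPS or switch to the PROXY protocol.

```shell
#!/bin/sh
# Added example (not the commenter's script): forward TCP 80/443 arriving at a
# VPS to a home reverse proxy over a WireGuard tunnel. All names below are
# assumptions for the example.
WAN_IF="${WAN_IF:-eth0}"               # VPS public interface (assumption)
WG_IF="${WG_IF:-wg0}"                  # WireGuard interface on the VPS (assumption)
VPS_WG_IP="${VPS_WG_IP:-10.8.0.1}"     # VPS address inside the tunnel (assumption)
HOME_PROXY="${HOME_PROXY:-10.8.0.2}"   # home reverse proxy VM's tunnel address (assumption)

# Emit the iptables commands instead of running them directly, so they can be
# reviewed (or diffed against the live ruleset) before they touch the firewall.
forward_rules() {
    for port in 80 443; do
        # Rewrite the destination of inbound TCP on the public side to the home proxy.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $HOME_PROXY:$port"
        # Let only those rewritten flows transit the VPS into the tunnel.
        echo "iptables -A FORWARD -i $WAN_IF -o $WG_IF -p tcp -d $HOME_PROXY --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Replies for established flows coming back out of the tunnel.
    echo "iptables -A FORWARD -i $WG_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SNAT to the VPS tunnel address so the home VM answers back through the
    # tunnel rather than via its own default route. Cost: the home proxy sees
    # $VPS_WG_IP as the client IP. Log the real IP at the VPS, or use the PROXY
    # protocol, if you need it.
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $HOME_PROXY -j SNAT --to-source $VPS_WG_IP"
    # Everything else that tries to transit the VPS is dropped.
    echo "iptables -P FORWARD DROP"
}

apply_rules() {
    # Forwarding is off by default on most VPS images.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules | sh -e
}

# Usage: ./vps-forward.sh show   (print the rules)
#        ./vps-forward.sh apply  (as root, apply them)
case "${1:-}" in
    show)  forward_rules ;;
    apply) apply_rules ;;
esac
```

These rules are not persistent; on a typical Debian/Ubuntu VPS you would save them with `iptables-save` or wrap the script in a unit that runs after the WireGuard interface is up. Note that with TLS terminated at home the VPS only ever relays ciphertext, which is the property the video says Cloudflare Tunnel does not give you.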

  • @GottaHache
    @GottaHache 1 year ago +1

    You should do a video about Twingate. Very cool tool

  • @pnewman1112
    @pnewman1112 11 months ago +1

    Has anyone measured, from the web browser's standpoint, how much latency CF adds to the round-trip transaction? Is it 10s or 100s of milliseconds?

  • @nordexo
    @nordexo 1 year ago +1

    Sounds like a thing that needs to be isolated on its own network segment, with all traffic coming out from the agent still going through the main firewall.

  • @soubinan
    @soubinan 9 months ago +1

    The reason why self-hostable solutions like Boundary or Teleport in a free-tier cloud are way better to use, when you want to do business things.

  • @vidx9
    @vidx9 1 year ago +1

    "... customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2." - Cloudflare's blog.
    That is for the removal of section 2.8 in the Cloudflare Terms of Service, which essentially means nothing to most people unless you are paying to use their services.

  • @electronicstv5884
    @electronicstv5884 1 year ago +1

    Well, I do use Cloudflare for a lot of my services and it works great. But I'm also using it for my selfhosted Vaultwarden-instance 😅. So... Yeah. I don't know if it's that good ...

  • @Sean_Cockrell
    @Sean_Cockrell 1 year ago +2

    I think when other content creators talk about Cloudflare being a VPN killer, they're talking about WARP / Access, which is set up in the same Cloudflare portal page, Zero Trust. Tunnels, though, is by no means a VPN killer, I agree.

  • @szymex22
    @szymex22 1 year ago +1

    Another thing I would like to mention that most YouTubers don't is that if you are using Cloudflare, you should set up DNS overrides on your DNS server on your LAN, so that traffic doesn't go through Cloudflare and everything works offline when you're just accessing it from the LAN.

    • @jayzn1931
      @jayzn1931 10 months ago

      How do you do that? And if you use something like pihole, is this still a concern or especially then?

    • @szymex22
      @szymex22 10 months ago

      @@jayzn1931 Pi-hole is the DNS server I used; just add the address of the website and the server IP in Local DNS.

    • @damiendye6623
      @damiendye6623 6 months ago

      @@jayzn1931 Google "split DNS".

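The split-DNS advice in the thread above is easy to get half right: the override exists on the Pi-hole, but a client still resolves through the Cloudflare proxy because it is using a different resolver, or the record never made it into Local DNS. The following is an added check written for this page, not from any of the commenters, that asks your LAN resolver for the name and reports whether LAN clients would stay local (private address) or be sent out through Cloudflare's edge. Hostnames and resolver addresses are assumptions; `dig` is required for the live lookup.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a hostname published through
# Cloudflare resolves to a LAN address when asked via the local DNS server
# (Pi-hole/dnsmasq override). Names and addresses below are assumptions.

# Succeeds when $1 is an IPv4 address in one of the RFC 1918 private ranges.
is_private_ipv4() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Prints the first A record for $1 as answered by resolver $2 (needs dig).
resolve_a() {
    dig +short +time=2 +tries=1 A "$1" @"$2" | grep -E '^[0-9.]+$' | head -n 1
}

# Reports whether split DNS is in effect for host $1 via LAN resolver $2.
# Exit 0: LAN clients get a private IP, so LAN traffic never leaves the LAN.
# Exit 1: they get a public (Cloudflare-proxied) IP, or no answer at all.
check_split_dns() {
    host="$1"; lan_dns="$2"
    lan_ip="$(resolve_a "$host" "$lan_dns")"
    if [ -z "$lan_ip" ]; then
        echo "fail: no A record for $host from $lan_dns"
        return 1
    fi
    if is_private_ipv4 "$lan_ip"; then
        echo "ok: $host -> $lan_ip via $lan_dns (stays on the LAN)"
    else
        echo "warn: $host -> $lan_ip via $lan_dns (public/proxied address, split DNS not in effect)"
        return 1
    fi
}

# Usage: ./split-dns-check.sh app.example.com 192.168.1.2
if [ $# -eq 2 ]; then
    check_split_dns "$1" "$2"
fi
```

Run it from a LAN client rather than from the Pi-hole itself, and once more with the client's actual configured resolver (`resolvectl status` or `/etc/resolv.conf`) instead of the Pi-hole address, because a client with DNS-over-HTTPS enabled in the browser bypasses the LAN resolver entirely and will still go through Cloudflare.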
  • @trix7450
    @trix7450 months ago

    Great video. I have a question: if I use the Cloudflare proxy on my website, does that mean my website is not GDPR compliant?

  • @sashasimkin
    @sashasimkin months ago

    Hi! Thank you for this very important piece of information about CF tunnels; I'm now considering using it in a business environment.
    I'm trying to understand how using CF might be violating GDPR here? As I understand it, GDPR is all about handling any PII data carefully, as needed, and being transparent in how you're using it.
    So AFAIR CF has SOC 2 compliance, and listing it as one of the data processors should be enough to fit the GDPR criteria.
    Would appreciate your insight on whether I'm correct here.

  • @tester246
    @tester246 6 months ago +1

    What about Cloudflare Zero Trust with WARP?
    Would that be better than Tunnels?

  • @myusrngml
    @myusrngml 1 year ago +3

    Why use Cloudflare Tunnels, aka a reverse proxy, if your router supports port forwarding?

  • @alexandragroza2611
    @alexandragroza2611 10 months ago

    Brilliant!

  • @yaroslav7328
    @yaroslav7328 1 year ago

    The only app I expose to the external internet is Portainer, which is protected by a very strong password. As far as I understand, Portainer does have a built-in lockout mechanism. Additionally, I use fail2ban to block suspicious connection attempts. All other incoming connections are denied by firewall rules. However, is there still a risk?

  • @alphonsemarcus3650
    @alphonsemarcus3650 11 months ago +1

    Why not just add an extra layer of encryption before sending stuff through Cloudflare? Excellent video, btw.

  • @lupinsky2009
    @lupinsky2009 1 year ago +1

    Great video! Do the same problems exist in Twingate? I asked Bard (Google's AI tool) the same question (can XXXXXX read my password?) for each; for Cloudflare the bottom line was YES and for Twingate NO.

    • @christianlempa
      @christianlempa  1 year ago

      Twingate doesn't hook into the connections, it acts as a "broker", but does not route them through their servers.

  • @JaysScript
    @JaysScript 3 months ago

    Okay what other option do we have for game servers? Great video btw

  • @DigitalIndependent
    @DigitalIndependent 1 year ago +7

    This is exactly what I was thinking. That's why I run a VPS with a site-to-site VPN connection home to my self-hosted services. It's basically a jump box or traffic forwarder. There are two ways to do this: terminating your SSL at your VPS (which I am doing now) or forwarding the SSL traffic home (with HAProxy; experiments running as I am typing this).
    Video coming up on this, too.

    • @MrOnePieceRuffy
      @MrOnePieceRuffy 1 year ago

      But why? xD Set up SSH access via certificate on your VPS, use autossh on your machine, forward the ports you want to expose, write a startup rule in your .rc, done.
      Or: set up SSH access via certificate on your VPS, create a new service, ssh to your VPS, forward the ports you want to expose, systemctl daemon-reload, service xxx enable, done.

    • @szymex22
      @szymex22 1 year ago

      @@MrOnePieceRuffy Because SSH reduces performance a lot, since it's double TCP encapsulation.

    • @mistakek
      @mistakek 1 year ago

      This is actually what I do too, also gets around CGNAT for my backup 4G internet connection

    • @ramiboutas
      @ramiboutas 10 months ago

      I would love to check out that video! I use Cloudflare tunnel for hosting some sites from a mini pc that I have. But I would feel more secure if the traffic is forwarded direct from a cheap server that I can fully control.
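
The second option in the thread above, forwarding the TLS traffic home instead of terminating it on the VPS, is the one that keeps the private key and the plaintext off the rented box, which is the whole objection to Cloudflare Tunnel in the video. Here is an added example of what that looks like with HAProxy, written for this page rather than taken from the commenter's experiments: a small script that renders an HAProxy config in TCP mode, where the VPS reads only the ClientHello SNI to decide what to relay and never decrypts anything. The hostnames and the home proxy's VPN address are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's config): render an HAProxy configuration
# for TLS passthrough. HAProxy on the VPS runs in TCP mode, inspects only the
# SNI of the ClientHello, and relays the still-encrypted stream to the home
# reverse proxy across the site-to-site VPN. TLS terminates at home, so the VPS
# holds no certificate key and cannot read the traffic. Names are assumptions.
HOME_PROXY="${HOME_PROXY:-10.8.0.2}"                              # home reverse proxy via the VPN (assumption)
ALLOWED_SNI="${ALLOWED_SNI:-app.example.com cloud.example.com}"   # names you intend to expose (assumption)

render_haproxy_cfg() {
    cat <<EOF
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend tls_in
    bind :443
    # Hold the connection (at most 5s) until the ClientHello is in the buffer,
    # then reject anything that is not TLS or not one of the names you expose.
    # Unknown SNI is rejected here, so the VPS does not relay scans for other
    # vhosts to your home network.
    tcp-request inspect-delay 5s
    tcp-request content reject unless { req.ssl_hello_type 1 }
    acl allowed_sni req.ssl_sni -i $ALLOWED_SNI
    tcp-request content reject unless allowed_sni
    default_backend home_tls

backend home_tls
    # Raw TCP relay: no ssl keyword here, so nothing is decrypted on the VPS.
    # send-proxy-v2 passes the real client IP in a PROXY protocol header; the
    # home proxy must be configured to accept it on this listener (remove the
    # keyword if it isn't), otherwise the TLS handshake will fail.
    server home $HOME_PROXY:443 send-proxy-v2
EOF
}

# Usage: ./render-haproxy.sh print > /etc/haproxy/haproxy.cfg
#        haproxy -c -f /etc/haproxy/haproxy.cfg   # validate before reloading
case "${1:-}" in
    print) render_haproxy_cfg ;;
esac
```

Two things to check after deploying it: `openssl s_client -connect vps:443 -servername app.example.com` should show the certificate issued for your home proxy (not anything on the VPS), and the same command with an unlisted `-servername` should be cut off before any certificate is sent, confirming the SNI allowlist is doing its job. Port 80 is deliberately absent; HTTP-01 renewals or redirects can either go through the same TCP relay on a second frontend or be handled entirely at home via DNS-01.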

  • @thomasvdalen
    @thomasvdalen 5 months ago

    Exactly the video I was searching for!!! Thanks a lot for making this, and everything you say totally makes sense!

    • @christianlempa
      @christianlempa  4 months ago

      thank you so much :)

  • @YoRaulAndrei
    @YoRaulAndrei 4 months ago

    Is there any possibility to expose TCP or SSH over Cloudflare Tunnel?

  • @romandrajer6609
    @romandrajer6609 1 year ago

    Hey Christian. Can you make video about Twingate service?

  • @UNgineering
    @UNgineering 1 year ago +1

    do you have a video on what to use instead of cloudflare tunnels to access my homelab applications?

    • @christianlempa
      @christianlempa  1 year ago +2

      There will be more videos about these topics. Currently I can recommend the Tailscale or Teleport videos.