How to use Cloudflare Tunnel in your Homelab (even with Traefik)

I would so love to meet this guy and be best friends with him and every time I watch his videos I feel so influenced to dive into technology more and more it’s crazy!

The videos on your channel have helped SO much! Any idea/question I've had, you seem to always have a video for it with answers. Awesome stuff.

This is a great video, Christian! Thank you for shouting out Warp in the beginning 👍

Awesome! Thank you, Christian, again for the great motivation :D Every time I watch your videos, I feel inspired to implement your techniques into my own homelab or at least start experimenting with them. By the way, I would be more than glad to hear your recommendations for securing access to exposed services through these tunnels. Cheers!

I watched this to learn more about the access control feature for self hosted, and that wildcard "*" was the answer I was looking for. Thank you!

Christian, your Videos get better and better. This is such a good explanation of this complex, I can only say Wow. Well done. 👍

Damn, you fixed my life with the tip of adding the double pipe for the logical OR instruction

ich wurde schon bekloppt mit vaultwarden und reverse proxy - mit cloudflare gehts so easy - DANKE !! du hast mir den feiertag gerettet

Again a great and very clear video Christian !

Been using this setup for months now. Setting up Cloudflare access to use authentik for the oidc was pretty straightforward.

hey saw a clip before on this and started to look around a bit. but you are doing much better and looking forward to your clips. Has helped a lot to get ahead and also got answers to many questions.

Excellent, exactly what I was waiting for.

Yes! Yes! Yes! on the Cloudflare video, absolutely would love to go deeper, thank you

PERFECT Timing! I've been using CloudFlare tunnel on my server for a while, but decided to do a cleanup/consolidation on my Docker networks. Realized I had used the command line to set the tunnel up originally, but wanted to set up a stack in Portainer to handle future updates. Everything I need was in the tutorial (BTW - I think there might be a typo in the command to set up the token). THANKS!

Digging the new earthy background!

I would love to see a video on the authentication recommendation and setup! Great video!

Hey buddy , thanks a lot for this exclellent tutorial. Your tshoot demonstrating the need for both fqdn's in the Traefik Ingress Route saved me a good deal of time to figure out why setup wasn't working. You're the best thanks a lot!!!👍😀

Thank you for this and all of your videos. Fantastic.

That's amazing. I have a network with the same setup, and I couldn't manage to get to work cloudfare tunnels + traefik. Thanks a lot for sharing!

Have to say, that was probably the best video I've watched on CF tunnels, very nicely explained 😁

Superb, many thanks 🎉

Hey Christian, thank you for your dedication to each video and for your great selection of new topics as well as a very intuitive explanation process. Me personally, I'm under a CGNAT on a local ISP and I'm in need to use cloudflare tunnels and its great to see that you can still use traefik for load balancing, that was a great thing you showed me with this video. I'm curious since traefik can run in the internal network, couldn't authelia be deployed with traefik inside the internal network to provide an extra 2FA layer of security? I'm also excited to learn teleport if that's a more convenient way of exposing my services than cloudflare tunnels.

As always, you are on top 👍

Awesome video Christian!

Great video. Would love to see a video on setting up the various authentication methods and creating better policies for self hosted apps (including allowing API access to them). Thanks heaps

Great video! (As always) 🎉

Great video! Thanks! 😃

Very nice video, THX.

PERFECT!!! PERFECT!!! PERFECT!!! THANK YOU!!!

Hi Christian, thanks for your good work on this nice topic! I use cloudflared on a separate ubuntu server in my dmz as connector. The publishing services are running on other servers (and dockers) in separate vlans. I only allow the configured ports, protocols and target-server in my firewall, so that other communication from tdmz to other internal networks isn´t allowed. One advantage over teleport is, that I do not need a cloud-server. Another point is, that cloudflare offers a kind of application firewall on top to the 2fa login, so access to my applications is further narrowed down. The other side is, that in this case we have to trust in cloudflare. I also like it to self host applications and solutions, so I would be happy if you make another video about teleport, how to install, configure and use it. Thanks a lot 🙂

nice tutorial. thanks

@cristian Thanks for the amazing guides
I whould love to see you setup and configure authentik with truenas scale seems there are not guides on this subject and will be very populat as a replacement for authellia that is complex to setup and manage

You're really help me . ❤

Great video! Can you do an in-depth video covering those settings in the cloudflare zero trust for exposing web application? How to allow mobile app api access while locking down web access.

youre such a amazing guy

First of all, awesome guide as always!
Now, what I kind of miss is your Traefik setup. Your other video with Traefik helps, but I somehow can't get certificates from Let's Encrypt. Are your Traefik settings different when you use it with Cloudflare Tunnel?

amazing! The 404 cost me HOURS! I couldn't figure out why it's re-routing traffic externally but not internally in the cluster. Made the same change as you did but not with labels per service, instead added a route in the ingress. 10 seconds of gold

i have been using this method for about 6 months now

Great video! I would've really liked to see the deal with those private networks you can setup in Zero Trust. Not sure if the WARP client thing is the same as a simple custom WireGuard container/VM.

Yeah! This will be my next step!

alles klaaar Danke! (from Siam)!

Thank you 👍

I literally just worked out how to do this myself last weekend. Good to see if what I was doing is what everyone does with integrating Cloudflared and Traefik.

Hi Christian. Lovely content as usual, great work! What keyboard are you using?

That's a great video I am soo excited for more videos about it about rdp with Cloudflare or access
please continue your good work
Could you do a video about authentification with Cloudflare access and a self-hosted IAM like Authelia or Keycloak (if possible with a user-friendly UI😅) or nether an existing active directory server

How to get Android apps working on the smartphone? Like Nexcloud or Synology apps. Because of the login screen for 1-time password or verification...

CF Tunnel is what I'm using to expose my Matrix and Mastodon servers endpoint so they can federate. Otherwise I still prefer accessing stuff via Tailscale (which BTW recently added Tailscale Funnel).
But Cloudflare is a different kind of beast if you want to combine Warp with Tunnel or Warp-to-Warp, but I digress 😃

Great video - thank you. Have you been able to use a Cloudflare Tunnel to access Apache Guacamole?

It would be interesteing to see how works with RPD, or CIFS/SMB works

Hey Christian,
Thank you for the valuable insights you share on your TH-cam channel.
I have a question: Is it possible to forgo Traefik's SSL termination mechanism and instead utilize Cloudflare's HTTPS termination service to manage our certificates?
I'm curious about the advantages of integrating Traefik's DNS challenge with Cloudflare, especially when we have the option to enable Cloudflare's free SSL/TLS.
Thanks.

Christian, can you make some recommendations regarding how to employ "authentication providers and other security measures" due to TLS terminating at CF? What specifically have you done to mitigate this risk? Thanks!

Great video. Finding tunnels great for home use. I would like to enable more security, but can you think of a way to do this that still allows mobile apps (nextcloud) to access the tunnel? Would like to see a video about this.

I would love to see a video about Teleport!

Hi great video, where can i find your video about local and external ssl and dns configuration? i like a lot that😀

Thanks for this. Fantastic material.
Your linked video on docker networks was great also.
However! 😂. It never explains your use and configuration of the backend and frontend networks. Where is that covered?

Brilliant

Thank you for all your videos! I did have one question, perhaps you discussed this in another video but I missed it - can you explain your rationale and usecase for your "frontend" and "backend" networks?

For someone just starting down this home lab rabbit hole would you recommend going this route for exposing services to the Internet for personal and public use or would you recommend a reverse proxy?

Thanks a lot. It worked like a charm with TrueNAS Scale as well (TrueCharts).

Hello! Great video! Can such a solution be done without a third-party service such as cloudflare? Purpose: hosting services on the open Internet without port forwarding on the router.

This looks so convenient and easier to setup compared to the traditional port forwarding method ! I'll definitely look into CF tunnels.

I have à question you know if this tunnel or other we can connect with same ip but différent port. Ex: yacht app like portainer, because need always change the tunnel ip:port for access 😢.
Ty

i would look to have a look at the settings

Hi Chris, many thanks for the detailed instructions. As always, very well explained. I wanted to ask which tool you used to create the sketches... always makes the one or other system structure a little clearer 😉, thanks in advance, greetings

Please closer look at the cloudflare authentication settings

If I'm not mistaken here. So we don't need manually add new ingress on cloudflared tunnel dashboard ? Just label all container??

hi @Christian Lempa, Thank you, I have a question, how do you install traefik plugin from Github? I also try to install it, but it's fail with invalid download

Is it possible to combine this with authelia? When ive been trying traefik isnt pushing through authelia?

Just done this before watching this video last week. I don't mind exposing my ip address, people can already guess and I had to move ssh port higher. Because it was constantly abused. It still is, but with much lower rate. But advantage is that it somewhat helps with other stuff: you don't need nginx reverse proxy, you don't need to renew let's encrypt certificates for each service every three months, you don't need to setup port forwarding on docsys modem/router and open port 443 whenever it needs factory reset.
I just haven't tried this for ssh and to have dynamic dns (script that checks local ip every 30 minutes and renews dns when it changes - which can be likely done via cloudflare api) and to for blocking access based on country.

Hi Chrisitan:
Got this working fine so long as everything is running inside the same docker container as Traefik. Is it a simple process to have Traefik function across multiple docker containers on different machines? I have programs on other servers that I would like to proxy, but Traefik cannot see them.

how I can view or monitor for example IP of the machine that connects and use my tunnel expose website? I dont see a monitor for activity on cloudfare dashboard

Any advice on allowing access to Postgres via Cloudflare tunnel??

How would you setup the custom block page as it only takes an IP and wont work with SSL. thank you

Hello, thanks for this amazing video. One question: what is the app you use to diagram on 3:13m ?

What’s the reasoning behind disabling auto update in cloudflared container and not using the latest tag?

Hello Christian, I am using container name as URL in public hostname section. But it doesn't work. Only docker network IP work for me. Can i know why ? Please..

Hi christian I have a salf hosted rust desk server that need tcp and udp ports open and exposed to the internet can this be done with a tunnel or is there a better way?

Interessanter Ansatz! Wieder ein Pluspunkt für Traefik. Würde aber sehr gerne beim NPM bleiben, da ich nicht alles in Docker-Containern habe mir der händische Weg mit GUI irgendwie besser gefällt. Bin nun dazu übergegangen eine separate Domain für Cloudflare Tunnel zu nehmen und eine andere, die weiterhin klassisch mit DynDNS läuft, für den Fall, dass Cloudflare mal nicht als Option in Frage kommt.
Nur wie mache ich das mit Nextcloud AIO o.Ä. wo die Domain hardgecoded festgelegt ist? Da funktioniert der OR-Operator || vermutlich nicht? Bin hier noch etwas überfragt. Besonders Nextcloud möchte man ja auch lokal mit Daten bespielen, ohne gleich alles durchs Internet schieben zu müssen.

Which local dns server do you use ? Please suggest some with gui

hey Christian, thanks for the great videos please I am facing the same error "404 page not found" Could you please explain more about how to change the labels as you did in the video noting that my docker containers are hosted remotely on a VPS also I am using nginx proxy manager I will try to replace it with traefik soon but i think its the same problem

It would be nice to see a video about the authentication, Because, For example, if I setup the nextcloud using the tunnel, and I enabled the one time pin authentication, then, I am not sure if the nextcloud mobile application would still connect to this nextcloud instance, as the end point would be protected by one time pin, probably the mobile app would fail to connect. Thanks for your comments.

So, I have created the tunnel and it says it is working. I added nginx container and public hostname as you suggested. I head to that URL and it says: bad gateway at host.

Great

videos good . hey man i have questions how to i look domain user data usage and how to limited data ? ....... please help

Hey Christian, just wanted to point out that your zsh history prefiller may have leaked a production token. I'm sure you probably noticed and it's all good, but just wanted to let you know

This is the exact tutorial that i was needing 🥹🥹🥹 THANK YOUUUU!! 🎉🎉

The home assistant does not work and I have added the ips of the proxy servers. What can be the problem?

Cloudflare tunnels are so good. Even have a ssh tunnel with two factor. No need to expose ports.

You need to make a video on ZeroTier one

Hello Christian what are you using for your data / network diagrams in this video?

Hi can you make a video for using cloudflare to have access to our SMB server, FTP and SSH from internet? 😢

I used it as a VPN. For some sites that only serve certain country or regions, use Cloudflare to avoid being denied access.

how to expose only certain urls from the server and not all endpoints from the server?

what if the self hosted setup includes both Træfik and Authelia? Is there something different to be done there? I can reach a simple Nginx container in the same network, but when I try to reach containers behind Træfik and Authelia, I cannot seem to reach them. Thanks for the great videos!

How do I connect the new tunnels with nginx proxy manager?

What's that application that has docker and kube environment at 0:14, TIA

Hello , first of all, let me thank you (from France) for the excellence of your videos. As a total noob, . I followed your video on creating a tunnel with Cloudflare and it worked very well, but today my two tunnels are down and I can't find any explanation anywhere. Do you have any suggestions for me? Thanks for everything you do.

If I use the container name, I get Bad gateway error. My containers are on the same network. If I use IP, it's ok. Any ideas?

Thank you for sharing this with us.. Quick question.. Can I use it in selfhosted mail server ?

If I were to self host a game server like "Project Zomboid" in a container on my ProxMox server would CloudFlare Tunnel be a good option to secure my Homelab. Or would somthing like this introduce too much latency. I have only ever seen people using this service with things that aren't that effected by latency.