How to use Cloudflare Tunnel in your Homelab (even with Traefik)
This is a tutorial on how to use Cloudflare Tunnels in a Homelab to make internal applications easily and securely accessible on the public internet. The video covers the benefits of using Cloudflare Tunnels for personal websites, Homelab dashboards, or any web-based application that needs to be accessed from outside the network without complicated router configuration. It also discusses the security of Cloudflare Tunnels and shares best practices for exposing administrative interfaces. #homelab #cloudflare #cloudflaretunnel
DOCS: github.com/ChristianLempa/vid...
Warp-*: www.warp.dev/?...
Docker-Networking Tutorial: • Docker Networking Tuto...
Timestamps:
00:00 - Introduction
00:47 - Advertisement-*
01:42 - How Cloudflare Tunnel works
03:13 - Getting started
04:49 - Set up first Cloudflare Tunnel
05:49 - Deploy Cloudflare Tunnel in Docker-Compose
10:50 - Set up first public hostname
13:12 - Use Cloudflare Tunnel with Traefik
19:18 - Access Control
________________
All links with "*" are affiliate links.
Comments: 250
The videos on your channel have helped SO much! Any idea/question I've had, you seem to always have a video for it with answers. Awesome stuff.
@christianlempa
1 year ago
Thank you so much! I'm glad the channel helps you :)
This is a great video, Christian! Thank you for shouting out Warp in the beginning 👍
I would so love to meet this guy and be best friends with him and every time I watch his videos I feel so influenced to dive into technology more and more it’s crazy!
@christianlempa
1 year ago
This is such a nice compliment! Thank you buddy :)
@GrimSpec
1 year ago
Right :) "Evening conversations over beer at a pub" with Jeff Geerling, Timothy Stewart and Lewis Barclay
@jasenwar
1 year ago
It’s ze accent for meee!!!
@Andreas360dk
1 year ago
I would just love to have friends to nerd talk with. I work in IT and I am not even sure my colleagues know what Docker is. IT in my country is influenced too much by our education system that still teaches token ring, WIC-2A/S ports for data between routers. Even our vendors that deliver software/web solutions act confused if I ask them what programming languages they use, e.g. Python, GO, Rust, PHP, like they have not even heard of anything besides Visual Basics 2000. The closest I think I have is my engineer friends who are very up to date :) Sorry for the semi rant guys. Have a nice weekend :D
I was already going crazy with Vaultwarden and a reverse proxy - with Cloudflare it's so easy - THANK YOU!! You saved my holiday
Awesome! Thank you, Christian, again for the great motivation :D Every time I watch your videos, I feel inspired to implement your techniques into my own homelab or at least start experimenting with them. By the way, I would be more than glad to hear your recommendations for securing access to exposed services through these tunnels. Cheers!
Been using this setup for months now. Setting up Cloudflare access to use authentik for the oidc was pretty straightforward.
I watched this to learn more about the access control feature for self hosted, and that wildcard "*" was the answer I was looking for. Thank you!
PERFECT Timing! I've been using CloudFlare tunnel on my server for a while, but decided to do a cleanup/consolidation on my Docker networks. Realized I had used the command line to set the tunnel up originally, but wanted to set up a stack in Portainer to handle future updates. Everything I need was in the tutorial (BTW - I think there might be a typo in the command to set up the token). THANKS!
@SabreToothedSam
1 year ago
Can't agree more, this is perfect timing! I just set up docker and a CloudFlare tunnel for the first time on my home server. This guide has definitely shown me a few more things I'll want in my setup.
@darrenoshaughnessy3921
1 year ago
@@SabreToothedSam this guide showed me a few things I had to FIX in my setup - Christian's videos are the best 👍
Christian, your Videos get better and better. This is such a good explanation of this complex, I can only say Wow. Well done. 👍
@christianlempa
1 year ago
Thank you so much 😊
hey saw a clip before on this and started to look around a bit. but you are doing much better and looking forward to your clips. Has helped a lot to get ahead and also got answers to many questions.
@christianlempa
1 year ago
Thank you 😊
Excellent, exactly what I was waiting for.
@christianlempa
1 year ago
Great to hear! I hope you like it! :)
Again a great and very clear video Christian !
Yes! Yes! Yes! on the Cloudflare video, absolutely would love to go deeper, thank you
Damn, you fixed my life with the tip of adding the double pipe for the logical OR instruction
That's amazing. I have a network with the same setup, and I couldn't manage to get Cloudflare tunnels + traefik to work. Thanks a lot for sharing!
@christianlempa
1 year ago
You’re welcome :)
Digging the new earthy background!
Hey Christian, thank you for your dedication to each video and for your great selection of new topics as well as a very intuitive explanation process. Me personally, I'm under a CGNAT on a local ISP and I'm in need to use cloudflare tunnels and it's great to see that you can still use traefik for load balancing, that was a great thing you showed me with this video. I'm curious since traefik can run in the internal network, couldn't authelia be deployed with traefik inside the internal network to provide an extra 2FA layer of security? I'm also excited to learn teleport if that's a more convenient way of exposing my services than cloudflare tunnels.
Great video. Would love to see a video on setting up the various authentication methods and creating better policies for self hosted apps (including allowing API access to them). Thanks heaps
Hey buddy, thanks a lot for this excellent tutorial. Your tshoot demonstrating the need for both fqdn's in the Traefik Ingress Route saved me a good deal of time to figure out why setup wasn't working. You're the best thanks a lot!!!👍😀
@christianlempa
4 months ago
Glad it was helpful
As always, you are on top 👍
@christianlempa
1 year ago
Thanks! 😃
Thank you for this and all of your videos. Fantastic.
@christianlempa
1 year ago
Thank you for this feedback! :)
Superb, many thanks 🎉
Awesome video Christian!
@christianlempa
1 year ago
Thx!
Hi Christian, thanks for your good work on this nice topic! I use cloudflared on a separate ubuntu server in my dmz as connector. The publishing services are running on other servers (and dockers) in separate vlans. I only allow the configured ports, protocols and target-server in my firewall, so that other communication from the dmz to other internal networks isn't allowed. One advantage over teleport is that I do not need a cloud-server. Another point is that cloudflare offers a kind of application firewall on top of the 2fa login, so access to my applications is further narrowed down. The other side is that in this case we have to trust in cloudflare. I also like to self host applications and solutions, so I would be happy if you make another video about teleport, how to install, configure and use it. Thanks a lot 🙂
I would love to see a video on the authentication recommendation and setup! Great video!
@christianlempa
1 year ago
Thank you!
@dbishop9085
1 year ago
@@christianlempa yes! I have authelia set up and I cannot get it to work with anything other than the local domain setup. It does not work at all for the cloudflare tunnel portion of the rule. :( If there is a suggestion on how to do that, I am all ears as I have been trying for about 2 days now.
@dbishop9085
1 year ago
I was able to get it working finally lol
Great video! (As always) 🎉
@christianlempa
1 year ago
🙏 thanks
Have to say, that was probably the best video I've watched on CF tunnels, very nicely explained 😁
@christianlempa
1 year ago
Thank you so much, what a nice statement! :)
I literally just worked out how to do this myself last weekend. Good to see if what I was doing is what everyone does with integrating Cloudflared and Traefik.
@christianlempa
1 year ago
Nice! I knew I was doing it right :D
Great video! Thanks! 😃
@christianlempa
1 year ago
Thx :)
amazing! The 404 cost me HOURS! I couldn't figure out why it's re-routing traffic externally but not internally in the cluster. Made the same change as you did but not with labels per service, instead added a route in the ingress. 10 seconds of gold
@christianlempa
1 year ago
Haha, it did cost me ~4 hours, too! 😂 but glad we could sort it out :)
@cristian Thanks for the amazing guides. I would love to see you set up and configure authentik with truenas scale. Seems there are no guides on this subject and it will be very popular as a replacement for authelia, which is complex to set up and manage
Great video! Can you do an in-depth video covering those settings in the cloudflare zero trust for exposing web application? How to allow mobile app api access while locking down web access.
Great video! I would've really liked to see the deal with those private networks you can setup in Zero Trust. Not sure if the WARP client thing is the same as a simple custom WireGuard container/VM.
PERFECT!!! PERFECT!!! PERFECT!!! THANK YOU!!!
@christianlempa
1 year ago
Thank you :)
That's a great video. I am so excited for more videos about it, about rdp with Cloudflare or access. Please continue your good work. Could you do a video about authentication with Cloudflare access and a self-hosted IAM like Authelia or Keycloak (if possible with a user-friendly UI😅) or nether an existing active directory server
@dbishop9085
1 year ago
This ^^
Very nice video, THX.
@christianlempa
1 year ago
Thanks bro :)
nice tutorial. thanks
@christianlempa
6 months ago
Glad you liked it!
You're such an amazing guy
@christianlempa
1 year ago
Thx xD
I have been using this method for about 6 months now
Yeah! This will be my next step!
@christianlempa
1 year ago
Nice! Let us know how it goes :)
@mykyar9142
1 year ago
@@christianlempa Update. I've bought a domain on Cloudflare. Connected it to my dedicated IP. And with configuring the firewall on the Mikrotik router I passed the traffic to my Kubernetes cluster on the Orange Pi5 boards. I'm a developer and just started to learn self-hosted Kubernetes. Danke schön for your videos! They really help me a lot!
You really help me. ❤
@christianlempa
1 year ago
Glad it was helpful :)
This looks so convenient and easier to setup compared to the traditional port forwarding method ! I'll definitely look into CF tunnels.
@christianlempa
1 year ago
Nice! :D Hope it works great for you
All clear, thanks! (from Siam)!
CF Tunnel is what I'm using to expose my Matrix and Mastodon servers endpoint so they can federate. Otherwise I still prefer accessing stuff via Tailscale (which BTW recently added Tailscale Funnel). But Cloudflare is a different kind of beast if you want to combine Warp with Tunnel or Warp-to-Warp, but I digress 😃
@gmsipe
1 year ago
I agree and just switched from CF tunnel to Tailscale/traefik. It's simpler, faster, and at least as secure.
@ultravioletiris6241
1 year ago
@@gmsipe I'm learning how to set up Tailscale with Traefik. Was it difficult for you?
I would love to see a video about Teleport!
@christianlempa
1 year ago
Coming soon :)
Great video. Finding tunnels great for home use. I would like to enable more security, but can you think of a way to do this that still allows mobile apps (nextcloud) to access the tunnel? Would like to see a video about this.
First of all, awesome guide as always! Now, what I kind of miss is your Traefik setup. Your other video with Traefik helps, but I somehow can't get certificates from Let's Encrypt. Are your Traefik settings different when you use it with Cloudflare Tunnel?
Just done this before watching this video last week. I don't mind exposing my ip address, people can already guess and I had to move ssh port higher. Because it was constantly abused. It still is, but with much lower rate. But advantage is that it somewhat helps with other stuff: you don't need nginx reverse proxy, you don't need to renew let's encrypt certificates for each service every three months, you don't need to set up port forwarding on DOCSIS modem/router and open port 443 whenever it needs factory reset. I just haven't tried this for ssh and to have dynamic dns (script that checks local ip every 30 minutes and renews dns when it changes - which can be likely done via cloudflare api) and for blocking access based on country.
Thanks for this. Fantastic material. Your linked video on docker networks was great also. However! 😂. It never explains your use and configuration of the backend and frontend networks. Where is that covered?
Thank you 👍
@christianlempa
1 year ago
You're welcome! :)
Hi Christian. Lovely content as usual, great work! What keyboard are you using?
@christianlempa
1 year ago
Thanks! :) Keychron K3
It would be interesting to see how it works with RDP or CIFS/SMB
Great video - thank you. Have you been able to use a Cloudflare Tunnel to access Apache Guacamole?
i would look to have a look at the settings
Christian, can you make some recommendations regarding how to employ "authentication providers and other security measures" due to TLS terminating at CF? What specifically have you done to mitigate this risk? Thanks!
Thank you for all your videos! I did have one question, perhaps you discussed this in another video but I missed it - can you explain your rationale and usecase for your "frontend" and "backend" networks?
@Ohamdaoui
11 months ago
Have you figured out how to do that? I have the same question, how to create the network service backend or frontend. I have created one in portainer but it does not work.
Brilliant
@christianlempa
1 year ago
Thx :)
Hi, great video, where can I find your video about local and external ssl and dns configuration? I like that a lot 😀
For someone just starting down this home lab rabbit hole would you recommend going this route for exposing services to the Internet for personal and public use or would you recommend a reverse proxy?
It would be nice to see a video about the authentication, Because, For example, if I setup the nextcloud using the tunnel, and I enabled the one time pin authentication, then, I am not sure if the nextcloud mobile application would still connect to this nextcloud instance, as the end point would be protected by one time pin, probably the mobile app would fail to connect. Thanks for your comments.
@EduardoSantanaSeverino
1 year ago
I was able to set up SSH access, and it works like a charm.
Please closer look at the cloudflare authentication settings
What’s the reasoning behind disabling auto update in cloudflared container and not using the latest tag?
Hey Christian, Thank you for the valuable insights you share on your KZread channel. I have a question: Is it possible to forgo Traefik's SSL termination mechanism and instead utilize Cloudflare's HTTPS termination service to manage our certificates? I'm curious about the advantages of integrating Traefik's DNS challenge with Cloudflare, especially when we have the option to enable Cloudflare's free SSL/TLS. Thanks.
Hello! Great video! Can such a solution be done without a third-party service such as cloudflare? Purpose: hosting services on the open Internet without port forwarding on the router.
Hi Chris, many thanks for the detailed instructions. As always, very well explained. I wanted to ask which tool you used to create the sketches... always makes the one or other system structure a little clearer 😉, thanks in advance, greetings
@christianlempa
6 months ago
I think it was excalidraw at that time
Is it possible to combine this with authelia? When I've been trying, traefik isn't pushing through authelia?
I have a question: do you know if with this tunnel or another we can connect with the same ip but a different port? Ex: yacht app like portainer, because I always need to change the tunnel ip:port for access 😢. Ty
How to get Android apps working on the smartphone? Like Nextcloud or Synology apps. Because of the login screen for 1-time password or verification...
Which local dns server do you use ? Please suggest some with gui
Thanks a lot. It worked like a charm with TrueNAS Scale as well (TrueCharts).
@christianlempa
1 year ago
Thank you 🙏
@MehranZiadloo
1 year ago
@@christianlempa Question: I've successfully installed the TailScale on my TrueNAS Scale and I can ping it using the IP TailScale is assigning to it. But when I add that same IP as an alias to network interface and then set that IP as the Kubernetes' Node IP, I cannot access my apps through VPN. I'm trying to make it so whenever I'm connected to the VPN, I can use my TrueNAS Scales apps. Do you know how I can make this work?
How can I view or monitor, for example, the IP of the machine that connects and uses my tunnel-exposed website? I don't see a monitor for activity on the Cloudflare dashboard
How would you set up the custom block page as it only takes an IP and won't work with SSL. Thank you
Hi Christian: Got this working fine so long as everything is running inside the same docker container as Traefik. Is it a simple process to have Traefik function across multiple docker containers on different machines? I have programs on other servers that I would like to proxy, but Traefik cannot see them.
If I'm not mistaken here. So we don't need manually add new ingress on cloudflared tunnel dashboard ? Just label all container??
Hi Christian, I have a self-hosted rust desk server that needs tcp and udp ports open and exposed to the internet. Can this be done with a tunnel or is there a better way?
Hello Christian, I am using the container name as URL in the public hostname section. But it doesn't work. Only the docker network IP works for me. Can I know why? Please..
Any advice on allowing access to Postgres via Cloudflare tunnel??
The home assistant does not work and I have added the ips of the proxy servers. What can be the problem?
Hi @Christian Lempa, thank you. I have a question, how do you install a traefik plugin from Github? I also tried to install it, but it fails with invalid download
Hey Christian, just wanted to point out that your zsh history prefiller may have leaked a production token. I'm sure you probably noticed and it's all good, but just wanted to let you know
How do I connect the new tunnels with nginx proxy manager?
I used it as a VPN. For some sites that only serve certain country or regions, use Cloudflare to avoid being denied access.
Hey Christian, thanks for the great videos. Please, I am facing the same error "404 page not found". Could you please explain more about how to change the labels as you did in the video, noting that my docker containers are hosted remotely on a VPS? Also I am using nginx proxy manager. I will try to replace it with traefik soon but I think it's the same problem
how to expose only certain urls from the server and not all endpoints from the server?
Videos good. Hey man, I have questions: how do I look at domain user data usage and how to limit data? ....... please help
So, I have created the tunnel and it says it is working. I added nginx container and public hostname as you suggested. I head to that URL and it says: bad gateway at host.
Hello, first of all, let me thank you (from France) for the excellence of your videos. As a total noob, I followed your video on creating a tunnel with Cloudflare and it worked very well, but today my two tunnels are down and I can't find any explanation anywhere. Do you have any suggestions for me? Thanks for everything you do.
@christianlempa
1 year ago
Thanks mate! Join our discord and share some details about your setup and logs, maybe we can help you :)
Hello, thanks for this amazing video. One question: what is the app you use to diagram on 3:13m ?
@christianlempa
1 year ago
You're welcome! That was excalidraw
You need to make a video on ZeroTier one
Hi can you make a video for using cloudflare to have access to our SMB server, FTP and SSH from internet? 😢
Cloudflare tunnels are so good. Even have a ssh tunnel with two factor. No need to expose ports.
What's that application that has docker and kube environment at 0:14, TIA
Hello Christian what are you using for your data / network diagrams in this video?
@christianlempa
1 year ago
excalidraw
Good video, many hints on what to follow - but you missed the disclaimer that CF is able to access all the traffic due to man in the middle, might be okay for pictures wouldn't want to put my nextcloud there...
@christianlempa
1 year ago
Thanks mate, I left this part out because it didn't feel well placed in here. I might do other videos on this part and alternative solutions though.
I somehow get a 502 Bad gateway error, Host Error, any ideas?
What’s the software you use while creating diagrams document in real time ? Thanks !
@planeetpaul
6 months ago
I'd love to know this as well!
Can I use this with a FTP client ? Like Transmit ?
what if the self hosted setup includes both Træfik and Authelia? Is there something different to be done there? I can reach a simple Nginx container in the same network, but when I try to reach containers behind Træfik and Authelia, I cannot seem to reach them. Thanks for the great videos!
@christianlempa
1 year ago
Haven't tried it with Authelia, yet.
@dbishop9085
1 year ago
@@christianlempa This would be great to know how to do
If I use the container name, I get Bad gateway error. My containers are on the same network. If I use IP, it's ok. Any ideas?
What are you using to draw the details out?
@Thewho456
1 year ago
That's Excalidraw, specifically used inside Obsidian. Obsidian is a markdown editor and knowledge management app with lots of extensions, one of them is Excalidraw. Excalidraw also exists as a standalone web app.