Using Cloudflare Tunnels For Hosting & Certificates Without Exposing Ports On Your Firewall
Ғылым және технология
Cloudflare Tunnel Docs
developers.cloudflare.com/clo...
pfsense HAProxy video
• (Updated Video In Desc...
Jeff's How I survived a DDoS attack
• How I survived a DDoS ...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Time Stamps ⏱️
00:00 Cloudflare Tunnels
00:30 Requirements
01:42 Security Considerations
04:06 Demo Lab Setup
06:43 Documentation & Dashboard Setup
07:42 Creating Tunnels
14:41 Adding Application Security
#homelab #cloudflare #firewall
Пікірлер: 288
You never fail to give me practical new information on new systems. Thanks 😀
I think it’s important to note that cloudflare tunnels have limitations. For exemple if you plan to use this to access stuff that require large file transfers like nextcloud, cloudflare tunnels are limited to 100mb per file.
@DaleCunningham_DBA
Жыл бұрын
Thank you for this info.. that adds a lot of doubt into the mix for if I want to use it. I have large photos, videos and PDF documents that exceed 100MB Maybe Cloudflare wants a client to upgrade to get a higher threshold on the file sizes?
@ericesev
Жыл бұрын
Also see section 2.8 of the terms. "Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service."
@3xpired3lements
Жыл бұрын
I think this is false information, Cloudflare TOS only refers to non HTML content.The 100mb limit is per connection and not per file. You can have multiple connections... I can upload 10G files just fine
@LAWRENCESYSTEMS
Жыл бұрын
I don't see that in their documentation developers.cloudflare.com/cloudflare-one/account-limits/
@LAWRENCESYSTEMS
Жыл бұрын
No hard limit, but it's at their discretion for free accounts. "Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service" www.cloudflare.com/terms/
I've been using this service for 2-3 months and I love it. Easy setup and it works very well. I'm stuck behind CG-NAT making self-hosting difficult, but Cloudflare tunnels have made life much easier.
Very informative. That extra layer of security was exactly what I was looking for
thanks so much for your detailed videos - I have been struggling since last couple of days to fix the cloudflare tunneling problem with my docker container and continuously watching videos on youtube. But your video help me to resolve the issue, thanks again.
This service is brilliant, I had superficially seen something about it, but I hadn't tested it yet, now with this video, I'm going to try to implement it in some personal project to test it and see if it fits in some current or future project!
Thank you Lawrence for the videos, please upload more Cloudflare tutorials. great content
I started using this to have my college labs accessible when out of home. Making code changes real time and see them implemented makes life a lot easier.
@Dotcomtipsandtricks
8 ай бұрын
Could you please share with me how you did that on windows?
@lespinoz
8 ай бұрын
@@Dotcomtipsandtricks let me compose something later today and share it with you once done, but will for sure provide help!
Excellent - as is your usual standard. Thank you.
Best and most secure option to exposé internal services to the internet - and one that works with a cgnat, too 👍 Thanks for the video 😁
This is why I love this channel - first time I hear of the TLS intercept, which is okay, but you have to be aware of this. None of the other pointed this iirc...
Excellent video, very easy to follow and I have now restructured my remote connections using cloudflare tunnels and added another layer of security.Thanks!!! One thing I noticed when testing though was that I needed to set the email rules to 'Require' rather than 'Include' for the restrictions to work as described in the video.
@fotografm
Жыл бұрын
It won't let me save with required rule unless include rule is also present.
@TheBeardedLibertarian
8 ай бұрын
need both
@shrenikshah8882
4 ай бұрын
How to transfer or copy/paste windows files/directories to novnc servers?
With the 'bug' you mentioned at the end, you can go to your DNS settings in cloudflare, and delete the subdomain forward manually
Thank you Tom, very informative. One point I missed is - how to handle HTTPS certificates and if clouldflare can handle more sophisticated URL manipulations (rewriting)? I'm trying to understand if this could replace also my reverse proxy. I wish all best in 2023🎉😊
all good thanks for cover it step by step. I discover also that you can combine tailscale network and cloudflare tunnel to host something that isn't on the same network
Great video Lawrence! I self host Guacamole and have a custom domain pointing to it, but I think adding the extra security layer Cloudflare offers is a good idea.
@Jordan-hz1wr
2 ай бұрын
I’ve done the exact same thing for our MeshCentral instance.
Thanks for the tutorial. I was able to set this up to point to my Plex server and Owncast instance. I previously had these behind an nginx proxy. Plex and Owncast use websockets and was tricky to configure all of that in Nginx. Using Cloudflare tunnels, everything just works! no more nginx reverse-proxy configs and struggling to get it configured correctly.
It's hilarious how many times in the past year I've search this up to bypass ISP port blocking, and still haven't done it... maybe this will be the recemented video that makes me implement it.
great stuff! exactly the solution I need, thanks a lot for sharing this.
Many thanks. Will certainly be looking at this and interesting you referenced it re Bitwarden which is one of my potential use cases. Originally I was going to do bitwarden self hosted with vpn. Cisco CBD build to be done next week too.
Very good intro to bring awareness around who you bring into the trustcircle
thanks for the demo and info, have a great day
I'd love to see you run your ssh connections through a tunnel. I've only managed to do it with their in-browser ssh client, and not through a remote terminal.
Saved me for an issue I was having, thank you very much!
I run this as an add on in Home Assistant, works great!
@Tom thank you for this.. you solved my issue.. I wasn't activating the "No TLS Verify" so it wasn't working..
thank god for u, everyone missed the tls setting
I’ve experienced the same DNS “bug” when deleting a tunnel and needed to manually delete the DNS entry to reuse the subdomain when I started setting things up and testing. However, later when I set up different tunnels and eventually deleted them after testing, the DNS entry was deleted with the tunnel. So it hasn’t been a consistent bug for me, and may be related to the process taken when deleting.
Awesome video Lawrence, you got me out of a pickle, unfortunately, I followed another youtuber's video, but he failed to provide one very important detail regarding TLS verification..! Thanks
Super helpful! Thank you!
Thank you for this video. Answers a lot of questions I have :-)
A few things to note: end-to-end encryption can be achieved by specifying a trusted CA and an expected hostname within the cloudflare zero trust dashboard. Also, docker isolated networks are a MUST if you're going to host other containers/services that you don't want exposed to the internet
@nixxblikka
Жыл бұрын
Can you maybe please elaborate in more detail how to achieve end-to-end encryption? Unfortunaly I cant post links, but googling said it works with enterprise accounts...
@JohnsonJLB
Жыл бұрын
Which CA is best bang for buck? Verisign, GoDaddy, Digicert? Any other?
@malachis1447
Жыл бұрын
@@nixxblikka So I self host my own PKI, and in the Zero Trust panel, I specify the location on the internet where cloudflare can pull the CA cert from, and then specify the host name that cloudflare expects from the certificate
@Zeric1
Жыл бұрын
@@malachis1447 The only thing I found in the docs was how to "deploy a custom certificate" which encrypts the connection between the end user and the cloudflare gateway with your own cert (and only on enterprise plans). Perhaps yare are talking about something else as the "deploy a custom certificate" doesn't prevent cloudflare from reading your data (the man in the middle issue). Can you be more specific on how you set things up to get true end to end encryption (no man in the middle concern)?
@malachis1447
Жыл бұрын
@@Zeric1 the only place that you're "deploying a custom certificate" is internally, in the webserver in your network that you want cloudflare tunnels to connect to (something like a self signed certificate that cloudflare will trust the CA and specific hostname, once you've specified that setting in Cloudflare Zero Trust). Externally (for the end user), the certificate still says Cloudflare
Excellent demo! Question do they offer an agent that would enable private tunnel access with 2fa? This way you could enable access to all containers with a wildcard and not expose all the names in public dns,
If you go into your DNS settings in cloud flare for that domain you can remove them manually if you do it backwards.
Hi Tom. Thanks for this great content! I successfully use CF tunnels to expose home services a good while. Using "Applications Policies" in conjunction with "Access Groups" give me a granular way to lock down certain services to special groups of users or devices (by country, ip-address ranges, e-mail addr). Using special "identity provider"s for certain applications provides more flexibility also. The use tunnels depends a lot of "trusting" CF. Controlling the SSL-endpoints is a real responsibility for CF. Hope that CF never suffers a data breach or use our data for their own purposes. Than the "shit hits the fan"... A good an successful year 2023 for everybody! See you next year (in 1 day) 😀
This worked excellent. So many layers and no holes in the firewall.
Damn… I already thought I must have a look at Cloudflare Zero Trust Platform, but still havent come around doing so. Thanks to this video, I now know I DEFINETILEY need to have a look at as soon as possible…
Thanks for this video, cloudflare is the best 💯
It occurs to me that this might be a way to "expose" my webserver to fellow residents of the retirement village I live in and build a community portal. I'm behind a double NAT and I'm running WordPress on IIS (because I know IIS...). Thoughts on using Cloudflare Tunnels for this purpose?
Awesome video ! Thank you very much !
Great video as always. Is there a way to create a RTSP stream connection to an internal camera?
I'll have to give this a try. I actually had to solve this exact problem for a server I was building last year. I ended up using zerotier sdn connecting the homelab vm's to a droplet with a public IP, and using ipforwarding and ipchain to build a frontend for it. the droplet has the ssl cert, and dns records pointing to it. It follows the iptables rules to forward specific traffic over the zerotier virtual network to the local vm's and back.
I encountered that small nuance of not being able to adding back/renaming to a hostname that I had previously used. When you create/add a Public Hostname under Tunnel it creates a new CNAME in your DNS, and this doesn't get automatically deleted probably more of a safety feature since DNS propagation usually takes time. Delete the CNAME entry and you can go about the rest of the day.
awsome. I saw it elsewhere, but not seen the additional security layer. there is only the risk that cloud flare going for the free security to paid in some years.
Cloudflare tunnels, this is the way. Also the Web Application Firewall (WAF) they offer for free only adds additinal layers of security. You can make firewall rules to block traffic before it ever hits your network/servers/applications.
Hi you are great!! it's possible protect the tunnel access with mutual tls for authenticated the clients? because the apps behind the tunnel has auth. like a "MFA" cert + user + pwd
Great Vid, what about set up for a RDP connection? I can't seem to get this to work
Hello, this is a great video and convinced me to use Cloudflare Tunnels instead of reverse proxy. A question though: is there a possibility to add wildcards? I want to run a Wordpress Multisite but dont want to log in to Cloudflare and add another tunnel every time I add a new site. Also, if there are issues removing a tunnel I may have to rethink this.
Hey Lawrence, just wondering if you've tried the client configuration option (versus configuring on the zero-trust dashboard). I suspect you'll find this more helpful and it may also address the "bug" you mentioned in the video (at end).
@LAWRENCESYSTEMS
Жыл бұрын
Have not tried it, still an odd bug.
Also, folks should consider setting memory limits on their Docker containers in case one runs wild and starts using up all the RAM on the docker host. It helps prevent problems down the road.
@sebastian05000
Жыл бұрын
How do you add limits on each docket container or how to add it in a docker compose file?
@skorpion1298
Жыл бұрын
@@sebastian05000 use portainer. It’s super easy with it.
@sebastian05000
Жыл бұрын
@skorpion1298 Never used it tbh will need to learn it as well how to make my setup of docker compose files work without any issues. I simply used commands as well the Synology GUI of docker.
@skorpion1298
Жыл бұрын
@@sebastian05000 afaik you can also use compose files or commands in portainer. It’s pretty easy and there are plenty of tutorials out there :)
Hi Lawrence, thanks for your video. A question on a detail. I've installed Portainer and set a Cloudlare tunnel with Docker. When I go to the cloudflare container, to check the logs as you do, mines are empty. Which doesn't seem normal. Should I do something to make these logs visible? thanks
Really good. Thanks
Thanks!
Lawrence, I tried what you did with uptime-kuma, but Cloudflare treated it as an http URL. It doesn't wrap it in https for me the way it did for you. The TLS tab doesn't appear when I set the target service for http. What might I be missing? Thanks.
Great video, thank you very much - earned a new Subscriber here! Couple of questions: 1. Following on from your last video, I decided to ditch lastpass and am now hosting my own BitWarden, but would like to add another level of security when not going to the url from my home (which I have managed), but the sync in the app does not connect due to the Application Policy, is there a workaround to make this more secure? 2. I have a dynamic IP address at home and would like to make sure the IP in the application policy updates - is there a way to do this? Thanks and keep the great videos coming!
@LAWRENCESYSTEMS
Жыл бұрын
1. not sure, not something I have tested. 2. no way that I am aware of.
Fantastic!
Great video again, appreciated! Someone already asked the question but so far I've not seen a response to it. How would these Cloudflare tunnels compare to other popular solutions nowadays such as Tailscale or Zerotier? Any views on that you want to share Tom?
@LAWRENCESYSTEMS
Жыл бұрын
Tailscale or Zerotier are overlay networks , this is a reverse proxy they are not the same thing at all.
@nixxblikka
Жыл бұрын
@Nonkel: Main difference: With Tailscale / Zerotier the end point needs to be setup, here you do expose a servive to the internet, they great advantage: you do benefit from all security cloudflare provides, compared to a (mis)configured firewall at home. however without the shown security layer from Tom, you need to trust the implementation and setup with the client. Also too: The fact CF can intercept all traffic is a downside for me. Apart from media streaming I wouldnt know, what I want to share with them... although someone above explained to achieve real end2end (by pointing to a CA i think)
Any particular reason to use this instead of Tailscale? Apart from needing Tailscale on both the server and the client?
I do use it from before it changed of name. It was in beta, right now why it is free it is for gaining clients also if they do updates it is on the free before as if it broke the payed clients wont get the error as they will correct the error before. I used it for years as I am hosting at home on DHCP from my ISP and with it changing IP wont do me any thing. It is super repliable, safe and easy to configure.
Great video ! I set policies to "email" for each of my services. Is it a bug that once I succesfully accessed one service using the emailed PIN, I can then access all of the other services on the same tunnel without being challenged for an email PIN ? Or does the browser store a cookie allowing access to all services once I have successfully accessed one of them ? If I set a different email address for each service then this "bulk authorisation" disappears. I found that setting the "session duration" to "no duration" prevents this behaviour.
This is one of those awesome tools similar to ZeroTier One that once you hear about them you are super glad you know exist!
That looks really interesting, I'm currently using wireguard on pfsense, but I'll definitely have a play with that. As always, thanks for your excellent videos.
@RickMyBalls
Жыл бұрын
the plural of video is videos
@BillyDickson
Жыл бұрын
@@RickMyBalls So it is, thanks, I've amended the comment.
Seems that UDP is also a supported service on the Cloudflare Tunnel so technically, you can use the tunnel to manage your Unifi setup AND have the inform URL set to point to it. Has anyone given this a go?
I am wondering what could be the potential Performance of those tunnels, packet per second etc. Also how could I make them Highly Available mode, Option1 k8sbut again some many options can I run them in replica set. The intention would be complete firewall / load-balancer replacement for large busy websites. What are your thoughts based on my comments?
How does this compare to a Tailscale setup latency/throughput wise for streaming video (plex/jellyfin)?
Hi there, Do a vídeo explain service access with CF, like RDP, SQL SSH. That Will be great too!
has anyone been able to configure the 'IP range' as policy instead of OTP? I keep getting unauthenticated errors, even though the details in the message list the same public ip i've whitelisted in the configuration policy.
I need to use Traefik's reverse proxy services. Is there an option to route wildcard subdomain through cloudflare tunnel?
Can confirm this works well on a Raspberry Pi with the Debian Buster ARM 32-bit package 🙂 Can now access NUT UPS monitoring to see more detail of what is going on when I receive the dreaded email to say my UPS is on battery. It wasn't something I wanted to publicly expose and can't anyway due to my ISPs CG-NAT.
@AdamsLab
Жыл бұрын
VPNs don’t exist? 😊
@colin79666
Жыл бұрын
@@AdamsLab Not behind CGNAT without something extra in the middle.
Can you please provide some details on your video camera/mic setup? Video and audio are A+ [If I was to guess, Blackmagic 6K]. Do you edit with After-Effects/Premier Pro or something like DaVinci? Thanks! - big fan from neighborly ann arbor :)
@LAWRENCESYSTEMS
Жыл бұрын
I have a studio tour here kzread.info/dash/bejne/qJt9tptvmcy7Z5M.html
This is crazy easy and cool I am gonna be using this!!! I still find it crazy its free
This works with other internal thing. Like my deluge client. but with nextcloud I can't get it to work. I've added the correct ip's in the config.php allowed list. But nothing ever shows. Any ideas ?
Great Video -- How would I use TrueNAS Scale to host this Cloudflare client? Does the TrueNAS Scale machine need a VM host to these objects or can the Docker be managed by TrueNAS itself?
@LAWRENCESYSTEMS
Жыл бұрын
Don't know, I have not tested.
@costenalolek973
Жыл бұрын
cloudflared from truecharts
great video I love and use Cloudflare myself. any plans to make a video on combining it with Authelia for extra security ?
@LAWRENCESYSTEMS
Жыл бұрын
No, because I don't use it or have any plans to start using it right now.
Great Video 👍
Is there an elegant way to use cloudflare access for the whole domain, except 1 subdomain/ public hostname?
This is great,would definitely try it, but do you need to purchase the SSL certificate for your own domain for this?
@LAWRENCESYSTEMS
Жыл бұрын
nope, they handle the SSL cert
I created vlan on pfsense then connected cloudflare on vm with vlan, but I want to control it thru pfsense for example to use wan or lan ip, what am I missing
I already use this with a synologydva and Google OAuth. The only downside/ issue I have is not being able to access it via a mobile phone app DSCam.
Just a quick question. Will the cloud flare docker also point to services that are not running in docker? Say a Nextcloud snap image.
@LAWRENCESYSTEMS
Жыл бұрын
Yes, it can talk to anything on reachable on the network it's attached to.
Hey there. Not sure if you’ve figured out the bug already, but in case you haven’t. When you create a new public hostname, it’s actually creating a new CNAME entry in your DNS records. When you delete a tunnel before the hostname, you just need to go delete the DNS entry manually before you can recreate one of the same name. Deleting the public hostname “correctly” simply removes the DNS entry for you. Hope this helps!
I get the tunnel part up and it says healthy... and if I go to Plex on my server's side... it lets me connect the Remote Access to the Internet.. ...but when I try to access that tunnel/host, i get a Cloudflare error page saying that my tunnel is ok, and it's broken from my domain to the host. I dont get it. How can I make the connections then? (like from Plex's Remote Access page) I feel like I'm missing one small part, and it's frustrating as hell.
cn you share how can we forward the tcp traffic that arenot web services
its possible that it was eventual concistentancy, there is also the possibilty that they just let the ttl run out ?
and pee configure xampp if you have a local server?
How do you figure out what port an actual computer running unbuntunis using being banging my head trying to get cloud flair to work on Unbuntu 22.04 LTS
Great! How is this compared to Netmaker
yay i got the 1k like - nice video btw
Can you also block some parts of an open service? Like restricting only the admin page of a tunneled bitwarden install
@LAWRENCESYSTEMS
Жыл бұрын
Maybe, I did not test all the features.
Can you make a video "How to add cloudflare tunnels to OpnSense". Please I realy like your videos. Fantastic work !
@LAWRENCESYSTEMS
Жыл бұрын
I don't use opnsense
5:09 you made a small spelling mistake (Descsription). Anyway, love your videos!
I am trying to create a tunnel for Kavita but when I put the local URL at the Route Traffic for "TunnelName" it says URL is required despite me putting a URL into that spot. I've confirmed the service is running, and the URL is correct.
Can AWS Cloudfront do this "tunnel" thing too?
What about the data transferred via client tunnel? E.g. What if I transfer a large amount of data through my application? Is there any additional payment for this?
@LAWRENCESYSTEMS
Жыл бұрын
They don't have any clear bandwidth limits it seems to be at their discretion
Nice video, for most of use cases free plan is enough, but always it is a free so it needs to be limited, to encourage you to buy premium ;). Tom thank you for that.
What happens when you are on the same local network as the Cloudflare "endpoint" and you are requesting services on that local network with that same DNS entry... does the traffic route out of that "local" network and then back through the tunnel?
@LAWRENCESYSTEMS
Жыл бұрын
Your DNS need to point to cloudflare inside or outside and it will route out and back.
I know this is a bit difficult with docker containers... but can the connections, you were using 192.168.x.y:z, be unix domain sockets?
@LAWRENCESYSTEMS
Жыл бұрын
Not sure
Sir, Please can you help me I am trying to get RDP Access form Outside network of my home windows 10 pc from my office using Cloudflared Tunnel with out any port forrowarding of my Jio Fiver Router. Please help me sir.
I love tunnels!!!!
Is like the lazy man trafik? Also what happens if your internet goes out at home? Are you still able to access local services?