I was using Cloudflare Tunnel for some time, BUT when I used Tailscale I never looked back 👍 Thank you for this video, man.
Two different products with two different purposes, as far as I am aware. How did you replace Cloudflare Tunnel with Tailscale?
The timing of this video is awesome! I plan on setting this up this weekend! Thanks for all the great videos!
Whenever this comes up, I just want to make sure that people are aware that Cloudflare MITMs all of your traffic (including HTTPS) going over the tunnel. That might be perfectly fine for most people; I just feel like they should be made aware.
Totally agree with you and I think Tom Lawrence did put a disclaimer.
Nonetheless, I highly suggest setting up a VPN.
@@PowerUsr1 Yes, also, people get excited about "Free Things", but Cloudflare Tunnels are a lock-in to Cloudflare.
Man... Thank you very much. This example helped me a bunch with my setup!!!
Thanks for the video. Got it all set up and working with my Raspberry Pi 5 I'm configuring to replace my old Pi 2B.
I could never get mine to work!! Thank you!!!!!!!!!
Very cool. I hadn't seen the CF Zero Trust functionality used yet. That does look pretty interesting for some use cases I've been throwing around. Thanks for the video!
Can this setup be used to lock down my Reolink camera remote access?
Thanks for the shout-out!
Thanks for the demo and info, have a great day
X in 10 mins, explained in a 20 min video :D Joke aside, keep up the excellent job!
My SO makes fun of me for doing this. I am glad I'm not the only one who confuses how long 10 minutes is 😅
Would have been awesome if you showed how to set up an RDP connection.
Can you still connect with the Home Assistant companion app if you lock down the tunnel?
I really like Tailscale. But this looks cool as well.
Thanks!
I use Tailscale to remotely access my Home Assistant. So far it's been pretty reliable (but will it stay that way?)
The only issue is that it sucks the battery dry FAST.
Your home assistant server is running on battery?
@@lhamil64 I imagine he’s using a battery powered mobile device of some sort to access his Home Assistant and the Tailscale client for the mobile device is power hungry.
@@jadamsnz exactly.
Great video! I have managed to do everything you demonstrate in the video. One thing I can't figure out how to accomplish, though, is how to pipe the inform traffic from my remote sites, through the Cloudflare tunnel, to my locally installed CloudKey. If you can show how to configure that I will be forever loyal to your channel. The only holes that remain to be closed in my firewall are the ones for inform and STUN traffic from my remote sites.
UniFi inform traffic is HTTP over port 8080, so I would think if you match up the same rule (i.e. Cloudflare FQDN forwards to HTTP 8080 on your local UniFi controller) that should work? I'm just not sure if UniFi devices will like having to go through HTTPS to get there... I've never tried it.
@@CrosstalkSolutions Well, that's what I thought as well. However, I can't get these messages through the tunnel. Everything else I send that way reaches its destination, including reaching the CloudKey's web interface. But the inform traffic refuses. Isn't that a challenge for the next video ;-)
Do CF Tunnels allow non-HTTP/HTTPS traffic such as TCP/UDP to be exposed via tunnels?
Can this method be a replacement for NGINX Proxy Manager? I would like to do this with Vaultwarden.
I was able to follow the instructions and the tunnel is working on my PiKVM. My problem is I am still able to go directly to the site without being prompted for a one-time PIN, even after adding the Access Application.
Argh, so frustrating. I have watched two other videos which basically show the same info, but my configuration still doesn't work.
Double-check the Application rules - make sure you have the * in the hostname so that the application catches all sub-domains.
@@CrosstalkSolutions Funny, I just added a new "Application domain", but this time I left the "subdomain" blank. So now there are two Application Domains. Both have the same domain, but one has an "*" for the subdomain and the other one is left blank for the subdomain. Now, when I go to the domain I see the "Get a login code emailed to you". I don't understand.
So if you go this route, does this make it super easy to pull Let's Encrypt SSL certs for your homelab devices? E.g. a Synology?
Cloudflare creates the SSL certs for the domain that you add - no need for Let's Encrypt on the device locally... all traffic is valid SSL traffic. There is an argument to be made for not having control over the SSL cert though, as I'm sure many in the comments will bring up - that's a decision you'd have to weigh.
@@CrosstalkSolutions I figured remote SSL was handled via the tunnel, but my pet peeve is getting rid of the SSL warning in the local LAN. It is a topic I've always hoped you would cover, as my setup is similar to yours. But I don't want to expose everything to the web. I'm also having trouble getting through my gateway to my Dream Machine.
So right now I'm toying with setting up a ".internal" TLD and using Unbound or nginx to redirect DNS queries locally and issue my own certs.
There is some discussion of using BIND for it, but the few tutorials I've read have the BIND server be your DHCP server as well, and I want to keep my DHCP through UniFi.
@@cameronpalm4617 You could set up Pi-hole for your local DNS. That's what I use with my homelab.
I looked into your training, but it's expensive for what it is.
Where can I get that shirt? Have to have it!
Vim for days
Is this CG-NAT or do they use IPv6 to IPv4 translation?
It's CGNAT.
What is the solution for SMB?
Self-hosted ZeroTier all day and all night... love Cloudflare but marry ZeroTier. 😂😂😂
Not sure what I'm doing wrong... Installed cloudflared, configured the tunnel in the ZT dash, it shows healthy, but when I try to access that environment, it drops. I'm just getting a 404, and it doesn't look like DNS is resolving. Is the CNAME supposed to resolve properly?
If you do it too quickly, sometimes the SSL cert hasn't been generated yet - give it a bit and try back later.
@@CrosstalkSolutions looks like Cloudflare was having a DNS propagation issue when I was attempting this. What timing on your video and CF's issue!
Unless you're out of the loop, there are multiple N100 boards with 2.5G Ethernet built in for the same price on Amazon. Are you being paid by them or something?
Which one is your favorite model? List it here and I'll check it out.
If you think that coffee tastes good after being ruined in a blade grinder, you really should pick up a cheap burr grinder. You wouldn't believe how much better it would taste, even if you do ruin it further in a drip coffee maker. *8')
Pro tip - thanks!
I can't tell if that's sarcasm or not @@CrosstalkSolutions, but I'm glad you like your friend's coffee, and if it's as good as you say, people who try it will keep going back for more, even if they do ruin it with blade grinders and drip coffee makers. *8')
@@markbooth3066 Hey! The good thing about our coffee is it tastes great whether a blade grinder, burr grinder, drip machine, pour over or French press is used to enjoy it! Our beans are roasted the day your order ships and shipping is always free in the USA! Thanks for checking us out!
As a coffee enthusiast myself, I will caution that that rabbit hole can go deep and get quite expensive. For regular coffee, you can do quite well with a quality hand grinder and something like a V60 pour over or AeroPress.
Thanks for the great video. I followed your instructions and got my Zima board working. But adding my Diskstation failed, telling me "Bad gateway". I may have figured it out. HTTP works. But not HTTPS.
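For readers using a locally managed tunnel instead of the Zero Trust dashboard, here is an added example (not from the video or any commenter) of a cloudflared config.yml that expresses two things discussed above: the UniFi reply's "FQDN forwards to HTTP 8080" rule, and the "HTTP works but HTTPS gives Bad gateway" symptom, which cloudflared produces when the origin presents a certificate it cannot verify (a self-signed NAS or controller cert) unless TLS verification for that origin is disabled; the dashboard equivalent is the "No TLS Verify" toggle under the public hostname's TLS settings. The tunnel ID, credentials path, hostnames and LAN addresses are placeholders; the UniFi (8443/8080) and DSM (5001) ports are the products' defaults.

```yaml
# Added example config.yml for cloudflared (not the video's own config).
# Tunnel ID, credentials path, hostnames and IPs are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # UniFi controller web UI: HTTPS origin with a self-signed certificate.
  # Without noTLSVerify, cloudflared rejects the origin cert and the
  # visitor sees "Bad gateway" even though plain-HTTP origins work fine.
  - hostname: unifi.example.com
    service: https://192.168.1.10:8443
    originRequest:
      noTLSVerify: true

  # UniFi inform endpoint is plain HTTP on 8080, per the reply above.
  # Whether devices accept a Cloudflare-fronted inform URL is not settled
  # in this thread; this rule only reproduces the suggested mapping.
  - hostname: inform.example.com
    service: http://192.168.1.10:8080

  # Synology DSM on its default HTTPS port, same self-signed-cert fix.
  - hostname: nas.example.com
    service: https://192.168.1.20:5001
    originRequest:
      noTLSVerify: true

  # Required catch-all: anything not matched above gets a 404.
  - service: http_status:404
```

Disabling origin TLS verification only affects the hop between cloudflared and the LAN device; the public side is still terminated by Cloudflare, which is the MITM point raised at the top of the thread.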
First!