With regards to routing streaming services like Plex, Emby, Jellyfin, etc., here is the portion of CloudFlare's TOS that covers it: www.cloudflare.com/terms/#:~:text=2.8%20Limitation%20on%20Serving%20Non%2DHTML%20Content I'm trying to get more information about what service(s) need to be purchased as to not break TOS with CloudFlare.
I've been banging my head to overcome this with wireguard for days, then I reach this video and make it work within 5~10 minutes... Great job and THANK YOU!
Hey DBTech, really appreciate all you do for our community! Your channel was one of the main reasons that inspired me to become a content provider. Thank you for everything!
I already had my domain on cloud flare and I’ve been dreading setting up a reverse proxy and integrating to the CF proxy for just a home assistant instance. This was the answer I didn’t know existed!! Thank you!!!!
A note for those doing this fresh, cloudflare takes up to 24 hours (or more) to verify new domain names, and during this time you will NOT be able to set up a self-hosted application. However you can do the rest of the instructions. Also if you use portainer the docker run command will show up if you run it in the host machine of portainer, so just do that. Trying to make a docker compose for this that exposed the right network correctly was a nightmare for me :D
I directly run docker run command in my machine. I have portainer setup. Should I go thorough that? Also, cloudflare is taking more than 24 hours. Is it expected?
This is a fantastic and thoughtful guide. I set out to do exactly this on a Raspberry Pi and your instructions worked flawlessly. Thank you for posting this!
Thank you very much! This is what I was looking for, as I was always a little uncomfortable opening ports in my router. Despite using NPM, Fail2Ban and other helpers. Thank you for your effort!
I love this tutorial. Absolutely brilliant!! I spent the afternoon moving from NGINX to this service and switched off my port forwarding, which should lower and decrease my attack vector. Thanks again!
@@Otomai This removes the need for port forwarding. This removes the need for NGINX entirely. By switching to this, my network is more secure AND my internet-facing apps are more secure becasue I don't have to open ports and Cloudflare is actively monitoring the traffic to prevent bots and attacks.
Hey David! I got this working.. kind of. All my devices keep sending IPv6 addresses, so just putting my IPv4 in like you did at 13:10 doesn't work for me, it returns the access forbidden page. The tunnel works, but I have to keep adding new v6 addresses to the policy every time my PC or phone decides to change or add a new one. Any way to "prefer using IPv4"? My v4 hardly ever changes.
QQ. After setting up the docker container and making the connection with cloudflare, how can maintain running? If I ctrl+c out of the 'docker run . . .' in the terminal, the connection servers and am unable to use the tunnel anymore
I'm trying to do this on unraid and everything gets set up but I keep getting a bad gateway error and the log says: "ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509" Can't seem to figure this out.
I'm trying to configure cloudflare zero trust with traefik, and I can't manage. Did someone manage? If so, which address is pointing the tunnel to, as no ports are exposed? On the other hand, with nginx I have no problems.
Hey! So define "configure cloudflare zero trust with traefik". Are you trying to access a Traefik instance, or trying to use Traefik through a tunnel? What OS or environment are you using? If you mean you're trying to access your Traefik instance from another device, using a tunnel, you would just need to type in the internal IP address of whatever device is running Traefik like Dave does around the 6:00 mark. If you're trying to use Traefik as a reverse proxy to access other applications from outside your home network you don't need to, Cloudflare handles your proxy and the tunnel is the security from the outside world, see 14:12 for restricting access to only YOUR devices.
Great video David, thanks Quick question: What to do with the services that need certificates to work, example adguardhome, since now that you have removed the cloudflare dns record, they cannot be requested by NPM. Thank you.
I have been using this solution for just over a month now, and it works perfectly. However, how do you update the docker containers to the latest cloudflared version? My containers are all complaingin they are running on an old version. How about a tuiturial on that :) ?
I'm not sure about this under their tos. "you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services." The problem with this, is they can claim all your content necessary to provide service.
Hi sir, I'm building a TrueNAS right now. I'm not really good at this networking thingy. Right now, I do have NGINX Proxy Manager (for nextcloud) set up. So if I decided to use Cloudflare Tunnel, I don't need NPM anymore? I can just connect cloudflare to docker and point it to portainer which contains nextcloud, some web project? Thank you in advance
how about dynamic ip ? with this method the ip will be autoupdated ? EDIT: Worked fine with dynamic ip, i suggest to install the cloudflared docker on vm or lxc that contain Portainer, it will automatically show on portainer dashboard and it's easy to stop & restart it
Hi, I have followed this method. Hosting OMV on RPi 4. But only http tunnels are working. SMB is not working. SSH is working if it is browser rendered. Not working in SSH client. Please help. I have spent lots of hours but couldn't figure out. Please show how to tunnel SMB.
I successfully set up a tunnel. The only issue I have is that it redirects to my domain with the port number shown. I can't seem to find any information on this. Any ideas?
Ive followed this a few times yet always come to the same Error 502 bad gateway. Showing browser and cloudflare working but the host is not. Any thoughts on what the cause might be?
Excellent video. One question though - CloudFlare has a container that let's them know if your home ID has changed, so that they can always point the domain to the correct server IP. Is it possible to use that mechanism to restrict access to your sites to whatever is the current IP address that your ISP has given you?
I have followed this guide to share my Jellyfin server, but the download speed from the tunnel cap at 300KBps, streaming 1080p videos is always buffering every 1 sec
I have been looking for an answer to this for days, and I cant seem to figure it out ... I am pretty tech savvy (I was an electronics tech. in the navy) but I am really teaching myself the networking side of things for a sort of hobby. I am trying to set up jellyfin to be remote accessible through an unraid server. What IP address do I use for my external IP to set up the tunnel through Cloudflare? Do i also use this to set up the record? I actually used your guide last night and got it working, security check application and all, but this morning the tunnel wasn't working again. I'm sort of assuming that I used the wrong IP address, or I used an IP address that is no longer relevant. I guess the root of my question is this: does the unraid server have it's own IP, or do I need to use the IP of a docker container? Is there a specific container I need to install so that there is a static IP? or do I just use the ip of the jellyfin server? Do i need to just force the jellyfin container to ahve a static IP? Am I skipping some ultra-basic step here that I am going to kick myself for not understanding? Last night I just used the IP address listed in the Jellyfin docker info, and honestly I was sort of surprised that it worked, and I'm also not really all that surprised that it no longer works. What is the best way to do this? I feel like I've been watching hours and hours of tutorial, and at the point of setup where you need to enter an IP to create a record or a tunnel, everyone just says "just put in your IP" and I'm like, "WHAT IP?!?!?!"
Your Unraid server will have its own IP. If you network is set up via DHCP, that IP may change from time to time. Any docker containers you have on your Unraid server will share the Unraid server's IP address unless you've set up something like a MAC VLAN and assign different IP addresses to different containers. So, for instance, let's say your Unraid server IP is 192.168.0.25, then you would access Jellyfin on 192.168.0.25:8096 If you want your Unraid server to have a static IP, then you need to set that in your network router. You might be able to set it in Unraid's UI, but you may still run into conflicts if your network router wants to use that IP for something else.
@@DBTechYT Is the Unraid server external IP the same as all the other IPs in the network, or is the Unraid server IP uniqe? I have run ifconfig eth0, but for some reason there is not a standard looking IP address there, so i just used the IP address that my PC was using, with port 8096. That is what was working last night, and what is not working this morning. Is it possibly my IP dynamically changed overnight?
Your "external IP" is the one your Internet Service Provider gives you. Don't use sites like whatismyip or ipchicken to get your IP address for your local devices. You may need to login to your router to get the IP addresses of your devices on your local network.
Great question!! You can do it either way. Things to consider: If you install it on your Proxmox server directly, you only have one tunnel agent to manage/update. You can also easily just point domains to any of the VMs or CTs on the device with that single agent. The down side to doing it that way, is that you're potentially opening your entire Proxmox server up to the world if you don't have the right levels of security in place. If you were to install it directly on Proxmox, you'd want to make sure that you limit access via methods like this: ua-cam.com/video/wdmbAo02ktQ/v-deo.html or even restricting access via the Warp client (I haven't made a video on this topic yet.). You'd also want to make sure that you have 2FA enabled on your Proxmox server and have a good backup solution in place *just in case*.
Even with the help of this video, i still have trouble setting this up. I can only get the / path to work. Anytime i add a path after the domain it returns a 404. Also, i don't understand what the application is exactly. Why do we both add a Tunnel AND an application? Should applications just be considered a firewall, and tunnel considered an app?
I'm stuck at the public hostname page for the server tunnel 6:39. I'm not sure what my service url is. Is it the same IP that I use to SSH to it? I'm also unsure of the port number that you place after it. I'm using an Ubuntu server. Sorry about the noob question; this is all a learning experience for me :)
@@DBTechYT thanks for the quick reply! Maybe I don’t understand the container part. Do I need to use docker? I basically just have an old PC running Ubuntu server on it that I want to host a website on to learn. Maybe I’m watching the wrong video? 🤔
quick question! you added the port 6999 for specific service on the same docker instance where cloudflare container is running. what if I want to use another VM with different IP and port (in my case homeassistant ip x.x.x.20:81234)?
Hello DB Tech, I really hope you can help me out, since i'm struggeling for a week now to get it done. I'm running a proxmox server, where i have home assistant running in a VM (HAOS). In a LXC container i'm running nginx proxy manager, witch i'm trying to setup with a argo tunnel from cloudflare. I tried many ways, tried to setup docker swag, tried to setup a tunnel myself with all the info i could find on the web, but i don't get it to work. Everytime i get dnsprobe errors or to many redirections error. Anyway, i can't seem to make nginx proxy manager host my subdomains thru a argo tunnel. I really hope you can make a video on how to set it up, it would greatly help me out! Thanks in advance!
I'm sure I'm missing something obvious, but what do I need to do so that it will auto-start? I think I need to add the restart policy, but I'm not sure where I add it in the copy/paste I get from cloudflare. Any ideas? --restart unless-stopped
No port forwarding. App restriction based on IP address, email address, etc. Firewall built in. SO many things you can do with CloudFlare tunnels that you can't easily do with NPM
Hey buddy, I’m going back to this video to see if there was a hint on how to host all applications using one tunnel. I had to instal 6 different containers to host each one of my dockers without open ports. It’s possible that you can point me on what I have to do to just use one instead of a separate one per application. Thank you.
I just installed a fresh install on my RPI 4 B 2022-04-04-raspios-bullseye-arm64.img.xz . But when I go to install cloudflare/cloudflared:latest I get docker: no matching manifest for linux/arm/v7. Can you help??
cloudflare/cloudflared:latest doesn't work with ARM processors. You need to go here: hub.docker.com/r/cloudflare/cloudflared/tags Find a tag that works with your setup. Then change cloudflare/cloudflared:latest to cloudflare/cloudflared:
Thank you for the video. I followed the instructions (have Ubuntu 20.04 with Portainer) but when I try to access the public URL I keep getting "Bad Request - Error code 502). Can you let me know how to debug this? I can access these locally and through NPM but accessing through tunnels is throwing up error. The page image depicts: You Browser (working) --> Newark Cloudfare (working) --> My domain Host (not working)
Hi, Me again :) Do you know if i Cloudflare Tunnel will allow to set up subdomains for different local IPs instead of being one Docker IP. Example, i would like to have DOMAIN pointed to local_ip_1 but subdomain like plex (dot) domain or cloud (dot) domain to point to local_ip_2
I’ve sent this to so many people since starlink became available in our area. Have you ever considered a video targeting CG-Nat especially Starlink and fixed wireless internet?
Are you still using Nginx-Proxy-Manager with this solution, or does this solution eliminate the need for that component? My other question is do you have a separate cloudflare tunnel for each server where you have services that are exposed to the internet?
This removes the need for NPM. You'll need to install the tunnel agent on each device you want to access, but you can have multiple devices attached to 1 tunnel if you want.
@@DBTechYT a question around this in that case... I have setup NPM with Authelia for my services as in one of your previous videos. Are you able to do a video around migrating authelia from NPM to using this cloudflare tunnel instead? I love the idea of this tunnel but I'm worries it will take away too much flexibility.
So.. with these tunnels, could you tunnel into an Nginx Proxy and maintain all the SSL Certificates? I am administrating a server at my Brother's house remotely (900 miles away), and he wants NextCloud. His internet is on Starlink, and they don't have any way to port forward. I tried to get SSL's to work over SSH tunnels maintained by the autossh docker image (which is how I remotely access his server), but I couldn't get it to work. If I could get reliable remote access for him, then I could open up a bunch of different services that he could use.
you only select the https option if the container has an SSL built into the container and then only if you're pointing your tunnel to that https port in the container. If there's no SSL built into the container, then you do NOT user the https option
Alright, so that Cloudflare isn't an option, what would be a decent option? Tailscale would be a good one, but I don't want to have to connect to Tailscale every time, since my phone can only have a single tunnel at once. Would Tailscale work without connecting to the tunnel on the client? What would be a better option?
This is great! I can now access all of my HTTP services through Cloudflare tunnel, however, I am having issues with Wireguard. Is it possible to connect to my wireguard server through a Cloudflare tunnel? If so I haven't gotten it to work yet. :/
I'm glad you got most everything working. I haven't tried getting a wireguard server to work with tunnels, but I feel like they would actively work against each other
I'm not sure for your specific case, but I have Unraid's built-in wireguard going and followed David's tutorial here using the main terminal in Unraid, it set up a tunnel in the Docker, and everything works as intended. I have a Wireguard tunnel from my server to my phone, when I'm not on my home network with the VPN off I get the intended "Forbidden" page but as soon as I connect the VPN everything works. Not sure if that's what you meant but yeah.
Great video David, thanks Quick question: Does anyone have any issue when UFW is enabled ? (Digitalocean's Docker instance works flawlessly without UFW enabled, but cannot access with UFW enabled) Thank you.
very cool @DBTechYT !! Do you (or anyone else) know is this also works with running your app inside Kubernetes? Would you need to expose the cloudflare agent or your app with a ClusterIP or NodePort?
Windows 11 has NOTHING to do with your Docker setup unless you're running Docker ON Windows. To show the docker containers on your system, SSH into your docker server and type: docker ps
Great Stuff - I will try it on my Pi first then I want to add it to my contabo vps. For that I wonder if I added FW to block all trafic will it still let the Cloudflare access tunnel through?
Thank you for all of your work…your videos have been such a help in getting my home nas running well. This video is extremely welcomed as I’d like to not forward any ports if possible. Ill definitely be trying this out….Can i use a synology domain name?
Hi sir I have an hp server installed windows server on it. I’m using some applications that users can connect to those through port forwarding. Im interesting to know whether I can use your method instead of port forwarding for my apps or this way is special for cloud based servers?
Does this only work when your home router has a public address assigned by the ISP modem or can it work when the internal router has a private ip from the modem?
First - Excellent UA-cam Channel. Did you really quick your day job to do UA-cam? Kudos to your vidio editor too. 🙂 My question is. I currently expose a random port on my firewall and then use Cloudflare Origin rule to rewrite 443 to the random rule that I have open on my firewall - then port Forward from random port to 443 to my Nginx proxy server. And now for the question. With CloudflarD Tunnels, do I still need Nginx? Cuz the last two times I installed this on my Docker it broke my RPI. Thank you and keep up the good work. Chris
Hey there, Thanks so much for this video. I have one question. Do I still need Nginx Proxy Manager to create subdomains with SSL or CloudFlare tunnels takes care of this? Thanks in advance.
Greetings my fellow Canadian ! It seems that every time I restart my computer, I lose the the data. How could I make it "persistent." If that's the correct term?,
I'm honored to be called Canadian, but I'm from the USA. As far as persistent storage (which is the correct term 😊), there is no persistent storage for Cloudflare Tunnels, but if you use the docker-run command they provide... well... it's not great. Try this docker-compose: dbt3ch.com/books/access-your-self-hosted-services-without-port-forwarding/page/cloudflare-tunnels-docker-compose Just be sure to replace the YOURTOKENHERE with the token that Cloudflare gives you in the docker run command for the setup process
Hey, this video is fantastic! Although, I’m just wanting to make sure, with this process, you can for a fact access your media from outside of your home network. For example, if my home server was located in California, and I went to New York, could I still access my media through the domain? Another question I have is, can this be used for Jellyfin? If not, what’s the reasoning?
This method will allow you to remotely access your services from wherever you want that has an internet connection. Cloudflare used to have a section of their TOS that explicitly forbade hosting media services. They've removed that section, but I would still be careful.
With regards to routing streaming services like Plex, Emby, Jellyfin, etc., here is the portion of CloudFlare's TOS that covers it:
www.cloudflare.com/terms/#:~:text=2.8%20Limitation%20on%20Serving%20Non%2DHTML%20Content
I'm trying to get more information about what service(s) need to be purchased as to not break TOS with CloudFlare.
Someone already knows this? I'm a bit paranoid of getting banned.
Hey again,
Do you have any updates here? Thank you in advance!
@@zlatizlatev8632 unfortunately nothing more than is on their website
@@DBTechYT I guess that means we shouldn't use this for Plex or Emby, right?
@@zlatizlatev8632 Based on their terms, that's correct
I've been banging my head to overcome this with wireguard for days, then I reach this video and make it work within 5~10 minutes... Great job and THANK YOU!
Glad I could help!
Hey DBTech, really appreciate all you do for our community! Your channel was one of the main reasons that inspired me to become a content provider. Thank you for everything!
I already had my domain on cloud flare and I’ve been dreading setting up a reverse proxy and integrating to the CF proxy for just a home assistant instance. This was the answer I didn’t know existed!! Thank you!!!!
I'm glad the video was helpful. It took me a bit to wrap my head around so I'm glad I was able to help others :)
It's even easier with Home Assistant. Use the Cloudflare Add-On, add a few lines of code in HAOS, and done.
The amount of giddy I got when I accessed my self hosted stuff after disabling port forwarding... hoah yeah. HEH!
THANK YOU!
A note for those doing this fresh, cloudflare takes up to 24 hours (or more) to verify new domain names, and during this time you will NOT be able to set up a self-hosted application. However you can do the rest of the instructions.
Also if you use portainer the docker run command will show up if you run it in the host machine of portainer, so just do that. Trying to make a docker compose for this that exposed the right network correctly was a nightmare for me :D
I directly run docker run command in my machine. I have portainer setup. Should I go thorough that? Also, cloudflare is taking more than 24 hours. Is it expected?
This is a fantastic and thoughtful guide. I set out to do exactly this on a Raspberry Pi and your instructions worked flawlessly. Thank you for posting this!
Glad it helped!
Thank you very much! This is what I was looking for, as I was always a little uncomfortable opening ports in my router. Despite using NPM, Fail2Ban and other helpers. Thank you for your effort!
Glad I could help!
NPM? What exactly does the package manager do to boost security? What other helpers do you use? Other than UFW?
@@trapOrdoom „NPM“: Nginx Proxy Manager.
By using this method opening port 80 is not necessary for making wp site available outside the LAN?
@@latesthollywood3745 was thinking the same question
I really enjoy your videos - always cover the things most relevant to my interests!
Awesome!
I love this tutorial. Absolutely brilliant!!
I spent the afternoon moving from NGINX to this service and switched off my port forwarding, which should lower and decrease my attack vector.
Thanks again!
I'm really glad it was helpful!
@@DBTechYT How is this different from NGINX with Cloudflare Dyndns with your own domain? (Honest Doubt)
@@Otomai This removes the need for port forwarding. This removes the need for NGINX entirely. By switching to this, my network is more secure AND my internet-facing apps are more secure becasue I don't have to open ports and Cloudflare is actively monitoring the traffic to prevent bots and attacks.
@@DBTechYT Oh, I see, thanks!
Most important video you've done in a while. Just wish Cloudflare didn't have a monopoly on literally everything like this.
There are other companies doing similar things, but CloudFlare really is a beast as far as their offerings :)
Hey David! I got this working.. kind of. All my devices keep sending IPv6 addresses, so just putting my IPv4 in like you did at 13:10 doesn't work for me, it returns the access forbidden page. The tunnel works, but I have to keep adding new v6 addresses to the policy every time my PC or phone decides to change or add a new one. Any way to "prefer using IPv4"? My v4 hardly ever changes.
This exactly the type of solution I have been looking for! Thanks!
QQ. After setting up the docker container and making the connection with cloudflare, how can maintain running? If I ctrl+c out of the 'docker run . . .' in the terminal, the connection servers and am unable to use the tunnel anymore
I'm trying to do this on unraid and everything gets set up but I keep getting a bad gateway error and the log says: "ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509" Can't seem to figure this out.
same here. Did you find a solution?
I'm trying to configure cloudflare zero trust with traefik, and I can't manage. Did someone manage? If so, which address is pointing the tunnel to, as no ports are exposed? On the other hand, with nginx I have no problems.
Hey! So define "configure cloudflare zero trust with traefik". Are you trying to access a Traefik instance, or trying to use Traefik through a tunnel? What OS or environment are you using? If you mean you're trying to access your Traefik instance from another device, using a tunnel, you would just need to type in the internal IP address of whatever device is running Traefik like Dave does around the 6:00 mark. If you're trying to use Traefik as a reverse proxy to access other applications from outside your home network you don't need to, Cloudflare handles your proxy and the tunnel is the security from the outside world, see 14:12 for restricting access to only YOUR devices.
Great video David, thanks
Quick question: What to do with the services that need certificates to work, example adguardhome, since now that you have removed the cloudflare dns record, they cannot be requested by NPM.
Thank you.
+1, also would like to know how to deal with certificates in this case.
Got this working for Unraid web GUI. But how to configure for nextcloud docker as its showing bad gateway?
I have been using this solution for just over a month now, and it works perfectly. However, how do you update the docker containers to the latest cloudflared version?
My containers are all complaingin they are running on an old version. How about a tuiturial on that :) ?
Thank you very much! This was exactly what I needed. Keep up the good work
Glad it helped!
I'm not sure about this under their tos.
"you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services."
The problem with this, is they can claim all your content necessary to provide service.
I've been using them for more than a decade and have never had an issue with them other than better security
Hi do you have to put the couldflare into the directory folder as your docker for your website ?
Love you man! Great video as always.
You're the best!
Could this be used to remotely view/access cctv nvr?
Hi sir, I'm building a TrueNAS right now. I'm not really good at this networking thingy. Right now, I do have NGINX Proxy Manager (for nextcloud) set up. So if I decided to use Cloudflare Tunnel, I don't need NPM anymore? I can just connect cloudflare to docker and point it to portainer which contains nextcloud, some web project? Thank you in advance
Things like this is exactly why I love cloudflare
AWESOME! Thank you, David! I’m off to implement this!
Hell yes!! You got this!
how about dynamic ip ? with this method the ip will be autoupdated ?
EDIT:
Worked fine with dynamic ip, i suggest to install the cloudflared docker on vm or lxc that contain Portainer, it will automatically show on portainer dashboard and it's easy to stop & restart it
Glad you got it sorted!
Hi, I have followed this method. Hosting OMV on RPi 4. But only http tunnels are working. SMB is not working. SSH is working if it is browser rendered. Not working in SSH client. Please help. I have spent lots of hours but couldn't figure out. Please show how to tunnel SMB.
If I remember correctly, CF tunnel solution explained in this video only works with HTTP traffic, not for other TCP based services (SSH, SMB, etc.)
do you know how to set it up with support for websocket?
I successfully set up a tunnel. The only issue I have is that it redirects to my domain with the port number shown. I can't seem to find any information on this. Any ideas?
I like to know how use a path like db3tech/path, i tried simple put in public hostname setup but gives me 404 error
Ive followed this a few times yet always come to the same Error 502 bad gateway. Showing browser and cloudflare working but the host is not. Any thoughts on what the cause might be?
Excellent video. One question though - CloudFlare has a container that let's them know if your home ID has changed, so that they can always point the domain to the correct server IP.
Is it possible to use that mechanism to restrict access to your sites to whatever is the current IP address that your ISP has given you?
There may be an API for that, but I've never looked into it.
How can I check the url is running on tunnel?
When I want to install by the command from the Cloudflare, it says "docker: no matching manifest for linux/arm/v8 in the manifest list entries." :(
Because you're trying to install on a Raspberry Pi. It's not compatible with that.
yes yes YES YES .
This is what i needed. Amazing !
I have followed this guide to share my Jellyfin server, but the download speed from the tunnel cap at 300KBps, streaming 1080p videos is always buffering every 1 sec
Because CloudFlare doesn't want people using their service for streaming media.
why returns " no matching manifest for linux/arm/v7 in the manifest list entries"
What can I do to solve it. I am trying in a pi.
That error message means that it isn't compatible with Pi
is there any tuts for docker/portainer?
Wonderful ... So well explained 😀✌... Thanks a lot 🙏.
I have been looking for an answer to this for days, and I cant seem to figure it out ...
I am pretty tech savvy (I was an electronics tech. in the navy) but I am really teaching myself the networking side of things for a sort of hobby. I am trying to set up jellyfin to be remote accessible through an unraid server. What IP address do I use for my external IP to set up the tunnel through Cloudflare? Do i also use this to set up the record? I actually used your guide last night and got it working, security check application and all, but this morning the tunnel wasn't working again. I'm sort of assuming that I used the wrong IP address, or I used an IP address that is no longer relevant.
I guess the root of my question is this: does the unraid server have it's own IP, or do I need to use the IP of a docker container? Is there a specific container I need to install so that there is a static IP? or do I just use the ip of the jellyfin server? Do i need to just force the jellyfin container to ahve a static IP? Am I skipping some ultra-basic step here that I am going to kick myself for not understanding?
Last night I just used the IP address listed in the Jellyfin docker info, and honestly I was sort of surprised that it worked, and I'm also not really all that surprised that it no longer works. What is the best way to do this? I feel like I've been watching hours and hours of tutorial, and at the point of setup where you need to enter an IP to create a record or a tunnel, everyone just says "just put in your IP" and I'm like, "WHAT IP?!?!?!"
Your Unraid server will have its own IP. If you network is set up via DHCP, that IP may change from time to time. Any docker containers you have on your Unraid server will share the Unraid server's IP address unless you've set up something like a MAC VLAN and assign different IP addresses to different containers.
So, for instance, let's say your Unraid server IP is 192.168.0.25, then you would access Jellyfin on 192.168.0.25:8096
If you want your Unraid server to have a static IP, then you need to set that in your network router. You might be able to set it in Unraid's UI, but you may still run into conflicts if your network router wants to use that IP for something else.
@@DBTechYT Is the Unraid server external IP the same as all the other IPs in the network, or is the Unraid server IP uniqe? I have run ifconfig eth0, but for some reason there is not a standard looking IP address there, so i just used the IP address that my PC was using, with port 8096. That is what was working last night, and what is not working this morning. Is it possibly my IP dynamically changed overnight?
Your "external IP" is the one your Internet Service Provider gives you. Don't use sites like whatismyip or ipchicken to get your IP address for your local devices. You may need to login to your router to get the IP addresses of your devices on your local network.
@@DBTechYT WAN is the same as External, correct?
correct
doesnt this break TOS? Is there a way to use this service without breaking TOS?
did you ssh and install the tunnel on OVM or straight to Proxmox? Any idea what would be the implications of each approach?
Great question!! You can do it either way. Things to consider:
If you install it on your Proxmox server directly, you only have one tunnel agent to manage/update. You can also easily just point domains to any of the VMs or CTs on the device with that single agent.
The down side to doing it that way, is that you're potentially opening your entire Proxmox server up to the world if you don't have the right levels of security in place. If you were to install it directly on Proxmox, you'd want to make sure that you limit access via methods like this: ua-cam.com/video/wdmbAo02ktQ/v-deo.html or even restricting access via the Warp client (I haven't made a video on this topic yet.). You'd also want to make sure that you have 2FA enabled on your Proxmox server and have a good backup solution in place *just in case*.
Even with the help of this video, i still have trouble setting this up.
I can only get the / path to work. Anytime i add a path after the domain it returns a 404.
Also, i don't understand what the application is exactly. Why do we both add a Tunnel AND an application? Should applications just be considered a firewall, and tunnel considered an app?
This video might be more helpful ua-cam.com/video/Q5dG8g4-Sx0/v-deo.html
I'm stuck at the public hostname page for the server tunnel 6:39. I'm not sure what my service url is. Is it the same IP that I use to SSH to it? I'm also unsure of the port number that you place after it. I'm using an Ubuntu server. Sorry about the noob question; this is all a learning experience for me :)
The IP is the IP address of the server that you have your container on. The port number is the port that you use to access the container
@@DBTechYT thanks for the quick reply! Maybe I don’t understand the container part. Do I need to use docker? I basically just have an old PC running Ubuntu server on it that I want to host a website on to learn. Maybe I’m watching the wrong video? 🤔
You don't HAVE to use docker. You can install Tunnels via command line as well but this video specifically covers Docker
I’m on cgnat, can cloudflare tunnels allow hosting a vpn access? I can’t figure it out.
quick question! you added the port 6999 for specific service on the same docker instance where cloudflare container is running. what if I want to use another VM with different IP and port (in my case homeassistant ip x.x.x.20:81234)?
You have to install the tunnel agent container on whatever device you want access to.
Hello DB Tech, I really hope you can help me out, since i'm struggeling for a week now to get it done.
I'm running a proxmox server, where i have home assistant running in a VM (HAOS). In a LXC container i'm running nginx proxy manager, witch i'm trying to setup with a argo tunnel from cloudflare. I tried many ways, tried to setup docker swag, tried to setup a tunnel myself with all the info i could find on the web, but i don't get it to work. Everytime i get dnsprobe errors or to many redirections error. Anyway, i can't seem to make nginx proxy manager host my subdomains thru a argo tunnel. I really hope you can make a video on how to set it up, it would greatly help me out! Thanks in advance!
What are the pros & cons of doing it this way vs your other guide (cloudflare+nginex)?
This method requires no port forwarding. It also allows for better restrictions, firewalls, authentication, etc
I'm sure I'm missing something obvious, but what do I need to do so that it will auto-start? I think I need to add the restart policy, but I'm not sure where I add it in the copy/paste I get from cloudflare. Any ideas? --restart unless-stopped
Thank you for this awesome tutorial! I just have a question - does this eliminate the need for nginx proxy manager totally?
Yes it does
@@DBTechYT awesome! No more npm fiddeling
Very informative as always, thank you for your hard work.
Good work as always!
Appreciate that
So I learned to use nginx for nothing! Great find. Any benefits to using this method over nginx? Or is it just not needing any ports open?
No port forwarding. App restriction based on IP address, email address, etc. Firewall built in. SO many things you can do with CloudFlare tunnels that you can't easily do with NPM
@@DBTechYT I watched your video on NPM and Authelia but this seems similar and much easier. Great work!
Hey buddy, I’m going back to this video to see if there was a hint on how to host all applications using one tunnel. I had to instal 6 different containers to host each one of my dockers without open ports. It’s possible that you can point me on what I have to do to just use one instead of a separate one per application. Thank you.
I've had this come up a few times recently in comments. I'm going to make another video about Tunnels this week.
@@DBTechYT I will really appreciate it. Thank you very much.
I just installed a fresh install on my RPI 4 B 2022-04-04-raspios-bullseye-arm64.img.xz . But when I go to install cloudflare/cloudflared:latest I get docker: no matching manifest for linux/arm/v7. Can you help??
cloudflare/cloudflared:latest doesn't work with ARM processors.
You need to go here: hub.docker.com/r/cloudflare/cloudflared/tags
Find a tag that works with your setup. Then change cloudflare/cloudflared:latest to cloudflare/cloudflared:
Got it to work. Wanted to know how I would get this working with Authelia?
I'm not sure that you can without a LOT of extra work
Thank you for the video. I followed the instructions (have Ubuntu 20.04 with Portainer) but when I try to access the public URL I keep getting "Bad Request - Error code 502). Can you let me know how to debug this? I can access these locally and through NPM but accessing through tunnels is throwing up error.
The page image depicts: You Browser (working) --> Newark Cloudfare (working) --> My domain Host (not working)
Hi, Me again :)
Do you know if i Cloudflare Tunnel will allow to set up subdomains for different local IPs instead of being one Docker IP.
Example, i would like to have DOMAIN pointed to local_ip_1 but subdomain like plex (dot) domain or cloud (dot) domain to point to local_ip_2
I have one tunnel with agents on mutiple devices and I point to different IPs that way
@@DBTechYT Amazing. Thank you for quick example. RESPECT !
I’ve sent this to so many people since starlink became available in our area. Have you ever considered a video targeting CG-Nat especially Starlink and fixed wireless internet?
Are you still using Nginx-Proxy-Manager with this solution, or does this solution eliminate the need for that component? My other question is do you have a separate cloudflare tunnel for each server where you have services that are exposed to the internet?
This removes the need for NPM. You'll need to install the tunnel agent on each device you want to access, but you can have multiple devices attached to 1 tunnel if you want.
Great video as usual. I have a similar setup with cloudflare Argo tunnel and using NPM which ibracorp covered on his channel.
@@DBTechYT a question around this in that case... I have setup NPM with Authelia for my services as in one of your previous videos. Are you able to do a video around migrating authelia from NPM to using this cloudflare tunnel instead? I love the idea of this tunnel but I'm worries it will take away too much flexibility.
@@cloud2050 From what I read on Cloudflare's website, "Argo Tunnel" was changed to "Cloudflare Tunnel".
thanx for the Video! how can i tunnel "rustdesk" it needs a lot of Ports 21115-21119? any idea?
So.. with these tunnels, could you tunnel into an Nginx Proxy and maintain all the SSL Certificates?
I am administrating a server at my Brother's house remotely (900 miles away), and he wants NextCloud. His internet is on Starlink, and they don't have any way to port forward. I tried to get SSL's to work over SSH tunnels maintained by the autossh docker image (which is how I remotely access his server), but I couldn't get it to work. If I could get reliable remote access for him, then I could open up a bunch of different services that he could use.
This completely removes the need for Nginx Proxy Manager. It handles its own SSLs
@@DBTechYT Neato! So I'll need a separate tunnel for each app? I only plan on one at his house, just wondering for future possibilities.
I've got 19 apps running on a single tunnel, so I think you'll be okay :)
Hi There, if is possible use Cloudflared and TVHeadend Streams ?
Check the pinned comment
do i need to do https when the pad lock is working? pros cons? how to do it as https and disable TLS 1.0
you only select the https option if the container has an SSL built into the container and then only if you're pointing your tunnel to that https port in the container. If there's no SSL built into the container, then you do NOT user the https option
Alright, so that Cloudflare isn't an option, what would be a decent option? Tailscale would be a good one, but I don't want to have to connect to Tailscale every time, since my phone can only have a single tunnel at once. Would Tailscale work without connecting to the tunnel on the client? What would be a better option?
Why wouldn't cloudflare be an option? It's free and doesn't require port forwarding?
@@DBTechYT I need it for Jellyfin and it seems that they don't exactly support that, right?
Gotcha. You might see if TailScale has a split tunneling option
@@DBTechYT Yeah, unfortunately it doesn't, and Mullvad doesn't have port forwarding support on iPhone, so it's kinda a weird situation.
Thanks I just learned about tunnels and zero trust so this will get me up to speed ligthnig fast.
Have fun
@@DBTechYT I ran into a bump in the road... one do not need a reverse proxy while using this right?
This replaces your reverse proxy
This is great! I can now access all of my HTTP services through Cloudflare tunnel, however, I am having issues with Wireguard. Is it possible to connect to my wireguard server through a Cloudflare tunnel? If so I haven't gotten it to work yet. :/
I'm glad you got most everything working. I haven't tried getting a wireguard server to work with tunnels, but I feel like they would actively work against each other
I'm not sure for your specific case, but I have Unraid's built-in wireguard going and followed David's tutorial here using the main terminal in Unraid, it set up a tunnel in the Docker, and everything works as intended. I have a Wireguard tunnel from my server to my phone, when I'm not on my home network with the VPN off I get the intended "Forbidden" page but as soon as I connect the VPN everything works. Not sure if that's what you meant but yeah.
I'm a bit late to the party, but what options (Cloudflare or not) are available to pass through IMAP and SMTP ports?
Great video David, thanks
Quick question: Does anyone have any issue when UFW is enabled ?
(Digitalocean's Docker instance works flawlessly without UFW enabled, but cannot access with UFW enabled)
Thank you.
Fantastic Video, immediate subscription
Thanks and welcome
Would this work to access VMs? Either over noVNC or the Spice protocol?
As long as you set up the right connection type when configuring your hosts in CF, you should be able to
@@DBTechYT Thank you, I'll defo try it and let you know if it worked
Thanks, you can use this tunnel to bypass cg-nat and access from outside?
Correct
Great video, wished to know this earlier!
YES, now I can do so much more with my websites and servers!
Woo!!
When trying to deploy I get Unable to find image 'cloudflare/cloudflared:latest' locally> Any thoughts or suggestions?
It will always say that the first time you try to deploy a container. It has to download the assets to build the containers locally
very cool @DBTechYT !!
Do you (or anyone else) know is this also works with running your app inside Kubernetes? Would you need to expose the cloudflare agent or your app with a ClusterIP or NodePort?
Would this work with the domain name provided by TPLink Deco?
No. You don't have any control over the actual DNS for that domain name
Great Video!
@DBTech if this feature is enable do you still use authelia?
Possibly, but I'm not sure what that process would look like
can we go through cloudflare zero trust tunnel to NGINX Proxy for multiple domain?
Tunnels replaces nginx proxy and works with multiple domains
I'm using a windows 11 box. You are showing container list but you don't show how to get there. I have no idea where to go from here.
Windows 11 has NOTHING to do with your Docker setup unless you're running Docker ON Windows. To show the docker containers on your system, SSH into your docker server and type: docker ps
Great Stuff - I will try it on my Pi first then I want to add it to my contabo vps. For that I wonder if I added FW to block all trafic will it still let the Cloudflare access tunnel through?
Are there going to be services that it would be better to run through something like NGINX rather than this method?
Any streaming apps like Plex, Emby, Jellyfin, etc. as CloudFlare has a policy against running media apps through its services
awesome video!
Great tutorial!! Can't wait to put this into practice. Thank you very much! :)
Glad you enjoyed it!
Thank you for all of your work…your videos have been such a help in getting my home nas running well. This video is extremely welcomed as I’d like to not forward any ports if possible. Ill definitely be trying this out….Can i use a synology domain name?
You have to use a purchased domain that you've routed through cloudflare
Awesome, thats is one of the greatest videos, thanks
Hi sir
I have an hp server installed windows server on it. I’m using some applications that users can connect to those through port forwarding. Im interesting to know whether I can use your method instead of port forwarding for my apps or this way is special for cloud based servers?
You can use it just about anywhere. I use it in multiple devices in the server rack in my garage
So if an app like Output messenger uses server ip can i use this method?@@DBTechYT
Does this only work when your home router has a public address assigned by the ISP modem or can it work when the internal router has a private ip from the modem?
It can work in just about any situation
hey 1 question.
I have want to setup nextcloud on my old pc. Now my question is which ip I have to give tl tunnel. local ip in router or my router ip?
You'll give it the IP address of your docker server
@@DBTechYT if I am connected to router then also give IP of docker server?
First - Excellent UA-cam Channel. Did you really quick your day job to do UA-cam? Kudos to your vidio editor too. 🙂 My question is. I currently expose a random port on my firewall and then use Cloudflare Origin rule to rewrite 443 to the random rule that I have open on my firewall - then port Forward from random port to 443 to my Nginx proxy server. And now for the question. With CloudflarD Tunnels, do I still need Nginx? Cuz the last two times I installed this on my Docker it broke my RPI. Thank you and keep up the good work.
Chris
Does this method still require SSL certificates being created? Im pretty new to this stuff.
Nope. This method takes care of all that automatically.
@@DBTechYT thank you for the reply!
I’ve been trying to set up next cloud container via this way and it’s been a nightmare lol
Hey there,
Thanks so much for this video.
I have one question. Do I still need Nginx Proxy Manager to create subdomains with SSL or CloudFlare tunnels takes care of this? Thanks in advance.
this replaces nginx proxy manager entirely. it handles everything
@@DBTechYT Thanks so much, I appreciate your time! I can't wait to try this! Keep up the great work!
QUick Qestion, If that does work flawless then whats the purpose of usinf Ngnix Proxy Manager?
This replaces Nginx Proxy Manager
Will this work with Kasm?
Greetings my fellow Canadian ! It seems that every time I restart my computer, I lose the the data. How could I make it "persistent." If that's the correct term?,
I'm honored to be called Canadian, but I'm from the USA. As far as persistent storage (which is the correct term 😊), there is no persistent storage for Cloudflare Tunnels, but if you use the docker-run command they provide... well... it's not great. Try this docker-compose: dbt3ch.com/books/access-your-self-hosted-services-without-port-forwarding/page/cloudflare-tunnels-docker-compose
Just be sure to replace the YOURTOKENHERE with the token that Cloudflare gives you in the docker run command for the setup process
Great video David! Can you do a video with Jellyfin on OMV6 in a cloudflare tunnel with all the paths?
Possibly!
@@DBTechYT I can’t wait then. And thank you very much
If I understand correctly, video streaming is not allowed and your account may be banned.
That's interesting. I'm using it for Emby without issue.
Hey, this video is fantastic! Although, I’m just wanting to make sure, with this process, you can for a fact access your media from outside of your home network.
For example, if my home server was located in California, and I went to New York, could I still access my media through the domain?
Another question I have is, can this be used for Jellyfin? If not, what’s the reasoning?
This method will allow you to remotely access your services from wherever you want that has an internet connection. Cloudflare used to have a section of their TOS that explicitly forbade hosting media services. They've removed that section, but I would still be careful.