No port forwarding. App restriction based on IP address, email address, etc. Firewall built in. SO many things you can do with CloudFlare tunnels that you can't easily do with NPM
Very cool @DBTechYT!! Do you (or anyone else) know if this also works with running your app inside Kubernetes? Would you need to expose the cloudflare agent or your app with a ClusterIP or NodePort?
Here's a stack format for those who prefer to use stacks. I added a restart policy and used Cloudflare's DNS for the container.

  version: "3"
  services:
    cftunnel:
      image: cloudflare/cloudflared:2022.5.1
      container_name: CF_Tunnel
      # restart the tunnel agent automatically unless it was stopped by hand
      restart: unless-stopped
      # YAML needs a space after the key: "dns:1.1.1.1" is parsed as a bare scalar
      dns: 1.1.1.1
      # YourTunnelToken must be replaced with the token Cloudflare shows for the tunnel
      command: tunnel --no-autoupdate run --token YourTunnelToken
When I include the command line, I'm getting this error: There is an error in the yaml syntax: YAMLSemanticError: Implicit map keys need to be followed by map values. any idea?
My best guess would be that you're including the . needs to be completely replaced with the token Cloudflare supplies to you. I edited my original comment to exclude the .
Thank you for your content. It's really helpful and to the point, no filler. I have a question for you. I was able to follow your tutorial on setting up the tunnel but I can make post requests to my url. I have tried to figure it out with no luck. Do you have a video or recommendation to fix this? Thank you.
Great video. I see a lot of videos saying you need nginx along with CloudFlare tunnels. What is the difference and do you need them both actually? Sounds like a secure tunnel would mean a reverse proxy is not needed.
You're exactly correct with your assumption of NOT needing a reverse proxy if you're using CloudFlare tunnels. It's WHY I switched to tunnels: No reverse proxy. No open ports or port forwarding. All your routes are configured on CloudFlare
Are you still using Nginx-Proxy-Manager with this solution, or does this solution eliminate the need for that component? My other question is do you have a separate cloudflare tunnel for each server where you have services that are exposed to the internet?
This removes the need for NPM. You'll need to install the tunnel agent on each device you want to access, but you can have multiple devices attached to 1 tunnel if you want.
@@DBTechYT a question around this in that case... I have set up NPM with Authelia for my services as in one of your previous videos. Are you able to do a video around migrating Authelia from NPM to using this cloudflare tunnel instead? I love the idea of this tunnel but I'm worried it will take away too much flexibility.
How about dynamic IP? With this method, will the IP be auto-updated? EDIT: Worked fine with dynamic IP. I suggest installing the cloudflared docker on the VM or LXC that contains Portainer; it will automatically show on the Portainer dashboard and it's easy to stop & restart it.
I'm trying to configure cloudflare zero trust with traefik, and I can't manage. Did someone manage? If so, which address is pointing the tunnel to, as no ports are exposed? On the other hand, with nginx I have no problems.
Hey! So define "configure cloudflare zero trust with traefik". Are you trying to access a Traefik instance, or trying to use Traefik through a tunnel? What OS or environment are you using? If you mean you're trying to access your Traefik instance from another device, using a tunnel, you would just need to type in the internal IP address of whatever device is running Traefik like Dave does around the 6:00 mark. If you're trying to use Traefik as a reverse proxy to access other applications from outside your home network you don't need to, Cloudflare handles your proxy and the tunnel is the security from the outside world, see 14:12 for restricting access to only YOUR devices.
Hey buddy, I'm going back to this video to see if there was a hint on how to host all applications using one tunnel. I had to install 6 different containers to host each one of my dockers without open ports. Is it possible that you can point me to what I have to do to just use one instead of a separate one per application? Thank you.
This is great! I can now access all of my HTTP services through Cloudflare tunnel, however, I am having issues with Wireguard. Is it possible to connect to my wireguard server through a Cloudflare tunnel? If so I haven't gotten it to work yet. :/
I'm glad you got most everything working. I haven't tried getting a wireguard server to work with tunnels, but I feel like they would actively work against each other
I'm not sure for your specific case, but I have Unraid's built-in wireguard going and followed David's tutorial here using the main terminal in Unraid, it set up a tunnel in the Docker, and everything works as intended. I have a Wireguard tunnel from my server to my phone, when I'm not on my home network with the VPN off I get the intended "Forbidden" page but as soon as I connect the VPN everything works. Not sure if that's what you meant but yeah.
I have been looking for an answer to this for days, and I can't seem to figure it out... I am pretty tech savvy (I was an electronics tech in the navy) but I am really teaching myself the networking side of things as a sort of hobby. I am trying to set up Jellyfin to be remotely accessible through an Unraid server. What IP address do I use for my external IP to set up the tunnel through Cloudflare? Do I also use this to set up the record? I actually used your guide last night and got it working, security check application and all, but this morning the tunnel wasn't working again. I'm sort of assuming that I used the wrong IP address, or I used an IP address that is no longer relevant. I guess the root of my question is this: does the Unraid server have its own IP, or do I need to use the IP of a docker container? Is there a specific container I need to install so that there is a static IP? Or do I just use the IP of the Jellyfin server? Do I need to just force the Jellyfin container to have a static IP? Am I skipping some ultra-basic step here that I am going to kick myself for not understanding? Last night I just used the IP address listed in the Jellyfin docker info, and honestly I was sort of surprised that it worked, and I'm also not really all that surprised that it no longer works. What is the best way to do this? I feel like I've been watching hours and hours of tutorials, and at the point of setup where you need to enter an IP to create a record or a tunnel, everyone just says "just put in your IP" and I'm like, "WHAT IP?!?!?!"
Your Unraid server will have its own IP. If your network is set up via DHCP, that IP may change from time to time. Any docker containers you have on your Unraid server will share the Unraid server's IP address unless you've set up something like a MAC VLAN and assigned different IP addresses to different containers. So, for instance, let's say your Unraid server IP is 192.168.0.25; then you would access Jellyfin on 192.168.0.25:8096. If you want your Unraid server to have a static IP, then you need to set that in your network router. You might be able to set it in Unraid's UI, but you may still run into conflicts if your network router wants to use that IP for something else.
@@DBTechYT Is the Unraid server external IP the same as all the other IPs in the network, or is the Unraid server IP unique? I have run ifconfig eth0, but for some reason there is not a standard-looking IP address there, so I just used the IP address that my PC was using, with port 8096. That is what was working last night, and what is not working this morning. Is it possible my IP dynamically changed overnight?
Your "external IP" is the one your Internet Service Provider gives you. Don't use sites like whatismyip or ipchicken to get your IP address for your local devices. You may need to login to your router to get the IP addresses of your devices on your local network.
QQ. After setting up the docker container and making the connection with cloudflare, how can I keep it running? If I ctrl+c out of the 'docker run . . .' in the terminal, the connection severs and I am unable to use the tunnel anymore.
Hey, this video is fantastic! Although, I’m just wanting to make sure, with this process, you can for a fact access your media from outside of your home network. For example, if my home server was located in California, and I went to New York, could I still access my media through the domain? Another question I have is, can this be used for Jellyfin? If not, what’s the reasoning?
This method will allow you to remotely access your services from wherever you want that has an internet connection. Cloudflare used to have a section of their TOS that explicitly forbade hosting media services. They've removed that section, but I would still be careful.
I'm sure I'm missing something obvious, but what do I need to do so that it will auto-start? I think I need to add the restart policy, but I'm not sure where I add it in the copy/paste I get from cloudflare. Any ideas? --restart unless-stopped
Great video, thanks! I am using DNS Made Easy as my name server. Do I need to switch to Cloudflare DNS for the tunnels to work or can I keep my existing NS?
Good question!! The difference with this method is that it allows you to use a domain name. You can share your services with anyone without them having to install software on their devices; you can just add their IP or email address to the setup and require that one of those criteria is met if you want to add that level of security. Using email authentication, you can also get security information about who logged into your services. I'm sure there are others, but this is off the top of my head.
@@DBTechYT Thank you for a very clear explanation. I have been using your instructions on setting up Plex on OMV5 and just upgraded to OMV6; do your instructions still apply to OMV6?
This is amazing. Will certainly be trying it out. Is there a way the allowed IP can automatically be updated, as I don't have a fixed IP with my ISP. Thanks
I know there's a DDNS container that can be used to update regular A Records, but I'm not sure about updating allowed IPs. The one thing I've done for when I'm away from home is that I've got a PIA VPN account with a dedicated IP. That might be an idea until another method is available. If you want to try that, here's my PIA affiliate link: dbte.ch/piavpn
Great great video. Service works except ssh into my synology hosting the containers. I have not tried rdp or other tcp ports, but ssh not working is stumping me. Any ideas?
Quick question! You added the port 6999 for a specific service on the same docker instance where the cloudflare container is running. What if I want to use another VM with a different IP and port (in my case homeassistant IP x.x.x.20:81234)?
Oh my! That’s awesome. My nextcloud stopped working for some reason. Maybe firewall was blocking traffic and I could not fix it. I think this will solve all that.
Great question!! You can do it either way. Things to consider: If you install it on your Proxmox server directly, you only have one tunnel agent to manage/update. You can also easily just point domains to any of the VMs or CTs on the device with that single agent. The down side to doing it that way, is that you're potentially opening your entire Proxmox server up to the world if you don't have the right levels of security in place. If you were to install it directly on Proxmox, you'd want to make sure that you limit access via methods like this: ua-cam.com/video/wdmbAo02ktQ/v-deo.html or even restricting access via the Warp client (I haven't made a video on this topic yet.). You'd also want to make sure that you have 2FA enabled on your Proxmox server and have a good backup solution in place *just in case*.
Great efforts as usual, Dave... many thanks. Can I utilize this to gain access to services hosted on different hosts in the same subnet as the one the agent is installed in? One more question... do we need the DDNS script container to update the dynamic IP with Cloudflare anymore?
I usually install an agent on any host that I need access to just to make sure that I don't run into any issues. Also, you shouldn't need DDNS anymore with this setup as there's a constant line of communication between your agents and the CF servers
@@DBTechYT Absolutely amazing....thanks again...your content is the most straightforward and easy to coherence among all other UA-camrs. Keep it up...
Thank you. I was wondering I guess for example on nextcloud, we do not have to request Let'sEncrypt certificate anymore, correct? SSL certificate is now provided by Cloudflare?
Hi, Me again :) Do you know if i Cloudflare Tunnel will allow to set up subdomains for different local IPs instead of being one Docker IP. Example, i would like to have DOMAIN pointed to local_ip_1 but subdomain like plex (dot) domain or cloud (dot) domain to point to local_ip_2
Hello David, this is awesome and I will definitely try this out. I have been searching for a few things. I have an old PC at home which I use as a server through Fedora Server OS. Using DuckDNS I access it over the internet, and the subsequent docker containers have to be accessed using the DuckDNS URL and the port. Can cloudflare help in eliminating the need for accessing the containers using ports, using only the https URL? Also, can we use PuTTY over the internet using cloudflare, and the SMB services for file transfer? Apologies for jumbling up too many questions in one comment, and thank you so much for inspiring us to learn and try more.
This allows you to securely access your apps via a domain or subdomain instead of needing to use ports or anything like that. There is an option to setup additional services like SSH and RDP that I may make additional videos about in the future
I've followed this a few times yet always come to the same Error 502 bad gateway. Showing browser and cloudflare working but the host is not. Any thoughts on what the cause might be?
Hi, I have followed this method. Hosting OMV on RPi 4. But only http tunnels are working. SMB is not working. SSH is working if it is browser rendered. Not working in SSH client. Please help. I have spent lots of hours but couldn't figure out. Please show how to tunnel SMB.
You'll have to update it based on your current update strategy. If you do your updates manually, then you'll do that here as well. Same thing with WatchTower.
Hey, thanks for this awesome video. I really like this setup a lot. Currently I am trying to set up some authorization method to secure my services/pages from others. For my old setup I used HTTP basic auth in NPM (simple and quick), but this doesn't really work for cloudflare, so my idea was to use something like Keycloak as an Identity Provider, which I can set up in cloudflare; Keycloak itself is running as a docker container also. But right now I am kinda stuck: I only get the auth selection screen shown from cloudflare and no Keycloak login screen. Even tried SAML (guide from cloudflare itself) and OIDC. Maybe you or someone else has any idea how to get this setup working; that would be awesome.
I successfully set up a tunnel. The only issue I have is that it redirects to my domain with the port number shown. I can't seem to find any information on this. Any ideas?
For the sake of argument I’ll assume the port forwarding was for a reverse proxy. Assuming that, would this tunneling scenario take the place of a reverse proxy?
Hello DB Tech, I really hope you can help me out, since I'm struggling for a week now to get it done. I'm running a proxmox server, where I have home assistant running in a VM (HAOS). In an LXC container I'm running nginx proxy manager, which I'm trying to set up with an argo tunnel from cloudflare. I tried many ways, tried to set up docker swag, tried to set up a tunnel myself with all the info I could find on the web, but I don't get it to work. Every time I get dnsprobe errors or too many redirections errors. Anyway, I can't seem to make nginx proxy manager host my subdomains through an argo tunnel. I really hope you can make a video on how to set it up; it would greatly help me out! Thanks in advance!
Hey there, Thanks so much for this video. I have one question. Do I still need Nginx Proxy Manager to create subdomains with SSL or CloudFlare tunnels takes care of this? Thanks in advance.
Give this a look: dbt3ch.com/books/access-your-self-hosted-services-without-port-forwarding-YoG/page/access-your-self-hosted-services-without-port-forwarding
@@DBTechYT One thing I'm having trouble with is assigning the container with a static IP. Is there a good way to do this? I need it for Home Assistant to accept connections from the container.
Thank you for the video. I followed the instructions (have Ubuntu 20.04 with Portainer) but when I try to access the public URL I keep getting "Bad Request - Error code 502". Can you let me know how to debug this? I can access these locally and through NPM but accessing through tunnels is throwing up an error. The page image depicts: Your Browser (working) --> Newark Cloudflare (working) --> My domain Host (not working)
Thanks man. Was looking forward to this. It seems like a little extra work but definitely will increase my home server security. When using cloud flare zero trust/tunnel there is pretty much no reason to be using NPM any longer correct?
Sorry, two more questions. I don’t have a static IP and use cloud flare ddns container to update the dns registry automatically. Is not having a static IP going to cause issues with the tunnel and is the cloud flare ddns container still needed?
So most of the containers seem to work. But sadly my two vital containers (Nextcloud and vaultwarden) don’t. I get an IP address could not be found. I’ve tried using the server ip and container ip. And I double checked the ports.
Excellent video, thank you. I was going to set up nginx but will go this route now. Question please: when you ran the docker run command, was that on your proxmox host or a docker server running on proxmox, as it wasn't clear? Could you show running this on a synology also please, if you get the chance?
Doesn't matter if it's on bare metal, proxmox, synology, whatever. It's the same process. You're just spinning up a docker container to act as a tunnel between your server(s) and CloudFlare.
@@DBTechYT so if I understand correctly,as I’m going to follow your video to set myself up, the tunnel needs to be set up with a docker container called cloudflared ? If I wanted to set up access to my DSM, would that just be an application set up?
@@DBTechYT gotcha…I deploy several containers now on my synology….my understanding is that i need 1 tunnel…which will allow me to set up access for my containers…but also my synology dsm?
Correct. As long as you set them up in your "Public Hostname" section and your "Application" section, you should be good to go. I was actually able to set up access to my Synology the other day while I was at the bowling alley :)
Congratulations, great video. I have one question. I have followed you for years already and I have everything configured with nginx proxy manager. Is it possible to do this directly to proxy manager and have everything work like before? Thanks
@@DBTechYT Oops, missed that link... Thank you so much I was struggling with the nginx proxy manager setup and this actually worked for me. plus I would not have to update DNS every time my public IP changes, this is great.
With regards to routing streaming services like Plex, Emby, Jellyfin, etc., here is the portion of CloudFlare's TOS that covers it:
www.cloudflare.com/terms/#:~:text=2.8%20Limitation%20on%20Serving%20Non%2DHTML%20Content
I'm trying to get more information about what service(s) need to be purchased as to not break TOS with CloudFlare.
Someone already knows this? I'm a bit paranoid of getting banned.
Hey again,
Do you have any updates here? Thank you in advance!
@@zlatizlatev8632 unfortunately nothing more than is on their website
@@DBTechYT I guess that means we shouldn't use this for Plex or Emby, right?
@@zlatizlatev8632 Based on their terms, that's correct
I've been banging my head to overcome this with wireguard for days, then I reach this video and make it work within 5~10 minutes... Great job and THANK YOU!
Glad I could help!
Hey DBTech, really appreciate all you do for our community! Your channel was one of the main reasons that inspired me to become a content provider. Thank you for everything!
A note for those doing this fresh, cloudflare takes up to 24 hours (or more) to verify new domain names, and during this time you will NOT be able to set up a self-hosted application. However you can do the rest of the instructions.
Also if you use portainer the docker run command will show up if you run it in the host machine of portainer, so just do that. Trying to make a docker compose for this that exposed the right network correctly was a nightmare for me :D
I directly run the docker run command on my machine. I have Portainer set up. Should I go through that? Also, cloudflare is taking more than 24 hours. Is that expected?
I already had my domain on cloud flare and I’ve been dreading setting up a reverse proxy and integrating to the CF proxy for just a home assistant instance. This was the answer I didn’t know existed!! Thank you!!!!
I'm glad the video was helpful. It took me a bit to wrap my head around so I'm glad I was able to help others :)
It's even easier with Home Assistant. Use the Cloudflare Add-On, add a few lines of code in HAOS, and done.
The amount of giddy I got when I accessed my self hosted stuff after disabling port forwarding... hoah yeah. HEH!
THANK YOU!
Things like this is exactly why I love cloudflare
This is a fantastic and thoughtful guide. I set out to do exactly this on a Raspberry Pi and your instructions worked flawlessly. Thank you for posting this!
Glad it helped!
Most important video you've done in a while. Just wish Cloudflare didn't have a monopoly on literally everything like this.
There are other companies doing similar things, but CloudFlare really is a beast as far as their offerings :)
I love this tutorial. Absolutely brilliant!!
I spent the afternoon moving from NGINX to this service and switched off my port forwarding, which should lower and decrease my attack vector.
Thanks again!
I'm really glad it was helpful!
@@DBTechYT How is this different from NGINX with Cloudflare Dyndns with your own domain? (Honest Doubt)
@@Otomai This removes the need for port forwarding. This removes the need for NGINX entirely. By switching to this, my network is more secure AND my internet-facing apps are more secure because I don't have to open ports and Cloudflare is actively monitoring the traffic to prevent bots and attacks.
@@DBTechYT Oh, I see, thanks!
Thank you very much! This is what I was looking for, as I was always a little uncomfortable opening ports in my router. Despite using NPM, Fail2Ban and other helpers. Thank you for your effort!
Glad I could help!
NPM? What exactly does the package manager do to boost security? What other helpers do you use? Other than UFW?
@@trapOrdoom „NPM“: Nginx Proxy Manager.
By using this method opening port 80 is not necessary for making wp site available outside the LAN?
@@latesthollywood3745 was thinking the same question
Great video David, thanks
Quick question: What to do with the services that need certificates to work, example adguardhome, since now that you have removed the cloudflare dns record, they cannot be requested by NPM.
Thank you.
+1, also would like to know how to deal with certificates in this case.
This exactly the type of solution I have been looking for! Thanks!
I really enjoy your videos - always cover the things most relevant to my interests!
Awesome!
I have been using this solution for just over a month now, and it works perfectly. However, how do you update the docker containers to the latest cloudflared version?
My containers are all complaining they are running on an old version. How about a tutorial on that :) ?
Excellent video. One question though - CloudFlare has a container that lets them know if your home IP has changed, so that they can always point the domain to the correct server IP.
Is it possible to use that mechanism to restrict access to your sites to whatever is the current IP address that your ISP has given you?
There may be an API for that, but I've never looked into it.
Great video David, thanks
Quick question: Does anyone have any issue when UFW is enabled?
(Digitalocean's Docker instance works flawlessly without UFW enabled, but cannot access with UFW enabled)
Thank you.
Hey David! I got this working.. kind of. All my devices keep sending IPv6 addresses, so just putting my IPv4 in like you did at 13:10 doesn't work for me, it returns the access forbidden page. The tunnel works, but I have to keep adding new v6 addresses to the policy every time my PC or phone decides to change or add a new one. Any way to "prefer using IPv4"? My v4 hardly ever changes.
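The IPv6 problem above comes from client privacy addresses: the host part of a device's IPv6 address rotates regularly, while the prefix delegated by the ISP (commonly a /64 or larger block) stays the same, so allowing single v6 addresses is a losing game and allowing the prefix is the sensible policy. The following is an added example, not code from the video or from Cloudflare, that models such an allow-list with Python's ipaddress module; the addresses and the log lines are constructed documentation-range values, and it assumes the ISP prefix is stable (check what your provider actually delegates before relying on it).

```python
import ipaddress

# Constructed policy: one fixed IPv4 address (TEST-NET-3 range) plus a whole
# IPv6 /64 prefix (documentation range) instead of individual v6 addresses.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("2001:db8:abcd:1::/64"),
]

# Constructed access-log lines: client address followed by the request.
SAMPLE_LOG = [
    "203.0.113.10 GET /jellyfin",
    "203.0.113.11 GET /jellyfin",
    "2001:db8:abcd:1:1c2f:9a0e:7b33:44d1 GET /jellyfin",  # privacy address, same /64
    "2001:db8:abcd:1:8f10:2b1c:0:99 GET /jellyfin",       # rotated interface ID, same /64
    "2001:db8:abcd:2::1 GET /jellyfin",                   # different prefix
    "not-an-ip GET /jellyfin",                            # malformed input
]


def is_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """Return True if client_ip falls inside any allowed network.

    Mixed families never match (an IPv4 address is not "in" an IPv6 network),
    and malformed input is denied rather than raising inside the policy check.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate(lines):
    """Tag each constructed log line with the policy decision for its client IP."""
    decisions = []
    for line in lines:
        client_ip = line.split()[0]
        decisions.append((client_ip, "allow" if is_allowed(client_ip) else "deny"))
    return decisions


if __name__ == "__main__":
    for client_ip, decision in evaluate(SAMPLE_LOG):
        print(f"{decision:5} {client_ip}")
```

Both v6 clients inside 2001:db8:abcd:1::/64 are allowed even though their interface identifiers differ, which is exactly the behaviour wanted when a phone or PC keeps minting new privacy addresses; the same reasoning applies when entering the prefix in CIDR form in the tunnel's access policy instead of one address at a time.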
Thank you for this awesome tutorial! I just have a question - does this eliminate the need for nginx proxy manager totally?
Yes it does
@@DBTechYT awesome! No more npm fiddling
yes yes YES YES .
This is what i needed. Amazing !
First - Excellent UA-cam Channel. Did you really quit your day job to do UA-cam? Kudos to your video editor too. 🙂 My question is: I currently expose a random port on my firewall and then use a Cloudflare Origin rule to rewrite 443 to the random port that I have open on my firewall - then port forward from the random port to 443 on my Nginx proxy server. And now for the question. With Cloudflared Tunnels, do I still need Nginx? Cuz the last two times I installed this on my Docker it broke my RPI. Thank you and keep up the good work.
Chris
AWESOME! Thank you, David! I’m off to implement this!
Hell yes!! You got this!
I’ve sent this to so many people since starlink became available in our area. Have you ever considered a video targeting CG-Nat especially Starlink and fixed wireless internet?
Wonderful ... So well explained 😀✌... Thanks a lot 🙏.
Thank you very much! This was exactly what I needed. Keep up the good work
Glad it helped!
I'm not sure about this under their TOS.
"you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services."
The problem with this is they can claim all your content is necessary to provide service.
I've been using them for more than a decade and have never had an issue with them other than better security
Hi sir, I'm building a TrueNAS right now. I'm not really good at this networking thingy. Right now, I do have NGINX Proxy Manager (for nextcloud) set up. So if I decided to use Cloudflare Tunnel, I don't need NPM anymore? I can just connect cloudflare to docker and point it to portainer which contains nextcloud, some web project? Thank you in advance
Thank you for all of your work…your videos have been such a help in getting my home NAS running well. This video is extremely welcome as I'd like to not forward any ports if possible. I'll definitely be trying this out….Can I use a Synology domain name?
You have to use a purchased domain that you've routed through cloudflare
Love you man! Great video as always.
You're the best!
I'm a bit late to the party, but what options (Cloudflare or not) are available to pass through IMAP and SMTP ports?
I'm trying to do this on unraid and everything gets set up but I keep getting a bad gateway error and the log says: "ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509" Can't seem to figure this out.
same here. Did you find a solution?
Great Stuff - I will try it on my Pi first, then I want to add it to my Contabo VPS. For that I wonder: if I added a FW to block all traffic, will it still let the Cloudflare access tunnel through?
Hi, do you have to put the cloudflare container into the same directory folder as your docker for your website?
So I learned to use nginx for nothing! Great find. Any benefits to using this method over nginx? Or is it just not needing any ports open?
No port forwarding. App restriction based on IP address, email address, etc. Firewall built in. SO many things you can do with CloudFlare tunnels that you can't easily do with NPM
@@DBTechYT I watched your video on NPM and Authelia but this seems similar and much easier. Great work!
Very informative as always, thank you for your hard work.
very cool @DBTechYT !!
Do you (or anyone else) know if this also works with running your app inside Kubernetes? Would you need to expose the cloudflare agent or your app with a ClusterIP or NodePort?
YES, now I can do so much more with my websites and servers!
Woo!!
Here's a stack format for those who prefer to use stacks. I added a restart policy and used Cloudflare's DNS for the container.
version: "3"
services:
  cftunnel:
    image: cloudflare/cloudflared:2022.5.1
    container_name: CF_Tunnel
    restart: unless-stopped
    # DNS server the container uses; a space after the colon is required
    dns: 1.1.1.1
    # replace YourTunnelToken with the token Cloudflare gives you for the tunnel
    command: tunnel --no-autoupdate run --token YourTunnelToken
When I include the command line, I'm getting this error: There is an error in the yaml syntax: YAMLSemanticError: Implicit map keys need to be followed by map values. any idea?
Yup, getting the same syntax error.
My best guess would be that you're including the . needs to be completely replaced with the token Cloudflare supplies to you. I edited my original comment to exclude the .
So this would allow me to run this via Portainer, for example? Do you know if there is any way I can run this on a Raspberry Pi (ARM)?
@@eierund you should be able to run this on a raspberry pi, just make sure to edit in your token.
Thank you for your content. It's really helpful and to the point, no filler. I have a question for you. I was able to follow your tutorial on setting up the tunnel but I can make post requests to my url. I have tried to figure it out with no luck. Do you have a video or recommendation to fix this? Thank you.
Great video. I see a lot of videos saying you need nginx along with CloudFlare tunnels. What is the difference and do you need them both actually? Sounds like a secure tunnel would mean a reverse proxy is not needed.
You're exactly correct with your assumption of NOT needing a reverse proxy if you're using CloudFlare tunnels. It's WHY I switched to tunnels: No reverse proxy. No open ports or port forwarding. All your routes are configured on CloudFlare
Are you still using Nginx-Proxy-Manager with this solution, or does this solution eliminate the need for that component? My other question is do you have a separate cloudflare tunnel for each server where you have services that are exposed to the internet?
This removes the need for NPM. You'll need to install the tunnel agent on each device you want to access, but you can have multiple devices attached to 1 tunnel if you want.
Great video as usual. I have a similar setup with cloudflare Argo tunnel and using NPM which ibracorp covered on his channel.
@@DBTechYT a question around this in that case... I have set up NPM with Authelia for my services as in one of your previous videos. Are you able to do a video around migrating Authelia from NPM to using this cloudflare tunnel instead? I love the idea of this tunnel but I'm worried it will take away too much flexibility.
@@cloud2050 From what I read on Cloudflare's website, "Argo Tunnel" was changed to "Cloudflare Tunnel".
How about dynamic IP? With this method, will the IP be auto-updated?
EDIT:
Worked fine with dynamic IP. I suggest installing the cloudflared docker on the VM or LXC that contains Portainer; it will automatically show on the Portainer dashboard and it's easy to stop & restart it.
Glad you got it sorted!
I'm trying to configure cloudflare zero trust with traefik, and I can't manage. Did someone manage? If so, which address is pointing the tunnel to, as no ports are exposed? On the other hand, with nginx I have no problems.
Hey! So define "configure cloudflare zero trust with traefik". Are you trying to access a Traefik instance, or trying to use Traefik through a tunnel? What OS or environment are you using? If you mean you're trying to access your Traefik instance from another device, using a tunnel, you would just need to type in the internal IP address of whatever device is running Traefik like Dave does around the 6:00 mark. If you're trying to use Traefik as a reverse proxy to access other applications from outside your home network you don't need to, Cloudflare handles your proxy and the tunnel is the security from the outside world, see 14:12 for restricting access to only YOUR devices.
Hey buddy, I'm going back to this video to see if there was a hint on how to host all applications using one tunnel. I had to install 6 different containers to host each one of my dockers without open ports. Is it possible that you can point me to what I have to do to just use one instead of a separate one per application? Thank you.
I've had this come up a few times recently in comments. I'm going to make another video about Tunnels this week.
@@DBTechYT I will really appreciate it. Thank you very much.
This is great! I can now access all of my HTTP services through Cloudflare tunnel, however, I am having issues with Wireguard. Is it possible to connect to my wireguard server through a Cloudflare tunnel? If so I haven't gotten it to work yet. :/
I'm glad you got most everything working. I haven't tried getting a wireguard server to work with tunnels, but I feel like they would actively work against each other
I'm not sure for your specific case, but I have Unraid's built-in wireguard going and followed David's tutorial here using the main terminal in Unraid, it set up a tunnel in the Docker, and everything works as intended. I have a Wireguard tunnel from my server to my phone, when I'm not on my home network with the VPN off I get the intended "Forbidden" page but as soon as I connect the VPN everything works. Not sure if that's what you meant but yeah.
Got it to work. Wanted to know how I would get this working with Authelia?
I'm not sure that you can without a LOT of extra work
I have been looking for an answer to this for days, and I can't seem to figure it out ...
I am pretty tech savvy (I was an electronics tech. in the navy) but I am really teaching myself the networking side of things for a sort of hobby. I am trying to set up Jellyfin to be remotely accessible through an Unraid server. What IP address do I use for my external IP to set up the tunnel through Cloudflare? Do I also use this to set up the record? I actually used your guide last night and got it working, security check application and all, but this morning the tunnel wasn't working again. I'm sort of assuming that I used the wrong IP address, or I used an IP address that is no longer relevant.
I guess the root of my question is this: does the Unraid server have its own IP, or do I need to use the IP of a docker container? Is there a specific container I need to install so that there is a static IP? Or do I just use the IP of the Jellyfin server? Do I need to just force the Jellyfin container to have a static IP? Am I skipping some ultra-basic step here that I am going to kick myself for not understanding?
Last night I just used the IP address listed in the Jellyfin docker info, and honestly I was sort of surprised that it worked, and I'm also not really all that surprised that it no longer works. What is the best way to do this? I feel like I've been watching hours and hours of tutorials, and at the point of setup where you need to enter an IP to create a record or a tunnel, everyone just says "just put in your IP" and I'm like, "WHAT IP?!?!?!"
Your Unraid server will have its own IP. If your network is set up via DHCP, that IP may change from time to time. Any docker containers you have on your Unraid server will share the Unraid server's IP address unless you've set up something like a MAC VLAN and assign different IP addresses to different containers.
So, for instance, let's say your Unraid server IP is 192.168.0.25, then you would access Jellyfin on 192.168.0.25:8096
If you want your Unraid server to have a static IP, then you need to set that in your network router. You might be able to set it in Unraid's UI, but you may still run into conflicts if your network router wants to use that IP for something else.
@@DBTechYT Is the Unraid server external IP the same as all the other IPs in the network, or is the Unraid server IP unique? I have run ifconfig eth0, but for some reason there is not a standard looking IP address there, so I just used the IP address that my PC was using, with port 8096. That is what was working last night, and what is not working this morning. Is it possible my IP dynamically changed overnight?
Your "external IP" is the one your Internet Service Provider gives you. Don't use sites like whatismyip or ipchicken to get your IP address for your local devices. You may need to login to your router to get the IP addresses of your devices on your local network.
@@DBTechYT WAN is the same as External, correct?
correct
QQ. After setting up the docker container and making the connection with cloudflare, how can I keep it running? If I ctrl+c out of the 'docker run . . .' in the terminal, the connection severs and I am unable to use the tunnel anymore.
Hey, this video is fantastic! Although, I’m just wanting to make sure, with this process, you can for a fact access your media from outside of your home network.
For example, if my home server was located in California, and I went to New York, could I still access my media through the domain?
Another question I have is, can this be used for Jellyfin? If not, what’s the reasoning?
This method will allow you to remotely access your services from wherever you want that has an internet connection. Cloudflare used to have a section of their TOS that explicitly forbade hosting media services. They've removed that section, but I would still be careful.
Hi, can you make a tutorial on how to connect via SSH using Cloudflare without opening ports?
this is a great idea!
Fantastic Video, immediate subscription
Thanks and welcome
What are the pros & cons of doing it this way vs your other guide (cloudflare+nginx)?
This method requires no port forwarding. It also allows for better restrictions, firewalls, authentication, etc
Great video, can you please show how to setup and use RDP with cloudflare zero trust. Thanks
I'm sure I'm missing something obvious, but what do I need to do so that it will auto-start? I think I need to add the restart policy, but I'm not sure where I add it in the copy/paste I get from cloudflare. Any ideas? --restart unless-stopped
Great video, thanks! I am using DNS Made Easy as my name server. Do I need to switch to Cloudflare DNS for the tunnels to work or can I keep my existing NS?
You'll have to switch your DNS to Cloudflare
You can also delegate a subdomain to cloudflare and keep the main domain at current name server...
Hi David, can you please explain what are the advantages/differences between this and using Tailscale. Thanks.
Good question!! The difference with this method is that it allows you to use a domain name. You can share your services with anyone without them having to install software on their devices; you can just add their IP or Email address to the setup and require that one of those criteria is met if you want to add that level of security. Using email authentication, you can also get security information about who logged into your services. I'm sure there are others, but this is off the top of my head
@@DBTechYT Thank you for a very clear explanation. I have been using your instructions on setting up Plex on OMV5 and just upgraded to OMV6; do your instructions still apply to OMV6?
Great video, wish I'd known this earlier!
This is amazing. Will certainly be trying it out. Is there a way the allowed IP can automatically be updated, as I don't have a fixed IP with my ISP. Thanks
I know there's a DDNS container that can be used to update regular A Records, but I'm not sure about updating allowed IPs. The one thing I've done for when I'm away from home is that I've got a PIA VPN account with a dedicated IP. That might be an idea until another method is available. If you want to try that, here's my PIA affiliate link: dbte.ch/piavpn
Got this working for the Unraid web GUI. But how do I configure it for the Nextcloud docker, as it's showing bad gateway?
Finally cloudflare tunnel, thank you!
Enjoy!
Great great video. Service works except ssh into my synology hosting the containers. I have not tried rdp or other tcp ports, but ssh not working is stumping me. Any ideas?
BTW I have ssh via browser, not shell.
Awesome, that is one of the greatest videos, thanks
Great Video! Thank you for sharing!
Thank you too!
Quick question! You added the port 6999 for a specific service on the same docker instance where the cloudflare container is running. What if I want to use another VM with a different IP and port (in my case homeassistant ip x.x.x.20:81234)?
You have to install the tunnel agent container on whatever device you want access to.
Thanks. Can you use this tunnel to bypass CG-NAT and access from outside?
Correct
Could this be used to remotely view/access cctv nvr?
Great method. Will this allow iOS apps or non browser access work like home assistant or nextcloud?
Yep!
Oh my! That’s awesome. My nextcloud stopped working for some reason. Maybe firewall was blocking traffic and I could not fix it. I think this will solve all that.
Did you ssh and install the tunnel on OMV or straight on Proxmox? Any idea what the implications of each approach would be?
Great question!! You can do it either way. Things to consider:
If you install it on your Proxmox server directly, you only have one tunnel agent to manage/update. You can also easily just point domains to any of the VMs or CTs on the device with that single agent.
The downside to doing it that way is that you're potentially opening your entire Proxmox server up to the world if you don't have the right levels of security in place. If you were to install it directly on Proxmox, you'd want to make sure that you limit access via methods like this: ua-cam.com/video/wdmbAo02ktQ/v-deo.html or even restricting access via the Warp client (I haven't made a video on this topic yet.). You'd also want to make sure that you have 2FA enabled on your Proxmox server and have a good backup solution in place *just in case*.
Good work as always!
Appreciate that
Great efforts as usual Dave, many thanks. Can I utilize this to gain access to services hosted on different hosts on the same subnet as the one the agent is installed on? One more question: do we need the DDNS script container to update the dynamic IP with Cloudflare anymore?
I usually install an agent on any host that I need access to just to make sure that I don't run into any issues. Also, you shouldn't need DDNS anymore with this setup as there's a constant line of communication between your agents and the CF servers
@@DBTechYT Absolutely amazing....thanks again...your content is the most straightforward and easy to comprehend among all other UA-camrs. Keep it up...
Thanks!! I really appreciate that! :)
Thank you. I was wondering, for example with Nextcloud, we do not have to request a Let's Encrypt certificate anymore, correct? The SSL certificate is now provided by Cloudflare?
Yes, correct
Hi, Me again :)
Do you know if Cloudflare Tunnel will allow setting up subdomains for different local IPs instead of one Docker IP?
For example, I would like to have DOMAIN pointed to local_ip_1 but subdomains like plex (dot) domain or cloud (dot) domain pointed to local_ip_2
I have one tunnel with agents on multiple devices and I point to different IPs that way
@@DBTechYT Amazing. Thank you for quick example. RESPECT !
Is there any tuts for docker/portainer?
Hello David,
This is awesome and I will definitely try this out. I have been searching a few things, like I have an old PC at home which I use as a server through Fedora Server OS. Using DuckDNS I access it over the internet and the subsequent docker containers have to be accessed using the DuckDNS URL and the port. Can Cloudflare help in eliminating the need for accessing the containers using ports, so only the https URL is needed? Also can we use PuTTY over the internet using Cloudflare, and the SMB services for file transfer?
Apologies for jumbling up too many questions in one comment and thank you so much for inspiring us to learn and try more.
This allows you to securely access your apps via a domain or subdomain instead of needing to use ports or anything like that. There is an option to setup additional services like SSH and RDP that I may make additional videos about in the future
I've followed this a few times yet always come to the same Error 502 bad gateway. Showing browser and cloudflare working but the host is not. Any thoughts on what the cause might be?
Hi, I have followed this method. Hosting OMV on RPi 4. But only http tunnels are working. SMB is not working. SSH is working if it is browser rendered. Not working in SSH client. Please help. I have spent lots of hours but couldn't figure out. Please show how to tunnel SMB.
If I remember correctly, CF tunnel solution explained in this video only works with HTTP traffic, not for other TCP based services (SSH, SMB, etc.)
Would you recommend using this over a reverse proxy? I have nginx set up atm but will switch to this as it looks safer, any draw backs?
I prefer this much more than a standard reverse proxy
Thanks, I just learned about tunnels and zero trust so this will get me up to speed lightning fast.
Have fun
@@DBTechYT I ran into a bump in the road... one does not need a reverse proxy while using this, right?
This replaces your reverse proxy
How is the tunnel's Docker container updated? Automatically? Manually? Watchtower?
You'll have to update it based on your current update strategy. If you do your updates manually, then you'll do that here as well. Same thing with WatchTower.
Thank you very much, this is great content and very informative.
Glad it was helpful!
Do you know how to set it up with support for websocket?
Great video! Can you also do this for a SQL Server?
Great tutorial!! Can't wait to put this into practice. Thank you very much! :)
Glad you enjoyed it!
Doesn't this break TOS? Is there a way to use this service without breaking TOS?
Great video David! Can you do a video with Jellyfin on OMV6 in a cloudflare tunnel with all the paths?
Possibly!
@@DBTechYT I can’t wait then. And thank you very much
If I understand correctly, video streaming is not allowed and your account may be banned.
That's interesting. I'm using it for Emby without issue.
Hey, thanks for this awesome video.
I really like this setup a lot.
Currently I am trying to set up some authorization method to secure my services/pages from others.
For my old setup I used HTTP basic auth in NPM (simple and quick),
but this doesn't really work for Cloudflare, so my idea was to use something like Keycloak as an Identity Provider, which I can set up in Cloudflare; Keycloak itself is also running as a docker container.
But right now I am kinda stuck: I only get the auth selection screen shown from Cloudflare and no Keycloak login screen.
I even tried SAML (guide from Cloudflare itself) and OIDC.
Maybe you or someone else has any idea how to get this setup working; that would be awesome.
I might have to make a video about adding authentication to apps via CloudFlare... :)
I successfully set up a tunnel. The only issue I have is that it redirects to my domain with the port number shown. I can't seem to find any information on this. Any ideas?
For the sake of argument I’ll assume the port forwarding was for a reverse proxy. Assuming that, would this tunneling scenario take the place of a reverse proxy?
Your assumptions are correct
Nice video David, but this setup is not supported on docker running on raspi (arm).😭😭
Hi, you can use the Debian armhf or arm64 version.
Thanks for the video! How can I tunnel "rustdesk"? It needs a lot of ports, 21115-21119. Any idea?
Hello DB Tech, I really hope you can help me out, since I'm struggling for a week now to get it done.
I'm running a Proxmox server, where I have Home Assistant running in a VM (HAOS). In an LXC container I'm running Nginx Proxy Manager, which I'm trying to set up with an Argo tunnel from Cloudflare. I tried many ways, tried to set up docker swag, tried to set up a tunnel myself with all the info I could find on the web, but I can't get it to work. Every time I get DNS probe errors or too many redirections errors. Anyway, I can't seem to make Nginx Proxy Manager host my subdomains through an Argo tunnel. I really hope you can make a video on how to set it up; it would greatly help me out! Thanks in advance!
This is a really good tool. Thanks for the video. Could this be used for non web services?
As long as the service has an IP address you should be good. It might require a port, but it also may not.
Hey there,
Thanks so much for this video.
I have one question. Do I still need Nginx Proxy Manager to create subdomains with SSL or CloudFlare tunnels takes care of this? Thanks in advance.
This replaces Nginx Proxy Manager entirely. It handles everything.
@@DBTechYT Thanks so much, I appreciate your time! I can't wait to try this! Keep up the great work!
Awesome ... thanks for the content.
Glad you liked it!
Thank you for this. It's very cool. Is there a docker compose for it so I can easily deploy it in portainer?
Give this a look: dbt3ch.com/books/access-your-self-hosted-services-without-port-forwarding-YoG/page/access-your-self-hosted-services-without-port-forwarding
@@DBTechYT That is awesome. I've been having a performance issue with NPM and this looks to cure that. I need to make some tweaks, but this is huge.
@@DBTechYT One thing I'm having trouble with is assigning the container with a static IP. Is there a good way to do this? I need it for Home Assistant to accept connections from the container.
MacVLAN: ua-cam.com/video/o7nn6Tv-PAw/v-deo.html
@@DBTechYT As I started this I remembered a mistake I made. Thanks!
When do you do studio setup tour?
Thank you for the video. I followed the instructions (have Ubuntu 20.04 with Portainer) but when I try to access the public URL I keep getting "Bad Request - Error code 502". Can you let me know how to debug this? I can access these locally and through NPM but accessing through tunnels is throwing up an error.
The page image depicts: Your Browser (working) --> Newark Cloudflare (working) --> My domain Host (not working)
Thanks man. Was looking forward to this. It seems like a little extra work but definitely will increase my home server security. When using cloud flare zero trust/tunnel there is pretty much no reason to be using NPM any longer correct?
That is correct!
Sorry, two more questions. I don’t have a static IP and use cloud flare ddns container to update the dns registry automatically. Is not having a static IP going to cause issues with the tunnel and is the cloud flare ddns container still needed?
You should be fine as the tunnel agent on your system is continually updating CloudFlare about changes :)
So most of the containers seem to work. But sadly my two vital containers (Nextcloud and vaultwarden) don’t. I get an IP address could not be found. I’ve tried using the server ip and container ip. And I double checked the ports.
@@alove4tech I have Vaultwarden as a Docker container running on Unraid. I followed this and got it working without doing anything special.
Excellent video, thank you. I was going to set up nginx but will go this route now. Question please: when you ran the docker run command, was that on your Proxmox host or a docker server running on Proxmox, as it wasn't clear? Could you show running this on a Synology also, please, if you get the chance?
Doesn't matter if it's on bare metal, proxmox, synology, whatever. It's the same process. You're just spinning up a docker container to act as a tunnel between your server(s) and CloudFlare.
@@DBTechYT so if I understand correctly, as I'm going to follow your video to set myself up, the tunnel needs to be set up with a docker container called cloudflared? If I wanted to set up access to my DSM, would that just be an application set up?
I just installed a docker container on my Synology device via command line.
@@DBTechYT gotcha…I deploy several containers now on my synology….my understanding is that i need 1 tunnel…which will allow me to set up access for my containers…but also my synology dsm?
correct. as long as you set them up in your "Public Hostname" section and your "Application" section, you should be good to go. I was actually able to set up access to my Synology the other day while I was at the bowling alley :)
Congratulations, great video, I have one question. I have followed you for years already and I have everything configured with Nginx Proxy Manager. Is it possible to do this directly to the proxy manager and have everything work like before? Thanks
This replaces Nginx Proxy Manager
@@DBTechYT Oops, missed that link... Thank you so much I was struggling with the nginx proxy manager setup and this actually worked for me. plus I would not have to update DNS every time my public IP changes, this is great.