You should NOT use Cloudflare Tunnel (if you do this...)

  • Published 7 Feb 2025

COMMENTS • 409

  • @jasenwar · 1 year ago · +268

    Why does every video with these tech YouTubers require me to grab a drink?

    • @dejangegic · 9 months ago

      They're paid by the Big Drink lobby that wants you hydrated, and your piss translucent

    • @tmanley1985 · 9 months ago · +39

      Just once, I'd like to see a video start with: "So get ready, grab yourself a five course dinner and let's figure this out together!"

    • @redwind3475 · 9 months ago · +12

      Great question. Why don't we talk more about it....over a cup of coffee!

    • @xConundrumx · 8 months ago · +1

      To be honest, I wouldn't be able to sit through most of them without a stiff one.

    • @jasenwar · 8 months ago

      @@xConundrumx for me I need a stiffy

  • @clixt984 · 1 year ago · +134

    I honestly don't mind all the cons of Cloudflare Tunnel, and I definitely agree. Don't just expose all your services without another form of security like Cloudflare Access. That's the first thing I did after setting up Tunnels, and it's been great.

    • @kanarie93 · 1 year ago · +14

      Basic auth is indeed not always working as first-level security, so Cloudflare Access is a godsend. I was fiddling with Authelia, but damn, Cloudflare Access "just works".

    • @threepe0 · 7 months ago · +2

      Too many eggs in the Cloudflare basket for reasonable comfort I think.

  • @Glatze603 · 1 year ago · +39

    Hi Christian and thank you for this critical and informative video. You do not bypass your firewall if you set up the cloudflared server (or Cloudflare Docker container) in a separate DMZ/VLAN. I can't see any difference from other VPN solutions that end directly in the internal network. This is a general problem that can either be improved by well-documented descriptions of possible extensions, or you have the necessary expertise yourself to be able to operate such solutions relatively safely.
    So you are right: not only the route between the endpoints has to be secure, but especially the endpoints themselves and the networks behind those endpoints always have to be secured. Your argument is still absolutely valid, and many manufacturers of such solutions promise easy and secure installations, which can be very deceptive.
    In my opinion, Cloudflare offers one of the best and most secure solutions for accessing internal services (no published ports, MFA for accessing the Cloudflare dashboard, and separate MFA and other web application rules for accessing the actual services). In addition, the actual application that you want to reach via Cloudflare Tunnel should also have its own authentication - I only use applications that can handle MFA on their own, such as Guacamole. But it always depends on how you implement it :-)
    If large companies trust Microsoft by running an Azure AD (most have little choice), you can trust Cloudflare for your homelab services for sure.

    • @ShaferHart · 1 year ago · +1

      If you can't see "any difference" between a VPN server that you run and this, then you are ignorant about the topic or just plain daft. The alternative to cloudflared (from a privacy perspective) isn't Tailscale or Twingate or whatever tf. Let's concede that Cloudflare gives you all of those features as securely as any third party can; that's really beside the point. You're getting all those "freebies" in exchange for putting a middle man in all the traffic you tunnel through them (technically they can establish any connection they wish from inside your network since they are running an agent inside yours). Obviously a lot of very technically inclined people are willing to do this, but let's not be stupid about the trade-offs here.

    • @Glatze603 · 1 year ago · +1

      @@ShaferHart Hosting a VPN server primarily just means having an encrypted connection between 2 points, nothing else!

  • @stefanfelder9413 · 1 year ago · +106

    Little workaround for the firewall issue:
    Put the Cloudflare Tunnel VM or container in a dedicated /30 VLAN with only internet access to the external IPs of Cloudflare, and create rules to the internal services you want to expose via inter-VLAN routing.

    • @xavierlarosa8235 · 1 year ago · +4

      New to home lab here. Are you saying to basically segment your internal network, and all your exposed services will be on an isolated network along with your Cloudflare Tunnel VM running?

    • @stefanfelder9413 · 1 year ago · +16

      @@xavierlarosa8235
      Yeah, you could do it like this. This would limit the devices Cloudflare would be able to reach to this VLAN.
      I have gone even further: I've got a server VLAN with my internal services and a dedicated VLAN for the Cloudflare Tunnel VM. So I get maximum control over the services Cloudflare is able to reach by creating a default drop between the VLANs and only dedicated allow rules for services I want to expose.

    • @rb-max · 1 year ago · +2

      This is what I am doing already, to prevent the CF tunnel from getting access to my whole network. The CF tunnel is limited to its own VLAN, then gets access to only the services that really need Cloudflare Tunnel.

    • @tonyho4512 · 1 year ago · +1

      @@rb-max Could you share how this can be done?

    • @stefanfelder9413 · 1 year ago · +1

      @@tonyho4512
      Depends on your firewall.
      What firewall do you have?
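The thread above asks how the "tunnel VM in its own VLAN, default drop, explicit allows" design is actually expressed. As an added example (written for this page; not any commenter's configuration and not Cloudflare's), here it is as an nftables ruleset for a Linux router: the tunnel VLAN may reach the Cloudflare edge on port 7844, may reach an explicit set of internal address/port pairs, and nothing else crosses in or out of that VLAN, while forwarding between other VLANs is left to whatever rules you already have. Interface names, subnets, service addresses and the egress range are assumed placeholders; Cloudflare publishes the real ranges cloudflared connects to, and a pfSense, Sophos or FortiGate box expresses the same policy as inter-VLAN rules in its own UI.

```shell
#!/bin/sh
# Added example: nftables policy for a cloudflared host in its own VLAN.
# Not from the thread or from Cloudflare; every name below is ASSUMED.

CF_VLAN_IF="vlan30"           # assumed: VLAN holding the cloudflared VM
CF_VLAN_NET="10.30.0.0/30"    # assumed: the /30 the thread talks about
SRV_VLAN_IF="vlan20"          # assumed: VLAN holding internal services
WAN_IF="eth0"                 # assumed: upstream interface
CF_EGRESS="203.0.113.0/24"    # PLACEHOLDER: replace with Cloudflare's published cloudflared ranges

# Print the ruleset. Apply (as root) with:  cf_vlan_ruleset | nft -f -
# Syntax-check first with:                  cf_vlan_ruleset | nft -c -f -
cf_vlan_ruleset() {
cat <<EOF
table inet cf_tunnel {
  # The only internal destinations the tunnel may reach (assumed addresses).
  set exposed_services {
    type ipv4_addr . inet_service
    elements = { 10.20.0.10 . 443, 10.20.0.11 . 8080 }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Replies to connections this chain already allowed.
    ct state established,related accept
    # 1) cloudflared -> Cloudflare edge, port 7844 only (TCP or UDP/QUIC).
    iifname "$CF_VLAN_IF" oifname "$WAN_IF" ip saddr $CF_VLAN_NET ip daddr $CF_EGRESS tcp dport 7844 accept
    iifname "$CF_VLAN_IF" oifname "$WAN_IF" ip saddr $CF_VLAN_NET ip daddr $CF_EGRESS udp dport 7844 accept
    # 2) cloudflared -> explicitly listed internal services, nothing else.
    iifname "$CF_VLAN_IF" oifname "$SRV_VLAN_IF" ip saddr $CF_VLAN_NET ip daddr . tcp dport @exposed_services accept
    # 3) Default drop for anything else entering or leaving the tunnel VLAN;
    #    traffic between other VLANs is left to your existing rules.
    iifname "$CF_VLAN_IF" log prefix "cf-vlan-drop-out " drop
    oifname "$CF_VLAN_IF" log prefix "cf-vlan-drop-in " drop
  }
}
EOF
}

# Sanity check: how many accept rules lead to a given output interface.
# The intended answer is 2 for the WAN (tcp+udp 7844) and 1 for the server VLAN.
count_accepts_to() {  # $1: interface name
  cf_vlan_ruleset | grep -c "oifname \"$1\".* accept"
}
```

The `established,related` rule is what lets the service's replies flow back into the tunnel VLAN despite the final `oifname drop`; without it the allow rules would pass the first packet and nothing else. Adding a service means adding one `addr . port` element to the set, not a new rule, which keeps the exposed surface easy to audit.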

  • @LAWRENCESYSTEMS · 1 year ago · +103

    Yup, these are the same issues I brought up in my Cloudflare Tunnel video.

  • @henrysowell · 1 year ago · +65

    Great video. I'm a huge fan of Cloudflare and think they've done a ton for the world on making the internet more secure. That said, having a reasonable, fair, and open analysis on the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!

  • @jenniferw8963 · 1 year ago · +9

    6:00 One thing you could do with a Cloudflare Tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN traffic to the appropriate servers and ports on other subnets.

  • @IanClive · 1 year ago · +5

    Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.

  • @AlexWard94 · 1 year ago · +12

    This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure.
    The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.

  • @maniratanpratapsingh0 · 1 year ago · +40

    Was waiting for someone to make this video. Great to see someone talking about this. We should see both sides.

  • @MikelManitius · 11 months ago · +1

    This is a good balanced look at it. One thing you forgot to mention are mitigations, such as being careful where in your network to deploy the tunnel endpoint. For example, a "DMZ" (or similar) area where you provide services from but that does not have access to the rest of your network… in order to minimize the crash surface.

  • @jacksoncremean1664 · 1 year ago · +40

    Excellent video, this is something home labbers often get wrong.
    Cloudflare isn't a silver bullet to your security woes; sure, it helps, but it comes with its own issues. If you're using a free plan then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.

  • @sphbecker · 1 year ago · +2

    Very good point. You could always put the Cloudflare endpoint in its own vlan so that you can still build firewall rules for the traffic.

  • @PowerUsr1 · 1 year ago · +5

    To be clear, at around 6:16 when firewalls might become useless because they are not integrated into the firewall and it punches a hole....
    1. If an enterprise employs application whitelisting on their laptops/servers/desktops, then this will never have a chance at being deployed.
    2. If an enterprise chooses to do SSL decryption, this would never have a chance at being deployed.
    3. If using some form of application identification (appid), this would never have a chance at being deployed.
    4. If you deny the outgoing port 7844, then this will never get deployed.
    If you choose to have lax rules or a lax security model then yeah, you can bypass the network security, but this isn't as easy as one would think it is.
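The four controls above keep an unsanctioned connector from being deployed; the complementary check is to notice one that already runs. As an added example (not part of the comment), this shell function reads firewall connection logs and reports internal hosts with allowed outbound flows to port 7844, the cloudflared port named in point 4, excluding hosts you have explicitly approved (such as a dedicated tunnel VM). The key=value log format and every address in the sample are constructed for this example; adapt the field parsing to your own firewall's log format.

```shell
#!/bin/sh
# Added example: find hosts that opened outbound 7844 (cloudflared) flows.
# Log format and all addresses below are CONSTRUCTED for this example.

# Approved tunnel hosts (assumed: the VM in the dedicated tunnel VLAN).
APPROVED_TUNNEL_HOSTS="10.30.0.2"

# Constructed sample log. 10.20.0.15 is a workstation that should not be
# running a connector; 10.20.0.99 tried and was already denied by policy.
SAMPLE_LOG='2025-02-07T10:00:01Z src=10.20.0.15 dst=203.0.113.7 proto=udp dport=7844 action=allow
2025-02-07T10:00:02Z src=10.20.0.15 dst=203.0.113.9 proto=tcp dport=7844 action=allow
2025-02-07T10:00:03Z src=10.20.0.44 dst=198.51.100.3 proto=tcp dport=443 action=allow
2025-02-07T10:00:04Z src=10.30.0.2 dst=203.0.113.7 proto=udp dport=7844 action=allow
2025-02-07T10:00:05Z src=10.20.0.99 dst=203.0.113.8 proto=tcp dport=7844 action=deny'

# Read log lines on stdin; print "src allowed_flows" for every host that is not
# in APPROVED_TUNNEL_HOSTS and had at least one allowed flow to port 7844.
flag_unapproved_7844() {
  awk -v approved="$APPROVED_TUNNEL_HOSTS" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      src = ""; dport = ""; action = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src") src = kv[2]
        else if (kv[1] == "dport") dport = kv[2]
        else if (kv[1] == "action") action = kv[2]
      }
      if (dport == "7844" && action == "allow" && src != "" && !(src in ok)) hits[src]++
    }
    END { for (s in hits) print s, hits[s] }' | sort
}

# Run the check over the constructed sample (real use: flag_unapproved_7844 < firewall.log).
demo_flags() {
  printf '%s\n' "$SAMPLE_LOG" | flag_unapproved_7844
}
```

On the sample this reports `10.20.0.15 2` and nothing else: the approved tunnel VM is filtered out, and the denied attempt from 10.20.0.99 is not counted because the firewall already stopped it, although a denied 7844 attempt from a workstation is itself worth a follow-up and is a one-line change (`action == "deny"`) to surface.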

  • @mrcolo. · 1 year ago · +5

    Please do a video about best practices to set up Sophos XG, secure the net, expose services safely, etc. Or a video where you show us your Sophos setup. Thanks man!

  • @subnumeric · 1 year ago · +8

    Pro tip: You can still use the SSH tunnel and do a reverse port tunnel through that. Cloudflare cannot see/MITM that, since only you have your certificate, which the server verifies and is thus able to perform an authenticated Diffie-Hellman exchange and guarantee your communication is confidential! (See the SSH2 protocol and TOFU security model)
    Also,
    I thought it was obvious that it works as essentially a MITM? They even advertise it as such! How else would they be able to magically HTTPSify all your services? Obviously, keep this in mind....

  • @rexjuggler19 · 1 year ago · +9

    I try to avoid using someone else's cloud services. I'm not 100% opposed, but I prefer to manage my own stuff with my own stuff.

  • @maximusdecimus2350 · 1 year ago · +1

    Thanks for sharing your knowledge; I'm planning my home lab and using your videos as research.

  • @romayojr · 1 year ago · +8

    I just recently deployed Cloudflare Tunnel with my home lab services and it's been working fantastic, but after watching this I'm very conflicted.

    • @christianlempa · 1 year ago · +4

      Like I said, it's not a bad service at all. Just depends on what matters most to you, simplicity, or privacy :)

  • @scottibyte · 1 year ago · +1

    Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from behind their CGNAT. In situations where I have played with Cloudflare Tunnel, it has been inside of a dedicated VLAN on my network, and I think that your concerns are valid. When CGNAT folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports, which I don't really see a way to do on Cloudflare Zero Trust.

  • @rocket01666 · 1 year ago · +1

    I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network, allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which make OpenVPN with MFA impossible with NPS. Now you must pay for expensive services such as Duo :(
    P.S. Love your content and what you provide for the IT community, Thank you!

  • @BrentFreyEsq · 1 year ago · +12

    Great video! I think homelabbers should talk more about who you trust with your data, but also the various attack surfaces these services open up.
    I'd be interested in a deeper dive and comparison between Cloudflare Tunnels, Twingate and Tailscale (and Headscale), as they all do similar things with subtle--but important--differences.

    • @homepc293 · 1 year ago · +2

      You forgot zerotier. Would really love to see an in depth comparison of these

  • @BlitzFingers · 1 year ago

    Thank you very much, Christian! I've been considering HAProxy or the CF tunnel. This helped me make my decision.

  • @thomastupper2594 · 1 year ago · +10

    What's the alternative to it though? If the option is either opening a port or using cloudflare, is that really a viable alternative?

    • @damiendye6623 · 1 year ago · +2

      IPv6

    • @CryptoRhino339 · 4 months ago

      I mean you can do something like tailscale, but that may still have similar privacy issues, so best option would be headscale with another main server on the cloud

    • @Technically_Bad · 3 months ago

      You can host your own service on a VPS, or use a remote access VPN.

    • @CryptoRhino339 · 3 months ago

      @@Technically_Bad That's the equivalent of opening a port: hosting things on a public-facing cloud. Instead, what I suggested is using a VPS and a public-facing connection interface. Without the VPN to go through the first server, you can't even reach the second.

    • @CryptoRhino339 · 3 months ago

      @@damiendye6623 true, but hard to implement currently

  • @mariof.1941 · 1 year ago · +1

    I have enough options with my FortiGate firewall to share certain parts of my network. I looked into the Cloudflare solution, but the fact that all my traffic would go through their servers stopped me from using it. However, once you have made the right settings in your firewall, it is easy to quickly provide someone with a service from the HomeLab.

  • @xxgg · 1 year ago · +2

    So what method do you recommend for remote access to home network? VPN?

  • @josephwagner6682 · 11 months ago

    Very good video. I was especially interested in the security concerns of bypassing your company's firewall by using such a reverse tunnel. I guess no enterprise will want to have such a thing set up by an individual user. I could imagine an enterprise setup done locally with trusting Cloudflare, but it's a security nightmare when everyone can start a Docker container and punch holes into the whole firewall setup. I would even assume that some companies block those hosts and ports by default.

  • @Ecker00 · 1 year ago · +2

    Thank you Christian for taking a critical take on this. 👍

  • @TheJoaolyraaraujo · 1 year ago · +1

    Thank you. I was wondering about the implications of using it.

  • @bangonkali · 4 months ago

    I think the issue with the internal firewall in the internal network can be mitigated by making sure that requests crossing from the cloudflared tunnel need to cross the firewall itself prior to reaching the service being exposed. This way requests are also checked by the internal firewall. You can have a separate firewall for this, or it can be the same firewall you already have. What is important is that the cloudflared instance is separated from the internal application instance by the firewall. Firewall rules/checks/introspection can still happen.

  • @canadianwildlifeservice8883 · 1 year ago · +2

    Agreed with this post. With most cloud providers, you give up your privacy for security (well, security is subjective... providing no three letter agencies haven't already backdoored it like they did with L2TP and Juniper).

  • @niravraychura · 1 year ago · +2

    Thanks for the video. It actually makes sense. But I would like to add something here, "home lab is for learning" right? Yes, we can check out some tools but I think ppl who have a home lab should expose their services and do some kind of research about how to secure it, for example, use some kind of firewall, ids/ips, etc. See the logs regularly, and automate some things. Maybe I am wrong, it's just my thought. Correct me if I am wrong.

  • @George-d2x6r · 4 months ago

    Great video. Probably you should have added more emphasis that similar products (Zerotier) have the same problem.
    US 3-letter organisations have access to all of your data, for sure.

  • @RK-ly5qj · 1 year ago · +2

    I have tested CF, and I didn't choose it for a few reasons - trust, protocol limitation, and L7 protection (threat protection, AV, IPS, web filter etc.), which I can do on my Sophos XG (WAF). Maybe I didn't test it well, but... ;)

  • @madsjensen8094 · 1 year ago · +2

    Glad someone else finally said it!

  • @Aurora-light01 · 3 months ago

    I like that you are correcting it.

  • @dangaines405 · 4 months ago

    Great content Christian! Your channel rocks!

  • @MichaelWDietrich · 1 year ago · +1

    Thanks for the great vid. But on 9:15: no "two endpoints" will ever be under your "full control", not even physically (and even for one endpoint, how much it is under your "full control" could be disagreed about as soon as any network connection - let alone a wireless network connection - is involved).

  • @GrantSR · 1 year ago · +2

    What if you ran cloudflare on a small separate machine, outside of your firewall? So that all cloudflare traffic still had to go through your firewall?

  • @DavidMedinets · 1 year ago · +1

    Thanks for pointing out this issue.

  • @chrisumali9841 · 1 year ago

    Thanks for the info and video, have a great day

  • @MiFonito · 1 year ago · +2

    Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your Cloudflare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust.
    Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement reverse proxy, lol).

  • @Saqibss · 1 month ago

    Thank you! Super useful as an intro to Cloudflare Tunnels and its uses.

  • @olafschermann1592 · 1 year ago

    Good point. I had to decide between ZeroTier, which is more convenient for my application, and Cloudflare. I decided for Cloudflare because I trust them (more). But shutting down a service is also a valid complaint.

  • @RobertMizen · 1 year ago · +16

    I think one of the main issues for me is the centralising of important internet infrastructure. Cloudflare offer some great services which are important. But I do not feel comfortable with so many eggs of the internet being in so few baskets.
    Awesome video btw dude as usual

    • @pavelperina7629 · 1 year ago · +4

      I see it in the opposite way: Cloudflare removes many points of failure. Of course it depends how much time, money and (electric, your) energy you are willing to invest into your infrastructure. For accessing your personal blog, Nextcloud, Git ... running on a low-power PC/SBC, I'd say it's perfect.

  • @fisunerd · 1 year ago · +1

    Well, I guess that one should not use this kind of service without security layers in mind.
    Mostly because in a certain, given scenario, one could use their service's trustworthy reputation to stealthily exfiltrate data from a company's network, or gain reverse access to it. Either by somehow abusing it or installing it on purpose in a post-exploitation phase.
    This is a great option when your security's strategy is mature enough and capable of containing threats as mentioned before.

  • @mihaigalos279 · 1 year ago · +4

    Just use a reverse SSH tunnel to the device hosting the cloudflared, that's encrypted end-to-end.

    • @SirWolf2018 · 5 months ago

      Is this some kind of SSL passthrough setting in Cloudflare?
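Both @subnumeric's "pro tip" earlier in the thread and @mihaigalos279's suggestion just above rest on the same property, which answers @SirWolf2018's question: this is not a Cloudflare setting at all. The SSH client verifies the server's host key itself, so whatever relays the bytes in between cannot substitute a key of its own without the client noticing. As an added example (not from any of the commenters and not Cloudflare's configuration), here is an ssh_config stanza that pins the host key explicitly in a dedicated known_hosts file instead of relying on trust-on-first-use, carries the SSH stream over the tunnel with the ProxyCommand form from Cloudflare's documentation, and reaches an internal service through a port forward inside that verified channel, plus a helper a setup script can use to refuse to run until the pin is in place. Hostnames, user names, paths and the forwarded addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example: SSH through a Cloudflare Tunnel with an explicitly pinned host
# key. Not from the thread or from Cloudflare; every name below is ASSUMED.

SSH_HOST="ssh.example.com"                     # assumed: tunnel public hostname for sshd
PINNED_FILE="$HOME/.ssh/known_hosts.tunnel"    # assumed: file holding only the pinned key
CLOUDFLARED="/usr/local/bin/cloudflared"       # assumed install path of the cloudflared binary

# Print the client-side ssh_config stanza. StrictHostKeyChecking=yes together
# with a dedicated known_hosts file means the connection fails unless the server
# proves possession of the key you pinned out of band; there is no TOFU prompt.
ssh_tunnel_stanza() {
cat <<EOF
Host $SSH_HOST
    User tunnel
    IdentityFile ~/.ssh/id_ed25519_tunnel
    UserKnownHostsFile $PINNED_FILE
    StrictHostKeyChecking yes
    # Carry the SSH stream over the tunnel (ProxyCommand form from Cloudflare's docs).
    ProxyCommand $CLOUDFLARED access ssh --hostname %h
    # Reach an internal web service end-to-end: localhost:8443 -> 10.20.0.10:443 (assumed).
    LocalForward 8443 10.20.0.10:443
    ExitOnForwardFailure yes
    ServerAliveInterval 30
EOF
}

# Count plain (unhashed) known_hosts entries for a host in a file.
pinned_entry_count() {  # $1: host, $2: known_hosts file
  awk -v h="$1" '$1 == h { c++ } END { print c + 0 }' "$2"
}

# Succeed only if exactly one pinned entry exists for SSH_HOST in the file, so
# a bootstrap script can stop before the first connection is ever attempted.
require_single_pin() {  # $1: known_hosts file
  [ "$(pinned_entry_count "$SSH_HOST" "$1")" = "1" ]
}
```

`pinned_entry_count` only understands plain host names, not entries written with `HashKnownHosts yes`; "exactly one" is a policy choice that fails closed if a second (possibly unexpected) key for the host appears. The `LocalForward` can be swapped for a `RemoteForward` for the reverse direction the two commenters describe; the host-key verification, which is what keeps the relay out of the session, is the same either way.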

  • @mobimb · 1 year ago · +1

    Thank you Christian for the video. Kindly, we need to know what the alternative solutions are in your opinion?

  • @jlickliter502 · 1 year ago · +2

    I like how he kept a neutral stance but provided info so we can make our own choice.

  • @szymex22 · 1 year ago · +1

    Another thing I would like to mention that most YouTubers don't is that if you are using Cloudflare you should set up DNS overrides on your DNS server on your LAN, so that stuff doesn't go through Cloudflare and works offline when just accessing it from the LAN.

    • @jayzn1931 · 1 year ago

      How do you do that? And if you use something like pihole, is this still a concern or especially then?

    • @szymex22 · 1 year ago

      @@jayzn1931 Pi-hole is the DNS server I used; just add, in Local DNS, the address of the website and the server IP.

    • @damiendye6623 · 1 year ago

      @@jayzn1931 Google "split DNS".

  • @uuu12343 · 1 year ago · +7

    Cloudflare tunnel is a tunneling protocol that does a peer-to-peer connection through a "middle-man" server such as cloudflare tunnel, same as zerotier and tailscale
    Using another server inherently means you have a dependency that you need to be aware of

    • @darrennotfound7740 · 1 year ago · +2

      For Tailscale, if it can do P2P, there's no middle man.
      If it can't, it will use a middle man.

  • @GabrielAcosta00 · 1 year ago · +1

    Hi Christian, excellent video.
    I'm using Cloudflare Tunnel to expose a web application (Django + React) to a handful of clients. I don't care about the data; I found cloudflared easy to do what I wanted. Should I look for another approach? To access my homelab I still use WireGuard + AdGuard Home + NPM.

  • @JamieBainbridge · 3 months ago

    Good video. I self-host to have control over my data, I don't want to give it to a company again.

  • @chaosen3 · 1 year ago · +6

    Regarding your point about serving non-HTML content, I always found it was a good practice to bypass the caching with a page rule. I use the tunnel and a reverse proxy to host my plex server using a custom server access URL and the first month I had it running with no page rules I was a bit unsettled to see how much data had been cached, but nothing came of it anyway.

    • @pcklubas · 1 year ago · +1

      They said in the Discord that this rule applies to ANYTHING that goes through the Cloudflare network; they don't care if you cache it or not. So you can still get booted if you don't cache a thing. However, they probably won't bother you if you're not pushing many terabytes of data.

    • @canes4ever162 · 1 year ago

      This is what I am thinking about doing. So are you doing a CF tunnel to nginx to then forward to Plex? Any security concerns? I feel like it is better than exposing ports on my IP.

  • @shivamanand8998 · 4 months ago

    If you apply this logic then AWS can also read everything at the load balancer because we add all keys to AWS ACM. In that case nothing is safe on the cloud as well.
    I think I trust cloudflare much more than most tech companies out there.

  • @niv8880 · 4 months ago

    Glad I watched this. I will abandon Cloudflare before I get too involved. Much appreciated.

  • @MyAnimeForLife · 1 year ago · +1

    Can you point out some other options similar to Cloudflare Tunnel which have similar services?

  • @Pyth0nym · 1 year ago · +1

    Do you think tailgate is a better solution than cloudflare?

  • @vidx9 · 1 year ago · +1

    "... customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2." - Cloudflare's blog.
    That is for the removal of section 2.8 in the Cloudflare Terms of Service, which essentially means nothing to most people unless you are paying to use their services.

  • @DigitalIndependent · 1 year ago · +7

    This is exactly what I was thinking. That’s why I run a VPS with a site2site VPN connection home to my self hosted services. It’s basically a jump box or traffic forwarder. There’s two ways for this: terminating your SSL at your VPS (which I am doing now) or forwarding the SSL traffic home (with HAProxy, experiments running as I am typing this).
    Video coming up in this, too

    • @MrOnePieceRuffy · 1 year ago

      But why? xD Set up SSH access via certificate on your VPS, use autossh on your machine, forward the ports you want to expose, write a startup rule in your .rc, done.
      Set up SSH access via certificate on your VPS, create a new service, ssh to your VPS, forward the ports you want to expose, systemctl daemon-reload, service xxx enable, done.

    • @szymex22 · 1 year ago

      @@MrOnePieceRuffy because ssh reduces the performance by a lot because it’s double tcp encapsulation

    • @mistakek · 1 year ago

      This is actually what I do too, also gets around CGNAT for my backup 4G internet connection

    • @ramiboutas · 1 year ago

      I would love to check out that video! I use Cloudflare tunnel for hosting some sites from a mini pc that I have. But I would feel more secure if the traffic is forwarded direct from a cheap server that I can fully control.

  • @ijustwanttoeatcookie · 1 year ago · +1

    I applaud you for also pointing out the drawbacks of CF tunnels. What is your opinion on exposing something like vaultwarden on CF tunnels?

    • @semirauthsala6001 · 1 year ago · +1

      I wonder what makes you stop creating a simple VPN setup with a trusted provider and exposing it securely. If you are able to host Vaultwarden locally, you should be able to set up a VPN as well.

    • @ijustwanttoeatcookie · 1 year ago · +1

      @@semirauthsala6001 There are situations where the device you want to connect from can’t connect over a vpn because it is managed by someone else. A company device for example.

  • @muhammedsaqibazam3035 · 1 year ago · +1

    Very informative, but what will be the alternative to a VPN, if we are not willing to use Cloudflare as an alternative to a VPN? Is there any Web Application Firewall which fulfills all the requirements of a secure tunnel?

  • @rashshawn779 · 1 year ago · +2

    Does Cloudflare allow connecting to a local service with only a subdomain setup? I was setting up my service through Cloudflare Tunnel (free tier), then I realized I cannot add only a subdomain to Cloudflare for the public hostname. I don't want to do a full setup for the zone because of the way my setup works. Quite wasted my time; I wish they were clearer in the documentation very early on. So annoying to do until the end, only to realize it doesn't work for subdomain-only setups.

  • @techaddressed · 1 year ago · +1

    I scanned through all the comments to see if there was any mention of this but didn't ...
    When you mentioned that Cloudflare decrypts the traffic, this is specific to if they're handling SSL for you and not if you're handling your own SSL termination? I don't use CF tunnels, but I do use Cloudflare. My internal services that get exposed connect to a Nginx reverse proxy that's in the cloud via a Nebula mesh overlay. The reverse proxy handles the SSL termination. That reverse proxy though is also connected to Cloudflare for caching, speed improvements, etc.

    • @nixxblikka · 1 year ago · +1

      Someone said, you can host your own PKI and point CF to it. However I am not sure, what is the point then, of having it at all?

    • @ericesev · 1 year ago

      Cloudflare decrypts the connection between the web browser and their servers. It then re-encrypts the connection when communicating to your backend. In the middle, within the Cloudflare network, the data is unencrypted and visible to them.
      You can verify this. Take a look at the SSL certificate your browser uses when connected via Cloudflare and compare it to the SSL certificate used when your browser connects to your service directly. The key fingerprints/hashes won't be the same. Cloudflare owns the private key for their certificate. They are the only ones who can decrypt it. It must be decrypted and then re-encrypted before sending to your backend service.
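The comparison @ericesev describes, scripted as an added example (not the commenter's code): `served_fingerprint` hashes the leaf certificate a TLS client is shown for a hostname, so running it against the public name that resolves to Cloudflare and against your origin's address directly, then feeding both results to `same_leaf_cert`, reproduces the check. `demo_fingerprints` is an offline stand-in that creates two throwaway self-signed certificates with the same subject name and shows that the fingerprint, not the name on the certificate, is what tells two keys apart. Assumes `openssl` is installed; hostnames are placeholders.

```shell
#!/bin/sh
# Added example: compare the certificate a client sees through Cloudflare with
# the one your origin presents. Not from the thread; assumes `openssl` exists.

# SHA-256 fingerprint of the first certificate in a PEM file (offline).
cert_fingerprint() {  # $1: PEM file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate served at host:port, with SNI set to the
# host (online). Example: served_fingerprint app.example.com 443
served_fingerprint() {  # $1: host, $2: port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds when both fingerprints are non-empty and identical (the client is
# talking to your origin's key); fails when they differ, i.e. a different key,
# and therefore a different party, terminates TLS in front of the origin.
same_leaf_cert() {  # $1, $2: fingerprints
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Offline demonstration with two throwaway self-signed certs that share a CN,
# standing in for "edge" and "origin". Constructed data; prints same/different.
demo_fingerprints() {
  d=$(mktemp -d)
  for role in edge origin; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=app.example.com" \
      -keyout "$d/$role.key" -out "$d/$role.pem" >/dev/null 2>&1
  done
  edge=$(cert_fingerprint "$d/edge.pem")
  origin=$(cert_fingerprint "$d/origin.pem")
  rm -rf "$d"
  if same_leaf_cert "$edge" "$origin"; then echo same; else echo different; fi
}
```

For the live check, the "direct" side is whatever reaches your origin without Cloudflare in the path (an internal address, a VPN, or the split-DNS name mentioned elsewhere in these comments); if the two fingerprints match, TLS is terminating on your own key, and if they differ, someone else's key sits between the browser and your service.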

  • @nicolasayastuy · 8 months ago

    So, what to use? What is the free, professional alternative to Cloudflare Tunnels? Reverse proxy, local DNS and what else? Like, how would you add subdomains to your domain to expose your services? The only reason most people use Cloudflare Tunnels is because they don't know how to set it up in a different way.

  • @UNgineering · 1 year ago · +1

    do you have a video on what to use instead of cloudflare tunnels to access my homelab applications?

    • @christianlempa · 1 year ago · +2

      There will be more videos about these topics. Currently I can recommend tailscale or teleport videos.

  • @nordexo · 1 year ago · +1

    Sounds like a thing that needs to be isolated on its own network segment, with all traffic coming out from the agent still going through the main firewall.

  • @CarlosDiaz-fl4jl · 11 months ago

    The big takeaway should be that if you don't understand the security implications, then don't use it. Goes for all systems though. Not fair to aim at cloudflare, but certainly fair to respond to your own content to provide better clarification.

  • @jribeiro1792 · 1 year ago · +3

    Hey Christian, thanks for your videos. Does the same thing apply to Twingate? Any insights on this solution? Thanks

    • @christianlempa · 1 year ago · +1

      Thank you! As far as I know, Twingate uses a different protocol, and does not hook into TLS, however, it also likes to punch a hole into your firewall, so while the 1st and 3rd problem won't apply, 2nd will...

    • @jribeiro1792 · 1 year ago

      @@christianlempa That's great!!! It's my own hole, so fine!!! :))))) Unfortunately my IP address is not public, so I can't use any port forwarding solutions. Thanks a lot for your reply

  • @dankkster · 1 year ago · +1

    is this a segue to setting up a VPN with traefik? I definitely hope so! I am not sure if tailscale would be the same situation or if wireguard would be the better choice for privacy. a video about that would be a nice addition.

  • @pieterrossouw8596
    @pieterrossouw8596 1 year ago +2

    The branding bugs me. It's part of their "Cloudflare Zero Trust Platform", yet requires enormous amounts of trust of Cloudflare since they must decrypt your traffic.
    Am I missing something?

    • @christianlempa
      @christianlempa 1 year ago

      Hmm true 😃 however the Zero-Trust concept refers to something different, it’s a new concept in IT to create more secure environments.

  • @garypaulson5202
    @garypaulson5202 1 year ago +1

    This was very informative, thank you very much

  • @alphonsemarcus3650
    @alphonsemarcus3650 1 year ago +1

    Why not just add an extra layer of encryption before sending stuff through Cloudflare? Excellent video btw

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago +1

    Another good video sir !!

  • @tester246
    @tester246 1 year ago +1

    What about Cloudflare Zero Trust with WARP?
    Would that be better than tunnels?

  • @RobertAnthonyPitera
    @RobertAnthonyPitera 1 year ago +1

    Was about to deploy Cloudflare and, thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed.
    I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out and well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!

  • @oRaveVibez
    @oRaveVibez 10 months ago

    I switched from ngrok to Cloudflare Tunnels and I don't regret it

  • @GottaHache
    @GottaHache 1 year ago +1

    You should do a video about Twingate. Very cool tool

  • @stevebryant3723
    @stevebryant3723 1 year ago +1

    I set up a DMZ VLAN with Cloudflare and pfSense. It's much more complicated to admin, but at least the Cloudflare VM doesn't have full network access by default. Just cost a bit of hair ripping during troubleshooting and setup lol

  • @arpecop
    @arpecop 1 year ago +1

    It might blow security engineers' minds, but AWS and other cloud providers also have access to your data (physically...), but they don't care to detach and inspect the disks it lives on, unlike the tunnel, which runs on your own machine and experts can inspect *especially if it's open source* what actually is going on... I am no expert, but my logic tells me that there will be performance overhead if such "sniffing" happens. I also think SSL does not work this back-and-forward way

  • @RuiFungYip
    @RuiFungYip 1 year ago

    Personally, my deployment of Cloudflare Tunnels is by deploying it as a sidecar container on my external ingress Traefik instances.
    I run 2 sets of Traefik deployments in my local k8s cluster, one that's exposed to the internet via Cloudflare Tunnels, and one that's local only. Gives me pretty good control of what gets exposed where by setting the correct ingressClassName and external-dns annotations on my ingress resources. Security is enforced by the CNI via Network Policies, and the cloudflared daemon isn't initialized with cloud config, just a straight "direct all traffic to Traefik on localhost" rule static configuration.
    It's pretty good for punching through CGNAT while being directly accessible online. Similar things would be ngrok, I guess. Tailscale Funnel is nice, but a bit restrictive since you can't use your own domains.
    As for bypassing the network firewalls and whatnot, that's a pretty easy workaround. Deploy the cloudflared tunnel on a separate VLAN/subnet where it has to go through the router to reach the services, then its traffic will be monitored by the firewall / security appliance. (Though in most homelab setups it does mean the traffic will transit the router twice so... tradeoffs.)
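The "cloudflared forwards everything to the local reverse proxy, nothing else" pattern described in the comment above can be checked mechanically before the tunnel goes live. The following is an added example, not code from the video, from the commenter or from Cloudflare: it models the `ingress` section of a cloudflared `config.yml` as the Python dict that `yaml.safe_load` would return and flags any rule that would let the tunnel reach something other than the proxy. The tunnel ID, the `example.com` hostnames and the `127.0.0.1:443` origin are placeholders.

```python
"""Policy check for a cloudflared ingress config (added example).

The pattern being enforced: the tunnel makes no routing decisions of its
own.  Every public hostname terminates at the local reverse proxy, the
catch-all rule returns 404, and origin certificate checks stay enabled,
so "what is exposed" is decided by the proxy and the firewall, not by
whoever can edit the tunnel config in the Cloudflare dashboard.
"""
from urllib.parse import urlsplit

# Constructed sample in the shape PyYAML's safe_load() gives for a
# cloudflared config.yml.  <TUNNEL-ID>, the hostnames and the origin are
# placeholders, not values from any real deployment.
SAMPLE_CONFIG = {
    "tunnel": "<TUNNEL-ID>",
    "credentials-file": "/etc/cloudflared/<TUNNEL-ID>.json",
    "ingress": [
        {"hostname": "app.example.com", "service": "https://127.0.0.1:443",
         "originRequest": {"originServerName": "app.example.com"}},
        {"hostname": "git.example.com", "service": "https://127.0.0.1:443",
         "originRequest": {"originServerName": "git.example.com"}},
        {"service": "http_status:404"},          # required catch-all
    ],
}

# The only origin the tunnel may talk to: the proxy sidecar (assumption).
ALLOWED_ORIGINS = {("127.0.0.1", 443)}
ALLOWED_ZONE = "example.com"


def check_ingress(config, allowed_origins=ALLOWED_ORIGINS, zone=ALLOWED_ZONE):
    """Return a list of policy violations; an empty list means the config passes."""
    problems = []
    rules = config.get("ingress") or []
    if not rules:
        return ["no ingress rules defined"]

    # cloudflared itself requires a final rule without a hostname; this
    # policy additionally requires that rule to be a plain 404.
    last = rules[-1]
    if "hostname" in last or last.get("service") != "http_status:404":
        problems.append("last rule must be a catch-all 'http_status:404'")

    for i, rule in enumerate(rules[:-1]):
        host = rule.get("hostname")
        svc = rule.get("service", "")
        if not host:
            problems.append(f"rule {i}: hostname-less rule before the final catch-all")
            continue
        if host != zone and not host.endswith("." + zone):
            problems.append(f"rule {i}: hostname {host!r} is outside zone {zone!r}")
        if svc.startswith("http_status:"):
            continue                               # static response, no origin

        u = urlsplit(svc)
        if u.scheme != "https":
            problems.append(f"rule {i}: origin {svc!r} is not https")
        port = u.port or (443 if u.scheme == "https" else 80)
        if (u.hostname, port) not in allowed_origins:
            problems.append(f"rule {i}: origin {svc!r} bypasses the reverse proxy")

        origin_req = rule.get("originRequest") or {}
        if origin_req.get("noTLSVerify"):
            problems.append(f"rule {i}: noTLSVerify disables origin certificate checks")
    return problems


if __name__ == "__main__":
    for msg in check_ingress(SAMPLE_CONFIG) or ["ingress policy: OK"]:
        print(msg)
```

To run it against a real deployment, load the file with `yaml.safe_load(open("config.yml"))` and pass the result to `check_ingress()` with your proxy's address in `allowed_origins`. A direct `http://10.x.y.z:port` rule to some device on the LAN, or a `noTLSVerify: true` added "to make it work", shows up as a violation; that is exactly the class of change that turns a tunnel terminating at the proxy back into the firewall bypass the video warns about.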

  • @kevinhughes9801
    @kevinhughes9801 1 year ago +1

    Great insight thanks

  • @djKenpLan09
    @djKenpLan09 1 year ago

    First! Thanks for continuing to share your knowledge, Christian!

  • @rogueparticle
    @rogueparticle 1 year ago +1

    Do you have any videos on how to set up a webserver on a Raspberry Pi and have secure certificates etc. that can be accessed externally and not open up your home to potential cyber attack?

  • @kodream316
    @kodream316 1 year ago +1

    Could you make a video with an alternative way to expose internal services without a public IP (CGNAT)?
    I currently rent a VPS with a public IP and with ZeroTier (will set up my own WireGuard at some point) connect to a dedicated VM at home. Then on that VPS I redirect all traffic on ports 80 and 443 to my reverse proxy VM with iptables rules. It was a bit of a pain to get it working at first before I figured out the correct iptables rules. But it works fine since then.

  • @YoRaulAndrei
    @YoRaulAndrei 1 year ago

    Is there any possibility to expose TCP or SSH over Cloudflare Tunnel?

  • @urzaaaaa
    @urzaaaaa 9 months ago

    Great explanation, thanks!

  • @zacboyles1396
    @zacboyles1396 5 months ago

    3:40 I recall a rather large, and quite shady, situation that occurred right before their sudden popularity. It was enough of a ‘something’ that it warrants caution. Some might even argue that it justifies suspecting ulterior motives.

  • @moetocafe
    @moetocafe 11 months ago

    It's literally a description of how malware would work :) Whether one trusts CF or not is up to everyone to decide for themselves.

  • @ericesev
    @ericesev 1 year ago +1

    I've been burned too many times by cloud hosted services. As more and more folks use their free tier, I suspect they'll eventually need to start charging for it or discontinue it entirely. I've been basically doing the same Zero Trust thing with a reverse proxy on my own network. It'll always be free, it'll always be more private, and a direct connection will always be faster and more reliable.
    I've never understood how they can market their product as having end-to-end encryption when it only has point-to-point encryption.

  • @7uk1
    @7uk1 3 months ago

    So what would be the best choice to use the potential of a homelab where I don't have a static IP, but I have a MikroTik router and another remote server (nginx proxy and load balancing for services in Node.js on the homelab) with a static IP and my own domain? DDNS, SSH tunnel, or maybe something else?

  • @ClemensLaengle
    @ClemensLaengle 9 months ago

    Simple: set the Cloudflare tunnel to a dedicated VLAN, so you can still control the connection to your internal IPs

  • @sergefedorow8430
    @sergefedorow8430 1 year ago

    Thank you! Just in time, as for me.

  • @linuxbasics7060
    @linuxbasics7060 1 year ago +1

    Can you do a video on pfSense or something similar and how we would go about securing our home lab?

  • @pasci_lei
    @pasci_lei 10 months ago +1

    What if I use Cloudflare as DNS-only over Nginx Proxy Manager? The certs are saved on my machine and every port except 22, 80 and 443 is blocked, so CF shouldn't be able to decrypt the data, right?

    • @christianlempa
      @christianlempa 10 months ago +1

      Yes, you're right! If you just use it for DNS, they don't see the payload

  • @Diego-q6k5w
    @Diego-q6k5w 7 months ago

    And what is the difference between this config with cloudflare and tailscale?

  • @jairoflorian9809
    @jairoflorian9809 2 months ago

    I understand your point, but what other option does a CGNAT user have?

    • @christianlempa
      @christianlempa 2 months ago

      It depends on whether you need to publish a local service, or want secure access. For the latter, there are other solutions like Tailscale, Twingate, NetBird, etc.

  • @MorpheusLewis
    @MorpheusLewis 1 year ago +1

    OMG, where did you get your animated Matrix wallpaper?? Also thanks for this, I've been looking at using Cloudflare due to YouTube videos etc.

  • @myusrngml
    @myusrngml 1 year ago +3

    Why use Cloudflare Tunnels, aka a reverse proxy, if your router supports port forwarding?

    • @tiriyoncontinuum9519
      @tiriyoncontinuum9519 6 months ago

      Think of setting up an RPi on some coffee shop's free wifi....

    • @ibrahimhussain3248
      @ibrahimhussain3248 5 months ago +1

      Most people don't have public static IPs, or even public IPs for that matter

  • @ivandrofly
    @ivandrofly 12 days ago

    Very good points - I just discovered this