One thing to keep in mind when using CF tunnels is that Cloudflare can see all of your server's traffic. If your goal is privacy, I recommend staying away.
Self-Hosted Main
I wish people would stop making this statement.
There's a difference between "seeing traffic" and "being able to understand what it is and do something about it".
How could they not understand what it is, since it is all decrypted.
Brother, there is no difference. I think you are confused. They can "understand your traffic and do something about it": it's unencrypted, and you agree to a fairly strict terms of service that allows them to basically do whatever they like. Maybe you should read the agreement, and if you're using the tunnels, maybe turn them off until you understand your security posture and the exposure of your network.
Yeah I'm not bothered about that, but I can see why some might be. All I care about is security.
Cloudflare tunnels being unsafe for exposing your locally hosted services to the web
That's the point of Cloudflare Tunnels. It's a reverse proxy.
Cloudflare Auth (zero trust) can lock down the tunnel so only certain people can access it.
I want to clarify something though. Cloudflare Tunnels IS SAFE. But if you choose to use it in an unsafe way, that's not the fault of the tunnel.
It's like putting on a bicycle helmet and then running on the freeway and wondering why your leg gets broken after getting hit by a car.
"but I was wearing my helmet" great, but that wasn't the point of the helmet.
Makes sense. I was assuming that the people who were saying it wasn't safe were including the access control methods in that too for some reason.
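To make the "reverse proxy plus Access" distinction from the exchange above concrete, here is an added example of a cloudflared `config.yml` (it is not from anyone in this thread; the tunnel name, hostnames, origin addresses and ports are placeholders). The ingress rules only decide where traffic for each hostname goes; they do no authentication. The "only certain people" part is the Access application you attach to each hostname in the Zero Trust dashboard, and a hostname routed through the tunnel without one is reachable by anyone who knows it, which is the unsafe use the thread is talking about.

```yaml
# cloudflared config.yml (added example, not from the thread; all names are placeholders)
tunnel: homelab
credentials-file: /etc/cloudflared/homelab.json

ingress:
  # Weak pattern (commented out): a single rule with no hostname forwards every
  # name you point at the tunnel straight to one origin, so anything resolving
  # to the tunnel reaches it whether or not an Access application covers it.
  # - service: http://localhost:80

  # Hardened pattern: one explicit rule per hostname, each hostname also covered
  # by an Access application (policy configured in Zero Trust, not in this file).
  - hostname: proxmox.example.com
    service: https://192.168.10.5:8006
    originRequest:
      noTLSVerify: true   # Proxmox ships a self-signed cert; the hop is inside the LAN
  - hostname: wg.example.com
    service: http://localhost:51821

  # The final rule is mandatory and must have no hostname. Using http_status:404
  # means any hostname not listed above is refused instead of being forwarded.
  - service: http_status:404
```

Run `cloudflared tunnel ingress validate` against the file before starting the tunnel; it rejects a config whose last rule still carries a hostname. The hostname list here is the place to check whenever a new DNS record is pointed at the tunnel: if a name is routed but has no Access application, the tunnel will happily proxy it.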
We use cloudflare tunnels in production for massive workloads at FiveM/Cfx.re, I can with 100% confidence say that I trust in it.
Only caveat is that if you have rapid scaling, CF might accidentally route to a non-existent tunnel, and if that doesn't resolve itself you will have to recreate it.
But this has only been an issue if you force shutdown some of the cloudflared instances. And only very intermittently, reproducing it has been difficult.
Gotcha, thanks.
I admit there is a level of trust needed in cloudflare, but I also need to trust the container makers, and the hardware manufacturers as well. I use cloudflare with O365 and jumpcloud for my auth sources and I've been thrilled. Different policies by subdomain, works great.
This is basically my config:

```yaml
wireguard:
  container_name: wireguard
  image: weejewel/wg-easy
  volumes:
    - ./data/wiregaurd:/etc/wireguard
  environment:
    - WG_DEFAULT_DNS=192.168.10.3   # internal DNS (pihole) handed to clients
    - WG_HOST=public.example.com    # public hostname clients connect to
  env_file:
    - ./env/wg-easy.secrets         # web UI secrets, kept out of the compose file
  ports:
    - 51820:51820/udp               # WireGuard itself (it only uses UDP)
    - 51820:51820/tcp
  expose:
    - 51821                         # web UI: reachable by other containers only, not published
  restart: always
  cap_add:
    - NET_ADMIN
    - SYS_MODULE
  depends_on:
    - pihole
  sysctls:
    - net.ipv4.ip_forward=1
    - net.ipv4.conf.all.src_valid_mark=1
```
In my case, I reverse proxy port 51821 through caddy to configure clients (with Authelia in front of it), but you could expose it internally only if you want to prevent that interface from being publicly accessible.

Note that public.example.com needs to be replaced with your connection's public DNS hostname (you can use something like duckdns for this if you want), and that you need to expose 51820 on your firewall/router. In my example above, 192.168.10.3 is the IP for pihole, and resolves some internal hostnames. You should look over the config provided once you set up a client and make sure it uses accessible hostnames, etc.
I don't think there's any specific reason to worry about using cloudflare tunnels over any other VPN solution, and if your connection uses CGNAT, you might actually need something that tunnels out to a central hub.
Thanks, that's a massive help, I may give it another go.
Cloudflare is as safe as you design it to be. Once your tunnel is set up, you configure an Access app and set up whatever rules you want. For me personally, for ultra protected stuff like my proxmox management, I require WARP to be in use and then an email MFA code. Along, of course, with my proxmox login.
I'll be setting up something similar I think.
How exactly are Cloudflare tunnels “unsafe”? And what makes you think VPNs are a better option?
I’ve used CF quite a lot and the major downside is that you have to have decent authn/authz on at least one end of your tunnel but CF does not necessarily provide this. VPNs provide authn but not necessarily authz depending on the setup. In either case, how you set up and manage identities and credentials is key.
The best way to achieve this depends entirely on what applications you are exposing and what options they give you for identity management.