You should NOT use Cloudflare Tunnel (if you do this...)

Are you interested in Remote Access for your Homelab? In this YouTube video, I will explain the potential implications and problems with Cloudflare Tunnel, and when you should NOT use it. I’ll also discuss the architecture of the service, the security and privacy implications, and the legal and regulatory implications. Tune in to find out more! #RemoteAccess #Homelab #CloudflareTunnels

Comments

Why does every video with these tech YouTubers require me to grab a drink?

jasenwar

Yup, these are the same issues I brought up in my Cloudflare Tunnel video.

LAWRENCESYSTEMS

Hi Christian. I have one public IP with all ports available to my homelab. Obviously with a good firewall. In this configuration, I can do all I need. But here in Brazil, this type of service is very scarce, mainly due to the lack of available public IPs. I've been testing the use of CHR for a few months now and I'm really enjoying it. First, the fact that I use an Amazon IP here in Brazil, where I host the MikroTik CHR, and also because I can create a tunnel with a server that is behind a restrictive firewall, which for me is very interesting due to the unavailability of public IPs. Another interesting point is that I can configure my Hurricane Electric IPv6 range in this CHR and distribute it to servers via tunnel. Great content.

IanCliveKerrCoelho

I honestly don't mind all the cons of Cloudflare Tunnel, and I definitely agree. Don't just expose all your services without another form of security like Cloudflare Access. That's the first thing I did after setting up Tunnels, and it's been great.

clixt

Thanks for sharing your knowledge; I'm planning my home lab and using your videos as research.

maximusdecimus

Well stated. The folks that have approached me interested in Cloudflare Tunnels are those that want to have services reachable from behind their CGNAT. In situations where I have played with Cloudflare Tunnel it has been inside of a dedicated VLAN on my network, and I think that your concerns are valid. When CGNAT folks want to host non-web applications, I tell them to manage their own VPS endpoint server outside of their network. This takes care of being able to host UDP connections or TCP connections to non-web ports, which I don't really see a way to do on Cloudflare Zero Trust.

scottibyte

Hmm.... Your video confirms my amateur understanding of Cloudflare tunnels. Thank you very much! I'll think more about it, get info and probably tip my tunnels and switch to a practical in-house VPN solution. I hope I can do that. Best regards.

erichb.

I use and rely on CF Tunnels for exposing resources, though they are heavily restricted and require you to have the WARP client present on your device and have authorization to my team. With WARP it creates a WireGuard tunnel connection into my network, allowing me to pass UDP traffic or non-HTML traffic. It's actually a great VPN alternative since M$ has deprecated auth prompts, which makes OpenVPN with MFA impossible with NPS. Now you must pay for expensive services such as Duo :(
P.S. Love your content and what you provide for the IT community, Thank you!

rocket

Very good point. You could always put the Cloudflare endpoint in its own VLAN so that you can still build firewall rules for the traffic.

sphbecker

Was about to deploy Cloudflare and thanks to searching for deployment tutorials, the algorithm served me this video. Score one for YT - this was an excellent video I'd likely have otherwise missed.

I still think it's right for my use case, but this video was invaluable towards a better understanding of what I was doing. It was thoughtfully laid out, well explained, with just enough humor to make it fun to watch. Nice job; I subbed after watching it. Thanks!

RobertAnthonyPitera

This is a great video that got me thinking - especially while I was mulling the obvious home network security advantages of using a Cloudflare Tunnel. But, as with everything, there has to be a catch - you have to trust Cloudflare will handle your data carefully and hopefully not leave it open to exposure.
The thing is - this is inherently a problem with Cloudflare itself (as well as AWS, Azure, Google, Apple and any other public cloud offering). And in reality, so much of the internet relies on these big players - there's practically no way you can use the internet without at least some of your important data ending up in the hands of these players.

AlexWard

Thank you very much, Christian! I've been considering HAProxy or the CF tunnel. This helped me make my decision.

BlitzFingers

Great video. I'm a huge fan of Cloudflare and think they've done a ton for the world in making the internet more secure. That said, having a reasonable, fair, and open analysis of the risks vs. benefits is something the homelab community should do more of. And frankly, there are a ton of packages and projects that we all install that should get the same scrutiny. Thanks again for the level-headed analysis!

henrysowell

This is a good, balanced look at it. One thing you forgot to mention is mitigations, such as being careful where in your network you deploy the tunnel endpoint. For example, a "DMZ" (or similar) area where you provide services from but that does not have access to the rest of your network, in order to minimize the crash surface.

MikelManitius

6:00 One thing you could do with a Cloudflare Tunnel setup is put the server which the connector daemon is running on into its own VLAN. Then set up firewall rules in pfSense to route that VLAN's traffic to the appropriate servers and ports on other subnets.

jenniferw

Please do a video about best practices to set up Sophos XG, secure the network, safely expose services, etc. Or a video where you show us your Sophos setup. Thanks man!

mrcolo.

Excellent video; this is something home labbers often get wrong.
Cloudflare isn't a silver bullet for your security woes. Sure, it helps, but it comes with its own issues. If you're using a free plan, then I'd argue it doesn't provide much value, at least compared to using something like ModSecurity/Coraza, CrowdSec or a hardware firewall appliance.

jacksoncremean

Beautiful video. Thank you for addressing this (actually, I was close to writing you and asking about this after seeing your Cloudflare video; you were just faster). Services like this are great, but they come at a cost. At the end of the day, this is all about whom we trust.

Thank you, Christian; following your channel has been worth it since the day I discovered it. You gave me a lot of nice home projects to implement in my home lab (I still have to implement reverse proxy, lol).

MiFonito

Hi Christian, and thank you for this critical and informative video. You do not bypass your firewall if you set up the cloudflared server (or cloudflared Docker container) in a separate DMZ/VLAN. I can't see any difference from other VPN solutions that end directly in the internal network. This is a general problem that can either be improved by well-documented descriptions of possible extensions, or you have the necessary expertise yourself to be able to operate such solutions relatively safely.
So you are right: not only the route between the endpoints has to be secure, but especially the endpoints themselves and the networks behind those endpoints always have to be secured. Your argument is still absolutely valid, and many manufacturers of such solutions promise easy and secure installations, which can be very deceptive.
In my opinion, Cloudflare offers one of the best and most secure solutions for accessing internal services (no published ports, MFA for accessing the Cloudflare dashboard, and separate MFA and other web application rules for accessing the actual services). In addition, the actual application that you want to reach via Cloudflare Tunnel should also have its own authentication. I only use applications that can handle MFA on their own, such as Guacamole. But it always depends on how you implement it :-)
If large companies trust Microsoft by running an Azure AD (most have little choice), you can trust Cloudflare for your homelab services for sure.

Glatze

Hi Christian, I have been thinking about it again, especially with regard to my self-hosted Vaultwarden, which is accessible externally via Cloudflare Tunnel. As far as I know (and I am a layman), Vaultwarden encrypts the data locally. When synchronising with an external client via the CF tunnel, the data should actually be securely encrypted. CF doesn't know the key of my Vaultwarden. Or am I wrong?

erichb.