You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!
Watched it like 20 times and still can't recreate it. I just left it unsecure, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.
I've used Cloudflare tunnels before and it's too easy to setup. Unaware users don't know what security layers they lost... I'd rather use nginx rproxy over a VPN into a VPS.
How exactly could network engineers at a company prevent someone from hosting an internal company service externally over their own domain through cloudflare tunnels? Block all Cloudflare traffic and break the company internet? 😅
@@Clarence-Homelab several ways. A couple of obvious ones, Block access to production, docker, kubernetes etc through privileged access management. Block egress traffic. Monitor and alert on new containers etc
5 месяцев назад
Thanks for the video, good content! Now correct me if I'm wrong, but using this technique will allow me to block all traffic that is not using a FQDN (i.e. IP scanners) if I disable normal port forwarding on the my UDM SE firewall and then open ports for the incoming traffic from the Cloudflare tunnel? If so, is there any other way that I could accomplish that without using Cloudflare tunnels? Alt. provider of similar functionality, or with some firewall configuration...? Or is this a unique combination of functionality?
4 месяца назад
I was hoping you would honor me with an answer, would really appreciate it! I'm thinking it might work to host stuff through a tunnel this way, having a public facing server without actually opening any ports on it, and that the combination of DNS management (having a proper DNS entry for public access) and a tunnel (connected to that entry) is something that I have't seen elsewhere and might be unique. You can have CNAME entries pointing to TailScale network nodes, but that would require access to the TailScale network, which is different from this...
mm wouldnt a another option be to limit access to your web domains. I have setup limited access to my sub domains to two locations. Ill never be in AUS or Fiji accessing my sub domains.
Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?
Dude aewesome video. Iknow it’s lots of work but could you make a tutorial of implementing this on a casaos environment? I have one server with all my apps and I want to set another one to run firewall tunnels and monitoring. As I’m not a security professional I need more details on it lol.if you can point ,e to a tutorial or create one would be amazing
Very interesting video. Now I have to realize how setup this without docker, as I installed CF tunnel for a Jellyfin service hosted in my proxmox server. I wonder if proxmox firewall could also be used for this. 🤔
Thank you for the video, this is truly amazing. I just have one question. Would it be better if I also run my application docker client from within the macvlan and assign it its own ip? that way their network would be entirely isolated and I wouldn't have to make any rules in the firewall.
@@Jims-Garage I am trying to expose a simple golang website, and I can't afford to set up a firewall. If I isolate the tunnel and the application in their own macvlan, would that be okay? or do I absolutely need to isolate my host entirely? If so, what would you recommend for a third-world student who can't afford any network isolation hardware?
@@randyclark7433 the cheapest option is likely to use Cloudflare proxy (free) or Cloudflare tunnel (has privacy issues but likely scans all traffic). As someone in security it's hard to escape a hard recommendation for a firewall though. You can virtualize it like I do to use the same hardware.
Can you make a guide on adding these firewall rules in OPNsense? They are vastly different and don't seem to correlate with the ones you entered in sophos.
@@Jims-Garage I have a homelab running Proxmox hosting several VMs and LX Containers. (And Docker's in there as well.) I use a CloudFlare Tunnel to provide remote access to the VMs and Containers without needing to open any ports on my router. I then have CloudFlare Applications pointing to various services providing authentication. My understanding is that no one will be able to even get to my server until/unless they pass authentication through the Application. Do you think this is a good idea? I'd love to have a self-hosted alternative, but honestly, CF Tunnels & Applications seem to provide the access and security I need. Thoughts?
@@jbarr if the authentication is required before accessing the container that sounds good from an accessibility perspective. As long as you're happy with zero privacy (Cloudflare sees all traffic in plain text) then it's also fine from a security perspective.
Newbie to networking and docker here! For this to work i assume i need to create a Vlan interface in the firewall for vlan 4 to act as a gateway for vlan memebers right? And does the switchport connected to the docker host must be configured as a trunkport to accept vlan 4 (cloudflare tunnel docker) and the watherver vlan the host is part of? Thank you for this video.
why is the parent interface enp6s18.4...what's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a vlan ID. How's this a vlan?
http_status, bastion -what is it? By the way, CF has the ability to install rdp on windows, and in the tunnel settings, choose an rdp tunnel, do you have a video or instructions on how to do this and how to secure such a tunnel?
As with SMB, I don't recommend exposing RDP to the internet, it'll likely be brute force attacked. You're better off putting this behind a proper VPN like WireGuard (I have a video on that, or headscale if you're unable to port forward - see other video)
By the way, as I said, I don't use docker, but debian. The virtual machine is located in virtualbox, which is installed on windows 10. Because when I used docker, I couldn't figure out how to set up a network connection. Rather, I did not understand why there is no connectivity between the docker, which is installed on the Ubuntu virtual machine and the local network. The virtual machine was also on virtualbox, ubuntu was installed, there was a docker in it. There was connectivity between Ubuntu and the local network, there was a connection between docker and Ubuntu - the network worked. But there is no connection between docker and LAN. I couldn't ping or anything. It was as if Docker was isolated. That's why I used debian, because it's very simple there. Just one team.
It's probably the network setting you gave the VM in virtual box. You'll want to create a bridge so that VMs can access the lan. I recommend a dedicated hypervisor like proxmox or esxi if you can.
I've been using cloudflare for a while, but I couldn't figure out how to limit it to a few containers. What I really wanted was to find a way to limit docker to only use a single interface on my server, but it has proven impossible. It was possible to use incus to create a vm for docker to run in, and that could be limited. However it feels a little cumbersome. Your video really helped me find the right solution using macvlan. 👍
Thanks for the honest feedback. I prefer videos without, but apparently most people like some ambient background music. I'll mix it up on future videos and see how it goes.
Thanks, I don't watch your videos as entertainment, rather as technical information and tutorials. I find any kind of background music totally distracting.
@@EduardoSantanaSeverino That's great, just imagine, if you use your own device for listening to music, you can even chose which song you want to play in the background ;-)
@@Jims-Garage makes sense. Thank you. I really appreciate the response. Last question. Do you have a preferred DDNS service? Like do you use DuckDNS, Cloudflare DDNS or something else?
Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for. I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) . Do you know of a solution that is halfway user friendly (as near to plug and play as possible)? Thanks a lot!
Sadly that two are often at odds. Wg-easy can do part of that, otherwise it'll be something like headscale/tailscale I guess you could use something like Authentik and Authelia to restrict access by user accounts
But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also?? I’m confused. What to do? Where to start? And end?!
Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container
@@Jims-Garage ahh ok. Yeah I tunnel out services on a different machine. Thought you might have had it so you could tunnel DNS queries through it but also tunnel internal services
How would you set something similar on a cloud where you don't have the possibility to filter the traffic between devices (like hetzner)? Any way to achieve something similar with subnets?
Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation. Well done, sir.
Yea, but Portainer controls everything (a bad example for a tunnel tbh, never expose Portainer to the web). The key problems are zero privacy, complete offloading of security to Cloudflare (no firewall), and if something is missed a compromised container could allow lateral movement. Use a VPN for accessing Portainer if possible.
@@Jims-Garage yea I wouldn't ever expose portainer. But say I was exposing a simple app (Trilium Notes for example); the only security concern would be a bug on either cloudflared or trilium notes itself, right? A vulnerability on the app itself wouldn't be saved by the introduction of vlan. So I guess the vlan just protects from a security bug in cloudflared ...?
@@andherium first concern is privacy, Cloudflare sees everything you do in plain text. vLAN can help to prevent network propagation but it wouldn't do anything against the host being compromised. I recommend having a firewall internally to scan the traffic, it's a free service after all.
That's probably the worst case scenario. All depends how much you care about privacy and how much risk you're willing to take, perhaps for your use case it's fine.
@@Jims-Garage yeah i moved back to a VPS. my ISP is very stingy. no bridge mode, no vLANs, hell i can't even change dns on router and have to do it on device-by-device bases :/
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik. All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring. Is there a flaw in my understanding of these bridge networks?
I too use an XG firewall, i have CF tunnel working with Nginx. Unfortunately when i put the tunnel on it own vlan the tunnel now report error TLS handshake timeout, cannot reach origin server. I have the firewall rule setup to allow traffic from the tunnel vlan to NPM vlan just like the video. I can ping my Nginx proxy from the tunnel vlan. Not sure why its not working when they are on separate vlan.
@Jims-Garage the firewall rule in place is pretty open, I am not blocking any ports. In fact, I have it set to allow traffic from one vlan subnet to the other subnet with no service or IP restrictions or IPS during my testing. I am going to remove the NPM out of the equation to see if that's the issue. I will instead use cloudflare as the proxy on the tunnel. I would prefer to use an internal proxy, though.
@Jims-Garage DNS for what's behind the NPM proxy? If so, not yet. I was stuck on the tunnel error about it reaching my proxy, so most of my troubleshooting was making sure NPM and cloudflared can communicate.
I appreciate your videos! You have been a lot of help on my journey. However, this isn't working for me. In my Sophos log, I see the my rule being used, and the traffic gets routed to the correct IP. However, it seems to end there. My Traefik access logs don't show any entries. So the traffic is being dropped somewhere between my firewall and the Traefik container. Any troubleshooting advice? I feel like somehow I am losing the name resolution, so Traefik ignores it. But I don't know how to check for that.
Just wanted to pop in and say awesome series - this has really made all the difference in my homelab journey. Thanks and keep up the good work! Question - does this still have value if you already host all your external accessible apps on a DMZ?
When you say you're punchunig a hole in your home security, do you understand that no one has any security rather than anything standard included. And I don't even know if anything is included in macos by default
Agreed. But most people running a Mac aren't exposing it directly to the internet. Moreover, most homelabbers will have a 3rd party firewall that they control tunnel. With a Cloudflare Tunnel you're effectively handing all trust over to Cloudflare. Granted, they're one of the biggest players in the game and therefore advanced, but it does also make them a prime target for attack. I feel it's worth taking control and doing it yourself, or doing both as I illustrate.
@@Jims-Garage I mean, I don't have any firewall in my router, so anyone can break inside my lcoal network. I'm exposing my Synology NAS by trusting Synology to do that. I'm exposing my homeassistant by trusting nabucasa. I always trusting someone.
What is smb? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, smb is very critical of delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.
SMB is short for samba, you're right, it's a network share protocol. I would advise against using it in a Cloudflare Tunnel, you don't want to be exposing shares this way (i.e. to the internet - use a VPN instead).
I had also this concern about the "privacy" of these services when they became available! Mac-Vlans are pretty powerful feature! Thanks for the solution and the fantastic tutorial!
Great video and lovely of you to give Christian a shout-out. Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?
I have an internal reverse proxy (traefik) that routes all of my internal hosts by name i.e: proxmox.local.home.lan docker.local.home.lan portainer.local.home.lan Which is great as I don't have to put in port numbers or anything and everything all the time is https even inside my network. Is it more secure to point my cloudflare tunnel at one of those? In other words I would like to set this up exactly as you have outlined here (great job by the way) but not go to the actual server just go to my interal proxy. Is this better? Does cloudflare still see my traffic this way?
Routing through a proxy won't really do much. In my video I'm making sure the traffic goes through a firewall, and is scanned by crowdsec. Those are the two bits that add back some security.
@@Jims-Garage the reverse proxy is also behind my firewall ( it isn't meant for external access) so I'll just make all the rules and see how it goes. Thanks again!
