Just getting started with self hosting. I was wondering if anyone had experience with Cloudflare Tunnels for exposing their services to the internet. I like the simplicity and security it offers but don’t love the idea of using Cloudflare. Like, I’m self hosting for a reason lol. Any tips would be greatly appreciated!

For context, I’m running all of my services in a very small k8s cluster and my priorities are mostly security then maintainability. Thanks yall!

EDIT: yall are great! Thank you so much for the replies. I’m going try my luck with pangolin but its good to know I have options.

    • 4grams@awful.systems
      link
      fedilink
      English
      arrow-up
      5
      ·
      18 days ago

      I’m in the same boat. I love that it makes self hosting easier for me. It does what I need and even gives me a small extra measure of security. I admit, I use it because I’m lazy, I could do it without Cloudflare and do for some services. So, I figure if it truly becomes urgent or intolerable I can drop it from the stack.

  • pfjarschel@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    19 days ago

    The service is ok, but if you (rightfully) do not want to be tied to Cloudflare, take a look at Tailscale Funnels. Same concept, but from a company that values the user and their privacy. Also, for regular personal/small user base, free tier is more than enough. And you get a free .ts.net subdomain to use with your apps, if you need that.

      • aaravchen@lemmy.zip
        link
        fedilink
        English
        arrow-up
        2
        ·
        18 days ago

        I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?

        Self-hosters aren’t lacking in tools to connect between a home server and some internet exposed server so they can tunnel from that public internet server back to their home server, they’re lacking in affordable options for the internet accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple Wireguard connection from your home server to a public VPS with a couple trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-ike permission-based routing software, but without the actual connections tools or hosting. That’s already available for free with Headscale, but Headscale also includes the connections part too. Am I missing something that would make Pangolin even equivalent, let alone better than, the free Headscale project?

        • comrade_twisty@feddit.org
          link
          fedilink
          English
          arrow-up
          5
          ·
          18 days ago
          • Headscale is essentially a self-hosted, open-source alternative to Tailscale’s control server, enabling creation of a private WireGuard-based mesh VPN network. It lets you use Tailscale clients while running your own control server, focusing on secure device-to-device connections without exposing open ports. It requires a server with a public IP for the control server but does not natively manage reverse proxy or authentication for web services.

          • Pangolin is a more complete self-hosted solution built on WireGuard and Traefik, combining VPN tunneling with a modular reverse proxy and authentication management. It provides centralized management with role-based access control, 2-factor authentication, automated SSL via Let’s Encrypt, and can expose multiple private networks or services through secure tunnels without needing to open firewall ports. It includes a web UI and plugins for security features like WAF, API, and OAuth2/OIDC identity providers.

          • aaravchen@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            14 days ago

            I see, so Pangolin includes the Tailscale Funnel functionality (which Headscale currently does not), integrates Authentik and Traefik, and sells it as a stand alone service. I guess there’s probably a narrow market for that, though it’s unlikely to be self-hosting. My experience is that any OAuth or RBAC solution is too involved and/or poorly supported by self-hosted applications to see more than a small number self-hosters using it, and those that do are advanced enough users that they would probably just build it themselves with free tools instead.

            • comrade_twisty@feddit.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              14 days ago

              Pangolin is free for non commercial self-hosting purposes and used quite intensively in the Jellyfin community.

    • aaravchen@lemmy.zip
      link
      fedilink
      English
      arrow-up
      4
      ·
      18 days ago

      Funnel has some significant limits on what you can use it for, esp with respect to streaming media FWIW. Not sure if it’s relevant here, but worth noting.

  • talentedkiwi@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    11
    ·
    19 days ago

    I’m using Pangolin, which is the current hotness. It’s somewhat like cloud flare tunnels, but you need a VPS (find a cheap one). That tunnels back to your house. I opted into using crowdsec as another later. It’s a part of their setup process.

    • aaravchen@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      18 days ago

      So what benefit does Pangolin actually provide then if you already have to provide the VPS? Routing back to your network from a VPS is trivially easy, it’s getting the affordable VPS (given bandwidth prices) that’s actually the sticking point of any solution.

  • hendrik@palaver.p3x.de
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    19 days ago

    Cloudflare is very popular, there should be plenty people around with experience. And Cloudflare is convenient and fairly easy to use. I wouldn’t call them “secure” though. I mean that depends on your definition of the word… But they terminate the encryption for you and handle certificates, so it’s practically a man-in-the-middle, as they process your data transfers in cleartext. But as far as I know their track-record is fine. I have some ethical issues because they centralize the internet and some of their stuff borders on snake-oil… But it’s a common solution if you can’t open ports in your home internet connection, need some caching in front of your services, something to block AI scrapers, or you need a web application firewall as a service.

      • hendrik@palaver.p3x.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        19 days ago

        Seems some people here advocate for a VPS, and I do it as well. I pay roughly 7€ a month for a small(ish) server with 4 cpu cores, 8GB of RAM and 256 GB of storage. That allows me to host a few services there, for example some websites and matrix chat, which I don’t want to go down if there’s an issue at home. And it allows me to do reverse proxying there, so I have the entire chain under my control. But there’s many ways to do it, and several other tunneling solutions (boringproxy.io, nohost.me, pagekite, ngrok, …) that I heard of.

        And a lot of home internet connections allow port-forwarding. Not sure what your provider does, but I can simply open ports in my router and make them accessible from the outside, no VPS or Cloudflare needed. That’d be the direct solution. (And what I use for my personal services on my NAS.) Just mind that discloses your internet connection’s IP address to visitors, so they’ll learn the name of your provider and your rough location.

      • hendrik@palaver.p3x.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        19 days ago

        I’m fairly sure what you mean is, traffic is decrypted in the middle and the re-encrypted before it gets sent your way. Otherwise they couldn’t do proxying or threat detection/mitigation.

        • 3abas@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          19 days ago

          You’re right, sorry, that was a heavy brain fart. The data needs to be decrypted on cloudflare’s end before being proxied and send to your services.

  • topnomi@fedia.io
    link
    fedilink
    arrow-up
    6
    ·
    19 days ago

    I run a jellyfin server. I have gigabit fiber in ohio, USA. Some of my users found it basically unusable when they were geographicly far away, like Hawaii and Thailand. I switched to using cloudflare tunnel as an experiment and the difference was dramatic. They are now able to stream reliably almost as if they were geographically nearby. The fact of the matter is, the cloud flare CDN that’s traffic passes through using the tunnel is infinitely better connected to the rest of the world than whatever home ISP you have.

    That being said, cloudflare plays man in the middle to all your traffic, so I wouldn’t use it for anything that’s particularly secret. But for standard web pages it’s amazing. I run my vaultwarden server directly on my home ip address and not through cloudflare tunnel.

    • observantTrapezium@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      ·
      19 days ago

      Vaultwarden isn’t actually susceptible to man-in-the-middle attacks, since the passwords are encrypted and decrypted on the end device. But some relevant metadata do go over the connection so it’d better have TLS.

    • aaravchen@lemmy.zip
      link
      fedilink
      English
      arrow-up
      3
      ·
      18 days ago

      Warning: Cloudflare Tunnel ToS explicitly prohibits hugh-bandwidth activities on it, naming media streaming in particular. Some people take the chance anyway until Cloudflare might suddenly terminate your connection, it’s merely a low-stakes risk to using it.

      Also worth mentioning: Cloudflare has historically had some involvement with DMCA detection and take down, so if your running a media server with them able to MitM your traffic, they’re almost certainly able to detect and scan if they so chose. They’re a big company so they may not do any relevant scanning on your Tunnel, or you may have only completely Public Commons content on your server, but something you should be aware of.

      Related: I was doing something similar also from Ohio not that long ago. It turned out that most of the ISPs in Ohio have horrible reputations in the global network routing, so they are given low-priority and poor interconnects to other Internet routing companies. It affected both my incoming and outgoing network speeds and reliability. Cloudflare speed tests were the only ones giving any good values, I constantly had disconnects and timeouts for everything else. But when I put a VPN (that had a decent interconnect) on my router with an exit node in D.C. or Chicago, suddenly all my speeds went back to normal values matching Cloudflare results.
      TL;DR your ISP having a poor reputation with their gobal interconnects is very likely to blame for the poor speed issues without Cloudflare Tunnel, and literally any tunneling solution would probably resolve it.

  • AbidanYre@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    19 days ago

    It’s easy to use and takes away some of the hassle.

    If you don’t like cloudflare you could find a VPS you do like and run Pangolin on it to get the same service but maybe not the same level of protection.

    I use Oracle’s free tier to host it. They’re probably worse than cloudflare as far as evil corporations go though.

  • chazwhiz@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    19 days ago

    I just started using them and I like it. It’s a good balance of easy and secure for me. I just added the container to my stack and then use their UI to point a subdomain at the internal port. Security can go pretty extreme if you set up their whole zero trust thing.

    An alternative similar option is Pangolin. I’ve seen a lot of people like it to avoid Cloudflare, but I haven’t used it myself. There still has to be an endpoint running it, so you’ll need an external VPS, which then adds a cost to the equation but at least you control it.

    • hereforawhile@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      19 days ago

      Cloudflared CLI for reverse proxy is as dummy proof as hosting a hidden onion site over Tor. I like it’s simplicity but I know I’m relying on a non free network.

  • urvon@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    19 days ago

    Does your use case include random people on the internet accessing these services or is it just for you? If it’s just you and a couple friends and their devices look into Headscale

  • statiksh0ck@lemmy.usuck.fyi
    link
    fedilink
    English
    arrow-up
    5
    ·
    19 days ago

    Pangolin is also pretty straight forward. I set it up a few months ago to test out on a new server I was firing up and I’ve decided to just switch all my other servers running nginx-proxy-manager over to it.

    Also, if you’re just accessing it yourself and have maybe a handful of people who’d be using it, I’d recommend just setting up Headscale.

    TLDR: Pangolin or Nginx-Proxy-Manager or Tailscale + one of the previously mentioned reverse proxy solutions.

    • this@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      18 days ago

      Pangolin is great, I can expose things like game servers on it and have my entry point in a geographically close data center to keep the ping time lower than other options would let me.

      I’m currently trying out the managed self hosted version, it seems a bit slower, but you also get ha with it which is pretty cool.

    • Sibyls@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      18 days ago

      I wish I could like it. I followed the install directions to a tee, had it working, came across a random bug, hasn’t worked since. Posted an issue and devs said it must be related to using IPv6, but I’m using IPv4. That was a week ago. This is my second time installing by the way, the first time had other issues.

      I’m just bummed because I spent all night changing all my services and DNS to Pangolin after it was working fine, then waking up to find all of them have failed. Had to revert to Cloudflare and I’m probably going to need to spin up another VPS if devs aren’t sure either.

  • stu42j@piefed.social
    link
    fedilink
    English
    arrow-up
    5
    ·
    19 days ago

    What is the advantage of using a tunnel vs dynamic DNS directly to your home IP address?

    • cmnybo@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      19 days ago

      It only requires an outbound connection, which is needed if you’re stuck on CGNAT. It also provides DDoS protection and hides your IP address. It comes with the huge downside of using Cloudflare though.

  • aaravchen@lemmy.zip
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    edit-2
    18 days ago

    Serious limits on Cloudflare Tunnels:

    1. Only works if you use Cloudflare as your domain registrar for that domain
    2. You can’t use it for anything high bandwidth, specifically including streaming media (e.g. Plex/Jellyfin)
    3. They reserve the right to terminate your service tunnel randomly at any time without warning for any/no reason unless you pay them for the service.

    And that doesnt address the issue of getting in bed with Cloudflare (which has its own ethical ramifications).

    I’d recommend one of the alternatives like localxpose.io that offer the same thing but without the limitations. Or you can slap together your own with a wireguard tunnel to a minuscule VPS with some routing rules on it. Both are about €5/month, which is cheaper (the same?) as paying for Cloudflare Tunnel to avoid the random termination and vendor lock in.

    • billhead@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      6
      ·
      18 days ago

      Regarding #1, you have to use Cloudflare for DNS but it doesn’t matter if they are your domain registrar or not.

    • bobalot@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      18 days ago

      I heard you can use Pangolin and self host your own tunnel.

      Haven’t looked into it.

      • aaravchen@lemmy.zip
        link
        fedilink
        English
        arrow-up
        2
        ·
        14 days ago

        Hosting the tunnel is the only real value add from these services, which is why I’m confused by Pangolin’s business model.

        • bobalot@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          13 days ago

          It is strange.

          The only reason people who use Pangolin is to have control over the tunnel rather than rely on a company.

      • aaravchen@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        14 days ago

        To some extent. Cloudflare is extremely explicit about it for their free service though, and they do actively exercise the option if they think you’re getting too much benefit from it.

  • Rikudou_Sage@lemmings.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    19 days ago

    If you want to self host, rent some cheap server somewhere (I use Hetzner) the will act as a proxy and then configure frp.

    It’s basically what Cloudflare tunnel does, except you need to provide the public server instead of Cloudflare giving you one for “free.”

  • solrize@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    19 days ago

    I just found out about cloudflared, it looks straightforward but you need a cloudflare account to use it. IDK what (if anything) they charge for it.

    I have generally just used a VPS for this. I’ve done it through an ssh reverse proxy which is pretty crappy, but a more serious approach would use iptables forwarding or wireguard or whatever the current hotness is.

  • Bluefruit@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    18 days ago

    I used a cloudflare tunnel for streaming music in jellyfin. Didn’t so much else with it and it worked pretty well. Anything high bandwidth you should use something else, but for stuff that doesnt consume a ton of bandwidth like music streaming in my case, it worked fine, at least when I used it a few years back.

  • Abe@civv.es
    link
    fedilink
    arrow-up
    2
    ·
    19 days ago

    @WhosMansIsThis@lemmy.world You Could in theory just use wireguard with nginx.

    DNS pointing to Public VPS -> Nginx running on public vps -> Nginx resolving to internal wg IPS -> Any of your other devices.

    • WhosMansIsThis@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      19 days ago

      Yeah this is a great idea. I was thinking of doing something similar but saw someone mention cloudflare tunnels in another post and figured I’d ask the community. I appreciate you!