In the past if you wanted to expose a service or application in your home lab environment to the internet you had 2 options:
- use a VPN to connect to your local network and then gain access to your home lab
- buy a domain name and use a DDNS service to link your public IP address to the domain
Both options are decent and somewhat secure, but they have some drawbacks.
The first drawback and the biggest one in my opinion is the fact that you have to expose some ports to the internet.
By doing so, you must make sure you have a decent router/firewall at home so you can configure strict ACL rules and block suspicious attempts to access those ports.
Even so this can lead to suspicious traffic and in some rare cases hacking/flooding attempts.
Also, some ISPs do not allow certain ports to be publicly exposed, and they may apply traffic limitations.
And in the case of using a DDNS to update the A record of your domain name, it can be a little complicated to set up.
Especially if you have multiple services that you want to access from a public internet connection.
You need to use an extra application on your server (a reverse proxy) that manages all the incoming traffic and then makes the correct connections to your local machine.
I know! For most of you reading this article those are not huge drawbacks, because I'm sure you are pretty tech-literate and can figure those quirks out. But if you are a beginner in this space it can be overwhelming and the learning curve can be a little steep.
But I have a better way! Using a Tunnel from Cloudflare
How does a Cloudflare Tunnel Work?
„Cloudflared establishes outbound connections (tunnels) between your resources and Cloudflare’s global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many cloudflared processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center.”

So basically a secure connection is established between your server and Cloudflare through a domain name that you set up in your tunnel configuration, without exposing any ports to the internet and without ACLs.
Learn more about Cloudflare Tunnels here.
Configure a Cloudflare Tunnel connection in 3 minutes (on average)

Before we start!
Register a free Cloudflare account here.
Make sure that you have acquired a public domain name. You can register a domain name on Cloudflare or you can use any other TLD providers out there.
After that you need to change the nameservers of your domain to the Cloudflare ones.
This method is for configuring a Cloudflare Tunnel inside of Docker, but if you don't have Docker or don't want to use Docker there are other options available such as Debian, Red Hat, Windows or macOS.
The configuration process will be done on the home lab server that has an active internet connection.
- Go to https://dash.cloudflare.com/ and add a website
- Then click next and you will see the nameservers that you need to change for your domain
- After changing the nameservers wait a few minutes so the update propagates
- Now click on Access (the option is on the left side menu) and then click on the blue Launch Zero Trust button
- Go through the configuration process
- You will again see an Access option in the left side menu; expand it and then click on Tunnels
- Click on Create tunnel and give it a name
- Now choose the environment in which you want to configure the tunnel connection & follow the instructions for your operating system
- All that is left to do is configure the domain or subdomain for the tunnel and the service IP
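For the Docker route, the connector can be run from a Compose file instead of a one-off `docker run`. The following is an added example, not part of the original article or Cloudflare's instructions; the `whoami` sample service, the network names and the `.env` file are assumptions to replace with your own.

```yaml
# docker-compose.yml (added example; service and network names are assumptions)
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    # The tunnel token is read from the TUNNEL_TOKEN environment variable,
    # so it does not appear in the container's process arguments.
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}   # defined in a .env file beside this file (chmod 600)
    restart: unless-stopped
    cap_drop:
      - ALL                            # the connector only makes outbound connections
    security_opt:
      - no-new-privileges:true
    networks:
      - egress                         # outbound path to Cloudflare
      - backend                        # reach the app by its service name
    # No "ports:" section: nothing is published on the host or the router.

  whoami:                              # placeholder for the service you want to expose
    image: traefik/whoami
    restart: unless-stopped
    networks:
      - backend
    # No "ports:" here either; only cloudflared can reach this container.

networks:
  egress: {}
  backend:
    internal: true                     # containers on this network have no route to the internet
```

With this layout, the service URL entered for the tunnel's hostname in the dashboard is `http://whoami:80`.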
Important things to take into consideration
Some limitations apply to streaming services/file sharing services
Because Cloudflare is not really meant for Big Data services or Streaming Services, in some cases the connection to the tunnel may be interrupted.
On the Cloudflare free plan, if you also use the Proxy feature for your domain, you will be limited to a request size of 100 MB, so in this case you need to disable the Proxy.
If you disable the Proxy some of the security features of a tunnel will be disabled.
Proxy setting | WARP disabled | WARP enabled |
---|---|---|
Proxy disabled | No limit | No limit |
Proxy enabled (Free) | 100 MB | 100 MB |
Proxy enabled (Pro) | 100 MB | 100 MB |
Proxy enabled (Business) | 200 MB | 200 MB |
Proxy enabled (Enterprise) | 500 MB (default) | 500 MB (default) |
Activate full SSL/TLS encryption
I highly recommend you enable SSL/TLS from the Cloudflare control panel.
To do so, go to https://dash.cloudflare.com, select the domain that you've just added, then click on SSL/TLS, set it to Full and also check SSL/TLS Recommender.
Enable no TLS Verify for https services with a locally signed certificate
Go into your Zero Trust menu and select your subdomain or domain.
Click Configure, scroll down to Additional application settings and, under TLS, disable No TLS Verify.
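The No TLS Verify toggle corresponds to the `noTLSVerify` origin setting in cloudflared. The following added example (not from the original article) shows it in a locally-managed tunnel's `config.yml`, next to the alternative of trusting your own CA; all hostnames, IP addresses, file paths and the tunnel ID are placeholders.

```yaml
# config.yml for a locally-managed tunnel (added example; all values are placeholders)
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Option A: the effect of turning on "No TLS Verify". cloudflared accepts
  # any certificate the origin presents, so the hop from cloudflared to the
  # service is encrypted but the service's identity is not checked.
  - hostname: nas.example.com
    service: https://192.168.1.10:5001
    originRequest:
      noTLSVerify: true

  # Option B: keep verification on and trust the CA that signed the
  # local certificate instead.
  - hostname: git.example.com
    service: https://192.168.1.20:3000
    originRequest:
      caPool: /etc/cloudflared/homelab-ca.pem   # PEM file of your local CA
      originServerName: git.home.lan            # name the origin certificate was issued for

  # Required catch-all rule: requests that match no hostname get a 404.
  - service: http_status:404
```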
Are you planning on using a Cloudflare Tunnel? Let me know in the comment section below.