
nicomt | 7 months ago

It's not open-source or self-hosted but putting it out there: CloudFlare zero-trust is amazing and free. In my setup, I have a cloudflared tunnel configured in my homelab machine and I expose individual services without a VPN or opening up my firewall. You can also set up authentication with SSO, and it happens before reaching the backend application which makes it more secure. This is easy for family and friends to use, because they don't need to setup anything from their side, just go to the URL and login. https://developers.cloudflare.com/cloudflare-one/connections...

cromka | 7 months ago

I seriously don't understand why people would choose this over not exposing anything at all, except for a Wireguard port. I have my client automatically connect to my home LAN when I'm not on WiFi and get access to all my self-hosted services without risking anything. You rely on a third-party solution which may or may not be made to government agencies. You also need to trust that Cloudflare doesn't make mistakes, either.

Also, how do you configure Cloudflare for a road warrior setup? How do you track ever-changing dynamic IPs? As mentioned, all I need is a Wireguard client and I'm golden.

nicomt | 7 months ago

> You rely on a third-party solution which may or may not be made to government agencies.

That's a fair point, but for my use case, I feel comfortable enough with CloudFlare given the trade-offs.

> You also need to trust that Cloudflare doesn't make mistakes, either.

I think the chances of CloudFlare making a mistake are much lower than me or any other individual developer.

> Cloudflare for a road warrior setup? How do you track ever changing dynamic IPs?

I think you need to read the docs. All of that works without any extra config when using tunnels.

javier2 | 7 months ago

CloudFlare zero-trust is very good, but I thought you need to have Cloudflare as a man-in-the-middle on your domain to have this authentication flow work? I.e., the TLS certs need to live with Cloudflare.

nicomt | 7 months ago

Yeah, that is how I use it. You can technically host any TCP traffic, including end-to-end encrypted data, through CloudFlare tunnels, but you need the cloudflared app installed on the client side to access it (SSO still works even for this case). I find having to manage certificates and installing cloudflared everywhere is too much of a hassle. I understand that proxying through CloudFlare gives them a lot of visibility and control, but I find that risk acceptable given my application.