Just getting started with self hosting. I was wondering if anyone had experience with Cloudflare Tunnels for exposing their services to the internet. I like the simplicity and security it offers but don’t love the idea of using Cloudflare. Like, I’m self hosting for a reason lol. Any tips would be greatly appreciated!
For context, I’m running all of my services in a very small k8s cluster and my priorities are mostly security then maintainability. Thanks yall!
EDIT: yall are great! Thank you so much for the replies. I'm going to try my luck with Pangolin but it's good to know I have options.
It’s easy to use and takes away some of the hassle.
If you don’t like cloudflare you could find a VPS you do like and run Pangolin on it to get the same service but maybe not the same level of protection.
I use Oracle’s free tier to host it. They’re probably worse than cloudflare though as far as evil corporations go.
I love it, but I’m also a hypocrite. Centralized internet is bad but cloudflared is incredible.
I’m in the same boat. I love that it makes self hosting easier for me. It does what I need and even gives me a small extra measure of security. I admit, I use it because I’m lazy, I could do it without Cloudflare and do for some services. So, I figure if it truly becomes urgent or intolerable I can drop it from the stack.
I just started using them and I like it. It’s a good balance of easy and secure for me. I just added the container to my stack and then use their UI to point a subdomain at the internal port. Security can go pretty extreme if you set up their whole zero trust thing.
An alternative similar option is Pangolin. I’ve seen a lot of people like it to avoid Cloudflare, but I haven’t used it myself. There still has to be an endpoint running it, so you’ll need an external VPS, which then adds a cost to the equation but at least you control it.
Cloudflared CLI for reverse proxy is as dummy proof as hosting a hidden onion site over Tor. I like its simplicity but I know I'm relying on a non free network.
The service is ok, but if you (rightfully) do not want to be tied to Cloudflare, take a look at Tailscale Funnels. Same concept, but from a company that values the user and their privacy. Also, for regular personal/small user base, free tier is more than enough. And you get a free .ts.net subdomain to use with your apps, if you need that.
You also don’t want to be tied to Tailscale, another US company.
Take a look at Pangolin instead.
I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?
Self-hosters aren't lacking in tools to connect between a home server and some internet exposed server so they can tunnel from that public internet server back to their home server, they're lacking in affordable options for the internet accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple Wireguard connection from your home server to a public VPS with a couple trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-like permission-based routing software, but without the actual connection tools or hosting. That's already available for free with Headscale, but Headscale also includes the connections part too. Am I missing something that would make Pangolin even equivalent, let alone better than, the free Headscale project?
- Headscale is essentially a self-hosted, open-source alternative to Tailscale's control server, enabling creation of a private WireGuard-based mesh VPN network. It lets you use Tailscale clients while running your own control server, focusing on secure device-to-device connections without exposing open ports. It requires a server with a public IP for the control server but does not natively manage reverse proxy or authentication for web services.
- Pangolin is a more complete self-hosted solution built on WireGuard and Traefik, combining VPN tunneling with a modular reverse proxy and authentication management. It provides centralized management with role-based access control, 2-factor authentication, automated SSL via Let's Encrypt, and can expose multiple private networks or services through secure tunnels without needing to open firewall ports. It includes a web UI and plugins for security features like WAF, API, and OAuth2/OIDC identity providers.
If you want to self host, rent some cheap server somewhere (I use Hetzner) that will act as a proxy and then configure frp.
It’s basically what Cloudflare tunnel does, except you need to provide the public server instead of Cloudflare giving you one for “free.”
I just found out about cloudflared, it looks straightforward but you need a cloudflare account to use it. IDK what (if anything) they charge for it.
I have generally just used a VPS for this. I’ve done it through an ssh reverse proxy which is pretty crappy, but a more serious approach would use iptables forwarding or wireguard or whatever the current hotness is.
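The VPS-plus-WireGuard approach that the two comments above describe (a WireGuard link from the home server out to a public VPS, plus a couple of forwarding rules on the VPS), as an added example that is not from anyone in this thread. All addresses, ports and key placeholders are constructed assumptions; the functions only print the configs so they can be reviewed before being installed as /etc/wireguard/wg0.conf on each side and loaded with nft -f on the VPS.

```shell
# Constructed placeholder values (assumed, not from the thread); 203.0.113.0/24 is a documentation range.
VPS_PUBLIC_IP="203.0.113.10"
VPS_WG_IP="10.8.0.1"
HOME_WG_IP="10.8.0.2"
WG_PORT="51820"
SERVICE_PORT="443"   # the only service port the VPS exposes; TLS still terminates at home

# VPS side: listens publicly for the tunnel and accepts only the home server's key.
vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Home side: dials out, so no inbound port on the home router; keepalive holds the NAT mapping open.
home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = <HOME_PRIVATE_KEY>
[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# VPS nftables: DNAT public :443 into the tunnel, masquerade so replies return via wg0,
# and forward nothing except that one flow (the VPS also needs net.ipv4.ip_forward=1).
vps_nft_rules() {
  cat <<EOF
table inet tunnel {
  chain prerouting { type nat hook prerouting priority dstnat; tcp dport ${SERVICE_PORT} dnat ip to ${HOME_WG_IP}; }
  chain postrouting { type nat hook postrouting priority srcnat; oifname "wg0" masquerade; }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    oifname "wg0" ip daddr ${HOME_WG_IP} tcp dport ${SERVICE_PORT} accept
  }
}
EOF
}
```

TLS is still terminated on the home server, so the VPS only ever relays ciphertext, which is exactly the property the Cloudflare setup gives up. The masquerade rule means the home service logs the VPS tunnel address instead of the real client IP; drop it and add a return route on the home side if you need client addresses.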
I'm using Pangolin, which is the current hotness. It's somewhat like Cloudflare tunnels, but you need a VPS (find a cheap one). That tunnels back to your house. I opted into using crowdsec as another layer. It's a part of their setup process.
I only used their quick tunnels for some testing as it doesn’t need a domain and natively runs under Termux. For that at least it worked fine.
But I probably wouldn't use them for anything serious. Typically you're doing everything to avoid MITM, and now this is just the opposite of that. Cloudflare is very popular, there should be plenty of people around with experience. And Cloudflare is convenient and fairly easy to use. I wouldn't call them "secure" though. I mean that depends on your definition of the word... But they terminate the encryption for you and handle certificates, so it's practically a man-in-the-middle, as they process your data transfers in cleartext. But as far as I know their track-record is fine. I have some ethical issues because they centralize the internet and some of their stuff borders on snake-oil... But it's a common solution if you can't open ports in your home internet connection, need some caching in front of your services, something to block AI scrapers, or you need a web application firewall as a service.
Edit: removed inaccurate and potentially misleading information.
I’m fairly sure what you mean is, traffic is decrypted in the middle and the re-encrypted before it gets sent your way. Otherwise they couldn’t do proxying or threat detection/mitigation.
You're right, sorry, that was a heavy brain fart. The data needs to be decrypted on cloudflare's end before being proxied and sent to your services.
I run a jellyfin server. I have gigabit fiber in Ohio, USA. Some of my users found it basically unusable when they were geographically far away, like Hawaii and Thailand. I switched to using cloudflare tunnel as an experiment and the difference was dramatic. They are now able to stream reliably almost as if they were geographically nearby. The fact of the matter is, the Cloudflare CDN that traffic passes through using the tunnel is infinitely better connected to the rest of the world than whatever home ISP you have.
That being said, cloudflare plays man in the middle to all your traffic, so I wouldn’t use it for anything that’s particularly secret. But for standard web pages it’s amazing. I run my vaultwarden server directly on my home ip address and not through cloudflare tunnel.
Vaultwarden isn't actually susceptible to man-in-the-middle attacks, since the passwords are encrypted and decrypted on the end device. But some relevant metadata does go over the connection so it'd better have TLS.