MikroTips: Cloudflare Zero Trust Tunnel

Captions
We already have a nice tutorial series about making containers in RouterOS, so in this video I will not go into every detail on how to run your own container image. Instead I will simply give you another interesting use case on what you can run in your MikroTik router.

So this is from a real-life situation; in fact I just set it up myself. I have a home network behind my hAP ax2 router. One of the LAN devices is a NAS server. This NAS server hosts web pages and other services, so it needs to be accessible with HTTPS from the internet. Now the drawback of this is that the NAS software itself becomes a target for all kinds of attackers. Or maybe I don't want my home IP to be visible to the internet at all: I want to completely hide my real IP, but still I want to host some web services. There are many ways you can protect your devices in a situation like this, for example change the Synology access port to something obscure and then block access to the port for anyone outside the LAN. That is the most common way to do this, but you will still be exposing your IP. In my specific situation I wanted the port to remain SSL 443, so I went with a different approach, using a nice service offered by Cloudflare, formerly called Argo. Now it's called simply Cloudflare Tunnel, and it is available for free under the Cloudflare Zero Trust family of products. There are many things you can do and it's quite powerful, but I will concentrate on only one feature here. What it does: it runs a small program on your server, or in my case on my router, which then creates a tunnel to Cloudflare. In Cloudflare it will set up a DNS record for your chosen service, such as HTTPS in my case, and then it will forward any requests to that specific DNS name to your LAN IP address in your network through the secure tunnel. In fact you could actually block all incoming connections from the outside world and only provide your services through the Cloudflare tunnel. The benefit of this would be the ability to further protect your service with other Cloudflare services, such as their excellent DDoS protection, bot protection, or Zero Trust access portal, which basically puts an additional login page on any URL you specify in your settings. Another thing is that you don't need a public IP at all. Anyway, this is not an advertisement for Cloudflare, so let's move on to configuration.

All right, let's talk about requirements. You must be registered on Cloudflare, and your DNS name should already be managed by Cloudflare; it must also be able to create a record for you. And, well, you must be somewhat familiar with how to use Cloudflare; that would be beneficial too. Also, this assumes you already know how to set up containers in MikroTik, so go watch our container video series first.

So let's go to the Cloudflare side. Go to the Zero Trust dashboard and under Access make a new tunnel. Provide some name and you will get your access token; click Next. Now you should provide a new public subdomain for your service. If the subdomain already exists in your normal Cloudflare DNS dashboard, you should first delete it there, because in the tunnel section it will actually create a new DNS name, so it can't be an existing one. So first delete it from there, then go back to the tunnel settings and add it again. So in my case it will be nas.example.com. In the service section I will choose HTTPS as the service, and the URL will be 192.168.88.100, which is my NAS server IP in my local area network. What I'll also do is turn off TLS verification, so that there are no certificate errors between the NAS server and the router, because, well, my NAS server only has an IP address and there is no DNS in my local network. So let's go to TLS and "No TLS Verify".

Now moving on to the MikroTik side of things. I will not be using a separate bridge for the container; I will make a new veth interface and I will actually give it an IP address from my local network, 192.168.88.123/24, and the gateway is my router, 192.168.88.1. Now if you watched our previous videos about containers, just a reminder: you must be sure you have enabled container mode in your Device Mode menu, and that you also have provided a container registry address in the Container menu. So in the Container menu just click on Config; there is the registry URL, registry-1.docker.io. Let's click Add and specify the container remote image, then choose the newly created veth interface, and from your Cloudflare dashboard copy the provided run parameters into the CMD field. Now you can start the container. If you see that the container is running, you can now check the Cloudflare tunnel status. If it shows healthy, it means it's working, and you can now use the nas.example.com address and be safely forwarded to your NAS device login screen. The benefit is that your IP is not exposed to the internet at all, and nobody can know your actual IP address. Like I said previously, you don't even need a public IP address, since the connections are going through a tunnel, which can be made even from private IPs. There are many more powerful use cases for this, but that's not the point of this video. Anyway, I hope this helps you get started, and thanks for watching.
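The RouterOS side of the procedure above, written out as CLI commands so the WinBox clicks in the video can be reproduced or scripted. This is an added example, not from the video or from MikroTik's documentation. It assumes the LAN bridge is named `bridge`, that container storage lives on `disk1`, that `<TUNNEL_TOKEN>` stands for the token the Cloudflare Zero Trust tunnel dialog shows, and that the run parameters the dashboard provides take the form `tunnel run --token ...` (the `cloudflare/cloudflared` image's entrypoint already supplies the `cloudflared` binary, so only the arguments go into `cmd`).

```routeros
# Added example (not from the video): RouterOS 7 CLI equivalent of the container steps.
# Assumptions: LAN bridge is "bridge", container storage is on "disk1",
# <TUNNEL_TOKEN> is a placeholder for the token copied from the Cloudflare dashboard.

# 1. Container mode has to be enabled once; RouterOS then asks you to confirm
#    with a power cycle or the reset button before the setting takes effect.
/system/device-mode/update container=yes

# 2. A veth interface with an address from the LAN, attached to the existing
#    LAN bridge (no separate container bridge), gateway = the router itself.
/interface/veth/add name=veth-cloudflared address=192.168.88.123/24 gateway=192.168.88.1
/interface/bridge/port/add bridge=bridge interface=veth-cloudflared

# 3. Registry and temp directory so RouterOS can pull the image.
/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk1/pull

# 4. The cloudflared container; cmd carries the run parameters from the dashboard.
#    logging=yes sends container stdout to /log, which is where you look first
#    if the tunnel does not show "healthy".
/container/add remote-image=cloudflare/cloudflared:latest interface=veth-cloudflared \
    root-dir=disk1/cloudflared cmd="tunnel run --token <TUNNEL_TOKEN>" \
    logging=yes start-on-boot=yes

# 5. Start it and confirm status=running; then check the tunnel in the dashboard.
/container/start [find interface=veth-cloudflared]
/container/print

# 6. Optional, as the video suggests: with requests arriving through the tunnel,
#    nothing from WAN needs to reach the NAS directly, so drop such forwards.
/ip/firewall/filter/add chain=forward in-interface-list=WAN dst-address=192.168.88.100 \
    connection-state=new action=drop comment="NAS reachable only via Cloudflare tunnel"
```

If you had a dst-nat rule publishing the NAS on port 443 before, remove it as well; otherwise the public IP you set out to hide stays reachable on that port regardless of the tunnel.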
Info
Channel: MikroTik
Views: 39,076
Keywords: mikrotik, routerboard, routeros, latvia
Id: BbDnBxlBTdY
Length: 6min 1sec (361 seconds)
Published: Wed Jan 04 2023