Using Cloudflare Tunnels For Hosting & Certificates Without Exposing Ports On Your Firewall

Captions
Tom here from Lawrence Systems, and we're going to talk about Cloudflare Tunnels. Now, this is a free offering from Cloudflare that means no need to open ports; it does not expose your public IP address; it works behind CGNAT. And you're probably thinking, well, how do they offer that for free, and is it too good to be true? Is this really that easy, to host my servers without exposing any of those things and creating those extra complexities of having to deal with certificates? Yeah, it's actually free. Now, why is it free? Best speculation is Cloudflare wants you signing up for services, so they hope to upsell you on more services.

Now, there are a couple of prerequisites here. You do need a domain. Now, you don't have to transfer your domain to Cloudflare, although that is an option; they will handle domain registration, you can register domains through Cloudflare. I simply took my name servers for one of my domains (the one we're using in this demo is going to be lawrence.video) and I just swapped over the DNS settings for it. Pretty simple to do. My domain registrar is Hover, so you just go in there and change out whoever you want the name servers to be.

Next, you need to have a server that can run the Cloudflare tunnel server, or tunnel client. This client can run as a Docker container, can run on Mac, Windows, Linux; it can run as a standalone daemon in Debian Linux. So there are a lot of different options that we'll talk about; we'll be using the Docker one specifically. And you need to have, wherever that server is, the ability to talk to the other servers, or the services on that system that you want to talk to, to broker that connection. Now, what I mean by that, and I'll have a layout that we'll be covering of how that works: the server that you load this on, I have Docker on it, I have a few other Docker containers; you can talk directly to those other Docker containers, but it can also reach out laterally and move to the other servers that it has access to, and that's something that matters a lot for this final prerequisite, and that is trusting Cloudflare.

The Cloudflare dashboard talks to the Cloudflare server to say which ports should be open and which services should be exposed. If someone else were to take control over that dashboard, they would be able to send down commands and say expose things that maybe you didn't want to expose. That's just something you should keep in mind when you're thinking about how the security works. It's not a reason not to do it; it's just understanding who's in those trust boundaries when you set up services.

Final note is about how the encryption works in terms of the data that may pass through a local service back out to the Cloudflare cloud. Because Cloudflare is working as a reverse proxy, any data that goes through that reverse proxy could be seen. So whatever is sent over those connections, because they're terminating the SSL for you via their tool, there's a way to pick that data out of it via that tool itself. Now, the tool being open source means you should be able to see how they're doing it and look at it, but it's just one more thing to put in consideration, and why trusting Cloudflare is part of the final prerequisite, because they're all in your trust circle, and so is any data that will be traversing it. The consideration you may want is to limit where these servers live and what else is on there. So if you have something that absolutely should never be publicly exposed, you may not want to have it within reach of where this Cloudflare service runs. I just want to throw this out there; there's not any reason I have not to trust Cloudflare, not that I don't think they've done a good job on security; it's just always being aware of who you have in your circles of trust when you're building out technology.

Now, before we get started with this tutorial, let's first... Are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our hire us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

All right, let's start by covering some of the basics of how this lab is set up, the layout, and the goals. So we want someservice.lawrence.video to be accessible publicly with a certificate. The way you would do that with, for example, HAProxy would be to load HAProxy on a pfSense firewall (I've got a whole video on that), set it up, and then point it to the services that are running over here on this Ubuntu server that's at 192.168.1.4 and is running Docker with a few different containers on it. The other option might be to run a reverse proxy in Docker as well, and then have certificates that then go through here, and you port forward so you could expose the service. You have to make sure the DNS for that service is pointing there. All of this, though, comes with the, well, problem of it's going right through your firewall and you're exposing your public IP address. And you're wondering why that is bad. Well, generally, if you're a home user building your home lab, you may not have a very robust ISP that can deal with any type of DDoSing that may occur. This is a problem that you can ask Jeff Geerling about; he has a few videos about DDoSing and his setup and the mitigations he's done about it.

Back to the topic here, though. Let's talk about a simpler way of handling this, and a simpler way of handling the certificates. So here is the same idea: someservice.lawrence.video reaching out to the Cloudflare edge. The Cloudflare edge sits between you and the services. So the tool is going to run (and we're going to run this in Docker, but it can run as a daemon, it can run as a service in Windows, it can run on Mac); the Cloudflare connector tool is going to be running on this Ubuntu server at that same IP address of 192.168.1.4. It's just going to pass through the firewall like any other service reaching out to the internet, so there's nothing we have to do on the firewall to configure it. If the firewall IP address changes, or if it's behind CGNAT or double NAT, it doesn't really matter, as long as it can reach the Cloudflare servers publicly. From there, anything that this particular server has lateral access to, so if it is able to reach out to (and we'll do this in a demo here) this Synology server at 192.168.60.15, then no problem, it's going to be able to reach out to that server and broker the connection back out to the Cloudflare edge. And then any clients trying to access it are always accessing via the Cloudflare edge and not exposing your public IP address. And it doesn't matter if your firewall IP address changes; this can change dynamically and it re-synchronizes quite fast, because the Cloudflare tool is always reaching out to their servers to let them know where it's at, and they can broker those new connections. So it's not a big deal if your IP address changes.

Now let's talk about, functionally, how to get this set up. Now, for simplicity, we're only going to be talking about using HTTP and HTTPS, but there are actually more services this Cloudflare tunnel can support, and there's a lot more it can do, but this will get you started with the common things of just exposing things that you maybe want to self-host that are web-based services. So this is the documentation; plenty of it, lots to read. We're going to be using the documentation as a reference, but I'm not going to go through every detail in here, but they have plenty of use cases and lots of details. The other thing you need to set up is the Cloudflare Zero Trust dashboard. I'm going to skip setting that up; it's really easy, you just go through the basics of registering an account with Cloudflare for that. And also, as I said in the beginning of the video, there's an assumption that the DNS has already been done for whatever domain you have, in this case lawrence.video.

Now we're over here in the Cloudflare Zero Trust dashboard. If it's your first time signing up for it, just scroll down to the bottom; always look for the free option that they have. We're going to be here to Access; we're going over here to Tunnels, and we're going to create our first tunnel. "Tom's tunnel for YouTube" sounds like a great name for this. Save tunnel. And don't worry, this will be deleted by the time I post this publicly, therefore anything that you see in here I'm aware of could cause a security risk, as in for you, because if you add your service to my dashboard, that would be really interesting, because I'd be able to map things in here to whatever services you may have. But here: "store your token carefully, this command includes the server token; anyone with access to the token will be able to run the tunnel." That's the point that they're making here. We have a Debian option, 64-bit, 32-bit, ARM options. I've tried it with the Debian daemon; it works perfectly fine, didn't have any problems with it. Because we're running Portainer and a few other things in Docker, I thought, hey, why not do it in Docker? A lot of you do run Docker images in the home lab, because, well, they kind of make things easy, I'll admit. So we have docker run, cloudflare latest, tunnel, no auto update, run, and here's the token. We're going to go here and copy this, but we're going to add a couple of things before we paste it into the server. But let's go ahead and paste it in and then add those extra parameters.

So right after docker run we're going to add --name cloudflare-tunnel (give it a nice name), --restart unless-stopped, and then the rest. It's a really simple add, but what this does is runs it in daemon mode, names it cloudflare-tunnel, and says restart unless stopped. This means it will automatically restart, or start, whenever you restart the server that is running this. Then let's go over here and see if it's up and running. Go here to Portainer and, hey, look, there's our Cloudflare. If we click on the logs icon in Portainer, there we go, we can see it, we can see the logs; makes it really easy. If you're not familiar with Portainer, check it out; it's free, it's also a Docker image itself, it does make managing Docker images really easy.

All right, let's go back over here and hit next. Now let's create the different domains that we want, the subdomains, if you will. So I have Uptime Kuma running, and I have it running right here. If we click on Uptime Kuma and the port, we see it's running at 192.168.1.4:3001. It's on the same server that this is running at, so we know it has access to it. Let's go back over here and we'll call it Uptime Kuma demo YT, for YouTube. Now, you could not put the subdomain and just have it right there, where it would be lawrence.video, but we're going to have several services, so I'm going to create a series of subdomains. So, lawrence.video; the type is HTTP, because this is a not-secure, standard HTTP, not HTTPS, connection. Let's go over here, paste in the IP address; we don't want http in front of it, so it's 192.168.1.4:3001. Nothing else we really have to do to get this working. Save Tom's tunnel. Now we see that the tunnel status is healthy because it's up and running in Docker. There's the origin IP of this tunnel. Now, this is what's kind of cool: you can see this public IP (don't worry, it's not my public IP, it's just one of them I have set up here), but if your IP changes where this is coming from, this updates really fast. Matter of fact, if we go over here to Portainer and we hit stop on this one, so we'll take down the Cloudflare tunnel; it's exited. We click here and click back; we can see this tunnel is down. We go back over here and we'll restart that tunnel, so we'll hit start; it started. Look at the logs; it's already registered with it. So if we go here real quick, just click off it and click on it again: healthy. It's right back up and running, so the restart time is really fast.

Now, the next thing I want to do is go in and check to see if the system we set up with this public hostname, this Uptime Kuma demo, is working. So we're taking this public IP address, which is going to wrap over to this particular instance of Uptime Kuma. So we'll go ahead and click on it; it brings us right back up to the dashboard here, and now we can log into my Uptime Kuma. By the way, if we click here, it says connection is secure, certificate is valid; it gave us a wildcard certificate here. So now I didn't have to do anything, and it's brokering the connection. Of note, as I mentioned earlier, because this is not secure but the security is being added by the Cloudflare tool, the communication is going from this Portainer instance, which also runs on the same Cloudflare server at 192.168.1.4; it's brokering the connection, so any visibility for plain-text traffic is going to be occurring within this particular system, not over the public internet. From the connection from this server outgoing, once it reaches into the Cloudflare tool, it's encrypted all the way through to the endpoint where we have it right here.

But we can also add trust for things that are internally using HTTPS, so let's go ahead and do that. Let's go ahead and add another public hostname, and we're going to do this one with the Synology Surveillance Station, and this is my Synology Surveillance Station model DVA. So we'll give it that same name. This does have an HTTPS connection, so this has got a self-signed certificate, and we'll pull it up real quick to show you what it looks like. Here it says not secure, but we're at 192.168.60.15:5001, and yes, this server does have access to that. Go back over here, so we'll go ahead and put that IP address in here, HTTPS. One more thing: because it's a self-signed certificate, we're going to go here to Additional application settings, TLS, and we want to skip verification. If you don't do this, you'll end up with a little bit of a headache trying to figure out why it won't connect. And what you're doing is skipping validating whether or not that self-signed certificate is valid, because it's not; that way, when it talks to it, we can just skip that verification. Save hostname. So now we have an HTTPS connection, which means the connection from this server at 192.168.1.4 to 192.168.60.15:5001, that connection across my local network, is encrypted, then it's encrypted again and that information is passed along to Cloudflare via their edge. And we should be able to click on this and log into the Synology DVA, so I can do my full login, log in with my username, my password, view my cameras, everything else on here, and I've not done any public exposing of any of my systems, and it's easy enough for me to, you know, quickly change that DNS setting.

And if you looked up the DNS for any of these, let's do that real quick. When we run a dig command on surveillancestationdva.lawrence.video, the public IP addresses it shows are the 104.21.72 one and the 172.67.187 one, because it actually registers with redundant servers, with two A records over in Cloudflare. So these are both Cloudflare-owned servers that are handling the processing of this, so nothing is exposed in terms of my system itself, other than what I showed you in the control panel.

Now let's talk about adding an extra layer of security that they have in here. This is just really amazing that they added this and offer it for free. I really recommend doing this if you have a service that you don't quite want publicly exposed, but you want it publicly exposed for certain people, and let's talk about how you can do restrictions on that. Let's go ahead and add another one, such as our Uptime Kuma, but let's make it different. You can have more than one, even if they point to the same thing. So we'll edit this one, so we can just copy that, make it easy. So this is Uptime Kuma demo, and let's go ahead and configure public hostname, add one, and we'll call this one uptime secure Kuma. Same thing here, HTTP, so all parameters are the same here, but we're going to call this one uptime secure, because I want to add an extra layer of security. So if I click this, it's going to look just like the other one, but let's go ahead and go to our Applications here, add application, self-hosted, give it a name. The name is going to be uptime secure Kuma; the domain, uptimesecurekuma.lawrence.video; there's no other path. We'll leave all this at default; there are a lot of details you can do in here, but for now we'll just keep it pretty simple. And our policy name, let's keep the same name, consistent here, and then we want to choose how you want to authenticate. We can say anyone with an email, so they have to provide an email address to make this work, or maybe we want to get more specific: emails ending in domain. But there are actually IP ranges, country, common name, valid certificate, lots of other login methods in here. But ending in domain, and so the domain would be @lawrencesystems.com, because I want to share this only with my employees, for example, so anyone at lawrencesystems.com is going to be able to get into this. So, great, we'll leave everything else at default; like I said, there are a lot of things you can do in here. Add application. So here are all the details. Now let's go to the domain and see what happens. Copy the link here. It seems to need a domain, so let's type in demotest@lawrencesystems.com and send me a code. I'm going to wait for an email to come; as soon as that email comes, I'm going to put that code in. Cloudflare has emailed me a code; we're going to go ahead and hit sign in with this code, and now it brings me to the secure version of the Uptime Kuma. This is a really nice extra layer that you can put in front of things so they can't just poke at it, "they" being anyone who wants to publicly find these addresses; they would need whatever those parameters are that you apply to add that extra layer of security. This is a really nice thing that they're doing, because, you know, if there's a problem with one of your publicly hosted servers and you don't get it updated in time, this is one more layer in front of it that someone would have to get through in order to get to that server. But of course with the added inconvenience that once your session expires, you would have to go through the same convenience as well. But it's a nice feature that you do have the option of adding.

My overall feelings are that I like the Cloudflare tunnel system. There is a bug that I think is a little weird; I'm going to do a little testing and maybe report it to Cloudflare. I found, and that's if you create a tunnel and create a bunch of those different names, and then you delete the tunnel but don't delete the names that were created, it seems to leave all those DNS entries, and therefore you can't create a new tunnel like you would in a YouTube demo where you want to use the same names again, and find out they don't work because it already has those extra connections in there. Now, if you delete the names in the tunnel prior to deleting the tunnel, they delete perfectly fine, and it's probably not an issue you may run into unless you are creating tunnels, deleting tunnels, and not deleting the attached domains you created within that tunnel. But I don't think it's too big of a deal; it's just something I noticed as someone who's creating demos, where I usually test all of this many times to make sure I can do the demo properly before creating content around it. But I thought it's worth mentioning. If someone from Cloudflare sees this and tells me what it is, that'd be great, or if you have seen this problem, you know it's a known bug, or if those domains expire after a day of not having a tunnel attached to them, that would be interesting as well; that's the part I'm going to be testing. Leave your thoughts in your comments down below; let me know how you like this service, or if you've had some problems with it, or you just really enjoy it. So far, all the testing I did, I didn't find anything buggy or weird about it. It seems to be pretty simple to do. It has a lot, lot more than I've covered; there are a million other features it can do, but I figured for most people this is enough to get them started. I did that Bitwarden video the other day, and people said, well, hey, isn't this good for using it for, like, self-hosted Bitwarden? Yes, as well as a lot of self-hosted web applications, which are pretty popular in the home lab. This is a great way to put things in front of it, and also a great way to add a little bit of security in front of it as well, with that, you know, registering only a domain, or maybe a specific email that requires sending something to authorize it before it's viewable. I just like these little extra layers of security they put on there, and I think it's a really cool service that Cloudflare offers. Links down below to the documentation; lots to read through over there, or head over to my forums for a more in-depth discussion. Thank you.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the hire us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
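The video builds its two public hostnames (an HTTP origin on the cloudflared host and a self-signed HTTPS origin on another LAN host, with TLS verification skipped) through the Zero Trust dashboard. The config file below is an added example, not from the video or from Cloudflare's documentation: it is the equivalent locally managed cloudflared config.yml, with the same two mappings, plus the hardened form of the self-signed origin that pins the Synology's certificate instead of switching verification off. The tunnel UUID, credentials path, hostnames, PEM path and originServerName value are constructed placeholders; only the 192.168.1.4:3001 and 192.168.60.15:5001 origins come from the video.

```yaml
# Added example (not from the video): a locally managed cloudflared config.yml
# that mirrors the two public hostnames built in the Zero Trust dashboard.
# Tunnel UUID, credentials path and hostnames are constructed placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Plain-HTTP origin on the same host as cloudflared. The hop from cloudflared
  # to port 3001 is cleartext but never leaves 192.168.1.4. TLS to the browser is
  # terminated at the Cloudflare edge, so Cloudflare itself sees this traffic in
  # the clear; that is the trust-boundary point made at the start of the video.
  - hostname: uptime-kuma-demo-yt.lawrence.video
    service: http://192.168.1.4:3001

  # Self-signed HTTPS origin on another LAN host. This is the weak setting the
  # video toggles in the dashboard (TLS > No TLS Verify): cloudflared accepts
  # any certificate, so a device that can sit on the LAN path to 192.168.60.15
  # could present its own certificate and read the credentials sent to the DVA.
  - hostname: surveillancestationdva.lawrence.video
    service: https://192.168.60.15:5001
    originRequest:
      noTLSVerify: true

  # Hardened form of the same origin: export the Synology's self-signed
  # certificate to a PEM file once and pin it as the trusted CA for this origin.
  # originServerName is the name the certificate was issued for (assumed value).
  - hostname: surveillancestationdva-pinned.lawrence.video
    service: https://192.168.60.15:5001
    originRequest:
      caPool: /etc/cloudflared/synology-dva.pem
      originServerName: synology-dva.local

  # Required catch-all: anything not matched above gets a 404 from cloudflared,
  # so a stray hostname never falls through to an origin by accident.
  - service: http_status:404
```

Run `cloudflared tunnel ingress validate` against this file before starting the connector with `cloudflared tunnel --config /etc/cloudflared/config.yml run`. Note that a connector started with the dashboard token, as in the video, takes its hostnames from the dashboard instead of a local ingress block, so the two styles should not be mixed for the same tunnel. The pinned entry is the one to keep: it leaves the LAN hop to the DVA verified while still not requiring a publicly trusted certificate on the Synology.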
Info
Channel: Lawrence Systems
Views: 150,964
Keywords: LawrenceSystems, cloudflare, tunnel, cloudflare tunnel, home network, safe, linux, home lab, nginx reverse proxy, reverse proxy, traefik, traefik reverse proxy, cloudflared, home lab setup, host website, homelab, cloudflare tunnel docker, cloudflare tunnel setup, cloudflare tutorial, cloudflare tunnel tutorial, cloudflare argo tunnel, how to use cloudflare tunnel, cloudflare tunnel localhost
Id: eojWaJQvqiw
Length: 20min 56sec (1256 seconds)
Published: Fri Dec 30 2022