You should NOT use Cloudflare Tunnel (if you do this...)

Captions
I bet you have all seen the videos on YouTube where people use Cloudflare Tunnels these days to expose internal services. Some even claim it's a VPN killer, or simply say something like it's safe. And to be honest, I was no different: I also recently made a video tutorial about how to set up Cloudflare Tunnels. Look at this smart guy here. But it's time that we also talk about the elephant in the room here and shed some light on the possible implications and problems with Cloudflare Tunnels, because there are some situations where you should not be using it. So grab yourself a cup of coffee or tea or water, I don't care what you're drinking, and let's talk about Cloudflare Tunnels.

Okay, so how do we start? Well, to first understand the problems with this service we need to take another look at its architecture. Remember, this is the diagram that I've shown you before and explained in my tutorial. Let's assume you decide to use Cloudflare Tunnels in your home lab because you want to give somebody access to an internal service that's behind your router or firewall. To do that, you simply install a small application by Cloudflare somewhere in your internal network that initializes a secure reverse tunnel from inside to Cloudflare and transmits all the data from the user to the actual application and vice versa. Cloudflare will act as a proxy service here to handle HTTPS certificates and DNS entirely for you. That sounds pretty straightforward, right? There's no configuration on your firewall or router, no certificates you need to set up. Cloudflare made this so easy for you that you don't even need to think about it. But when we take a closer look at how it technically works, you will see that you basically just route all your data through a layer 7 proxy in the cloud. So Cloudflare will negotiate a secure HTTPS connection with the client using its own certificate. The client will send the data encrypted to Cloudflare, they will decrypt it, scan it, and then send it through their secured reverse tunnel to the Cloudflare agent, where it's finally sent out to the actual application in your home lab, which might be an HTTP or HTTPS target, it actually doesn't matter.

So if you paid attention to this, you will notice that Cloudflare always has full control and full visibility of the data and the payload that is transmitted. So all the requests and responses that might include sensitive information such as usernames and passwords, personal data, or IP addresses: Cloudflare can read it all and do whatever they need to do with it. And that is even the case when you're using the strict TLS option in Cloudflare. So when you're running a reverse proxy inside your home lab like I've shown you in my tutorial, that is a bit better for protecting the internal network traffic, but still, because the layer 7 proxy of Cloudflare will not just forward the client requests but always initialize two separate connections, yes, one to the client and another one to your application, it is no different from a privacy standpoint. They can always read all your data. So no matter if you're using strict TLS or not, if you're using HTTP or HTTPS, it is no different.

Now this might sound pretty alarming to some of you, and from a privacy standpoint it literally is. But to put it into the right perspective here, it wouldn't be fair to just jump on that train and claim "oh, Cloudflare is all about stealing your data, you should never use it" and blah blah blah. You shouldn't forget Cloudflare is one of the biggest CDN providers in the world, and they make a shitload of money by selling security services such as DDoS mitigation, malware protection and so on to enterprise companies, and that type of protection only really works when they can look inside the traffic and send it through their scanners. You also have to take into consideration that their core business is providing CDN and security services, not selling your data for ads. As a conclusion, the fact that they decrypt all the payload doesn't necessarily have to be a red flag for you. I personally, I don't have a problem with that in my personal projects. I just have to say, for companies that route customer data through Cloudflare Tunnels it might be more critical, especially if you fall under data regulation laws such as the GDPR. Or if you are really cautious about privacy in your home lab, then you probably should not use Cloudflare Tunnels anyway. You can now say, "well, you Germans are crazy about your data, I don't care about that," and that's fine, but there are still other problems with Cloudflare Tunnels that I need to address.

And the next issue is not less important, because have you noticed something strange in this diagram? There is a router slash firewall in your home lab, but you don't need to configure it to allow incoming traffic or do port forwarding. Why is that? Well, that's because you're basically bypassing it by initializing a reverse tunnel from inside your network to Cloudflare, similar to how you would connect to the internet. And if you just have a simple and dumb router at home, this might not be a big deal for you, because these devices don't protect your network anyway. But for people who are using network protection devices such as next-generation firewalls like the Sophos XG or pfSense, Palo Alto, I could name any other firewall vendor here, if you're using any of these devices, this is a pretty big deal. To be fair, it's not a problem with Cloudflare Tunnels alone. It actually is a problem for any kind of remote access service that likes to punch holes into internal firewalls. Services like Tailscale or Twingate follow a similar approach, just without the whole decryption and privacy violation stuff. But they all simply say, "hey, just go and deploy our apps somewhere in your network, we'll connect to all of your apps directly from that exit node, and let us just handle all the security for you." And this is, in my opinion, not always a good solution, as you're completely outsourcing your entire network security to these providers, meaning you need to put a lot of trust into them. Of course, Cloudflare provides you strong protection out of the box. They do have services like authentication, malware scanning, web application firewalls and DDoS mitigation. I'm sure they are doing a great job. But just keep in mind, if you are using any other network protection devices like firewalls, proxies or intrusion prevention systems, they might become useless, as Cloudflare Tunnels is not directly integrated into these systems and punches a hole into your incoming firewall rules.

Also, I have seen many people who just expose any internal service to the public internet without any restrictions using Cloudflare Tunnels, such as home lab dashboards, portals or other administrative interfaces, because it's safe, right? That also introduces a potential security risk, because nothing is 100% secure, especially when it's accessible for anyone on the internet. So my conclusion with this is: if you decide to trust Cloudflare with your network security and use it to expose internal administrative services, you should at least make sure to add proper authentication to it as well. I've, by the way, shown you that in my Cloudflare Tunnels tutorial, so I will link this in the description down below. Make sure to check it out. And you should also keep in mind, if you are deploying the Cloudflare Tunnel service directly in your network, you might bypass incoming policies of your next-generation firewall, if you have one. That is, at least for me, one of the reasons why I'm personally not so excited about using it in my home lab. But hey, I'm sure somebody will disagree with me here and tell me in the comments why I'm all wrong.

However, last but not least, there is another use case where Cloudflare Tunnel is undeniably not a good option. Many people still don't know that, but you will likely run into problems when you are trying to use it for exposing non-web applications, for instance IP cams, game servers, or uploading huge amounts of data through this service. That's where you might get blocked by Cloudflare. I need to make one quick update to this video here, because Cloudflare had a section in their self-serve subscription agreement where they had a clause about this topic. You can still find this in older forum posts. This was called section 2.8, the limitation on serving non-HTML content, where they basically said the use of their services for serving video or a disproportionate percentage of pictures, audio files or other non-HTML content is prohibited. Now, since the recording and editing of this video, this section was actually removed from the official documents, and I'm currently not sure what that actually means for us, if you still get blocked by Cloudflare for serving non-HTML content through Cloudflare Tunnel or not. I don't know. However, the following statement here is still true: as Cloudflare is primarily created for serving and caching websites and HTML content, you might not be legally allowed to use it for non-HTML stuff, but I don't know what would happen if you really exhaust their services streaming huge amounts of data through their proxies, and how good the performance then is. You also shouldn't forget you are still limited to only using the target protocols that they allow you to create in the tunnel service. So it is by no means as flexible as a VPN for streaming data, where you can send any network protocol that you want through a secure tunnel between two endpoints that are fully under your control. So if you ever wanted to have a clear reason why this is still not a VPN killer, that's it.

To summarize my opinion about it: it is really a two-sided sword. Yes, it is a great service that's very easy and straightforward to use. It solves some of the biggest problems in a home lab remote access scenario, no discussion. But at the same time you have to put all your trust into Cloudflare, it introduces some serious privacy concerns, especially for companies that fall under GDPR, and it's not that big of a VPN killer as most people claim it is. Anyway, I hope this gave you some clarity on Cloudflare Tunnels, and you can now decide for your own if you care about these problems or if you are fine with that in your home lab. If you're up for more tech content, make sure to like and subscribe, and as always, thanks everybody for watching. I will catch you in the next video. Take care.
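The firewall-bypass point made in the video (the connector dials out, so no inbound rule ever appears) also tells a defender where to look: in egress logs, not in port-forwarding rules. The following is an added example, not code from the video or from Cloudflare, that scans flow records for internal hosts holding long-lived outbound sessions to the connector's edge port. Assumptions: the key=value log format and all addresses are constructed; port 7844 is the edge port cloudflared uses for both QUIC and HTTP/2 transports.

```python
import ipaddress
from collections import defaultdict

# cloudflared (the connector) dials OUT from the LAN to the Cloudflare edge on
# port 7844 (QUIC over UDP by default, HTTP/2 over TCP as fallback). No inbound
# rule is created, which is why the router/firewall in the diagram needs no
# port forwarding; a tunnel therefore only shows up as a long-lived OUTBOUND
# session in egress/flow logs.
TUNNEL_PORT = 7844
MIN_SESSION_SECONDS = 300  # assumption: shorter sessions are treated as noise

# Constructed sample egress flow records (key=value, one flow per line).
# Sources are RFC 1918 addresses, destinations are TEST-NET placeholders.
SAMPLE_FLOWS = [
    "2023-05-16T10:00:01 src=192.168.10.25 dst=203.0.113.13 dport=7844 proto=udp dur=3600",
    "2023-05-16T10:00:05 src=192.168.10.40 dst=203.0.113.34 dport=443 proto=tcp dur=12",
    "2023-05-16T10:01:00 src=192.168.10.25 dst=203.0.113.7 dport=7844 proto=tcp dur=1800",
    "2023-05-16T10:02:00 src=192.168.10.77 dst=203.0.113.13 dport=7844 proto=udp dur=20",
]


def parse_flow(line):
    """Parse one 'timestamp key=value ...' flow record into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": ts,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "dur": int(fields["dur"]),
    }


def find_tunnel_connectors(lines, min_seconds=MIN_SESSION_SECONDS):
    """Return {internal_host: total_seconds} for private-address hosts that
    hold outbound sessions to the tunnel port for at least min_seconds.
    Each flagged host is a candidate tunnel connector to compare against the
    list of approved tunnels, and whose ingress config should be reviewed for
    authentication on any administrative interface it exposes."""
    seconds = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow["dport"] != TUNNEL_PORT:
            continue
        if not ipaddress.ip_address(flow["src"]).is_private:
            continue
        seconds[flow["src"]] += flow["dur"]
    return {src: total for src, total in seconds.items() if total >= min_seconds}


if __name__ == "__main__":
    for host, total in find_tunnel_connectors(SAMPLE_FLOWS).items():
        print(f"possible tunnel connector {host}: {total}s on port {TUNNEL_PORT}")
```

On the constructed sample only 192.168.10.25 is reported; the 20-second session from 192.168.10.77 falls under the threshold and the HTTPS flow is ignored because it is not on the tunnel port.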
Info
Channel: Christian Lempa
Views: 54,714
Id: oqy3krzmSMA
Length: 10min 7sec (607 seconds)
Published: Tue May 16 2023