Homelab Proxying With Cloudflare Tunnel
Traditionally, I’ve exposed my homelab directly to the internet.
I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.
The downside of this, is that you need to expose a server to the internet, exposing your IP, and you need to harden said server adequately.
While I haven’t run into any issues, I know others who have, so I’m still wary.
There are a few neat solutions to avoid exposing your IP, the most common is putting a VPS in front of your home server, and proxying requests down over a VPN like Wireguard. Alex Ellis’ project inlets is a great way to automate this. You can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.
I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.
I’ll spare you the set up details, as the documentation is excellent. If you want to take a look at my configuration in Kubernetes, my cloudflared deployment YAML is available here.
I had a few issues after first set up. I initially had cloudflared proxying to http://ingress-nginx-controller:80, which caused Authelia redirection to fail. I fixed this by proxying to https://ingress-nginx-controller:443 and setting noTLSVerify: true.
The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain, or a wildcard domain. Requests from my.domain or *.my.domain failed. The fix here was to set up a load balancer, which would then route traffic to my tunnel.
The infrastructure now looks like:
I no longer expose my IP, and have removed most open ports into my network. All in all, a neat solution!
Do you proxy your homelab via a tunnel? Why/why not? Let me know via email: blog <at> hu <dot> md, or via Twitter.
Looking for something related to read? Check out Nicholas Whittaker’s post: Live previewing Hugo sites with Cloudflare Tunnel.
On the web
Roadkill
Sun Mar 30 2025 by Kev QuirkWeek Notes W12
Wed Mar 26 2025 by Joel's Log FilesInstalling NPM Packages Very Quickly
Tue Mar 25 2025 by Andrew Healey's BlogDoing in-place, single-node Postgres upgrades with almost no downtime
Sun Mar 2 2025 by Stan's blogIntroducing laravel-tfa-confirmation
Sun Feb 2 2025 by stefanzweifel.dev
Generated by openring