---
title: Secure Remote Access with Cloudflare Tunnels
description: How to set up Cloudflare Tunnels for secure remote access to your home lab services
pubDate: 2025-04-19
heroImage: /blog/images/posts/prometheusk8.png
category: networking
tags:
- cloudflare
- networking
- security
- homelab
- tunnels
readTime: 7 min read
---
# Secure Remote Access with Cloudflare Tunnels
Cloudflare Tunnels provide a secure way to expose your locally hosted applications and services to the internet without opening ports on your firewall or requiring a static IP address. This guide will show you how to set up Cloudflare Tunnels to securely access your home lab services from anywhere.
## Why Use Cloudflare Tunnels?
- **Security**: No need to open ports on your firewall
- **Simplicity**: Works behind CGNAT, dynamic IPs, and complex network setups
- **Performance**: Traffic routed through Cloudflare's global network
- **Zero Trust**: Integrate with Cloudflare Access for authentication
## Prerequisites
- A Cloudflare account
- A domain managed by Cloudflare
- Docker installed (for containerized deployment)
- Services you want to expose (e.g., web apps, SSH, etc.)
## Setting Up Cloudflare Tunnels
### 1. Install cloudflared
You can install cloudflared using Docker:
```bash
docker pull cloudflare/cloudflared:latest
```
Or directly on your system:
```bash
# For Debian/Ubuntu
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
# For other systems, visit: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation
```
### 2. Authenticate cloudflared
Run the following command to authenticate:
```bash
cloudflared tunnel login
```
This will open a browser window where you'll need to log in to your Cloudflare account and select the domain you want to use with the tunnel.
### 3. Create a Tunnel
Create a new tunnel with a meaningful name:
```bash
cloudflared tunnel create homelab
```
This will generate a tunnel ID and write a credentials file at `~/.cloudflared/<TUNNEL_ID>.json`.
### 4. Configure your Tunnel
Create a config file at `~/.cloudflared/config.yml`:
```yaml
tunnel: <TUNNEL_ID>
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json
ingress:
  # Dashboard application
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
  # Grafana service
  - hostname: grafana.yourdomain.com
    service: http://localhost:3000
  # SSH service
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  # Catch-all rule, which responds with 404 (must be the last rule)
  - service: http_status:404
```
### 5. Route Traffic to Your Tunnel
Configure DNS records to route traffic to your tunnel:
```bash
cloudflared tunnel route dns homelab dashboard.yourdomain.com
cloudflared tunnel route dns homelab grafana.yourdomain.com
cloudflared tunnel route dns homelab ssh.yourdomain.com
```
### 6. Start the Tunnel
Run the tunnel:
```bash
cloudflared tunnel run homelab
```
For production deployments, you'll want to set up cloudflared as a service:
```bash
# For systemd-based systems: installs the unit and copies
# ~/.cloudflared/config.yml plus the credentials file into /etc/cloudflared
sudo cloudflared service install
sudo systemctl start cloudflared
```
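The ingress block in step 4 is evaluated top to bottom, first match wins, and the catch-all must be the final rule. The following is an added Python example, not code from this post or from cloudflared: the rules are embedded as Python structures rather than parsed from YAML, the wildcard-hostname handling is a simplified assumption rather than cloudflared's exact code, and the last helper flags the `originRequest.noTLSVerify` option that the Advanced Configuration section below uses.

```python
import re

# Constructed rule list mirroring the config.yml from step 4, in the same
# shape cloudflared reads it; the last entry is the mandatory catch-all.
INGRESS = [
    {"hostname": "dashboard.yourdomain.com", "service": "http://localhost:8080"},
    {"hostname": "grafana.yourdomain.com", "service": "http://localhost:3000"},
    {"hostname": "ssh.yourdomain.com", "service": "ssh://localhost:22"},
    {"service": "http_status:404"},
]

def is_catch_all(rule):
    """A rule with neither hostname nor path matches every request."""
    return "hostname" not in rule and "path" not in rule

def validate_ingress(rules):
    """Ordering invariant: exactly one catch-all, and it must be last.
    An earlier catch-all would shadow every rule below it."""
    if not rules or not is_catch_all(rules[-1]):
        raise ValueError("last ingress rule must be a catch-all (no hostname/path)")
    for i, rule in enumerate(rules[:-1]):
        if is_catch_all(rule):
            raise ValueError(f"catch-all at index {i} shadows the rules after it")
    return True

def host_matches(pattern, hostname):
    """Exact match, or a leading wildcard label such as '*.yourdomain.com'.
    Assumption: the wildcard must cover at least one label, so the apex
    'yourdomain.com' does not match '*.yourdomain.com'."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return pattern == hostname

def resolve(rules, hostname, path="/"):
    """Return the service of the first matching rule, top to bottom.
    'path' is a regular expression searched against the request path."""
    for rule in rules:
        if "hostname" in rule and not host_matches(rule["hostname"], hostname):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    raise ValueError("no rule matched; the config has no catch-all")

def origins_without_tls_verify(rules):
    """Services whose originRequest.noTLSVerify skips certificate checks on
    the cloudflared-to-origin hop; review each one on an https:// origin."""
    return [r["service"] for r in rules
            if r.get("originRequest", {}).get("noTLSVerify") is True]
```

On a real host, `cloudflared tunnel ingress validate` and `cloudflared tunnel ingress rule https://grafana.yourdomain.com` perform the equivalent checks against the actual config file.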
## Docker Compose Example
For a containerized deployment, create a `docker-compose.yml` file:
```yaml
version: '3.8'
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # Token of a tunnel created in the Zero Trust dashboard; treat it as a
      # secret (e.g. load it from an env file) rather than committing it
      - TUNNEL_TOKEN=your_tunnel_token
    volumes:
      # Only needed for a locally managed tunnel (config.yml + credentials file)
      - ~/.cloudflared:/etc/cloudflared
```
## Security Considerations
- Store your credentials file safely; it provides full access to your tunnel
- Consider using Cloudflare Access for additional authentication
- Regularly rotate credentials and update cloudflared
## Advanced Configuration
### Zero Trust Access
You can integrate Cloudflare Tunnels with Cloudflare Access to require authentication:
```yaml
ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      # Skips certificate verification on the cloudflared-to-origin hop.
      # It has no effect on a plain http:// origin; use it only for a
      # self-signed https:// service on the same host.
      noTLSVerify: true
```
Then create an Access application in the Cloudflare Zero Trust dashboard for this hostname; that application, not the tunnel config, enforces the login.
### Health Checks
Configure health checks to ensure your services are running:
```yaml
ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      healthCheckEnabled: true
      healthCheckPath: /health
```
## Conclusion
Cloudflare Tunnels provide a secure, reliable way to access your home lab services remotely without exposing your home network to the internet. With the setup described in this guide, you can securely access your services from anywhere in the world.