Cloudflare Zero Trust Tunnels for Homelab access instead of VPN
There are at least two important things to keep in mind when using a Private Network instead of a Public hostname.
The first thing that I noticed is that Private Network is slower and you can’t access web servers like Portainer or others. They are probably meant to be used to SSH or send/receive structured data from the devices in the network. I use it to access my server through SSH from my phone with Termux and it works wonderfully.
The second thing is about security. When you add a network like 192.168.0.1/24, it means that whoever can access your WARP can access any device in that subnet, which can be a bad thing if you don’t use Cloudflare’s Access policies to control who can access what. If you connect a new device to that subnet and forget to add a policy for it, anyone would be able to access that device. To avoid this I only add specific devices to the Private Network; you can do that by using /32 as a subnet mask. For example, 192.168.0.5/32 will allow you to access only the device at 192.168.0.5.
Use Cloudflare’s Access policies to allow traffic only on specific ports. As I said, I added only a specific IP to the Private Network, but without any policy anyone in the WARP can access any service on that device, and that is not good. That is why I added a policy which only allows traffic on port 22 and only for specific users, by filtering their emails. When you add a Private Network policy, you will be asked for a session timeout at the beginning; the default should be 1h:30m. If the session expires, you will have to log in again to the WARP even if you are already connected; you can do that easily by going to your Zero Trust domain. Sometimes it will send a notification that the session has expired, but sometimes it doesn’t, and you would end up troubleshooting a connection issue that depends only on the fact that the WARP session is expired, not on something being wrong with the tunnel or the services.
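An added example (my own code, not from the post above): a small audit of WARP private-network routes against the Access policies that should gate them, covering both points made above, i.e. routes wider than /32 and hosts that a route exposes without any policy. The input format is an assumption: routes are the CIDR strings entered in the dashboard, and each policy is a constructed `(cidr, port)` pair meaning "approved users may reach this port on these addresses".

```python
"""Audit WARP private-network routes against Access policies.

Constructed input format (assumption for this example):
  routes   - CIDR strings as entered in the Zero Trust dashboard
  policies - (cidr, port) pairs: approved users may reach `port` on `cidr`
A host that a route makes reachable but no policy covers is flagged, since
every WARP client could then reach every service on it.
"""
import ipaddress


def _hosts(net):
    # /32 (and /31) networks have no separate network/broadcast address
    return list(net) if net.num_addresses <= 2 else list(net.hosts())


def audit_routes(routes, policies):
    """Return (broad_routes, unguarded_hosts).

    broad_routes:    routes wider than a single host (anything but /32, /128)
    unguarded_hosts: addresses inside a route that no policy mentions
    """
    policy_nets = [ipaddress.ip_network(c, strict=False) for c, _ in policies]
    broad, unguarded = [], []
    for route in routes:
        net = ipaddress.ip_network(route, strict=False)
        if net.num_addresses > 1:
            broad.append(str(net))
        for host in _hosts(net):
            if not any(host in pn for pn in policy_nets):
                unguarded.append(str(host))
    return broad, unguarded


def allowed_ports(host, policies):
    """Ports that some policy opens on `host`; empty set means nothing gates it."""
    addr = ipaddress.ip_address(host)
    return {port for cidr, port in policies
            if addr in ipaddress.ip_network(cidr, strict=False)}


if __name__ == "__main__":
    # Constructed sample mirroring the post: one /32 route gated on port 22,
    # plus a second device that was added to the route list without a policy.
    routes = ["192.168.0.5/32", "192.168.0.9/32"]
    policies = [("192.168.0.5/32", 22)]
    print(audit_routes(routes, policies))          # ([], ['192.168.0.9'])
    print(allowed_ports("192.168.0.5", policies))  # {22}
```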
I’ve been using it since I started a while back and it’s amazing. I have a bunch of services (jellyfin, heimdall, etc.) with public domain names, but cloudflare’s Zero Trust Access login page in front of them, so I can log in with an email, github, or google, and get access, but no one else can since the sites are all tunneled to Cloudflare. I haven’t had to open any ports either which is awesome.
And then I’m also using Zero Trust as a VPN for a few networks. It’s quite handy.
Just keep in mind that cloudflare handles https termination. This means they are effectively doing a mitm “man in the middle” solution here.
If you have sensitive things, like a password manager, keep in mind that they see *everything*.
CF Tunnels are great, except for VPN replacement. Better try Tailscale, ZeroTier or good old native Wireguard.
Zero Trust for a homelab makes so much sense. It’s easy to deploy, relatively safe, and as with everything you pass the trust to someone. Your isp gathers more data from you than Google and Cloudflare combined anyway so let’s get real.
Glad to see some more usage & sharing around this after the vBrownBag session on Wednesday. Cool to see this getting out to more people, since it seems new to many of them.
The article mentions one of the benefits being that sometimes the network you are on blocks “all ports but 53/80/443 outbound” but then doesn’t explain how this helps. If it just creates a tunnel on one of those ports, why is it different than setting your OpenVPN server to run on port 443?
Read the article. It set up a VPN. Just because you don’t call it a VPN but some name brand doesn’t make it NOT a VPN.
I just deployed one at my home lab. I love it.
Zero trust… aside from cloudflare of course
Neat, but no thanks. This sort of solution is great for larger enterprises and service providers but for a homelab it’s more of a hassle and doesn’t replace the vpn fully. You can’t tunnel all your traffic through the connection so if you want to use public WiFi you still need a vpn service or else risk someone sniffing your traffic. It also means you no longer control access to your homelab, cloudflare does.
Also there is really zero threat of having a vpn opened inbound on your network. I run several publicly accessible services on my homelab and get 1-2 reported scans or attacks per day. To those not in IT it might seem like a lot, but it’s not. It’s 99.99% bots checking for common exploits which as long as you keep up to date on patches won’t be a problem. In my 15 years of network security I’ve never seen a successful attack on a vpn server, of course that’s not to say it’s impossible, it’s just not common.
Finally this might seem like a shock, but no hacker in the world cares to hack your tiny little home network. Real hacks, like the ones you hear about on the news or see in movies and TV take weeks if not months to successfully pull off. They are also not doing it for shits and giggles, they do it to obtain valuable information or exploit financial companies. Most of them would ignore you the moment they realized the IP address was owned by Comcast.
It’s a neat project and if you want to learn zero trust, cool, but as someone who works in network security I wouldn’t bother using this for my home network, vpn is perfectly safe and a better solution that doesn’t involve a 3rd party snooping and controlling all the traffic I send them. Remember, if the product is free, you are the product.
First off, you DO NOT need to open a port on your firewall if you are hosting a WireGuard VPN connection.
Also, having to give up a credit card number to open one of these “Zero Trust” tunnels is just a really BAD security practice. I support Mullvad’s view on transactions. (Yes, I know CF does not charge it.)
Cloudflare is a good company, and they offer some very useful tools, but I would not touch this with a ten foot pole.
The big issue is that i need to put a credit card
Edit: mobile hates me. Reply went to post instead of what I was trying to reply to.
Any guidance on doing RDP over the tunnel? I’m a networking noob, I can reach my dockers but can’t for the life of me figure out rdp … help plz&tks!
I use cloudflare for my lab environment and also for a big company. I love it, anyway in my lab I came back to a traditional VPN on premise to avoid some surprise in the future. (The service is free for a small use right now, who knows in the future…)
Has anyone had luck running a redis server behind a cloudflare tunnel?
My setup:
RPI: redis docker container with open ports :6379 and :8001
Cloudflare: I’ve tried both TCP and HTTP like tunnel with tcp://:6379 and http://:6379
This works well with RedisInsights port on the same IP using HTTP like http://:8001
I’m seeing this error: Error: Protocol error, got “H” as reply type byte
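An added example (my own code, not from the post above) that explains that error: a RESP reply always starts with one of `+ - : $ *`, so a reply whose first byte is `H` is not Redis speaking at all but the start of an HTTP response, which is what you get when something between the client and Redis answers in HTTP instead of passing raw bytes through. The parser below reports that distinction instead of the bare error; the sample replies are constructed.

```python
"""Minimal RESP (Redis protocol) reply parser that distinguishes a genuine
Redis reply from an HTTP response arriving on the Redis port."""

RESP_TYPES = {b"+": "simple string", b"-": "error", b":": "integer",
              b"$": "bulk string", b"*": "array"}


class ProtocolError(ValueError):
    pass


def parse_reply(data):
    """Parse one RESP reply from `data`; return (value, unconsumed_bytes)."""
    if not data:
        raise ProtocolError("empty reply")
    kind = data[:1]
    if kind not in RESP_TYPES:
        # Same wording Redis clients use, plus the reason when it is HTTP
        hint = (" (this is an HTTP response: the peer answered in HTTP, "
                "not RESP)" if data.startswith(b"HTTP/") else "")
        raise ProtocolError(f"Protocol error, got {kind!r} as reply type byte{hint}")
    head, _, rest = data.partition(b"\r\n")
    body = head[1:]
    if kind in (b"+", b"-"):
        return body.decode(), rest
    if kind == b":":
        return int(body), rest
    if kind == b"$":                 # bulk string: length, then payload + CRLF
        n = int(body)
        if n == -1:                  # null bulk string
            return None, rest
        return rest[:n], rest[n + 2:]
    items = []                       # array: parse `n` nested replies
    for _ in range(int(body)):
        item, rest = parse_reply(rest)
        items.append(item)
    return items, rest


def diagnose(reply):
    """Classify the raw bytes read back after sending PING to the endpoint."""
    try:
        value, _ = parse_reply(reply)
        return f"RESP reply: {value!r}"
    except ProtocolError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed samples: a real Redis PONG and an HTTP answer on port 6379
    print(diagnose(b"+PONG\r\n"))
    print(diagnose(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"))
```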
I want to add that there is no point in allowing ssh only to one ip in the subnet, as that ip can then be used as a bastion (ssh to it first) anyway and you can ssh in the entire lan from there. I would recommend splitting the servers on different subnets/vlans altogether, not only in warp
Absolutely agree. This is only for my homelab - so my policy is that only my email can register a warp client. And my laptop uses multi factor auth. So the OS auth is protecting the warp client access.
In my case, I didn’t want to limit it to certain applications as I’m constantly spinning up new ones, and want full access. Accessing vCenter and various VMs, ssh, RDP, anything I want. I haven’t come across anything that doesn’t work properly at all.
Now if this were a real production environment with multiple users then absolutely don’t do it this way!