Just getting started with self hosting. I was wondering if anyone had experience with Cloudflare Tunnels for exposing their services to the internet. I like the simplicity and security it offers but don’t love the idea of using Cloudflare. Like, I’m self hosting for a reason lol. Any tips would be greatly appreciated!
For context, I’m running all of my services in a very small k8s cluster and my priorities are mostly security then maintainability. Thanks yall!
EDIT: y'all are great! Thank you so much for the replies. I'm going to try my luck with Pangolin, but it's good to know I have options.
I love it, but I’m also a hypocrite. Centralized internet is bad but cloudflared is incredible.
The service is ok, but if you (rightfully) do not want to be tied to Cloudflare, take a look at Tailscale Funnels. Same concept, but from a company that values the user and their privacy. Also, for regular personal/small user base, free tier is more than enough. And you get a free .ts.net subdomain to use with your apps, if you need that.
You also don’t want to be tied to Tailscale, another US company.
Take a look at Pangolin instead.
I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?
Self-hosters aren't lacking in tools to connect between a home server and some internet-exposed server so they can tunnel from that public internet server back to their home server; they're lacking in affordable options for the internet-accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple WireGuard connection from your home server to a public VPS with a couple of trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-like permission-based routing software, but without the actual connection tools or hosting. That's already available for free with Headscale, but Headscale also includes the connection part too. Am I missing something that would make Pangolin even equivalent to, let alone better than, the free Headscale project?
- Headscale is essentially a self-hosted, open-source alternative to Tailscale's control server, enabling creation of a private WireGuard-based mesh VPN network. It lets you use Tailscale clients while running your own control server, focusing on secure device-to-device connections without exposing open ports. It requires a server with a public IP for the control server but does not natively manage reverse proxy or authentication for web services.
- Pangolin is a more complete self-hosted solution built on WireGuard and Traefik, combining VPN tunneling with a modular reverse proxy and authentication management. It provides centralized management with role-based access control, 2-factor authentication, automated SSL via Let's Encrypt, and can expose multiple private networks or services through secure tunnels without needing to open firewall ports. It includes a web UI and plugins for security features like WAF, API, and OAuth2/OIDC identity providers.
I see, so Pangolin includes the Tailscale Funnel functionality (which Headscale currently does not), integrates Authentik and Traefik, and sells it as a stand-alone service. I guess there's probably a narrow market for that, though it's unlikely to be self-hosting. My experience is that any OAuth or RBAC solution is too involved and/or poorly supported by self-hosted applications to see more than a small number of self-hosters using it, and those that do are advanced enough users that they would probably just build it themselves with free tools instead.
Pangolin is free for non-commercial self-hosting purposes and used quite intensively in the Jellyfin community.
Funnel has some significant limits on what you can use it for, esp with respect to streaming media FWIW. Not sure if it’s relevant here, but worth noting.
I'm using Pangolin, which is the current hotness. It's somewhat like Cloudflare Tunnels, but you need a VPS (find a cheap one). That tunnels back to your house. I opted into using CrowdSec as another layer. It's a part of their setup process.
So what benefit does Pangolin actually provide then if you already have to provide the VPS? Routing back to your network from a VPS is trivially easy, it’s getting the affordable VPS (given bandwidth prices) that’s actually the sticking point of any solution.
Over cloudflare, it’s knowing you’re the man in the middle and not some company. It has a few other things like zero trust, and an authentication layer.
I use RackNerd for VPS and it's about $35/year. So definitely one of the cheapest parts of my home lab.
The RackNerd $35/yr seems to be the 500MB RAM VPS with a 500GB/mo network data limit. That's probably sufficient power for a WireGuard endpoint for ingress, but that's a pretty low network data limit if you're putting a media server behind it (10GB/hr of video isn't unexpected, and data is counted twice when it has to ingress and egress through the endpoint = 25 hours of quality video per month).
Use their New Year deals and get 7000 GB monthly transfer with 3.5 GB RAM. Only $32.49/year.
Vs Cloudflare I agree. Giving up the MitM isn’t an acceptable trade off in my opinion either.
Serious limits on Cloudflare Tunnels:
- Only works if you use Cloudflare as your domain registrar for that domain
- You can’t use it for anything high bandwidth, specifically including streaming media (e.g. Plex/Jellyfin)
- They reserve the right to terminate your service tunnel randomly at any time without warning for any/no reason unless you pay them for the service.
And that doesn't address the issue of getting in bed with Cloudflare (which has its own ethical ramifications).
I’d recommend one of the alternatives like localxpose.io that offer the same thing but without the limitations. Or you can slap together your own with a wireguard tunnel to a minuscule VPS with some routing rules on it. Both are about €5/month, which is cheaper (the same?) as paying for Cloudflare Tunnel to avoid the random termination and vendor lock in.
Regarding #1, you have to use Cloudflare for DNS but it doesn’t matter if they are your domain registrar or not.
I heard you can use Pangolin and self host your own tunnel.
Haven’t looked into it.
Hosting the tunnel is the only real value add from these services, which is why I’m confused by Pangolin’s business model.
It is strange.
The only reason people use Pangolin is to have control over the tunnel rather than rely on a company.
Does your use case include random people on the internet accessing these services, or is it just for you? If it's just you and a couple of friends and their devices, look into Headscale.
I just started using them and I like it. It’s a good balance of easy and secure for me. I just added the container to my stack and then use their UI to point a subdomain at the internal port. Security can go pretty extreme if you set up their whole zero trust thing.
An alternative similar option is Pangolin. I’ve seen a lot of people like it to avoid Cloudflare, but I haven’t used it myself. There still has to be an endpoint running it, so you’ll need an external VPS, which then adds a cost to the equation but at least you control it.
Cloudflared CLI for reverse proxy is as dummy-proof as hosting a hidden onion site over Tor. I like its simplicity, but I know I'm relying on a non-free network.
It’s easy to use and takes away some of the hassle.
If you don't like Cloudflare you could find a VPS you do like and run Pangolin on it to get the same service, but maybe not the same level of protection.
I use Oracle’s free tier to host it. They’re probably worse than cloudflare as far as evil corporations go though.
I just found out about cloudflared; it looks straightforward, but you need a Cloudflare account to use it. IDK what (if anything) they charge for it.
I have generally just used a VPS for this. I've done it through an SSH reverse proxy, which is pretty crappy, but a more serious approach would use iptables forwarding or WireGuard or whatever the current hotness is.
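Several replies above describe the do-it-yourself alternative to Cloudflare Tunnel or Pangolin: a WireGuard tunnel from the home server out to a small public VPS, plus a couple of routing rules on the VPS that forward the published ports back through the tunnel. The script below is an added example of exactly that setup; it is not code from anyone in this thread or from any of the projects mentioned. It renders the two WireGuard configs and the nftables rules for both ends. Every address, key, interface name and port in it is a constructed placeholder: `203.0.113.10` is a documentation-range IP standing in for the VPS, `eth0` is an assumed public interface name, and the `<...-key>` strings must be replaced with keys generated by `wg genkey` / `wg pubkey`.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: renders the WireGuard
# configs and nftables rules for "home server dials out to a small VPS, VPS
# forwards ports 80/443 back through the tunnel". Every address, key and
# interface name below is a constructed placeholder.
VPS_PUBLIC_IP="203.0.113.10"       # constructed (TEST-NET-3 documentation range)
VPS_WAN_IF="eth0"                  # assumed name of the VPS's public interface
VPS_WG_IP="10.66.0.1"
HOME_WG_IP="10.66.0.2"
WG_PORT="51820"
PUBLISH_PORTS="80, 443"            # the only ports the VPS may forward home
VPS_PRIVKEY="<vps-private-key>"    # placeholders: generate real ones with 'wg genkey'
VPS_PUBKEY="<vps-public-key>"      # and 'wg pubkey' on each machine
HOME_PRIVKEY="<home-private-key>"
HOME_PUBKEY="<home-public-key>"

# /etc/wireguard/wg0.conf on the VPS. It only listens; it never dials home.
render_vps_conf() {
cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVKEY}

[Peer]
# the home server; no Endpoint because it sits behind NAT and initiates
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# /etc/wireguard/wg0.conf on the home server. AllowedIPs is the VPS tunnel
# address only, so this is never a default route and the VPS cannot reach the LAN.
render_home_conf() {
cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_IP}/32
# keeps the NAT mapping alive so the VPS can send forwarded traffic at any time
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the VPS (needs net.ipv4.ip_forward=1). DNAT the published
# ports into the tunnel, masquerade so replies come back the same way, and drop
# every other forwarded packet.
render_vps_nft() {
cat <<EOF
table ip ingress {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "${VPS_WAN_IF}" tcp dport { ${PUBLISH_PORTS} } dnat to ${HOME_WG_IP}
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "wg0" ip daddr ${HOME_WG_IP} masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "${VPS_WAN_IF}" oifname "wg0" ip daddr ${HOME_WG_IP} tcp dport { ${PUBLISH_PORTS} } accept
  }
}
EOF
}

# nftables rules for the home server: if the VPS is ever compromised, the only
# thing it can talk to over the tunnel is the published ports on this host.
render_home_nft() {
cat <<EOF
table inet tunnel_guard {
  chain input {
    type filter hook input priority filter;
    iifname "wg0" tcp dport { ${PUBLISH_PORTS} } accept
    iifname "wg0" drop
  }
}
EOF
}

# Usage: sh wg-ingress.sh vps|home|vps-nft|home-nft > <file>, then 'wg-quick up wg0'
# and 'nft -f <file>' on the respective machine.
case "${1:-}" in
  vps)      render_vps_conf ;;
  home)     render_home_conf ;;
  vps-nft)  render_vps_nft ;;
  home-nft) render_home_nft ;;
esac
```

Two design choices matter here. The home side's `AllowedIPs` is the single VPS tunnel address rather than `0.0.0.0/0`, and the home-side input chain drops everything arriving over `wg0` except the published ports, so a compromised VPS gets the same reach as any anonymous internet client and nothing more. The masquerade rule is what keeps the routing "trivial" (no policy routing at home), but it means the home service sees `10.66.0.1` as every client's address; if you need real client IPs in logs or for rate limiting, run a reverse proxy on the VPS that speaks PROXY protocol to the home side, or drop the masquerade and add a return route on the home server instead.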
No, there’s a very generous free tier on CF.
Two of my coworkers with Kubernetes homelabs use the Helm chart deployment of this and they like it very much. All my domains are in Cloudflare so this is a no-brainer.
I would like to try this with their SSO offering so that I could just handle auth at the tunnel instead of something like Dex in front of each service in the cluster.
I used a Cloudflare tunnel for streaming music in Jellyfin. Didn't do much else with it and it worked pretty well. Anything high bandwidth you should use something else for, but for stuff that doesn't consume a ton of bandwidth, like music streaming in my case, it worked fine, at least when I used it a few years back.