Tom here from Lawrence Systems, and we're going to talk about Cloudflare Tunnels. Now, this is a free offering from Cloudflare that means there's no need to open ports. It does not expose your public IP address. It works behind NAT. It works behind CGNAT. And you're probably thinking, well, how do they offer that for free? And is it too good to be true? Is it really that easy to host my servers without exposing any of those things and without the extra complexity of having to deal with certificates? Yeah, it's actually free. Now, why is it free? The best speculation is that Cloudflare wants you signing up for services, so they hope to upsell you on more services. Now, there are a couple of prerequisites here. You do need a domain. You don't have to transfer your domain to Cloudflare, although that is an option; they will handle domain registration, and you can register domains through Cloudflare. I simply took the name servers for one of my domains (the one we're using in this demo is going to be lawrence.video) and swapped over the DNS settings for it. Pretty simple to do. My domain registrar is Hover, so you just go in there and change the name servers to whoever you want them to be. Next, you need a server that can run the Cloudflare tunnel client. This client can run as a Docker container, and it can run on Mac, Windows, and Linux; it can also run as a standalone daemon on Debian Linux. So there are a lot of different options, and we'll be using the Docker one specifically. And wherever that server is, it needs the ability to talk to the other servers, or the services on that same system, that you want to expose, so it can broker that connection.
Now, what I mean by that, and I'll have a layout that we'll be covering of how that works: the server that you load this on (I have Docker on it and I have a few other Docker containers) can talk directly to those other Docker containers, but it can also reach out laterally to the other servers that it has access to. And that's something that matters a lot for this final prerequisite, and that is trusting Cloudflare. The Cloudflare dashboard talks to the Cloudflare tunnel client to tell it which ports are open and which services should be exposed. If someone else were to take control of that dashboard, they would be able to send down commands and say, expose things that maybe you didn't want exposed. That's just something you should keep in mind when you're thinking about how the security works. It's not a reason not to do it; it's just understanding who's inside those trust boundaries when you set up services. The final note is about how the encryption works in terms of the data that passes from a local service back out to the Cloudflare cloud, because Cloudflare is working as a reverse proxy. Any data that goes through that reverse proxy could be seen. So whatever is sent over those connections, because they're terminating the SSL for you via their tool, there's a way to pick that data out via that tool itself. Now, the tool being open source means we should be able to see how they're doing it and look at it. But it's just one more thing to take into consideration, and it's why trusting Cloudflare is part of the final prerequisite: they're in your trust circle, and so is any data that will be traversing it. The consideration you may want is to limit where these servers live and what else is on there. So if you have something that absolutely should never be publicly exposed, you may not want to have it within reach of where this Cloudflare service runs. I just want to throw this out there.
There's not any reason I have not to trust Cloudflare; it's not that I don't think they've done a good job on security. It's just always being aware of who you have in your circles of trust when you're building out technology. Now, before we get started with this tutorial, let's first ask: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content. All right, let's start by covering some of the basics of how this lab is set up, the layout, and the goals. So we want someservice.lawrence.video to be accessible publicly with a certificate. The way you would do that with, for example, HAProxy would be to load HAProxy on a pfSense firewall (I've got a whole video on that), set it up, and then point it to the services that are running over here on this Ubuntu server at 192.168.1.4, which is running Docker with a few different containers on it. The other option might be to run a reverse proxy in Docker as well, have certificates that go through there, and port forward so you can expose the service.
You have to make sure the DNS for that service is pointing there. All of this, though, comes with the, well, problem of going right through your firewall and exposing your public IP address. You're wondering why that is bad. Well, generally, if you're a home user building your home lab, you may not have a very robust ISP that can deal with any type of DDoSing that may occur. This is a problem you can ask Jeff Geerling about; he has videos about the DDoSing of his setup and the mitigations he's done for it. Back to the topic here, though: let's talk about a simpler way of handling this, and a simpler way of handling the certificates. So here is the same idea: someservice.lawrence.video reaching out to the Cloudflare edge. The Cloudflare edge sits between you and the services. So the tool is going to run, and we're going to run this in Docker, but it can run as a daemon, it can run as a service in Windows, it can run on Mac. The Cloudflare connector tool is going to be running on this Ubuntu server at that same IP address of 192.168.1.4. It's just going to pass through the firewall like any other service reaching out to the internet. So there's nothing we have to do on the firewall to configure it. If the firewall IP address changes, or if it's behind CGNAT or double NAT, it doesn't really matter, as long as it can reach the Cloudflare servers publicly. From there, anything that this particular server has lateral access to is reachable. So if it is able to reach out to this Synology server at 192.168.60.15 (and we'll do this in the demo), then no problem. It's going to be able to reach out to that server and broker the connection back out to the Cloudflare edge. And any clients trying to access it are always accessing via the Cloudflare edge, which does not expose your public IP address.
And it doesn't matter if your firewall IP address changes; this can change dynamically, and it resynchronizes quite fast, because the Cloudflare tool is always reaching out to their servers to let them know where it's at, and it can broker those new connections. So it's not a big deal if your IP address changes. Now let's talk about functionally how to get this set up. For simplicity, we're only going to be talking about using HTTP and HTTPS, but there are actually more services this Cloudflare tunnel can support, and there's a lot more it can do. But this will get you started with the common case of just exposing things that you maybe want to self-host that are web-based services. So this is the documentation: plenty of it, lots to read. We're going to be using the documentation as a reference, but I'm not going to go through every detail in here; they have plenty of use cases and lots of details. The other thing you're going to need to set up is the Cloudflare Zero Trust dashboard. I'm going to skip setting that up. It's really easy; you just go through the basics of registering an account with Cloudflare for that. And also, as I said at the beginning of the video, there's an assumption that the DNS has already been done for whatever domain you have, in this case lawrence.video. Now we're over here in the Cloudflare Zero Trust dashboard. If it's your first time signing up for it, just scroll down to the bottom and always look for the free option that they have. We're going to go here to Access, we're going to go over here to Tunnels, and we're going to create our first tunnel: Tom's tunnel for YouTube. Sounds like a great name for this. Save tunnel. And don't worry, this will be deleted by the time I post this publicly.
Therefore, anything that you see in here, I'm aware, could cause a security risk, as in for you: if you added your service to my dashboard, that would be really interesting, because I'd be able to map things in here to whatever services you may have. But here it says to store your token carefully, as the command includes the token for the connector, and anyone with access to that token will be able to run the tunnel. That's the point they're making here. We have a Debian option, with 64-bit, 32-bit, and ARM options. I've tried it with the Debian daemon; it works perfectly fine, didn't have any problems with it. Because we're running Portainer and a few other things in Docker, I thought, hey, why not do it in Docker? A lot of you do run Docker images in the home lab because, well, they kind of make things easy, I'll admit. So we have docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run, and then here's the token. We're going to go here and copy this, but we're going to add a couple of things before we paste it into the server. Let's go ahead and paste it in and add those extra parameters. So right after docker run, we're going to add -d --name cloudflare-tunnel (give it a nice name) --restart unless-stopped, and then the rest. That's a really simple add. But what this does is run it in daemon mode, name it cloudflare-tunnel, and say restart unless stopped. This means it will automatically restart, or start, whenever you restart the server that is running this. And let's go over here and see if it's up and running. Go here to Portainer and, hey, look, there's our Cloudflare container. If we click on the logs icon in Portainer, there we go, we can see the logs; it makes it really easy. If you're not familiar with Portainer, check it out. It's free, it's also a Docker image itself, and it makes managing Docker containers really easy. All right, let's go back over here and hit Next. Now let's create the different domains that we want, the subdomains, if you will.
So I have Uptime Kuma running, and I have it running right here. If we click on Uptime Kuma and the port, we see it's running at 192.168.1.4:3001. It's on the same server that this is running on, so we know it has access to it. Let's go back over here and we'll call it uptime kuma demo YT, or YouTube. Now, you could leave out the subdomain and just have it right there, where it would be lawrence.video, but we're going to have several services, so I'm going to create a series of subdomains. So, lawrence.video; the type is HTTP, because this is a not-secure, standard HTTP connection, not HTTPS. So go over here, paste in the IP address; we don't want http:// in front of it. So it's 192.168.1.4:3001. Nothing else we really have to do to get this working. Save Tom's tunnel. Now we see that the tunnel status is healthy, because it's up and running in Docker. There's the origin IP of this tunnel. Now, this is what's kind of cool: you can see this public IP. Don't worry, it's not my public IP; it's just one of them I have set up here. But if your IP changes where this is coming from, this updates really fast. Matter of fact, if we go over here to Portainer and we hit Stop on this one, so we'll take down the Cloudflare tunnel, it's exited. We click here and click back, and we can see this tunnel is down. We go back over here and we'll restart that tunnel, so hit Start. It started; look at the logs, it's already registered with it. So if we go here real quick, just click off it and click on it again: healthy. It's right back up and running. So the restart time on it is really fast. Now let's see how it does: go in and check to see if the system we set up with this public hostname, this uptime kuma demo, is working. So we're taking this public address, which is going to wrap over to this particular instance of Uptime Kuma.
So we'll go ahead and click on it; it brings us right back up to the dashboard here, and now we can log into my Uptime Kuma. By the way, if we click here, it says the connection is secure and the certificate is valid. It gave us a wildcard certificate here. So I didn't have to do anything, and it's brokering the connection. Of note, as I mentioned earlier: because this is not secure, but the security is being added by the Cloudflare tool, the communication that's going from this instance, which also runs on the same server as the Cloudflare tool at 192.168.1.4, is brokered on that server. So any visibility of plain-text traffic is going to be occurring within this particular system, not over the public internet. From the outgoing connection from this server, once it reaches the Cloudflare tool, it's encrypted all the way through to the endpoint where we have it right here. But we can also add trust for things that are internally using HTTPS, so let's go ahead and do that. Let's go ahead and add another public hostname, and we're going to do this one with the Synology Surveillance Station; this is my Synology Surveillance Station on a DVA model. So we'll give it that same name. This does have an HTTPS connection, but it's got a self-signed certificate, and we'll pull it up real quick to show you what it looks like. Here it says not secure, but we're at 192.168.60.15:5001, and yes, this server does have access to that. Go back over here, so we'll go ahead and put that IP address in here, with type HTTPS. One more thing: because it's a self-signed certificate, we're going to go here to Additional application settings, TLS, and we want to skip verification. If you don't do this, you'll end up spending a while trying to figure out why it won't connect. What you're doing is skipping validation of whether or not that self-signed certificate is valid, because it's not; that way, when it talks to it, we can just skip that verification. Save hostname. So now we have an HTTPS connection, which means the connection from this server
at 192.168.1.4 to 192.168.60.15:5001, that connection across my local network, is encrypted. Then it's encrypted again, and that information is passed along to Cloudflare via their edge. And we should be able to click on this and log into the Synology DVA, so I can do my full login with my username and my password, view my cameras, everything else on here, and I've not done any public exposing of any of my systems. And it's easy enough for me to, you know, quickly change that DNS setting. And if you looked up the DNS for any of these, let's do that real quick: when we run a dig command for the Surveillance Station DVA hostname on lawrence.video, the public IP addresses it shows are the 104.21.72... and the 172.67.187... addresses, because it actually registers with redundant servers, with two A records over in Cloudflare. So these are both Cloudflare-owned servers that are handling the proxying of this, so nothing is exposed in terms of my system itself, other than what I showed you in the control panel. Now let's talk about adding an extra layer of security that they have in here. This is just really amazing; they added this and offer it for free. I really recommend doing this if you have a service that you don't quite want publicly exposed, but you want it exposed for certain people, so let's talk about how you can do restrictions on that. Let's go ahead and add another one, such as our Uptime Kuma, but let's make it different. You can add more than one even if they point to the same thing. So we'll edit this one so we can just copy that, to make it easy. So this is uptime kuma demo, and let's go ahead and configure Public Hostname, add one, and we'll call this one uptime secure kuma. Same thing here, HTTP, so all the parameters are the same, but we're going to call this one uptime secure because I want to add an extra layer of security. So if I click this, it's going to look just like the other one. But let's go ahead and go to our Applications here, Add an application, Self-hosted, and give it a name. The name is going to be
uptime secure kuma. The domain is uptime secure kuma on lawrence.video; there's no other path. We'll leave all this at default; there are a lot of details you can set in here, but for now we'll just keep it pretty simple. And our policy name: let's keep the same name, to be consistent here. And then we want to choose how you want to authenticate. We can say anyone with an email, so they have to provide an email address to make this work, or maybe we want to get more specific: emails ending in a domain. But there are actually IP ranges, country, common name, valid certificate, and lots of other login methods in here. But: ending in domain, and so the domain would be lawrencesystems.com, because I want to share this only with my employees, for example. So anyone at lawrencesystems.com is going to be able to get into this. So, great, we'll leave everything else at default, though there are a lot of things you can do in here. Add application. So here are all the details. Now let's go to the domain and see what happens. Copy the link here. It wants an email address, so let's type in demotest@lawrencesystems.com and Send me a code. I'm going to wait for an email to come; as soon as that email comes, I'm going to put that code in. Cloudflare emails me a code here, we're going to go ahead and hit Sign in with this code, and now it brings me to the secure version of the Uptime Kuma. This is a really nice extra layer that you can put in front of things so they can't just poke at it, "they" being anyone who wants to publicly find these addresses; they would need whatever those parameters are that you applied to add that actual layer of security. This is a really nice thing that they're doing, because, you know, if there's a problem with one of your publicly hosted servers and you don't get it updated in time, this is one more layer in front of it that someone would have to get through in order to get to that server. But of course, that comes with the added inconvenience that once your session expires, you would have to go through the same sort of
inconvenience as well. But it's a nice feature that you do have the option of adding. My overall feelings are that I like the Cloudflare Tunnel system. There is a bug that I think is a little weird; I'm going to do a little testing and maybe report it to Cloudflare. What I found is that if you create a tunnel and create a bunch of those different names, and then you delete the tunnel but don't delete the names that were created, it seems to leave all those DNS entries, and therefore you can't create a new tunnel like you would in a YouTube demo where you want to use the same names again; you find out they don't work because it already has those extra entries in there. Now, if you delete the names in the tunnel prior to deleting the tunnel, they delete perfectly fine, and it's probably not an issue you would run into unless you are creating tunnels, deleting tunnels, and not deleting the attached domains you created within that tunnel. But I don't think it's too big of a deal; it's just something I noticed as someone who's creating demos, where I usually test all of this many times to make sure I can do the demo properly before creating content around it. But I thought it was worth mentioning. If someone from Cloudflare sees this and tells me what it is, that'd be great; or if you have seen this problem and know it's a known bug, or if those domains expire after a day of not having a tunnel attached to them, that would be interesting as well. That's the part I'm going to be testing. Leave your thoughts in the comments down below; let me know how you like this service, or if you've had some problems with it, or if you just really enjoy it. So far, in all the testing I did, I didn't find anything buggy or weird about it. It seems to be pretty simple to do. It has a lot more than I've covered; there are a million other features it can do, but I figured for most people this is enough to get them started. I did that Bitwarden video the other day, and people said, well, hey, isn't this good for using it for, like,
self-hosted Bitwarden? Yes, as well as a lot of self-hosted web applications, which are pretty popular in a home lab. This is a great way to put something in front of them, and also a great way to add a little bit of security in front of them as well, with, you know, restricting it to only a domain, or maybe a specific email, that requires sending something to authorize it before it's viewable. I just like these little extra layers of security they put on there, and I think it's a really cool service that Cloudflare offers. Links down below to the documentation, lots to read through over there, or head to my forums for a more in-depth discussion. Thank you, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, are where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.