 Welcome to the Home Lab Show episode 86. We're going to talk about Cloudflare Tunnels and Reverse Proxy over VPN, which is technically what a Cloudflare Tunnel is. I want to define it because there's mixed feelings I have. We'll talk about that in this video. I do already have a tutorial on how to use it, linked down below as well as the documentation for it. But Jay brought this up when we were talking the other day and said, let's talk about Cloudflare Tunnels because he hadn't used them, and they're just pretty cool, aren't they? The idea does sound really interesting, and the things you're going over without getting into any spoilers really did impress me because I heard about it. I just haven't looked into it yet. But the only problem I have is I barely ever leave the house. I don't really have a need to access things out of the house, but sometimes I do. But I was curious about how it handles certificates, especially because sometimes in Home Lab, that could be a major pain, especially when some people might have two DNS entries for every single thing because they have one that's attached to the SSL cert and the other that's local. It's complicated. The HA proxy is hard. Well, at least it's not hard because we have a video on your channel that goes over it. But then when we were talking about this, it's like, yeah, it might even be easier. Yeah, and that's the trade-off you always have to make. We'll get into some of those details about what those trade-offs are. But a couple of housekeeping things. First, feedback at the Home Lab.show. We love hearing from you, and the questions are starting to come in, and I think as people learn about this, we're going to have some regular segment of the show we do where you do some feedback. Not going to be in this particular episode, but hey, we love hearing from you, and maybe if enough people have feedback, we will cover this in next week's video. Well, podcast. Next, final thing, housekeeping before we get started. Let's thank Linode. If you need a place to host things, Linode is a great place for that. There's all these different projects we talk about, and not all of them need to be publicly exposed on your servers, or maybe you can't publicly expose them, but I believe that's today's topic of the video is different methodologies by which you can. But Linode, we also have a list of all these different reverse proxies that allow you to take your local and put it remote. And Linode would be a great place to run any of those. So if you are interested in getting started with Linode, we have an offer of the Home Lab.show, link down in the description below. Great place to run some of the tools that we're going to at least mention today, but specifically today, we're going to be talking about a few other things, but Linode is a great place for our project. Great place to host a lot of your things. We host this show on there, and we'll thank them for being a sponsor of this show. All right, housekeeping's out of the way. Now it's time to dive into reverse proxy over VPN, or RPOVP, we love acronyms, right? Can we make up a new one? Is there a name collision if we say RPOV? I think it would be better than that, honestly, but given more thought, maybe. Yeah, it's a little interesting. I don't know, we have to come up with something. So what this is about? Well, pro VPN, proxy over VPN. Pro, proxy over, yeah, but it's reverse proxy over VPN. All right, so close. Our pro VPN, all right. We'll stop doing that. We'll get into the details here. Good news is, linked in the description below because the question that comes up of, okay, before we dive into Cloud for Tunnels, is there an alternative option? Well, nothing is as turnkey as Cloud for Tunnels, which is one of the reasons I covered it as a topic. And in some ways, yes, it's open source in terms of the client side that you're using, but it's also somewhat proprietary because it relies on Cloudflare's infrastructure to work. So you can see in the clear what's going on. This is a transparent way they're doing it. I think they've done a good job of it, but it's not like I can just point this at another server that being said, in the description is a list of called awesome remote VPN. I think his name is a list. Nonetheless, there's a link for it. It lists out all the different projects, not all of them probably, but at least a good number of them probably 10, 15 projects in there to do this. But zero of them are going to be as absolute turnkey as this particular one. But they do exist. I think they're good projects. And this comes down to your decision of what your goal is. Maybe you just want to work on applications. Maybe you just want to have something hosted and you don't have time to learn one of those more complicated ones. And you're like, well, I can register a domain with Cloudflare. That's really cheap. And then I can put that domain, leave it in Cloudflare and set up one of these tunnels, which is free. So that's easy. It's going to handle certificate for me. Awesome. It's going to handle DDoS. It's going to handle hiding my IP address. It's going to handle me not having to open up my firewall because it's creating a reverse proxy. So if my IP changes, I don't have to deal with dynamic DNS. It just kind of takes all those problems and solves them with one simple tool. And that's this Cloudflare tunnel. The downside is, and I always like to cover some of these risks before you say, great, I listened to half the video. I can run off and get this started. I'm going to watch Tom's tutorial. You have to trust Cloudflare is the risk. Say it like that because not that Cloudflare is an untrustworthy place. It's just thinking about your data. And Jay brought this up when he was talking about, well, can I just store my Proxmox system on there? And I'm like, well, you could, but... Yeah, hypothetically. And that's saying I'm going to publicly expose that, but hypothetically, yeah. I mean, I was just curious at what level can you go with this? Yeah. And it just becomes kind of the nuance back and forth of, yes, you can, but do you want to, but maybe you do. Cloudflare has a lot of features they put on top to add extra security, but because they're the ones wrapping the VPN, wrapping the reverse proxy, they would have technically visibility into the data that traverses it. So that's just something to keep in mind. It's not really, you know, a huge deal, so to speak, because you're putting it out on the internet anyways, but it's just, if you're passing some incredibly sensitive data, because they're the ones doing the endpoint termination, but the other side of Cloudflare. Cloudflare has proven to be a good force over all, I think, in the internet. I'm not going to segue into controversies because by being someone who does DDoS prevention, they've also got into content arbitration sometimes that they don't want to get into, but that's the world we live in. So that's outside of the scope of this particular video, but I will mention, yes, I'm aware of all the controversies of Cloudflare, we just want to be a DDoS people that does content provisioning, that being said. I've seen one of the first questions that I wanted to answer here, and double NAT networks. CG NAT is technically double NAT, and it doesn't matter, you can have triple NAT. As long as the daemon that Cloudflare loads is able to get out to the major internet, get out to Cloudflare servers specifically, it doesn't really matter because it's not doing anything at your firewall level. Daemon itself is really simple. It's just a little service that runs. It can run in Docker, it can run as a package. I believe they have a Windows package for it too. I've not tried that at all, but I've tested the Linux methodologies, both Docker and using it as a dub package, works perfectly fine. You run this on even something like a Raspberry Pi, because cool, yes, they have ARM compilations for it. And as long as that device or that Docker can talk to the services that you want brought out to the public, it'll work. That's the key for how simple this is. So let's say I have a Raspberry Pi on my network and then I want it to connect a handful of other devices on my network, whether those devices may be, provided the Raspberry Pi has access to those devices, it can broker the connection, even if they're not encrypted. So Jay's Proxmox question, maybe he has a VM running in Proxmox or he has this little Raspberry Pi, either way, it works. And you take this daemon and you kick it off and then you say, all right, where are you gonna talk to locally? Locally, I wanna talk to the Proxmox. Or do you wanna talk to on the public world of the internet? Well, learnlinux.tv, probably not slash Jay's Proxmox, but you could do that, you could do that. You gotta have a domain he owns, you gotta have the domain in Cloudflare. I don't think there's a way to do it without it being in Cloudflare, at least I didn't see it. There might be some ways to just replicate C names or something complicated, but for the most part, just stick your domain in Cloudflare, which by the way, having Cloudflare do your DNS is free. And then from there, you're going to be able to broker those connections. Now, the connection from the device in your local network to the device you wanna share, let's say UptimeCuma, which by default doesn't have a certificate with it, that part can be unencrypted. This is where running it in Docker gets really handy because if you run it in Docker and you're running, let's say, UptimeCuma in Docker, you can have them talk on the same network interface inside a Docker so the data unencrypted never leaves that particular system. This is a popular setup and implementation of it where you're gonna load a Docker container, you're gonna load a bunch of other Docker containers and one of them being the Cloudflare, then talks to the other Docker containers. Now you have one system that can talk to all the other systems kind of self-contained on that network. And then the data leaving it from your system, that Docker image in your network, goes out to the Cloudflare and then into the matching tunnels that you have system in there and the matching domains, subdomains that you've configured and there you go. That's all encrypted. From the time it leaves your Docker container to Cloudflare, then Cloudflare is gonna slap a certificate on there and then that certificate is valid. You didn't have to validate it. And as long as you have an internet connection, it will work. If your internet connection changes, your IP address changes. And I covered this in my demo. It's really slick because one of the things is, if you're on dynamic IP or you have a failover connection, well, it's gonna go out the primary connection, then it fails. That's what going out the secondary connection and the system is constantly talking to Cloudflare to realize where it's coming from and updating that information. Therefore, you're not worried about all those changes coming in. This is where it's just, they've done a great job of making this absolutely convenient and yes, yes, it is free. Not just putting your domain in Cloudflare, but the tunnel. So there are some limitations to these tunnels we're gonna cover real quick. Actually, Tom didn't have the note ready. I'll have it there in just a second. I think you get the idea of how this works though, right, Jay? Yeah, I am totally getting an idea of how it works and also based on the conversation last night as well. It's kind of one of those things where, why didn't anyone think of this before? I think people did because there's other solutions out there that do a similar thing, but it's almost like this was developed by a homelab person that understands some of the things that we're looking for. Yeah, it's really neat. Now, I will mention there are some account limits. Now, this is the free account limits and you can contact Cloudflare if you want more. Number of application count is like 500. I think that's enough for a homelab person. Email address rules, you get 1,000 of them. There's IP addresses per rule, you get 1,000 of those. And we'll talk about what that means in a moment. It looks like you get, let's see, service tokens, because you can create tokens. Well, that goes back to the security side. There's like 50 token limits. You can do some granular rules that looks like you can add to about 1,000 different rules on there. There's just all these little details on there. Tunnels, total number of tunnels you can have though is still 1,000. So you actually have a number of applications and a number of tunnels. You can have multiple applications per tunnel. So I think all these limitations pretty much set well with the homelab users in terms of use that makes it pretty easy to do. Couple of one caveat here though, you're before you get ahead of yourself and go, can I run my Plex server on this and create an entire movie library for all of my friends? Now you get into a slightly different use case called terms and conditions. Terms and conditions do apply. First, they do reserve the right to if they notice you're publicly hosting a bunch of copyrighted materials and they can see it. Yeah, you probably have a problem because it does say you may not use this for kind of like illegal use. They blanket that in their terms and conditions. I don't think I highlighted this enough in my video or at least clearly based on all the people who commented on my tutorials that you didn't highlight that they could shut you down if you run a host of media server on there. And I'm like, this is where you're getting into don't break the law. I mean, if you're hosting a bunch of stuff and publishing movies you don't know, you can have a problem just in general, not just with Cloudflare. Next, limitations on bandwidth. That one's a little bit fuzzier. There are some bandwidth limitations for the free tier but they're not hard like this much bandwidth if once again goes back to if you, it says it's not designed for primarily using for video sharing. I think they have that as a general statement but they don't define it very deeply. It's not like cut and dry, don't ever share a video on this. I tested it, I shared a video, it didn't break. I didn't share it with many people. I shared it with myself from my office to my studio and it didn't have an error and it worked. So will it work? Sure, would I recommend this all the time? Not necessarily and that's why I wanted to be kind of clear on that part right there. They have terms and conditions. Cloudflare generally keeps those as many companies do kind of broad because they don't want to tell people not to use it but they go just use it with some common sense, use it with some thought into it that you can't just blanket use it for anything you want. That totally makes a lot of sense. Yeah, we don't like some of the rules out there but we're also not in control. So yeah. Well, this is those things because if you're not hosting the server yourself, I mean, if you spun this up on the node and use one of those other tools to do this exact same thing and built it out, put a let's encrypt cert and auto-renews on the node instead of reverse proxy back to your system, you can do whatever you want because it's just you and doing what you want with the bandwidth that you have purchased from your node instance. That is absolutely a valid reason to build it yourself. And when you rely on other companies, you are always subject to those other companies terms and conditions. I mean granted, even the nodes can have terms and conditions that do apply because you're hosting on their servers and if you do illegal things with it, they're gonna hand over the subpoena to whoever has them for it. So that's at least worth noting. Yeah, that's exactly right. In one of the use cases I was thinking of is because on the node, I have an RSS server on there which is fine. I also kind of feel like that's almost underkill for a node instance because it's just me using an RSS service that barely even touches the CPU. I should probably just put that in a container and just expose it somehow for the RSS thing. So that was immediately kind of what the thought process was for me about a use case for this that I could potentially use. Just run that in a Kubernetes cluster and then make it accessible. Because I do check my news everywhere because I want to keep up to date. So that's always important. Yeah, and that's a really good use case for it. You have your news feed, your RSS news feed which turns out by coincidence, me and Jay and I actually see Veronica in here. Veronica mentioned she's using a news reader and did a video on it. I think she uses, is it called News Boat? Yeah, and me and Jay picked by coincidence the same one which is called, what is that one called? Fresh RSS. We're both been testing it ourselves and putting our news in there. And this is a good use case because this is something you may even want to be publicly accessible. And when I'm done with setting mine up, I might make mine publicly accessible at least for people say, hey, Tom, where do you get all your Linux and tech and security news from? I can share with you exactly where I pull it from because it's just a public feed. It's just me aggregating a groups of public feeds into one news reader. Making this publicly available also means, like Jay said, I want to read my news wherever I'm at and when I find myself somewhere where I'm bored because I'm stuck somewhere, I want to be able to pull up my phone, have my own news feed, not only have to worry about a VPN and then I can easily share it with others. That being said, why would you do this over a reverse proxy such as HAProxy, Jay mentioned? Well, one of the other things is this doesn't expose my public IP address at all. So you only ever see Cloudflare's IP address. Now, let's swing over to the security side of this because I think this is a really cool feature too. Cloudflare lets you add rules, go back to something easy like UptimeCuma or even RSS feed. I can make a public RSS feed, but maybe I don't necessarily want just anyone to blanket have access to it like a bot that's just wandering the internet and it finds this particular site I linked. One of the things that Cloudflare does is it lets you build rules around this. You can do IP restrictions. You can say only these IP addresses, you can get granular with that, but even cooler, you can say things like require email registration. And what that will do is when they hit the site, Cloudflare is intercepting and going, nope, you can't see this site unless you give me an email and we're gonna email you a link. And that link is basically like a magic link that's gonna set a cookie that sends it to that person's email and then boom, lets you proceed to whatever site. That's just one of the included features. You can also do restrictions, for example, say only people at this certain domain. And I use that as an example when I did my tutorial because I said, what if I wanted to restrict, like I want to make something publicly available, but only to people who work at a certain company and have access to that email. So I said domain at laurancesystems.com as long as they have whatever email address at that domain and you can filter, you can have multiple domains, you can have specific emails are allowed to do this. These are different methodologies by which you can restrict unfettered access. You can also put some other restrictions around it like username and password, even though the service may not offer it, you're allowing Cloudflare to handle some of that. Now, besides the annoyance of when your public IP address is exposed, as Jeff Gehrling will attest to in all the DDoS scene that comes with it, you're actually on the upstream from Cloudflare getting some of that DDoS protection. But by the way, also watch Jeff Gehrling's videos on DDoS protection, because they're great. I think he stopped making them because I think every time he made them, he got DDoS'd again. I think they just wanted to make more videos, but that does have to be a real concern. Yeah, that's my theory at it. Well, I mean, it is a symbiotic relationship, right? If someone does that and then someone mentions that in the public and the clear, then that just gives them more incentive to keep doing that because they got a minute in the spotlight, so. Yeah, so it's kind of a... Steve Gibson too. Yeah, Steve Gibson, he got hammered for a little while too. So by having some of this behind Cloudflare, Cloudflare being one of the biggest DDoS protection sites out there, this gives you a really solid advantage of having that already. And it's just one of those services, like even though it's so dependent on Cloudflare and everything else, the fact that they're offering it for free, it's kind of a loss leader upsell at the other side of it too. If you, from a business standpoint, why would Cloudflare do these nice things for all of us home labbers? Well, it's not for us home labbers. Businesses have the same use case. Businesses want to expose applications, but they want to put restrictions on it. But maybe the application they want to expose doesn't offer good restrictions, such as limiting access to a certain domain of people registering via email. Cloudflare's an easy way for companies, instead of having to develop or add these features to their application, they can expose their application with a level of confidence that one is going to be protected from people without that domain access, and it's going to be more resilient to potential DDoS problems and saves them from sticking it in a larger data center. Because once you start going to the data center route to do some of these things, you start talking about, oh, okay, I want this on there, but now I want to beef up my data center and build a load balancer in a Kubernetes cluster and everything else. And while that's fun for a project, when you hit the real world, it's not that those things aren't used in the real world, you have to think about how much those things cost. Because when you build a dozen servers in the cloud, well, that has an expense to it that maybe or maybe not you don't want to bear. And this is where for businesses, they have really inexpensive packages. That's kind of like why it's free. But it's still a good offering and one of the reasons I want to bring it up, is if you are just looking for the turnkey solution to getting everything we mentioned done, Cloud Start just makes it so simple to do. I'm calling it now. The whole homelab movement is going to just explode in the next couple of years and some really amazing solutions are going to come out of that. I know this isn't just for homelab people, just like you were saying, but I think another thing is that they, the fact that they're putting this out there for free gets people talking about it. I mean, we're doing this podcast. So I mean, there's all kinds of public exposure that they get for this, for doing that. So I'm sure that's part of it. Yeah, it could be less because there's several YouTubers have all done videos on this topic. Someone asked if Cloud Fair was sponsoring a lot of this. They're not. You know, Linode is still the sponsor of this video. It's just one of those things, Cloud Fair came out with it and any of us who work with the homelab people going, man, that's easy. By the way, our friend, DB Tech, he's got some videos on this as well. He's worked with this commercially a lot. And so he worked with this on the business side, not his YouTube channel, but some of the businesses he's helped support is build this out and work with Cloud Fair. So it's got a lot of commercial usage as well. Definitely a great service. Now, kind of related here, and I put this in the show notes is going to be the other episode, which is going to be show number 51. And show number 51, we covered zero tier global area networks, SD-WAN network overlays. There's always this kind of conflation people ask about network overlays and this. It seems to pop up quite a bit. Could you do this with something like tail scale? Kind of. It would take a little bit of actual rule writing to try to make it work. It's not what it was designed for, but overlay networks are another way that you can dynamically have a changing IP without opening any ports, but be able to get to other services. And those services could be, for example, you have tail scale on your system and you want to run tail scale on a Lenovo instance and get your data out there publicly. There's ways to make that work a little bit more complicated, like I said, but it's not exactly the same because overlay networks are not exactly, but can be kind of worked into being like a reverse proxy. So I'll at least mention it as an option on there. I'll even go a step further and just say that that might just be something solvable by just having a separate management network where let's just say you had some servers in Lenovo that are not publicly accessible and you don't want them to be and you could have tail scale or something like that to bridge your local resources to Lenovo out in the cloud on a separate network. And then the front end network could just be the one that you expose through that tool. So you could basically use, I would assume anyway, correct me if I'm wrong, use both by just having each one on a different interface. There's ways to do that. And I'll mention something else because these are a couple of nefarious ideas I've had. I didn't bring them up in my video, but because Veronica threw in the other word shadow IT, that word has a lot of meanings. And sometimes it is because users have access to things. So users will do things. Your overlay networks and my friend Xavier who does penetration testing and cybersecurity for very, very large companies has actually found they don't have much defense yet. They're still getting better at it from people doing shadow IT. What that means is we have an IT department at this large XYZ company, but a user who watched the homelab show realized he could bring a Raspberry Pi to work and have access to his home or have access to things that are in that network because the IT people said, no, we will not open a firewall for you. And he says, well, this Raspberry Pi will give me access to my local computer and I will broker the connection out to Cloudflare. Now, here's the thing. The reason it's called shadow IT is because it's operating in the shadows. You didn't notice it was happening here. You're probably thinking, well, don't corporate networks have the way to detect all these things. Not as much as you think because Cloudflare being Cloudflare is a very trusted source. So it's not going to some weird nefarious place. It's going to Cloudflare. And so could you use this to access things at work? Yes, yes, it's likely. So that is where the term shadow IT comes in. It's also a good learning experience both for the IT department that goes, how are they getting in? For the internal users is evasion. I don't recommend this. This could be putting your job in jeopardy. But yes, this is definitely where I think we're going to see in the future. There's going to be at some point a debrief that we read from a security incident at a large company. Maybe not caused by a person but maybe these were the same tools used because they absolutely could be used for the wrong reasons to go through and expose anything in a large corporate network. My friend, he's actually added this to his red teaming because he says it's shocking how many things just don't detect it because they're popular services. They're going to Cloudflare. He goes, they're not going to notice this and he wasn't wrong. Thanks for a great red team report. Yes. Yeah. I liked that someone says you'd have IT policies that would prohibit use of equipment in this way. I absolutely agree with you that there's a policy that undoubtedly exists at every company that says don't do it. Someone who manages IT, users, one, I don't think they've read the handbook. There's HR departments for a reason and they're handling people who use things in ways you didn't expect or clearly violating terms and maybe that caused their termination. So I'm not recommending anybody do this at all but I will mention that, oh, I'm positive it's happening. So. I'm sure. I mean, generally speaking, I feel like companies can always do better understanding what's on their network. I think that's the reason why penetration testers exist and analysts exist because there's things that they don't catch. I mean, famously there was a story where somebody at work, a developer was outsourcing their job to someone in another country for probably over a year, I don't know how long but a very long time and they never caught on until a random audit like some time later. And for an entire year, this person is getting away with it, but of course the person was caught. So it happens eventually. So people can't get away with it forever. You can always get away with it until you don't. And then when you don't, well, that's when you have a hard realization that they finally decided to look at the firewall. And unfortunately you are on it. Yeah. Yeah. You know, I'm curious if any of us, I realized I have a few people that work Red Team that follow if any of you have used this. I know Xavier has mentioned it before. I haven't talked to him recently but he uses some of these tools too he's actually shocked at some of these consumer-level tools that just pass right through corporate firewalls but they kind of will because they're, like I said, it's Cloudflare. Cloudflare traffic isn't suspicious traffic. It's not like some, ooh, nefarious command and control server that's on a blacklist here that we've triggered on in our security team. No, it's, oh, Cloudflare traffic. Yeah, Cloudflare traffic happens every day. Half the sites are, so many sites are protected by Cloudflare. It's not an easy, you can't just block Cloudflare. You'll break part of the internet. They're not just big. They manage part of the internet is hitting a lot of Cloudflare servers. But nonetheless, we love hearing from you. This was a fun episode. Do you have anything else to cover on this? I think it was like, it's a little bit shorter of a topic but I think we- No, I think this is a good foundational topic. I do wanna mention the OpenStack series debuts today on the channel. Oh, yes. So just wanted to throw that out there for anyone that wants to get started with that. A new episode will be out every week and there's gonna be six episodes total. Yeah, this is, we've talked before and we're gonna do some of the more announcements that we have here. Like Jay's got his, that series, but Jay's also got his Bash series, which is already out. So that's definitely another great series if you wanna get started with Bash. So we're gonna try and break these out till a few more segments where we have some of the news and topics that are direct interest here to the HomeLab. Things that we're doing, the other educational things that you can just get started with. And if you don't know Bash, go over there and learn it, man, it's awesome. I actually, I started watching it because Jay's production value has gone up really good. First, I started to go- It's gone up again. It's gone up again. But it's like I watched you because I wanted to see the latest things he was doing. I got actually drawn in. I'm not gonna lie to you, your Bash series is really good. So now I, there's a lot of gaps I had and more so than I knew. So even if you already think you know Bash, even if you've been doing Linux for 20 years, I might say go watch that because you're gonna go, oh, yeah, you can do that. So it's definitely pretty cool. Yep, that was a lot of fun to produce. I think it was probably filmed four or five months, maybe even six months before it even saw the light of day. So sometimes these things take a while, but what I think people are gonna notice is that the production quality is going to go up again, but it's gonna be hit or miss at first because I always have those dozen or so videos that were recorded before I made a change. So sometimes you'll see the new camera and then sometimes I'll put out a new video that looks like it was from months ago and it probably was, but when those age out and we only have new footage, it's going to look really great. Yeah, so it's pretty exciting. This is some of the stuff we talk about behind the scenes. We've joked about recording some of our behind the scenes and it's mostly me and Jay rambling about technology and video editing stuff. So I don't think it really interests the homeland people as much, but nonetheless, our production quality is increasing so we can increase how much training we're able to offer for free via YouTube, the trade of watching a few dumb ads to, or if you pay for YouTube premium, you don't have to watch those dumb ads. You watch a few dumb ads, listen to a couple of sponsor reads and you get a lot of great training. So that's a near and dear to me and Jay's heart on here. We love hearing back from you feedback at the homelab show. We've had that up on there. We want to get this to be regular. We want to hear what you want us to talk about. What are the challenges you might be having in your homelab? And we're gonna probably next week cause a few of you started sending in questions and we're gonna, we're pouring through them. We have a form on our website if you don't want to give your email just throwing it out there. But we also realized some people didn't want to fill out a form, they'd rather send an email. Now we've got both options covered. So we can talk about how you need help in a homelab and other show discussion topics you'd like to see. Thanks everyone for joining. Have a wonderful day.