I’ve seen a post on here before about Cloudflare tunnels being unsafe for exposing your locally hosted services to the web, which I totally get.

However, I’m a bit of a noob with complex VPN setups and I tried to get WireGuard working in Docker but couldn’t. I got a tunnel configured and exchanged all the peer keys and things, but I think my initial networking docker-compose stack was possibly incorrect. Also the Windows client for it is a bit ugly, but that’s by the by.

I’ve also used Tailscale in the past, which is great, but it feels like a temporary solution to me as you still have to remember ports and things (there may be a way around that if I remember correctly, but I’d rather stay away from Tailscale. I prefer having control myself or through my domain name - probably illogical I know).

Instead I decided to try to protect the Cloudflare tunnel to my home network and I’ve made a policy in Cloudflare Access that won’t let you in without emailing you a code (only my email address works) and having you enter it. I’d also rather adjust that to my 2FA app but I can’t seem to get that to work here.

My question is: is that secure enough? And if not, what would you all suggest as an alternative (preferably an alternative that is pretty easy and means I can use my domain name)?
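One concrete way to answer "is the Access policy actually doing anything?" is to request the protected hostname without a session and see what answers: Cloudflare Access, or the application behind the tunnel. The script below is an added example, not something from this thread; it assumes the documented Access behaviour that an unauthenticated request is redirected to the team's `cloudflareaccess.com` login page (or answered 401/403 for non-browser clients), and treats a 2xx from the origin as "policy not applied to this request". The sample responses in `SAMPLES` are constructed for offline use; `check_hostname()` does the live probe.

```python
"""Check whether a hostname served through a Cloudflare Tunnel is gated by Cloudflare Access."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: Access answers an unauthenticated request with a redirect to
# https://<team>.cloudflareaccess.com/..., or with 401/403 for API-style
# clients. A 2xx from the application itself means the policy did not apply.
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"


def classify_access_response(status, headers):
    """Map the first-hop status and headers to one of:
    protected-redirect, protected-forbidden, exposed, unknown."""
    lowered = {k.lower(): v for k, v in headers.items()}
    location_host = urlparse(lowered.get("location", "")).hostname or ""
    if status in (301, 302, 303, 307, 308):
        if location_host.endswith(ACCESS_LOGIN_SUFFIX):
            return "protected-redirect"
        return "unknown"  # some other redirect, e.g. the app's own login page
    if status in (401, 403):
        return "protected-forbidden"
    if 200 <= status < 300:
        return "exposed"  # the origin answered; no Access challenge happened
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_first_hop(url, timeout=10):
    """Return (status, headers) of the first response without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "access-policy-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # raised for unfollowed 3xx and for 4xx/5xx
        return err.code, dict(err.headers)


def check_hostname(url):
    """Live probe: classify what an anonymous client gets from `url`."""
    status, headers = fetch_first_hop(url)
    return classify_access_response(status, headers)


# Constructed sample responses (not captured from a real host) for offline runs.
SAMPLES = {
    "access-login-redirect": (302, {"Location": "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/home.example.com?kid=PLACEHOLDER"}),
    "app-own-login-redirect": (302, {"Location": "https://home.example.com/login"}),
    "service-token-rejected": (403, {"Content-Type": "text/html"}),
    "app-answered-directly": (200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:24s} -> {classify_access_response(status, headers)}")
```

Run `check_hostname("https://home.example.com/")` against every hostname and path you publish through the tunnel, not just the landing page: an Access application is scoped to a domain and path, and a subdomain or path outside that scope is exactly the "exposed" case the classifier flags. A redirect to the app's own login page is deliberately reported as "unknown" rather than "protected", because that means the app, not Access, is doing the gatekeeping.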

  • atheken@alien.topB · ↑ 0 · 1 year ago

    This is basically my config:

    services:
      wireguard:
        container_name: wireguard
        image: weejewel/wg-easy
        volumes:
          # persists server/peer keys and generated client configs
          - ./data/wireguard:/etc/wireguard
        environment:
          # DNS handed to clients; here the pihole container
          - WG_DEFAULT_DNS=192.168.10.3
          # public hostname written into generated client configs
          - WG_HOST=public.example.com
        env_file:
          # holds the admin UI password, kept out of the compose file
          - ./env/wg-easy.secrets
        ports:
          # WireGuard itself; only UDP is actually used
          - 51820:51820/udp
          - 51820:51820/tcp
        expose:
          # admin UI: reachable by other containers only, not published on the host
          - 51821
        restart: always
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        depends_on:
          - pihole
        sysctls:
          - net.ipv4.ip_forward=1
          - net.ipv4.conf.all.src_valid_mark=1


    In my case, I reverse proxy port 51821 through caddy to configure clients (with Authelia in front of it), but you could expose it internally only if you want to prevent that interface from being publicly accessible.

    Note that public.example.com needs to be replaced with your connection’s public dns hostname (you can use something like duckdns for this if you want), and that you need to expose 51820 on your firewall/router. In my example above, 192.168.10.3 is the IP for pihole, and resolves some internal hostnames. You should look over the config provided once you set up a client and make sure it uses accessible hostnames, etc.

    I don’t think there’s any specific reason to worry about using cloudflare tunnels over any other VPN solution, and if your connection uses CGNAT, you might actually need something that tunnels out to a central hub.
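The point of keeping 51821 under `expose` rather than `ports` in the config above is that the wg-easy admin UI (which can create and download peer configs) never gets a listener on the host's public interface. The checker below is an added example, not part of the post or of the wg-easy project: it takes a compose service as a plain Python dict (the posted service is re-typed inline as `POSTED_SERVICE`) and reports the exposure mistakes a reviewer would look for. It assumes wg-easy's `PASSWORD` and `WG_HOST` environment variable names and does not handle IPv6 bracketed host addresses in port mappings.

```python
"""Audit a wg-easy compose service definition for common exposure mistakes."""

WG_PORT = "51820"        # WireGuard listener; UDP only
ADMIN_UI_PORT = "51821"  # wg-easy web UI; should not be published on the host directly


def parse_port_mapping(entry):
    """Parse compose short syntax ("8080:80/udp", "127.0.0.1:8080:80", "80")
    into (host_ip, host_port, container_port, proto). IPv6 "[::]" forms are not handled."""
    text = str(entry)
    proto = "tcp"
    if "/" in text:
        text, proto = text.rsplit("/", 1)
    parts = text.split(":")
    if len(parts) == 1:   # "80": random host port, all interfaces
        return ("0.0.0.0", None, parts[0], proto)
    if len(parts) == 2:   # "8080:80": fixed host port, all interfaces
        return ("0.0.0.0", parts[0], parts[1], proto)
    return (parts[0], parts[1], parts[2], proto)  # "127.0.0.1:8080:80"


def audit_wg_easy_service(svc):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    published = [parse_port_mapping(p) for p in svc.get("ports", [])]

    for host_ip, host_port, cport, proto in published:
        if cport == ADMIN_UI_PORT and host_ip in ("0.0.0.0", "", "::"):
            findings.append(
                f"admin UI port {ADMIN_UI_PORT} is published on all interfaces "
                f"({host_ip}:{host_port}); keep it under 'expose' or bind it to "
                f"127.0.0.1 and put an authenticating reverse proxy in front"
            )
        if cport == WG_PORT and proto == "tcp":
            findings.append(
                "51820/tcp is published but WireGuard only speaks UDP; "
                "drop the TCP mapping to shrink the exposed surface"
            )

    if not any(c == WG_PORT and p == "udp" for _, _, c, p in published):
        findings.append("no UDP mapping for 51820; WireGuard peers will not be able to connect")

    env = svc.get("environment", {})
    keys = set(env) if isinstance(env, dict) else {str(e).split("=", 1)[0] for e in env}
    if "PASSWORD" in keys:  # assumed wg-easy variable name for the admin UI password
        findings.append("admin UI password is inline under 'environment'; move it to an env_file")
    if "WG_HOST" not in keys:
        findings.append("WG_HOST is not set; generated client configs will not point at your public hostname")
    return findings


# The service from the post above, re-typed as a dict (constructed for this example).
POSTED_SERVICE = {
    "image": "weejewel/wg-easy",
    "environment": ["WG_DEFAULT_DNS=192.168.10.3", "WG_HOST=public.example.com"],
    "env_file": ["./env/wg-easy.secrets"],
    "ports": ["51820:51820/udp", "51820:51820/tcp"],
    "expose": ["51821"],
}

if __name__ == "__main__":
    for finding in audit_wg_easy_service(POSTED_SERVICE) or ["no findings"]:
        print("-", finding)
```

Against the posted service the only finding is the redundant 51820/tcp mapping; if you had written `- 51821:51821` under `ports` instead of `expose`, the admin UI finding fires. Binding the UI as `127.0.0.1:51821:51821` is treated as acceptable, since only a proxy on the same host can reach it.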

  • superglue_chute115@alien.topB · ↑ 0 · 1 year ago

    One thing to keep in mind when using CF tunnels is that Cloudflare can see all of your server’s traffic. If your goal is privacy, I recommend staying away.

    • Boomam@alien.topB · ↑ 0 · 1 year ago

      I wish people would stop making this statement.

      There’s a difference between “seeing traffic” and “being able to understand what it is and do something about it”.

      • KN4MKB@alien.topB · ↑ 1 · 1 year ago

        Brother, there is no difference. I think you are confused. They can “understand your traffic and do something about it”: it’s unencrypted, and you agree to a fairly strict terms of service that allows them to basically do whatever they like. Maybe you should read the agreement, and if you’re using the tunnels, maybe turn them off until you understand your security posture and the exposure of your network.

  • MyTechAccount90210@alien.topB · ↑ 0 · 1 year ago

    Cloudflare is as safe as you design it to be. Once your tunnel is set up, you configure an Access app and set up whatever rules you want. For me personally, for ultra-protected stuff like my proxmox management, I require WARP to be in use and then an email MFA code. Along, of course, with my proxmox login.