Secure Cloudflare Tunnels with vLANs and an Internal Firewall Before It’s Too Late!
“Jim’s Garage”
Shoutout to @christianlempa
Cloudflare Tunnels are great, but they come at a cost. Cloudflare sees all of your data, and if you’re not careful you’ll only have a single layer of defence in your network. In this video I show you how to reintroduce some of those layers by segmenting your…
You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!
I hope 5 Months on you progressed a little towards a "Makro YouTube Career" 😇🤪
Can you please elaborate on why we needed to do this? The Cloudflare tunnel only communicates to your Portainer instance at 192.168.200.X anyway, no?
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik.
All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring.
Is there a flaw in my understanding of these bridge networks?
Any chance you know how to add the macvlan when docker is running rootless?
Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for.
I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) .
Do you know of a solution that is halfway user friendly (as near to plug and play as possible)?
Thanks a lot!
My biggest complaint with all the "How to" videos is the fact that no one talks about TLS and the importance of the Origin cert.
Thank you, exactly what I was looking for! Great info and points here!
Can I ask something?
If I run the docker-compose with the macvlan configuration, the Cloudflare tunnel will be down.
Is that right?
Dude, awesome video. I know it’s lots of work, but could you make a tutorial on implementing this in a CasaOS environment? I have one server with all my apps and I want to set another one to run firewall tunnels and monitoring. As I’m not a security professional I need more details on it lol. If you can point me to a tutorial or create one, that would be amazing.
Thanks for the information. I just started using CF tunnels, so this was really good knowledge to gain.
When you say you're punching a hole in your home security, do you understand that no one has any security other than whatever standard stuff is included? And I don't even know if anything is included in macOS by default.
Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?
Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container
I love the video, but I can't seem to match up your process with my pfSense fw.
Thank you! ❤🍕
But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also??
I’m confused. What to do? Where to start? And end?!
Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation.
Well done, sir.
Christian is doing some very good work, but so do you, James. Clear videos, also the good stuff I want to learn.
How would you set something similar on a cloud where you don't have the possibility to filter the traffic between devices (like hetzner)?
Any way to achieve something similar with subnets?
Hide secret information (token) from envs to secrets:
config.yml
tunnel: 8…2
credentials-file: /etc/cloudflared/token.json
ingress:
  - hostname: someservice.example.com
    service: https://traefik
  - service: http_status:404
token.json
{
  "AccountTag": "8…d",
  "TunnelSecret": "Z…Vk",
  "TunnelID": "8c…02"
}
cloudflared tunnel token --cred-file ~/token.json 8c-tinnel-id-ca02
and finally
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      - ./config.yml:/etc/cloudflared/config.yml:ro
      - ./token.json:/etc/cloudflared/token.json:ro
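A fuller compose file that combines the file-based credentials above with the video's idea of putting cloudflared on its own VLAN behind the internal firewall, added here as an example (not code from the video or from the comment above). The parent interface enp6s18.4, the 192.168.4.0/24 range, the static address 192.168.4.10 and the Traefik hostname are assumptions to adjust for your own network.

```yaml
# Added example (not from the video or the comment above): cloudflared on its own
# macvlan network, reading credentials from mounted files instead of a token env var.
# Assumed values: parent interface enp6s18.4, the 192.168.4.0/24 range, the static
# IP 192.168.4.10 and the Traefik hostname in config.yml; change them to match your setup.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      - ./config.yml:/etc/cloudflared/config.yml:ro   # tunnel id, credentials-file, ingress
      - ./token.json:/etc/cloudflared/token.json:ro   # credentials stay out of `environment:`
    networks:
      tunnel_vlan:
        ipv4_address: 192.168.4.10   # fixed address so one firewall rule can match it
    restart: unless-stopped

networks:
  tunnel_vlan:
    driver: macvlan
    driver_opts:
      # Docker treats "iface.VID" as an 802.1Q sub-interface of iface and creates it
      # itself (here VLAN 4 on enp6s18), so the container sits on that VLAN rather
      # than on the host's untagged LAN.
      parent: enp6s18.4
    ipam:
      config:
        - subnet: 192.168.4.0/24
          gateway: 192.168.4.1          # the firewall's interface on the tunnel VLAN
          ip_range: 192.168.4.8/29      # small pool so Docker never collides with DHCP
```

With the container pinned to 192.168.4.10, the internal firewall only needs one allow rule (that address to the proxy's VLAN on 443) and can deny everything else leaving the tunnel VLAN, which is the extra layer the video adds.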
Excellent tutorial regarding added security. I’ll be adding macvlan to my setup soon. I might also add 2FA and SSO using Authelia.
Very interesting video. Now I have to figure out how to set this up without Docker, as I installed the CF tunnel for a Jellyfin service hosted on my Proxmox server. I wonder if the Proxmox firewall could also be used for this. 🤔
Why is the parent interface enp6s18.4? What's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a VLAN ID. How is this a VLAN?
If it's an HTML-only website, should I be fine without securing the tunnel?
I have an internal reverse proxy (traefik) that routes all of my internal hosts by name
i.e:
proxmox.local.home.lan
docker.local.home.lan
portainer.local.home.lan
Which is great as I don't have to put in port numbers or anything and everything all the time is https even inside my network.
Is it more secure to point my cloudflare tunnel at one of those?
In other words I would like to set this up exactly as you have outlined here (great job by the way) but not go to the actual server, just go to my internal proxy. Is this better? Does Cloudflare still see my traffic this way?
Very good and important content! Thanks for making this video.
Nice idea, but still, all traffic going through the Cloudflare tunnel will also be readable by Cloudflare. Cloudflare tunnels act as a man in the middle. The subdomain from the subnetwork might not be available to others, but it's available to Cloudflare.
I too use an XG firewall; I have the CF tunnel working with Nginx. Unfortunately, when I put the tunnel on its own VLAN the tunnel now reports the error "TLS handshake timeout, cannot reach origin server". I have the firewall rule set up to allow traffic from the tunnel VLAN to the NPM VLAN just like the video. I can ping my Nginx proxy from the tunnel VLAN. Not sure why it's not working when they are on separate VLANs.
Like the way you explain everything in your videos. Keep up the good work.
Just implemented this for my Cloudflare tunnel. Great content, so easy to understand!