This is post number 9 in my 100 Days To Offload challenge. View all posts or subscribe via RSS.

Traditionally, I’ve exposed my homelab directly to the internet.

I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.

The downside of this is that you need to expose a server to the internet, which exposes your IP, and you need to harden said server adequately.

While I haven’t run into any issues, I know others who have, so I’m still wary.

There are a few neat solutions to avoid exposing your IP. The most common is putting a VPS in front of your home server and proxying requests down over a VPN like WireGuard. Alex Ellis' project inlets is a great way to automate this: you can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.

I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.

I’ll spare you the setup details, as the documentation is excellent. If you want to take a look at my configuration in Kubernetes, my cloudflared deployment YAML is available here.

I had a few issues after first setup. I initially had cloudflared proxying to http://ingress-nginx-controller:80, which caused Authelia redirection to fail. I fixed this by proxying to https://ingress-nginx-controller:443 and setting noTLSVerify: true.
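To make the fix concrete, here is a cloudflared config.yaml showing the HTTPS origin with TLS verification disabled. This is an added example, not the deployment YAML linked above; the tunnel UUID, credentials path and hostname are placeholders.

```yaml
# Added example: cloudflared tunnel configuration (config.yaml).
# <TUNNEL-UUID> and the hostname are placeholders, not values from the post.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Proxy to the in-cluster ingress-nginx service over HTTPS (port 443)
  # rather than HTTP (port 80), so the ingress sees an HTTPS request and
  # redirects (e.g. from Authelia) are generated with the right scheme.
  - hostname: app.example.com
    service: https://ingress-nginx-controller:443
    originRequest:
      # ingress-nginx presents a certificate that is not valid for the
      # in-cluster service name, so cloudflared is told not to verify it.
      noTLSVerify: true

  # Catch-all rule: cloudflared requires the last ingress entry to have no
  # hostname, and anything not matched above gets a 404.
  - service: http_status:404
```

A note on the trade-off: noTLSVerify keeps the hop from cloudflared to the ingress encrypted but removes authentication of the origin, so it only makes sense when both run inside the same trusted cluster network. If you would rather keep verification, cloudflared's originRequest block also supports originServerName (the name to validate the certificate against) and caPool (a CA bundle to trust), which let you point it at a proper certificate on the ingress instead.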

The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain or a wildcard domain: requests to my.domain or *.my.domain failed. The fix here was to set up a Cloudflare load balancer, which then routes traffic to my tunnel.

The infrastructure now looks like:

I no longer expose my IP, and I have closed most of the open ports into my network. All in all, a neat solution!

Do you proxy your homelab via a tunnel? Why/why not? Let me know via email: blog <at> hu <dot> md, or via Twitter.

Looking for something related to read? Check out Nicholas Whittaker’s post: Live previewing Hugo sites with Cloudflare Tunnel.