Setting up your own VPN can be complex

In this post, I went through how I set up WireGuard to be able to connect back to my home network when on the road. When it comes to choosing a VPN, WireGuard stands out for me in terms of speed, security and ease of configuration. However, there are a few complexities associated with setting up any VPN to securely connect back to a home network.

Firewall configuration

For many, firewall configuration on a home router is unnecessarily complex, and some users' home networking equipment doesn't offer this functionality at all.

Restricted outbound ports

Some public Wi-Fi networks are choosy about which outbound ports are allowed. This means that outbound access back to your VPN endpoint won't be possible unless your VPN is listening on a common port such as TCP/443 or UDP/53.

Carrier Grade Network Address Translation (CGNAT)

My backup internet connection uses a 4G mobile network. Like a lot of mobile carriers, this ISP uses CGNAT, which means you can't address anything on the home network from the internet because you aren't allocated a public IP address. So there is no public-facing IP address on which a VPN could listen for connections.

Cloudflare Tunnels are a useful VPN alternative when you have a service running on your home network that you want to access over the internet while on the road. They work by creating an outbound tunnel to Cloudflare, which means that the VPN limitations listed above don't apply.

Using Cloudflare Tunnels as an alternative to a VPN at home

Cloudflare Tunnels allow you to access applications on a private network without configuring your firewall to accept inbound traffic. This is achieved by running an instance of the Cloudflare connector, cloudflared, inside your home network; it creates an outbound connection to Cloudflare to set up the tunnel. With the connector running, all that remains is to configure the application access from within the Cloudflare dashboard.

Cloudflare Tunnels aren't a VPN alternative if you need to route all internet traffic back through your home network to mitigate the risks of using public Wi-Fi networks. If this use case applies to you, you'll still need a VPN to ensure that all your internet traffic is sent through an encrypted tunnel.

This diagram shows a simple setup with a web application which is hosted internally, on a home network using a Cloudflare tunnel:

[Image: Cloudflare Tunnel Diagram]


Key Considerations

There are some key considerations and prerequisites that should be understood before opting to set up a Cloudflare tunnel:

Adhere to other security principles

You need to make sure you combine exposing an application through the tunnel with the right security measures. For example, use complex passwords and admin accounts other than the defaults the application ships with. Cloudflare also provides a mechanism to restrict access to your applications to certain users, which is often a very good idea.

It’s not a VPN

As discussed earlier in this post, Cloudflare Tunnels aren't a substitute for a VPN if you're using an unencrypted Wi-Fi network or hotspot and want to ensure that none of your traffic is sent unencrypted.

Additional configuration for some types of application

Configuring SSH and RDP to work over a Cloudflare tunnel is possible, but it is a bit more complex than exposing a web application.

Things you’ll need

  • Cloudflare insists on taking credit card information for its Zero Trust services, even if you select the free tier (there is no charge for free-tier services)
  • You need to own a domain and have administrative access to it, so that you can change its nameservers
  • You need to have (or create) a Cloudflare account
  • You need a suitable platform to run cloudflared, such as a Linux box or Docker host

Getting Started

Nameservers

If Cloudflare isn't your domain registrar, you'll need to point your domain at Cloudflare's DNS servers.

To set up a Cloudflare tunnel, log in to the Cloudflare dashboard and click on the Zero Trust link in the left-hand navigation bar. You'll be asked to enter a valid credit card, despite Cloudflare Tunnels being a free service. Your card won't be charged. Once this is complete, you'll be able to create your first Cloudflare tunnel.

[Image: Cloudflare Dashboard]


Choosing an application to make available via the tunnel

Next, we need to think about the application we want to expose using the tunnel. For demonstration purposes, I'll use Docker to quickly start an nginx instance, like this (in a new terminal window):

docker run --name nginx-demo -p 80:80 nginx

This will download the nginx container image and run nginx in the foreground, exposing port 80. The machine running the container will listen on port 80 and forward those requests to the container.

[Image: nginx container running in the foreground]


Creating a Tunnel in the CloudFlare UI

With our application running, we need to set up the tunnel inside the Cloudflare UI. To do this, click on the blue "Create a tunnel" button and provide a name for the tunnel you want to create:

[Image: Create and name a new tunnel]


On the next page you'll be presented with various options for installing the Cloudflare connector into your environment. In this example, I'll go with the Docker container, which I think is one of the easiest methods. The docker command provided will download the cloudflared container image and start cloudflared in the foreground. Copy and paste it into a terminal.

[Image: Select a connector type]


[Image: cloudflared running as a container]


With both our example application (nginx) and cloudflared running as Docker containers, we can move on to the next stage and give Cloudflare the final pieces of required information.

  1. Provide a subdomain entry. In this example, I've used nginx
  2. Select the Cloudflare-registered domain you want to use
  3. Provide an optional path for the application to be exposed at
  4. Provide the location of the service to be exposed. In my example, the nginx container is running on host 192.168.0.101, port 80, so the service is http://192.168.0.101:80
  5. Click "Save Tunnel"

[Image: Final Cloudflare tunnel config]
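The two docker run commands above publish nginx on port 80 of the host, which makes it reachable from every device on the home LAN even though only cloudflared needs to talk to it. The following docker-compose.yml is an added example (not from the original post or from Cloudflare) that runs both containers on a private Docker network with no published port, so the only route to nginx is through the tunnel. It assumes the tunnel token copied from the Zero Trust dashboard is supplied via a TUNNEL_TOKEN environment variable (or a .env file next to the compose file).

```yaml
# docker-compose.yml: added example, not the post's own configuration.
# nginx and the cloudflared connector share a private bridge network and
# nginx publishes no host port, so LAN devices cannot reach it directly.
services:
  nginx-demo:
    image: nginx
    # Deliberately no "ports:" entry. Containers on tunnel-net can reach
    # nginx-demo:80 by name; nothing outside Docker can.
    networks:
      - tunnel-net
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    # Same command the dashboard gives you, minus the --token argument,
    # which cloudflared also reads from the TUNNEL_TOKEN environment variable.
    command: tunnel --no-autoupdate run
    environment:
      # Fail fast if the token is missing instead of starting a connector
      # with no tunnel. Keep the real token out of version control.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN:?set TUNNEL_TOKEN in the environment or .env}
    networks:
      - tunnel-net
    depends_on:
      - nginx-demo
    restart: unless-stopped

networks:
  tunnel-net:
    driver: bridge
    # Not marked "internal": cloudflared still needs outbound access to
    # reach Cloudflare's edge, which is the whole point of the tunnel.
```

With this layout, step 4 in the dashboard uses the container name rather than the host IP: the service location becomes http://nginx-demo:80.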


On the next page, you'll see a summary of the tunnels you have and their individual statuses:

[Image: Final Cloudflare tunnel config]


An easy way to test is to disable Wi-Fi on your mobile (so it is using the mobile network rather than your home LAN) and navigate to the external URL of the service, like this:

[Image: The nginx web page being served via the Cloudflare tunnel]


That's it! You now have a test application available over the internet via a Cloudflare tunnel, without needing to open a port on your firewall or configure a VPN.