I finally understand Cloudflare Zero Trust tunnels

I finally understand Cloudflare Zero Trust tunnels (david.coffee)
from artifex@piefed.social to selfhosted@lemmy.world on 16 Nov 21:42
https://piefed.social/c/selfhosted/p/1482339/i-finally-understand-cloudflare-zero-trust-tunnels

Everything you wanted to know about using Cloudflare Zero Trust Argo tunnels for your personal network. For those like me who were still confused even after reading the article, I think this is the lowdown:

ZT tunnels let you expose private resources/services to the internet (or your users) via Cloudflare’s edge network. You install cloudflared on an internal host, and register a “tunnel” so that requests to a hostname or IP get forwarded securely into your network (similar to tailscale).
Unlike classic VPNs (which open full network access) or traditional Cloudflare tunnels (which merely publish a service), this approach adds granular access control; you can define exactly who can access which resource, based on identity, device posture, login method, etc.
It also solves NAT/firewall issues often faced by P2P-based overlays (e.g., Tailscale) by routing everything through Cloudflare’s network, avoiding connectivity failures when peer-to-peer fails.

For in-browser auth you can then use Cloudflare Access, or you can install the cloudflare Warp client which is a VPN-like thing that would give you full control over the access to whatever service(s) you were exposing this way.

#selfhosted

threaded - newest

q7mJI7tk1@lemmy.world on 16 Nov 22:31 next collapse

I only started using Cloudflare tunnels recently, but I’m now using the self hosted alternative Pangolin on a VPS for private services, and I keep the Cloudflare tunnel for public web hosting, i.e WordPress. This also allows easy restriction to the WordPress login page for other users via Google auth etc which is something very simple with CF.

Having split up my private/public services to seperate tunnels also means I don’t stand the chance of taking the public services offline with my constant tinkering of Pangolin and the VPS it runs on.

I have pushed the CF tunnel for file transfers occasionally (which is against their terms), but it hits remarkable speeds for a ‘free’ service.

WalnutLum@lemmy.ml on 17 Nov 14:30 collapse

For those interested:

Pangolin

helix@feddit.org on 17 Nov 00:27 next collapse

I don’t trust cloudflare, especially not with stuff like zero trust. They’re a terrible company and I think they should fail.

lIlIlIlIlIlIl@lemmy.world on 17 Nov 02:38 collapse

Would you be willing to share more about your position? I’ve been happy with their service, but want to be fully informed about who I’m doing business with

Technus@lemmy.zip on 17 Nov 02:53 next collapse

Could start with the fact that they go down about once a month now and take half the Internet with them.

Holytimes@sh.itjust.works on 17 Nov 09:56 next collapse

That’s less a problem with cloud flare it self and more just a issue of anything the scope and scale of what they have become. Even a better company would face the same issues.

It’s fair to argue that they we should spread things out more to make them more resilient.

But that’s more a knock against centralization than the service at hand. It’s also fair to show that they’re good enough that they were able to reach this point. Or more accurately. Everyone else was worse so they reached this point.

It always feels like blaming cloudford at this point is much like blaming the horse for its Rider.

lIlIlIlIlIlIl@lemmy.world on 17 Nov 13:45 collapse

Ah OK, so when you said “terrible company” you meant performance? I’ve had great performance with them so far fortunately

helix@feddit.org on 17 Nov 17:59 next collapse

For me it’s reliability and generally scummy business practices.

They protect scammers and sell big data centres solutions that protect from DoS attacks 🤡

Technus@lemmy.zip on 17 Nov 18:32 collapse

I wasn’t the original person that replied.

Sunny@slrpnk.net on 17 Nov 15:15 next collapse

This read is a good start:

マリウス.com/thoughts-on-cloudflare/

deltapi@lemmy.world on 18 Nov 03:05 collapse

Looks like a totally legit domain. Much trusting.

helix@feddit.org on 17 Nov 17:58 collapse

They’re protecting scammers and other bad actors, their infra is run by junior DevOps “engineers” and every now and then they find another way to fuck half the internet.

They’re part of what’s wrong with USA-centric hosting nowadays.

Others posted good articles and thoughts aswell :)

[deleted] on 17 Nov 14:28 next collapse

tenebrisnox@feddit.uk on 17 Nov 15:51 next collapse

I’m interested to know if anyone is using a Cloudflare tunnel to stream audio? It breaks their terms but I’ve read that they tend to ignore it.

deltapi@lemmy.world on 18 Nov 03:03 collapse

I run audiobookshelf through it and it works flawlessly.

GreenKnight23@lemmy.world on 18 Nov 03:38 collapse