Secure Cloudflare Tunnels with vLANs and an Internal Firewall Before It's Too Late!
Рет қаралды 42,163
Күн бұрынShoutout to @christianlempa
Cloudflare Tunnels are great, but they come at a cost. Cloudflare sees all of your data, and if you're not careful you'll only have a single layer of defence in your network. In this video I show you how to reintroduce some of those layers by segmenting your Cloudflare Tunnel on its own vLAN, and then route this traffic through a firewall with IDS and IPS. I also show how to create a Cloudflare Tunnel.
Cloudflare Tunnel Docker Compose:
github.com/JamesTurland/JimsG...
Christian's Video:
• You should NOT use Clo...
Recommended Hardware: github.com/JamesTurland/JimsG...
Discord: / discord
Twitter: / jimsgarage_
Reddit: / jims-garage
GitHub: github.com/JamesTurland/JimsG...
00:00 - Introduction to the "Problems" with Cloudflare Tunnels
01:46 - Summary of how we "Fix" the problem
03:43 - Creating a Cloudflare Tunnel to Demonstrate the Problem
06:12 - "Fixing" the Problem with macvLANs and a Firewall
06:22 - Docker macvLAN Implementation
10:35 - Routing Cloudflare Tunnel Through a Firewall (Sophos XG)
12:34 - Testing It All Works
13:13 - Outro & Summary
@electricitymachine6401 8 ай бұрын
You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!
@Jims-Garage 8 ай бұрын
Thanks, appreciate the feedback
@melaronvalkorith1301 6 ай бұрын
Well said. Getting the scope on a video right can be a challenge, and a lot of creators stay too high level.
@Glatze603 8 ай бұрын
Very good and important content! Thanks for making this video.
@cloud2050 8 ай бұрын
Like the way your explain everything in your videos. Keep up the good work.
@chrisumali9841 9 ай бұрын
Thanks for the demo and info, have a great day
@Jims-Garage 9 ай бұрын
You too, Chris.
@shorshfields 9 ай бұрын
Amazing video, thanks for your work.
@Jims-Garage 9 ай бұрын
Thanks!
@melaronvalkorith1301 6 ай бұрын
Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation. Well done, sir.
@Jims-Garage 6 ай бұрын
I appreciate that! Thanks.
@ARedHerring 9 ай бұрын
Nice video mate. You explained it well and didn't go too far into the weeds. I'm keen to loop through your other videos. Keep making content!
@Jims-Garage 9 ай бұрын
Thanks 👍
@difegam3 18 күн бұрын
Thanks! Nice video a very well explained.
@Jims-Garage 18 күн бұрын
Much appreciated 👍
@t288msd 8 ай бұрын
Just implemented this for my cloudflare tunnel. great content. so easy to understand!
@Jims-Garage 8 ай бұрын
Great, thanks for the feedback 👍
@stevemazza 2 ай бұрын
Thank you for such a clear and succinct explanation. This has been most helpful!
@Jims-Garage 2 ай бұрын
You're welcome
@CTWilliams89 9 ай бұрын
Great video, thank you!
@Jims-Garage 9 ай бұрын
Thanks!
@codecrush_666 2 ай бұрын
Thanks a lot, this is what I was looking for, you did such a great job explaning things clear and precisely, keep up the good work sir!
@Jims-Garage 2 ай бұрын
Thanks 😊
@lossless4129 4 ай бұрын
Thank you, exactly what I was looking for! Great info and points here!
@Jims-Garage 4 ай бұрын
Glad it was helpful!
@cbaservs 6 ай бұрын
Christian is doing some very good work but so do you James. clear video's also the good stuff i want to learn
@Jims-Garage 6 ай бұрын
Thanks, appreciate the feedback 😃
@mrd4233 9 ай бұрын
I had also this concern about the "privacy" of these services when they became available! Mac-Vlans are pretty powerful feature! Thanks for the solution and the fantastic tutorial!
@Jims-Garage 9 ай бұрын
Thanks 👍
@leobottaro 3 ай бұрын
Great video! Thanks for reaching me how to secure my self hosted server!
@Jims-Garage 3 ай бұрын
You're welcome 😁
@romayojr 6 ай бұрын
excellent tutorial regarding added security. i’ll be adding mac vlan soon to my setup soon. i might also add 2fa and sso using authelia.
@Jims-Garage 6 ай бұрын
Awesome, always good to have multiple layers.
@Tripp111 5 ай бұрын
Thank you! ❤🍕
@Jims-Garage 5 ай бұрын
You're welcome 😊
@dastiffmeister1 9 ай бұрын
Great video and lovely of you to give Christian a shout-out. Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?
@Jims-Garage 9 ай бұрын
Thanks! Yeah, would love to. Those guys are the homelab luminaries! Think I need to earn my stripes a little first though.
@dastiffmeister1 9 ай бұрын
@@Jims-Garage the quality of your content is right up there with theirs!
@Jims-Garage 9 ай бұрын
@@dastiffmeister1 thanks, that's high praise!
@eug1 9 ай бұрын
I agree, Jim’s content is awesome. But I guess if he wants to be up there with the big boys, he needs RGB!! 😂
@Jims-Garage 9 ай бұрын
@@eug1 lol! Red hair, check! Green jumper, check! Hmmm, something blue...
@Nightrapture 7 ай бұрын
Very interesting video. Now I have to realize how setup this without docker, as I installed CF tunnel for a Jellyfin service hosted in my proxmox server. I wonder if proxmox firewall could also be used for this. 🤔
@Jims-Garage 7 ай бұрын
Thanks, yes you could probably control access with Proxmox firewall
@antoniomax3163 9 ай бұрын
By the way, as I said, I don't use docker, but debian. The virtual machine is located in virtualbox, which is installed on windows 10. Because when I used docker, I couldn't figure out how to set up a network connection. Rather, I did not understand why there is no connectivity between the docker, which is installed on the Ubuntu virtual machine and the local network. The virtual machine was also on virtualbox, ubuntu was installed, there was a docker in it. There was connectivity between Ubuntu and the local network, there was a connection between docker and Ubuntu - the network worked. But there is no connection between docker and LAN. I couldn't ping or anything. It was as if Docker was isolated. That's why I used debian, because it's very simple there. Just one team.
@Jims-Garage 9 ай бұрын
It's probably the network setting you gave the VM in virtual box. You'll want to create a bridge so that VMs can access the lan. I recommend a dedicated hypervisor like proxmox or esxi if you can.
@nateify 5 ай бұрын
Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?
@Jims-Garage 5 ай бұрын
Yes, good point. That will work for http headers but not for non-http (at least from my testing and the docs)
Ай бұрын
Thanks for the video, good content! Now correct me if I'm wrong, but using this technique will allow me to block all traffic that is not using a FQDN (i.e. IP scanners) if I disable normal port forwarding on the my UDM SE firewall and then open ports for the incoming traffic from the Cloudflare tunnel? If so, is there any other way that I could accomplish that without using Cloudflare tunnels? Alt. provider of similar functionality, or with some firewall configuration...? Or is this a unique combination of functionality?
Ай бұрын
I was hoping you would honor me with an answer, would really appreciate it! I'm thinking it might work to host stuff through a tunnel this way, having a public facing server without actually opening any ports on it, and that the combination of DNS management (having a proper DNS entry for public access) and a tunnel (connected to that entry) is something that I have't seen elsewhere and might be unique. You can have CNAME entries pointing to TailScale network nodes, but that would require access to the TailScale network, which is different from this...
@justinbrennan11 5 ай бұрын
Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container
@Jims-Garage 5 ай бұрын
No, I only run the one which is for outbound PiHole DNS queries. This was aimed more at people who use them for internal access.
@justinbrennan11 5 ай бұрын
@@Jims-Garage ahh ok. Yeah I tunnel out services on a different machine. Thought you might have had it so you could tunnel DNS queries through it but also tunnel internal services
@lejoe 6 ай бұрын
How would you set something similar on a cloud where you don't have the possibility to filter the traffic between devices (like hetzner)? Any way to achieve something similar with subnets?
@MohammedYasinRashid 26 күн бұрын
Dear Jim, looking at your network topology, after ISP modem, what firewall are you using? Hardware or software ?
@Jims-Garage 25 күн бұрын
I used to use Sophos XG, it's great and user friendly. I've since moved to OPNSense
@khanhthedag7269 4 ай бұрын
Can I ask something? if I run the docker-compose with maclan configuration, the cloudflare tunnel will be down. is that right?
@WesleyGDeSouza Ай бұрын
Again, great video Jim. My cloudflare container do not get the ip. Running "ip add" it shows no ipv4. Any help?
@Jims-Garage Ай бұрын
Try putting it on a vlan with DHCP enabled or manually specify the IP in the macvlan settings (what I do).
@avpr1c 9 ай бұрын
What do you think about Cloudflare authentication for the tunnel versus this option?
@Jims-Garage 9 ай бұрын
That's good for access control, but I still like the added comfort of having the traffic scanned by my firewall and crowdsec.
@kiomarperez7248 Ай бұрын
Newbie to networking and docker here! For this to work i assume i need to create a Vlan interface in the firewall for vlan 4 to act as a gateway for vlan memebers right? And does the switchport connected to the docker host must be configured as a trunkport to accept vlan 4 (cloudflare tunnel docker) and the watherver vlan the host is part of? Thank you for this video.
@Jims-Garage Ай бұрын
That's correct
@Nate-D 3 ай бұрын
Any chance you know how to add the macvlan when docker is running rootless?
@jbarr 3 ай бұрын
Interesting! What are your thoughts on a CF Application in front of a CF Tunnel? I that putting too many eggs in one basket?
@Jims-Garage 3 ай бұрын
How do you mean? Can you give an example?
@jbarr 3 ай бұрын
@@Jims-Garage I have a homelab running Proxmox hosting several VMs and LX Containers. (And Docker's in there as well.) I use a CloudFlare Tunnel to provide remote access to the VMs and Containers without needing to open any ports on my router. I then have CloudFlare Applications pointing to various services providing authentication. My understanding is that no one will be able to even get to my server until/unless they pass authentication through the Application. Do you think this is a good idea? I'd love to have a self-hosted alternative, but honestly, CF Tunnels & Applications seem to provide the access and security I need. Thoughts?
@Jims-Garage 3 ай бұрын
@@jbarr if the authentication is required before accessing the container that sounds good from an accessibility perspective. As long as you're happy with zero privacy (Cloudflare sees all traffic in plain text) then it's also fine from a security perspective.
@ws_stelzi79 3 ай бұрын
I hope 5 Months on you progressed a little towards a "Makro KZfaq Career" 😇🤪
@antoniomax3163 9 ай бұрын
What is smb? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, smb is very critical of delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.
@Jims-Garage 9 ай бұрын
SMB is short for samba, you're right, it's a network share protocol. I would advise against using it in a Cloudflare Tunnel, you don't want to be exposing shares this way (i.e. to the internet - use a VPN instead).
@alexcostafotografia 4 ай бұрын
Dude aewesome video. Iknow it’s lots of work but could you make a tutorial of implementing this on a casaos environment? I have one server with all my apps and I want to set another one to run firewall tunnels and monitoring. As I’m not a security professional I need more details on it lol.if you can point ,e to a tutorial or create one would be amazing
@Jims-Garage 4 ай бұрын
Casa OS is on the to-do list. Hope to get round to it soon, thanks for the feedback.
@Tripp111 5 ай бұрын
I love the video, but I can't seem to match up your process with my pfSense fw.
@Tripp111 5 ай бұрын
I figured it out.
@antoniomax3163 9 ай бұрын
http_status, bastion -what is it? By the way, CF has the ability to install rdp on windows, and in the tunnel settings, choose an rdp tunnel, do you have a video or instructions on how to do this and how to secure such a tunnel?
@Jims-Garage 9 ай бұрын
As with SMB, I don't recommend exposing RDP to the internet, it'll likely be brute force attacked. You're better off putting this behind a proper VPN like WireGuard (I have a video on that, or headscale if you're unable to port forward - see other video)
@Brian-nz6ns 7 ай бұрын
why is the parent interface enp6s18.4...what's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a vlan ID. How's this a vlan?
@Jims-Garage 7 ай бұрын
The .4 is vlan 4 (the dot is the vLAN notation). You can read more here: docs.docker.com/network/drivers/macvlan/
@Krieger1883 3 ай бұрын
Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for. I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) . Do you know of a solution that is halfway user friendly (as near to plug and play as possible)? Thanks a lot!
@Jims-Garage 3 ай бұрын
Sadly that two are often at odds. Wg-easy can do part of that, otherwise it'll be something like headscale/tailscale I guess you could use something like Authentik and Authelia to restrict access by user accounts
@Krieger1883 3 ай бұрын
@@Jims-Garage thanks a lot for that super fast reply! I will look into these tools. Do you have a suggestion for a product for easy segmentation?
@Jims-Garage 3 ай бұрын
@@Krieger1883 running WireGuard on OPNSense should be able to achieve this
@andrew7396 2 күн бұрын
Would you recommend using this set up or a DDNS with a reverse proxy for a homelab?
@Jims-Garage 2 күн бұрын
I only use a reverse proxy
@andrew7396 2 күн бұрын
@@Jims-Garage so does that mean you have a static IP address?
@Jims-Garage 2 күн бұрын
@@andrew7396 no, I use ddns
@andrew7396 2 күн бұрын
@@Jims-Garage makes sense. Thank you. I really appreciate the response. Last question. Do you have a preferred DDNS service? Like do you use DuckDNS, Cloudflare DDNS or something else?
@Jims-Garage 2 күн бұрын
@@andrew7396 I use Cloudflare for DDNS and as my registrar
@davidwestra8181 3 ай бұрын
Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik. All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring. Is there a flaw in my understanding of these bridge networks?
@jens994 18 күн бұрын
Did you learn more about this? I'm currently running CF also with a bridge network which only has CF & my reverse proxy.
@BigFourHead 9 ай бұрын
mm wouldnt a another option be to limit access to your web domains. I have setup limited access to my sub domains to two locations. Ill never be in AUS or Fiji accessing my sub domains.
@Jims-Garage 9 ай бұрын
Agreed, and mentioned with reference to using Cloudflare WAF. Why not add more 'transparent' layers though?
@andherium 3 ай бұрын
Can you please elaborate on why we needed to do this? The cloudlfare tunnel only communicates to your portainer instance at 192.168.200.X anyway no?
@Jims-Garage 3 ай бұрын
Yea, but Portainer controls everything (a bad example for a tunnel tbh, never expose Portainer to the web). The key problems are zero privacy, complete offloading of security to Cloudflare (no firewall), and if something is missed a compromised container could allow lateral movement. Use a VPN for accessing Portainer if possible.
@andherium 3 ай бұрын
@@Jims-Garage yea I wouldn't ever expose portainer. But say I was exposing a simple app (Trilium Notes for example); the only security concern would be a bug on either cloudflared or trilium notes itself, right? A vulnerability on the app itself wouldn't be saved by the introduction of vlan. So I guess the vlan just protects from a security bug in cloudflared ...?
@Jims-Garage 3 ай бұрын
@@andherium first concern is privacy, Cloudflare sees everything you do in plain text. vLAN can help to prevent network propagation but it wouldn't do anything against the host being compromised. I recommend having a firewall internally to scan the traffic, it's a free service after all.
@andherium 3 ай бұрын
@@Jims-Garage thanks!
@cloud2050 8 ай бұрын
I too use an XG firewall, i have CF tunnel working with Nginx. Unfortunately when i put the tunnel on it own vlan the tunnel now report error TLS handshake timeout, cannot reach origin server. I have the firewall rule setup to allow traffic from the tunnel vlan to NPM vlan just like the video. I can ping my Nginx proxy from the tunnel vlan. Not sure why its not working when they are on separate vlan.
@Jims-Garage 8 ай бұрын
What firewall rules do you have in place? Why not put an any any rule in place to troubleshoot the firewall?
@cloud2050 8 ай бұрын
@Jims-Garage the firewall rule in place is pretty open, I am not blocking any ports. In fact, I have it set to allow traffic from one vlan subnet to the other subnet with no service or IP restrictions or IPS during my testing. I am going to remove the NPM out of the equation to see if that's the issue. I will instead use cloudflare as the proxy on the tunnel. I would prefer to use an internal proxy, though.
@Jims-Garage 8 ай бұрын
@@cloud2050Hav eyou checked that it can resolve internal DNS?
@cloud2050 8 ай бұрын
@Jims-Garage DNS for what's behind the NPM proxy? If so, not yet. I was stuck on the tunnel error about it reaching my proxy, so most of my troubleshooting was making sure NPM and cloudflared can communicate.
@IntelBrow 7 ай бұрын
You need to check on cloudflare tunnel Dashboard the option to not check TLS (in the TLS section).
@sebasdt2103 9 ай бұрын
I've used Cloudflare tunnels before and it's too easy to setup. Unaware users don't know what security layers they lost... I'd rather use nginx rproxy over a VPN into a VPS.
@Jims-Garage 9 ай бұрын
Exactly, simplicity is often at the cost of security. Hopefully this helps people to add some control back.
@dastiffmeister1 9 ай бұрын
How exactly could network engineers at a company prevent someone from hosting an internal company service externally over their own domain through cloudflare tunnels? Block all Cloudflare traffic and break the company internet? 😅
@Jims-Garage 9 ай бұрын
@@dastiffmeister1 several ways. A couple of obvious ones, Block access to production, docker, kubernetes etc through privileged access management. Block egress traffic. Monitor and alert on new containers etc
@antoniomax3163 9 ай бұрын
What is unix/unix+tls? I don't understand the logic of the work, why is it necessary?
@Jims-Garage 9 ай бұрын
Hi Antonio, which part of the video are you referring to, I don't remember saying that?
@antoniomax3163 9 ай бұрын
youtube deleted my comments. I don't understand what I violated. Because of this, you didn't see all my comments@@Jims-Garage
@Jims-Garage 9 ай бұрын
@@antoniomax3163 you said "what is Unix/Unix+TLS" . I'm not sure what that means.
@dunno-jl7uz 8 ай бұрын
i html-only website, should i be fine without securing the tunnel?
@Jims-Garage 8 ай бұрын
That's probably the worst case scenario. All depends how much you care about privacy and how much risk you're willing to take, perhaps for your use case it's fine.
@dunno-jl7uz 8 ай бұрын
@@Jims-Garage yeah i moved back to a VPS. my ISP is very stingy. no bridge mode, no vLANs, hell i can't even change dns on router and have to do it on device-by-device bases :/
@rocket01666 4 ай бұрын
my biggest complaint with all the "How to" videos is the fact that no one talks about TLS and the importance of the Origin cert.
@JGNiDK 5 ай бұрын
But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also?? I’m confused. What to do? Where to start? And end?!
@Jims-Garage 5 ай бұрын
Can you port forward? If so, you don't need to use tunnels, use their proxy.
@JGNiDK 5 ай бұрын
@@Jims-Garage and with "their proxy" you mean Cloudflare??
@Jims-Garage 5 ай бұрын
@@JGNiDKYes, the cloudflare proxy
@alexnder8401 5 ай бұрын
When you say you're punchunig a hole in your home security, do you understand that no one has any security rather than anything standard included. And I don't even know if anything is included in macos by default
@Jims-Garage 5 ай бұрын
Agreed. But most people running a Mac aren't exposing it directly to the internet. Moreover, most homelabbers will have a 3rd party firewall that they control tunnel. With a Cloudflare Tunnel you're effectively handing all trust over to Cloudflare. Granted, they're one of the biggest players in the game and therefore advanced, but it does also make them a prime target for attack. I feel it's worth taking control and doing it yourself, or doing both as I illustrate.
@alexnder8401 5 ай бұрын
@@Jims-Garage I mean, I don't have any firewall in my router, so anyone can break inside my lcoal network. I'm exposing my Synology NAS by trusting Synology to do that. I'm exposing my homeassistant by trusting nabucasa. I always trusting someone.
@ryanmalone2681 Ай бұрын
Watched it like 20 times and still can't recreate it. I just left it unsecure, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.
@dzmelinux7769 9 ай бұрын
Good video,but I really hate, very much any background music, why in the world would anyone need this?
@Jims-Garage 9 ай бұрын
Thanks for the honest feedback. I prefer videos without, but apparently most people like some ambient background music. I'll mix it up on future videos and see how it goes.
@dzmelinux7769 9 ай бұрын
Thanks, I don't watch your videos as entertainment, rather as technical information and tutorials. I find any kind of background music totally distracting.
@EduardoSantanaSeverino 9 ай бұрын
I personally prefer the background music. And also enjoy this video. Thank you.
@dzmelinux7769 9 ай бұрын
@@EduardoSantanaSeverino That's great, just imagine, if you use your own device for listening to music, you can even chose which song you want to play in the background ;-)
@Seekeroftruth191 9 ай бұрын
Bro you must have crazy good hearing for me it's so low I don't really notice it besides Jim has the voice on an angel ;p
@rickhernandez2114 8 ай бұрын
I have an internal reverse proxy (traefik) that routes all of my internal hosts by name i.e: proxmox.local.home.lan docker.local.home.lan portainer.local.home.lan Which is great as I don't have to put in port numbers or anything and everything all the time is https even inside my network. Is it more secure to point my cloudflare tunnel at one of those? In other words I would like to set this up exactly as you have outlined here (great job by the way) but not go to the actual server just go to my interal proxy. Is this better? Does cloudflare still see my traffic this way?
@Jims-Garage 8 ай бұрын
Routing through a proxy won't really do much. In my video I'm making sure the traffic goes through a firewall, and is scanned by crowdsec. Those are the two bits that add back some security.
@rickhernandez2114 8 ай бұрын
@@Jims-Garage the reverse proxy is also behind my firewall ( it isn't meant for external access) so I'll just make all the rules and see how it goes. Thanks again!
@Jims-Garage 8 ай бұрын
@@rickhernandez2114 the problem is the tunnel bypasses the firewall. You want to route traffic back through it to scan it and control access.
Lawrence Systems
Рет қаралды 179 М.
Bon Bon Media
Рет қаралды 23 МЛН
Jim's Garage
Рет қаралды 45 М.
Мозголом
Рет қаралды 412 М.
Blueberry Lutein
Рет қаралды 226 М.