Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
I only started using Cloudflare tunnels recently, but I'm now using the self-hosted alternative Pangolin on a VPS for private services, and I keep the Cloudflare tunnel for public web hosting, i.e. WordPress. This also allows easy restriction to the WordPress login page for other users via Google auth etc which is something very simple with CF.
Having split up my private/public services to separate tunnels also means I don't stand the chance of taking the public services offline with my constant tinkering of Pangolin and the VPS it runs on.
I have pushed the CF tunnel for file transfers occasionally (which is against their terms), but it hits remarkable speeds for a 'free' service.
Do you have any solution for services that aren't over a browser? I've been using Tailscale but I'm looking for alternatives. Pangolin only seems to work for either browser-based services or opening ports to the Internet, unless I'm missing something.
Ex. How do I connect a client app on my phone to my subsonic server for music without opening my home server to the net?
Pangolin is a reverse proxy, so it can forward a URL to any backend service on any port. But you're right in that you have to be signed in on the browser you access it on. Therefore an app won't directly work without prior login. You can create a 'shareable link' in Pangolin, which I use for the Immich app. This gives me header tokens that the Immich app can take in its advanced settings, and that's how that one works.
I've recently moved away from dedicated apps for mobile services and toward web-based access for most things (I use Music Assistant in browser). This isn't perfect for everything and everyone, but I realise now with your question that it's worked well for me transitioning to Pangolin (and at least Immich app works).
Is there a reason not to use Pangolin for the public stuff too?
I'm just about to make the switch from Cloudflare to Pangolin on VPS, and I wanna make sure I'm not missing anything.
If today's outage is anything to go by, you're better off not using Cloudflare!!
I have continued to use it for public websites so that, in my thinking, at least the Cloudflare network is scrutinising who is accessing my webpages in case of attacks etc.
Pangolin is a simpler cloud reverse proxy, whereas Cloudflare has more bells 'n whistles for quick-set security. You just need to harden your VPS that Pangolin runs on. You can activate Crowdsec etc on it as well.
I run mine on a Hetzner VPS which has a nice firewall feature in the control panel securing the VPS ports for SSH and Pangolin tunnel to my home IP. Then it's only ports 80 & 443 exposed. And I think from memory Pangolin doesn't play nicely with UFW (well, Traefik doesn't).
Outside of VPS firewall settings and fail2ban, is there anything else you'd recommend to harden the VPS?
Not my expertise I'm afraid. Geoip blocking is straightforward with traefik (and Pangolin docs), Crowdsec is a little more complicated, and with the external firewall into the VPS, there isn't much more I can think to do.
It's likely more a factor of how secure Pangolin itself is at that stage.