Cloudflare Tunnel for Self-Hosting: privacy, security and convenience?

Introduction

If you’re a self-hosting enthusiast, you’re probably already aware of the benefits that come with running your own applications and services on your hardware. However, exposing these resources to the internet can be challenging, especially when it comes to balancing privacy, security, and convenience concerns.

Cloudflare Tunnel is a remarkable solution to bridge this gap with its ability to securely connect your applications to the internet. This blog post will present the key aspects of using Cloudflare Tunnel that self-hosters need to be aware of.

What is Cloudflare Tunnel?

Cloudflare Tunnel, formerly known as Argo Tunnel, is a feature within Cloudflare’s “Zero Trust” portfolio of products that establishes a secure and private connection between a user’s infrastructure and Cloudflare’s global network. It allows self-hosted applications to be exposed to the internet without the need for a publicly accessible IP address. Instead, you can use a hostname on a custom domain with Cloudflare managing traffic encryption and routing.

How Cloudflare Tunnel Works

Cloudflare Tunnel utilizes a lightweight daemon called cloudflared installed on your infrastructure, which creates an outbound-only connection to Cloudflare’s edge network. It’s simple to run as a Docker container, for example in a Compose stack. Here’s an example that hosts excalidraw, an excellent virtual whiteboard web application:

version: '3.3'

services:
  excalidraw:
    image: excalidraw/excalidraw:latest
    restart: unless-stopped
    container_name: excalidraw
    # No "ports:" entry: the app is reachable only on the Compose network,
    # i.e. only through the cloudflared service below.

  excalidraw-cftunnel:
    container_name: excalidraw-cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # Token issued in the Zero Trust dashboard when the tunnel is created;
      # the public hostname is mapped there to the app's service URL on this
      # Compose network (e.g. http://excalidraw:80).
      - TUNNEL_TOKEN=<CF_TOKEN_HERE>

Once the cloudflared container is running, it creates a “tunnel” from Cloudflare’s network into your private network, allowing incoming requests to reach your application securely without exposing your server’s IP address. This is a simplified logical diagram:

Users can assign their own domain to the tunnel, and Cloudflare provides security features such as DDoS protection, a firewall, and SSL/TLS encryption. In addition, Cloudflare Access, the related product in the same portfolio, lets you require users to authenticate with various identity providers such as Google, GitHub, Azure AD, or email one-time passcodes.

Advantages of Using Cloudflare Tunnel

  1. Privacy - Cloudflare Tunnel allows you to keep your server’s IP address hidden from the public. This prevents direct attacks and reduces your infrastructure’s exposure to external threats.
  2. Security - Cloudflare’s built-in security features such as SSL/TLS encryption protect your application’s data in transit, and can mitigate DDoS and other attacks.
  3. Convenience - The service simplifies the process of making a self-hosted application accessible online. You don’t need to worry about configuring a NAT device or maintaining firewall rules for incoming traffic. For self-hosters whose ISP uses CGNAT, the tunnel still works, whereas opening ports on your router would not.
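Point 1 only holds if the app is never published directly on the host as well. As an added example (not from the original post), here is a small stdlib-only Python lint for a Compose stack like the one shown earlier: it flags a "ports:" block on the app service, which would expose the origin alongside the tunnel, and a TUNNEL_TOKEN written literally into the file instead of read from the environment. The service names, layout and sample token are constructed; the scanner handles the 2-space layout of the earlier example, not arbitrary YAML.

```python
# Added example, not from the original post: a stdlib-only lint for a
# Compose stack fronted by cloudflared. Its scanner handles the 2-space
# layout of the post's example, not arbitrary YAML.
import re

def parse_services(compose_text):
    """Return {service: {"image": str, "ports": bool, "env": [str]}}."""
    services, current, section, in_services = {}, None, None, False
    for raw in compose_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                                   # top-level key
            in_services, current = line == "services:", None
        elif in_services and indent == 2 and line.endswith(":"):
            current = line[:-1]                           # service name
            services[current] = {"image": "", "ports": False, "env": []}
        elif current and indent == 4:
            section, _, value = line.partition(":")
            if section == "ports":    # any ports: block exposes the origin directly
                services[current]["ports"] = True
            elif section == "image":
                services[current]["image"] = value.strip()
        elif current and indent == 6 and section == "environment":
            services[current]["env"].append(line.lstrip("- "))
    return services

def lint(compose_text):
    """Check 1: app has no host ports. Check 2: token comes from the environment."""
    findings = []
    for name, svc in parse_services(compose_text).items():
        if "cloudflared" not in svc["image"] and svc["ports"]:
            findings.append(f"{name}: publishes host ports, bypassing the tunnel")
        for entry in svc["env"]:
            key, _, value = entry.partition("=")
            if key == "TUNNEL_TOKEN" and not re.fullmatch(r"\$\{?TUNNEL_TOKEN\}?", value):
                findings.append(f"{name}: TUNNEL_TOKEN is hardcoded; use ${{TUNNEL_TOKEN}}")
    return findings
# Constructed weak stack: host port published on the app plus a literal token.
WEAK = """services:
  excalidraw:
    image: excalidraw/excalidraw:latest
    ports:
      - "80:80"
  excalidraw-cftunnel:
    image: cloudflare/cloudflared
    environment:
      - TUNNEL_TOKEN=eyJhIjoiZXhhbXBsZSJ9
"""
```

Running `lint(WEAK)` reports both problems; removing the ports block and writing `TUNNEL_TOKEN=${TUNNEL_TOKEN}` (with the real token in a .env file that stays out of version control) makes it return an empty list.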

Disadvantages of Using Cloudflare Tunnel

  1. Trust - Using Cloudflare Tunnel necessitates placing trust in a third-party provider and their infrastructure. For some privacy-conscious users, this could be a concern. Despite the branding of “Zero Trust”, you have to have a high degree of trust in Cloudflare: it terminates TLS at its edge, so it can see your application traffic in the clear.
  2. Cost - While Cloudflare Tunnel offers a free tier, the availability of various features depends on your subscription plan, which may come at a cost. You also need to provide credit card details when signing up.
  3. Complexity - The cloudflared daemon adds an extra layer of complexity to your infrastructure and could slightly increase server resource usage. It’s also a single point of failure; if your cloudflared agent is stopped for any reason, your application will become unavailable.

Conclusion

Cloudflare Tunnel is an excellent solution for self-hosting enthusiasts looking for a compromise between convenience, privacy, and security. If you trust Cloudflare enough to let them handle your traffic, knowing that they could inspect it transparently, then Tunnel is a joy to use.

Its features streamline the process of deploying self-hosted applications online and provide protection from numerous threats. However, it’s crucial to carefully weigh the pros and cons based on your requirements and trust levels.

By understanding how Cloudflare Tunnel works, you can make a well-informed decision on whether it’s a suitable solution for your self-hosted applications. Just because the marketing team calls something “Zero Trust” doesn’t mean you don’t need to trust them. For many, this will be (and perhaps should be) a dealbreaker.