Cloudflare Tunnel Alternatives
from taters@piefed.social to selfhosted@lemmy.world on 01 May 09:08
https://piefed.social/post/712029

I am currently self hosting multiple services with Docker containers. A file server, Kiwix with Wikipedia and a PieFed instance sitting behind a Caddy reverse proxy. The PieFed instance is not federated and is more acting like a forum which is meant for a local community within a city. If I do federate in the future, it would be to whitelisted instances from within my physical local community. I am also hosting from behind a Cloudflare Tunnel since my ISP blocks incoming data on lower ports.

I was hesitant to use Cloudflare originally but decided to use it since it was the most suggested recommendation. Now that America and American companies are losing trust worldwide, I’d like to explore some other options for tunneling.

Since what I am hosting isn’t really meant for a large user base, I am okay with losing some of the security offered by Cloudflare’s free tier services. I’ll probably look into setting up Fail2Ban and rate limiting to stop a single petty person but that would be something I can do at a later time.

What would be some options to look into when it comes to tunneling behind an ISP with blocked lower ports?

#selfhosted


broton33@lemmy.world on 01 May 09:12

ngrok is a straightforward, powerful, and secure option. Check it out! I run it for my k8s cluster at home.

Shimitar@downonthestreet.eu on 01 May 09:21

Rent any low-cost VPS and set up a WireGuard tunnel or SSH tunnel to it with port forwarding, done.

Check wiki.gardiol.org where I detail my setup which is exactly this.

This page wiki.gardiol.org/doku.php?id=networking%3Aexterna… is a good starting point

Engywuck@lemm.ee on 01 May 10:19

Hey, man… I used to run your LineageOS on Surya until recently. Glad to see you here 😀

Shimitar@downonthestreet.eu on 01 May 10:23

Cool! We just released 22.2 for surya ;)

Glad to see you here too!

afk_strats@lemmy.world on 01 May 09:44

Look into a VPS + Pangolin or Headscale. Also, check out CrowdSec.

comrade_twisty@feddit.org on 01 May 10:06

Pangolin is amazing and completely replaced cloudflare tunnels for me.

I have a cheap VPS at Infomaniak that handles a boatload of traffic with no issues whatsoever.

dfense@lemmy.world on 07 May 14:50

Can second Pangolin, switched from cloudflare tunnels to it a couple weeks ago and I am very happy with it. Latest version now supports external OIDC!

Xanza@lemm.ee on 01 May 10:09

Pangolin.

Only complaint is that it uses Traefik instead of Caddy.

ThugLaTaupe@lemmy.world on 01 May 13:02

It looks very good, and you can use CrowdSec with it!

HelloRoot@lemy.lol on 01 May 11:18

I run frp, but I also like Pangolin.

towerful@programming.dev on 01 May 11:38

Chisel, Rathole, an SSH tunnel with port forwarding, a VPN with port forwarding.
Keywords are “self hosted tunnel” or “reverse proxy over VPN”.

Run a VPS for like $5 a month, your local reverse-proxy tunnels out to the VPS, and your VPS forwards port 80/443 over the tunnel to your reverse-proxy.

brownmustardminion@lemmy.ml on 01 May 11:47

I recommend it every time this question pops up and I’m surprised more people aren’t privy to it:

Rent a VPS as your public gateway. Connect the VPS to your server with a simple wireguard tunnel.

The only thing on the VPS should be a reverse proxy with SSL/TLS pass through.

Send the traffic at the VPS reverse proxy to a reverse proxy on the main server. Configure this proxy to use letsencrypt certs.

The benefit and importance of the SSL pass-through reverse proxy is that it allows all data in transit to remain encrypted until it reaches your physical server. Traditionally, most would suggest the one and only reverse proxy exist on the VPS, but all traffic would then be decrypted on the VPS. This could obviously compromise your traffic if the VPS provider snoops or your VPS is compromised.

Cloudflare tunnels decrypt on their hardware as well, which is why I always recommend avoiding their services.
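The VPS-side piece that towerful and brownmustardminion describe (public 443 on the VPS, bytes forwarded over the tunnel, TLS terminated only at home) can be demonstrated with a small SNI-based passthrough router. This is an added example, not either commenter's setup and not Pangolin's or any project's code; the hostnames, the routing table and the tunnel address `10.0.0.2` are constructed placeholders. The point it makes concrete: the VPS reads only the plaintext `server_name` field of the ClientHello to decide where to send the connection, never holds a certificate or key, and the home reverse proxy (Caddy with Let's Encrypt in the OP's case) does the actual TLS.

```python
import asyncio
import ssl
import struct
from typing import Optional, Tuple

# Constructed routing table (assumed values, not from the thread): every public
# hostname maps to the home server's address on the WireGuard tunnel. The VPS
# only relays bytes; the home reverse proxy holds the Let's Encrypt certs.
HOME_OVER_TUNNEL = ("10.0.0.2", 443)
BACKENDS = {
    "files.example.org": HOME_OVER_TUNNEL,
    "wiki.example.org": HOME_OVER_TUNNEL,
    "forum.example.org": HOME_OVER_TUNNEL,
}


class NotClientHello(ValueError):
    """The opening bytes of a connection are not a TLS ClientHello."""


def parse_sni(data: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello record, or None if absent.

    Only the unencrypted handshake header is read. No key material is
    involved, which is what makes this passthrough rather than termination.
    """
    try:
        if data[0] != 0x16:                      # record type: handshake
            raise NotClientHello("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:   # handshake type: ClientHello
            raise NotClientHello("not a complete ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                      # legacy_version + random
        pos += 1 + hello[pos]                             # session id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hello[pos]                             # compression methods
        if pos + 2 > len(hello):
            return None                                   # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0x0000:                        # 0 = server_name
                continue
            p = 2                                         # skip list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                        # host_name entry
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise NotClientHello("malformed ClientHello") from exc


def choose_backend(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Tunnel endpoint for a connection, or None for non-TLS, no SNI or unknown
    names, so junk is dropped on the VPS instead of forwarded into the LAN."""
    try:
        host = parse_sni(first_bytes)
    except NotClientHello:
        return None
    return BACKENDS.get(host) if host else None


def sample_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello with the stdlib ssl module, no network needed."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Read one TLS record, route on its SNI, then copy bytes both ways unchanged."""
    first = await reader.read(5)
    if len(first) == 5 and first[0] == 0x16:
        first += await reader.readexactly(struct.unpack("!H", first[3:5])[0])
    backend = choose_backend(first)
    if backend is None:
        writer.close()
        return
    b_reader, b_writer = await asyncio.open_connection(*backend)
    b_writer.write(first)                 # replay the record we already consumed
    await asyncio.gather(_pump(reader, b_writer), _pump(b_reader, writer))


if __name__ == "__main__":
    async def serve() -> None:   # VPS public side; needs privileges for port 443
        server = await asyncio.start_server(handle, "0.0.0.0", 443)
        async with server:
            await server.serve_forever()
    asyncio.run(serve())
```

The same routing is what nginx's `stream` module does with `ssl_preread` and HAProxy does with `req.ssl_sni`; the hand-written version just makes it visible that the only thing the VPS learns about a session is the hostname, and that anything without a recognised SNI never reaches the tunnel. Bandwidth still flows through the VPS, so Voroxpete's question about transfer caps applies unchanged.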

Voroxpete@sh.itjust.works on 01 May 12:15

A question I have about this setup, because I’ve been contemplating it myself: If all the traffic flows through the VPS, I presume that will count against any usage limits / cost per GB with the VPS, right? Have you found that to be a problem with large file transfers or video streaming?

cantankerous_cashew@lemmy.world on 01 May 15:55

Yes, unless you use a provider that doesn’t have bandwidth caps; I personally use OVH for that reason.

brownmustardminion@lemmy.ml on 02 May 03:04

Yes, it will count towards your bandwidth.

I typically don’t get anywhere close to this though.

The few times I did were due to initiating large backups between devices, upwards of 2TB. But I’ve since moved my backup system to a mesh network and haven’t hit bandwidth overages since.

Jason2357@lemmy.ca on 01 May 19:16

I use a $2 VPS in Quebec that proxies my home stuff over Tailscale. It uses Caddy and does the TLS encryption and caching. It has the provider’s DDoS protection, plus I have configured the firewall to have some further protection.

It could also just directly forward TLS packets over any sort of VPN if you didn’t trust the VPS provider or wanted to reduce CPU load.

ohshit604@sh.itjust.works on 01 May 20:30

My ASUS WRT router running Merlin firmware offers to host a WireGuard server; I simply use the WireGuard app, dump the config file in and hit connect.

Took a little configuration but eventually got it working how I want it.

Edit: The reason for the Merlin firmware is that I can route my VPN server through my VPN provider; it goes a little like this:

5G/LTE > WireGuard to my router > Router routes that connection to ProtonVPN

This gives me access to the resources in my home while also reaping the benefits of my VPN provider.