Comment by noduerme

Comment by noduerme 6 days ago

This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

fossorialowen 6 days ago

Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than a ssh tunnel - and more to get public users into your application. Meaning if you had a internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser this could be a good tool to use. Does that make sense?

Reply View 5 replies

barbazoo 6 days ago

I’m using an nginxproxymanager as reverse proxy and ssl terminus for exactly that, Immich, home assistant, etc. What would I gain from your solution?

Reply View | 1 reply
- fossorialowen 6 days ago
  
  I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.
  Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.
  
  Reply View | 0 replies
wredcoll 5 days ago

If you have an internal app or homelab app or whatever, why don't you just... route to it? Configure your firewall to let traffic in and out?
I get there's a tunnel provided by this sort of software, I just don't understand how so many people actually need one.

Reply View | 1 reply
- zerd 5 days ago
  
  My ISP blocks port 25, 80 and 443, so need to tunnel those. Some don't want to expose their IP directly. If you have dynamic IP you don't have to update the IP in DNS (since the "application" connects to the tunnel endpoint).
  
  Reply View | 0 replies
noduerme 6 days ago

That makes a ton of sense actually! I'm excited to give it a try!

Reply View | 0 replies

j45 6 days ago

Tailscale (and headscale) is great for internal access to something that night not have public internet access. Others have mentioned an example of keeping a NAS off the public internet.

Cloudflare tunnels help expose a service to the internet with a bit more protection.

I have seen folks use both tailscale to access the backend and the public side is only Cloudflare tunnels.

It’s not unreasonable to point Cloudflare tunnels to a central and internal nginx proxy manager.

Tailscale can route the public internet into your services too can do this too but the protections in Cloudflare are likely a little more robust.

Panagolin looks interesting enough to try out, it could sit run behind Cloudflare tunnels while testing and then moved out.

Reply View 2 replies

Lord_Zero 5 days ago

I'm using caprover on a Linux VM with tailscale and cloudflare. Works great, it does require some tinkering because caprover doesn't like not being in control of SSL, and the nginx configs need to be manually edited per app if you want to set up headers for cloudflare real ip and stuff.

Reply View | 1 reply
- j45 4 days ago
  
  Sounds like a nice setup.
  I like being able to choose if I don’t want to maintain or think about it again, then going one direction.
  If it’s something I will be tinkering with, a different direction is better.
  
  Reply View | 0 replies

mbesto 6 days ago

I use CF tunnels pretty extensively with my home unraid server.

The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.

It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.

Reply View 9 replies

jonotime 6 days ago

Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.

Reply View | 7 replies
- omnimus 6 days ago
  
  My guess is that teaching and convincing someone to install tailscale on every device they need access is a lot harder than sending a link.
  Thats why i use pangolin.
  
  Reply View | 0 replies
- noduerme 6 days ago
  
  Tailscale and Plex do not play nicely, particularly since Plex implemented a bunch of shit to try to charge users for accessing their own files outside what it considers a local network. Switching to Jellyfin is on my maintenance list. It's very understandable that if you had given a family member access to your Plex server before this year and it "just worked" you might look now at Tailscale as a way to put them on your LAN and then decide that the complexity isn't worth it, given the hoops that Plex had apparently gone through to make that a non-viable option.
  Fuck Plex, by the way. Good on them for building up and turning themselves into a streaming service of sorts. Add value and I'll pay for it. But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files? Seriously, they can go to hell. No one streaming movie files to their family is doing so because they love paying middle-men, by the way. And no core function of Plex can't be done freely.
  
  Reply View | 5 replies
  
  wredcoll 5 days ago
  
  I don't want to defend plex too hard, but I was super confused by what you were talking about:
  > But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files
  I have a plex server that a dozen of my friends and family use and none of them have to pay a cent to access it.
  Then after thinking about it a bit longer, I remembered that plex was making some kind of distinction about "members of a household", apparently called Plex Home [1].
  I'm not sure what benefits you get from using it, since I haven't bothered trying to see what it needs to work.
  Long story short, however, is if you just have your family members sign up for their own plex account, then add them to your plex server as a separate user, things will continue to Just Work and do so for free.
  
  Reply View | 2 replies
  
  jonotime 5 days ago
  
  Ah ok. Admittedly I dont host a media server so it sounds like Plex brings new challenges.
  I would just prefer to not have to public expose a service for a single user. In my case when sharing an image server to family it has been easy enough to walk them through installing tailscale on their windows desktop that they use. I love adding friends and fam to my tailnet. It then also makes it easier to log in and troubleshoot their issues later too.
  It looks like CFs solution for restricted public access is CF access controll, but thats still publicly exposed. Their non-public option is WARP, but that requires installation on the client machine. At that point your user setup is even harder then tailscale.
  
  Reply View | 0 replies
  
  subscribed 5 days ago
  
  To me, another huge no-no is the apparent lack of option to stop Plex from sending all the filenames to the mothership.
  
  Reply View | 0 replies
hexfish 6 days ago

Are you aware that serving media streams over the tunnel might be against the ToS? This is what kept me from using it tbh.

Reply View | 0 replies

[removed] 6 days ago

[deleted]

Reply View 0 replies