Submitted 9 months ago by node815@lemmy.world to selfhosted@lemmy.world
Someone here brought up that they were able to replace Cloudflare Tunnels with Tailscale - I can’t seem to find the post, as it was a comment and deeply buried in a thread I’ve since forgotten the title of. :)
Can anyone explain the process for doing this? I assume it’s through the use of their Funnel? I have three primary services I require to be accessible through Authentik (that’s one of them) via my domain name.
Just curious what the reason behind not wanting to use Cloudflare Tunnels is?
Because it’s a large company slowly taking over the internet?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CF | CloudFlare |
| CGNAT | Carrier-Grade NAT |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| TLS | Transport Layer Security, supersedes SSL |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
[Thread #331 for this sub, first seen 3rd Dec 2023, 11:45] [FAQ] [Full list] [Contact] [Source code]
Thanks! That’s one part of the equation. I think. I have a lot to read up on, I just got set up about an hour ago with Tailscale so a lot to ingest.
Ideally, I want to replace my Wireguard connection which I am currently using (WG-Easy) to stay connected to my home network when I’m away from home so far that’s been hit/miss on 2 out of 3 phones I have running Android 13. I’m working on getting that to work with my new setup on Tailscale.
Then try just regular Tailscale first, see how reliable it is for keeping you connected to your server.
CF Tunnels and Tailscale Funnel are for exposing websites over internet, as you probably know, but ideally you shouldn’t need to do that if you can use a VPN.
So my post was the one to get rid of the cloudflare tunnel.
Basically I set up a tailscail docker on my home server and connected it with a one time key from tailscale. There I exposed my local network. (Perhaps secure that only to your homeserver IP)
Then I set up a Debian Server which hosts a lot of other stuff. But there I also installed tailscail and connected it to my account.
After this the most important part! I wasted hours to find this line of code sudo tailscale up --accept-routes
With that you allow the external server to accept routes. Otherwise you can’t redirect to your homeserver
The next step I took was to install nginx and setup a reverse proxy to my traefik docker on my home network
Here I routed the domain with every subdomain (*.your.domain) to my homeserver.
My homeserver took care of the https certificate so my nginx server only redirects traefik from port 80.
I can share my configs later but I have a little problem with large nextcloud uploads. And I don’t have the previously working nginx config anymore… So I need to dig a bit further again.
Ask me questions, but I can only answer them in about 7h Hope my late night writing makes sense.
Nice! So, using the --accept-routes part, does that allow you to use a CNAME record to your funnel’s address (machine.tailscale-id.ts.net) ? I tried to do this and it failed to resolve for reasons of too many redirects.
I didn’t try that, I use the static local ipv4 address of my network. Like http(s)://192.168.1.3:443
New Lemmy Post: Replacing Cloudflare Tunnels with Tailscale? (https://lemmy.world/post/9075160)
Tagging: #SelfHosted
(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)
I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md
Cloudflare can decrypt the data before it hits my site before it encrypts it
Give Tailscale funnel a try, it provides similar functionality but does not need to terminate yout TLS to do it.
I ran a funnel test and yes it works, but still have to use the ts.net
Out of curiosity, why is that a deal breaker for you?
Simply put - I won’t risk making my work’s IT mad by logging into my machinename.tailscale-defined.ts.net. I don’t know if it’s blocked there, but you never know with IT polices and such. I’ve already been able to get through to my foo.example.com address without issue so I’m letting a sleeping dog alone so to speak.
Also, I think it’s easier to tell someone to go to videos.example.com than machinename.tailscale-defined.ts.net. :)
I saved this recent comment, maybe it was somewhere in this thread?
Except you can condense that whole thread into
lemmyvore@feddit.nl 9 months ago
Is there a reason to expose your services to the whole internet? That’s what CF tunnels and Tailscale Funnel do.
I can’t really recommend either of them, Funnel forces you to use a .ts.net subdomain you can’t use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and reencrypt it on the fly, meaning they are able to look at your unencrypted traffic.
If you really must expose your services publicly then get a cheap VPS, point your domain
AandAAAArecords at its public IPs, make a clear TCP tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let’s Encrypt certificates for your domain).This way you get an unbroken TLS connection all the way through, with nobody in the middle.
The tunnel that you use between your server and the VPS can work behind CGNAT because it’s outgoing, and it doesn’t necessarily need to be encrypted because it will only carry TLS connections anyway. Will be easier on the VPS CPU this way, too.
Auli@lemmy.ca 9 months ago
According to tailscale they do not decrypt just relay.
zzzz@lemmy.world 9 months ago
Also, you can host your own server: headscale.net
ck_@discuss.tchncs.de 9 months ago
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
lemmyvore@feddit.nl 9 months ago
There’s still going to be a gap where traffic is unencrypted and under their software’s control. The gap takes place on your node rather then one of their servers but it still exists. You can’t avoid the TLS gap when you switch domain names mid-connection.
Whether having the gap on their node rather than on Tailscale’s server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn’t have a TLS gap.
garibaldi@startrek.website 9 months ago
Rather than a cheap VPS, what about hosting a reverse proxy on fly.io, something like this? github.com/AnimMouse/frp-flyapp
hempster@lemm.ee 9 months ago
Should I install a reverse proxy on the VPS and link services on the local server, or should I install it directly on the local server?
lemmyvore@feddit.nl 9 months ago
Services and reverse proxy on your server. Tunnel host on the VPS.