01 - External access - Cloudflare

Docker
Cloudflare
Self-hosted software
Containers
DNS
SSL
Secure remote access to your homelab
Author

ProtossGP32

Published

January 30, 2023

Introduction

Getting started

Follow this video and then the instructions below:

Get a Domain name

Create a Cloudflare account

Setup the Domain name in Cloudflare

Creating tunnels to our applications

Zero Trust Dashboard

TODO

Add some screenshots of the nameserver creation procedure in Zero Trust Dashboard

Deploying cloudflared as docker container

Adapt the proposed docker compose file in this link to launch it as a standalone container.

Cloudflare recommends creating only one tunnel per network, so we’ll deploy it as a container inside our private network:

docker-compose.yml
version: '3.2'
name: cloudflared
services:
  tunnel:
    #container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    # This sysctl param change doesn't seem to work on some OSes (e.g. Alpine-based images)
    sysctls:
      net.core.rmem_max: 2500000
    restart: unless-stopped
    command: tunnel --metrics 0.0.0.0:3333 run
    environment:
      # Add your cloudflare token inside a secured '.env' file
      - TUNNEL_TOKEN=${CLOUDFLARE_TOKEN}
    # Add autoheal feature to ensure it's restarted on failure
    labels:
      - autoheal=true
    # TODO: The official cloudflared image has neither curl nor wget nor dig,
    # so we can't run the healthcheck from inside the container! We either build a new
    # image that installs one of the required commands, or get the health status from
    # another container or from outside, exposing the metrics port
    #healthcheck:
    #  test: ["CMD", "curl", "-f", "http://0.0.0.0:3333/ready"]
    #  interval: 10s
    #  timeout: 3s
    #  retries: 3
    #  start_period: 30s

  # Autoheal is a workaround to restart any container whose healthcheck fails
  #autoheal:
  #  image: willfarrell/autoheal:1.2.0
  #  volumes:
  #    - "/var/run/docker.sock:/var/run/docker.sock"
  #  environment:
  #    AUTOHEAL_CONTAINER_LABEL: autoheal

Add the CLOUDFLARE_TOKEN value inside a secure .env file in the same dir as the docker-compose.yml file:

CLOUDFLARE_TOKEN=token-provided-by-cloudflare
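The healthcheck stays commented out in the compose file above because the official image has no HTTP client. As an added example (not part of the original post), here is a small Python probe that runs on the host or in a sidecar container against the /ready endpoint of the metrics server started with --metrics 0.0.0.0:3333. It assumes port 3333 is reachable from where it runs (for instance published with a ports entry) and that the response is cloudflared's readiness JSON with status, readyConnections and connectorId fields.

```python
"""Probe a cloudflared tunnel's readiness from outside its container.

The official cloudflared image ships no curl/wget/dig, so this check runs on
the host (or in a sidecar) against the metrics endpoint. Assumed: port 3333
of the tunnel container is reachable from where this script runs.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed: the container's metrics port 3333 is published to the host.
READY_URL = "http://127.0.0.1:3333/ready"


def evaluate_ready(status_code, body, min_connections=1):
    """Decide health from the /ready HTTP status and JSON body.

    cloudflared answers 200 with {"status":200,"readyConnections":N,...}
    while at least one connection to the edge is up, and 503 otherwise.
    """
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "unparseable body"
    if not isinstance(data, dict):
        return False, "unexpected body shape"
    ready = int(data.get("readyConnections", 0))
    if status_code != 200:
        return False, f"HTTP {status_code}, readyConnections={ready}"
    if ready < min_connections:
        return False, f"only {ready} ready connection(s), need {min_connections}"
    return True, f"{ready} ready connection(s), connector {data.get('connectorId', '?')}"


def check_tunnel(url=READY_URL, timeout=3.0):
    """Fetch /ready and evaluate it; any network failure counts as unhealthy."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return evaluate_ready(resp.status, resp.read())
    except urllib.error.HTTPError as exc:  # a 503 still carries the JSON body
        return evaluate_ready(exc.code, exc.read())
    except (urllib.error.URLError, OSError) as exc:
        return False, f"metrics endpoint unreachable: {exc}"


if __name__ == "__main__":
    healthy, detail = check_tunnel()
    print(("healthy: " if healthy else "UNHEALTHY: ") + detail)
    sys.exit(0 if healthy else 1)
```

A non-zero exit lets a cron job or systemd timer trigger `docker compose restart tunnel`, which stands in for the in-container healthcheck the image cannot run.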

Warning with system limits!

If you see a message like this one when launching docker compose logs tunnel:

failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB)

Check the following link for a deep explanation: LINK

One fix is to create an init container that changes the relevant kernel parameters, similar to what we do for SonarQube.

Alternatively, we can try setting the sysctl parameters from the docker compose file (the sysctls entry shown above).

On some OSes, such as Alpine, this doesn’t seem to take effect, but if Cloudflare shows the tunnel as connected, the warning shouldn’t be a problem.