When running Cloudflare tunnels, opening a port on your router, or having a VPS+Wireguard, it's important to think about security and covering your butt. I run everything in a DMZ subnet that has firewall/ACL rules on both the DMZ and my other networks to restrict any access. I put bandwidth caps on individual VMs/containers. I also use Wireguard to reroute all outbound Internet requests from the DMZ so that my home lab doesn't use my home IP address at all.
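The outbound part of that setup (DMZ egress forced through WireGuard, never through the home IP) comes down to policy routing plus a kill switch. The script below is an added example, not the commenter's own configuration; the subnet, interface and table names are placeholders, and it assumes the WireGuard peer on the far end lists the DMZ subnet in its AllowedIPs and masquerades it there.

```shell
#!/bin/sh
# Added example (not from the thread): force every forwarded packet that
# originates in a DMZ subnet out through a WireGuard interface, and reject it
# when the tunnel is down, so the DMZ can never fall back to the residential
# uplink. Placeholders (assumptions, adjust to your network): DMZ subnet
# 10.20.0.0/24 on bridge br-dmz, tunnel wg0, routing table 100.
DMZ_NET="${DMZ_NET:-10.20.0.0/24}"
DMZ_IF="${DMZ_IF:-br-dmz}"
WG_IF="${WG_IF:-wg0}"
RT_TABLE="${RT_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = run them (as root)

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Policy routing: DMZ sources consult table 100, whose only usable default
# route is the tunnel. The low-priority "unreachable" route means that when
# wg0 has no route (tunnel down) packets are rejected instead of falling
# through to the main table and leaving via the WAN interface.
dmz_routing_up() {
    run ip rule add from "$DMZ_NET" lookup "$RT_TABLE" priority 1000
    run ip route add default dev "$WG_IF" table "$RT_TABLE"
    run ip route add unreachable default table "$RT_TABLE" metric 4294967294
}

# nftables: belt-and-braces kill switch plus east-west isolation. Replies to
# connections the LAN opened into the DMZ are still allowed (established).
# No NAT here: the far end of the tunnel is expected to accept the DMZ subnet
# in AllowedIPs and masquerade it onto the Internet.
dmz_firewall_rules() {
    cat <<EOF
table ip dmz_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        # DMZ-originated traffic may only leave via the tunnel; never WAN or LAN.
        iifname "$DMZ_IF" ip saddr $DMZ_NET oifname != "$WG_IF" counter drop
    }
}
EOF
}

apply_all() {
    dmz_routing_up
    if [ "$DRY_RUN" = "1" ]; then dmz_firewall_rules; else dmz_firewall_rules | nft -f -; fi
}

apply_all
```

Run it as-is to see the plan, or with `DRY_RUN=0` as root to apply it. The home-side wg0 config that goes with it should use `AllowedIPs = 0.0.0.0/0` together with `Table = off`, so wg-quick does not rewrite the main routing table and the host's own traffic keeps using the normal uplink; only the DMZ subnet is steered into the tunnel by the rule above.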
Maybe I'm paranoid, but the last thing I need is to forget about some web project I was experimenting with in my lab and suddenly the Internet connection I pay for is being used by some bad actor to participate in ddos or to resell access to my trusted residential IP for scamming purposes.
No doubt all this stuff is a violation of residential TOS agreements.
Personally I currently just use DDNS for stuff hosted on consumer connections (AKA home lab). And docker nginx-proxy to multiplex various self-hosted web apps (either in a home lab or on a VPS).
Why not Docker? Since routes are kernel-level and shared between containers, using Docker here typically complicates things rather than making them simpler. Unless you already know about most of the "network magic" Docker does by default, in the best case you'll waste a lot of time figuring all of that out and in the worst case you'll apparently have it working but actually be vulnerable in some subtle way. And at the point where you're running with "--net=host --user=root --privileged", you're not gaining much from containers for these specific use-cases.
Yes, you _can_ do stuff like this with just containers with CNI/custom networking but VMs are typically cleaner and easier unless you're strongly personally motivated to learn about the underpinnings of container networking.
> And docker nginx-proxy to multiplex various self-hosted web apps (either in a home lab or on a VPS).
That's probably fine, and you might be able to do something similar without even touching that part (aside from closing off the public entrypoint when/if you get the tunneling working). You'd set up the WG+routing either on the same box or on a dedicated tunnel/proxy endpoint, as well as on the remote side. You can either add an additional L7 LB (like nginx) at the entrypoint or redirect traffic straight to your existing nginx. The former is probably the safer and easier, but less efficient approach.
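The "redirect traffic straight to your existing nginx" option from the reply above, written out for the remote (VPS) side. This is an added example, not the commenter's own setup: public TCP 80/443 are DNATed into the tunnel to the home nginx, only those flows may be forwarded into the tunnel, and the same ruleset masquerades the DMZ's outbound traffic so the far end of the tunnel is the home lab's public identity. Interface names, tunnel addresses, the DMZ subnet and the keys are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): VPS-side entrypoint that forwards public
# TCP 80/443 straight to the home nginx over WireGuard (no L7 proxy on the VPS)
# and masquerades the home DMZ's egress. Assumed placeholders: VPS public
# interface eth0, tunnel wg0, tunnel addresses 10.9.0.1 (VPS) / 10.9.0.2 (home
# gateway), home DMZ 10.20.0.0/24, home nginx at 10.20.0.10.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
DMZ_NET="${DMZ_NET:-10.20.0.0/24}"
HOME_NGINX="${HOME_NGINX:-10.20.0.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print; 0 = apply (as root)

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# WireGuard cryptokey routing: the VPS must list the DMZ subnet in AllowedIPs,
# otherwise it silently drops packets whose source is a DMZ address.
vps_wg_conf() {
    cat <<EOF
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# home gateway
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.9.0.2/32, $DMZ_NET
PersistentKeepalive = 25
EOF
}

# nftables: DNAT the public ports into the tunnel, masquerade DMZ egress, and
# forward nothing else. Replies from the home nginx come back through the
# tunnel because the home gateway policy-routes the DMZ subnet into wg0, and
# conntrack reverses the DNAT on the way out, so the client IP is preserved.
vps_nft_rules() {
    cat <<EOF
table ip vps_entry {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$WAN_IF" tcp dport { 80, 443 } dnat to $HOME_NGINX
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # DMZ egress leaves with the VPS's public address, not the home IP.
        ip saddr $DMZ_NET oifname "$WAN_IF" masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Inbound: only the DNATed flows may enter the tunnel.
        iifname "$WAN_IF" oifname "$WG_IF" ct status dnat accept
        # Outbound: the DMZ's own egress via the tunnel.
        iifname "$WG_IF" ip saddr $DMZ_NET oifname "$WAN_IF" accept
    }
}
EOF
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = "1" ]; then
        vps_wg_conf
        vps_nft_rules
    else
        vps_wg_conf > /etc/wireguard/wg0.conf && chmod 600 /etc/wireguard/wg0.conf
        vps_nft_rules | nft -f -
    fi
}

apply_all
```

The trade-off against the other option in the reply (an L7 load balancer on the VPS) is that this L4 version keeps the original client address on the packets without any X-Forwarded-For handling, but it cannot terminate TLS or add authentication at the edge; with an nginx on the VPS you would instead `proxy_pass` to the home nginx's tunnel-side address and pass the client IP in headers.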
If you really are trying to run a server behind a CGNAT, then I guess you have no other options, but I'd consider this kind of thing to be a last resort.
Another really useful service is being able to protect everything behind a SSO like Github, allowing at least the most basic form of intrusion prevention that would secure your homelab from the majority of attacks.
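One common way to put that GitHub login gate in front of everything is nginx's `auth_request` backed by oauth2-proxy, restricted to members of one GitHub organization. The script below is an added example, not from the comment above; the hostnames, upstream, organization name and the oauth2-proxy invocation are placeholders and assumptions (the flags used are the ones oauth2-proxy documents for its GitHub provider and nginx auth_request mode).

```shell
#!/bin/sh
# Added example (not from the thread): gate every self-hosted app behind GitHub
# SSO with oauth2-proxy as an nginx auth_request backend. Placeholders:
# app host app.example.test, app upstream 127.0.0.1:8080, oauth2-proxy on
# 127.0.0.1:4180, GitHub org my-homelab-org; client id/secret come from the
# environment (values below are obvious placeholders).
APP_HOST="${APP_HOST:-app.example.test}"
APP_UPSTREAM="${APP_UPSTREAM:-127.0.0.1:8080}"
GITHUB_ORG="${GITHUB_ORG:-my-homelab-org}"
CLIENT_ID="${CLIENT_ID:-<GITHUB_OAUTH_CLIENT_ID_PLACEHOLDER>}"
CLIENT_SECRET="${CLIENT_SECRET:-<GITHUB_OAUTH_CLIENT_SECRET_PLACEHOLDER>}"
COOKIE_SECRET="${COOKIE_SECRET:-<32_BYTE_URLSAFE_BASE64_PLACEHOLDER>}"

# Cookie secret must be 16, 24 or 32 random bytes, URL-safe base64 encoded.
gen_cookie_secret() { head -c 32 /dev/urandom | base64 | tr -- '+/' '-_'; }

# The oauth2-proxy command line: GitHub provider, org membership required,
# static://202 upstream because nginx only asks it "is this session valid?".
oauth2_proxy_cmd() {
    printf '%s ' oauth2-proxy \
        --provider=github \
        --github-org="$GITHUB_ORG" \
        --client-id="$CLIENT_ID" \
        --client-secret="$CLIENT_SECRET" \
        --cookie-secret="$COOKIE_SECRET" \
        --email-domain='*' \
        --http-address=127.0.0.1:4180 \
        --redirect-url="https://$APP_HOST/oauth2/callback" \
        --reverse-proxy=true \
        --set-xauthrequest=true \
        --upstream=static://202
    printf '\n'
}

# nginx: every request is sub-requested to /oauth2/auth first; an unauthenticated
# client is sent to the sign-in page instead of reaching the app at all.
nginx_gate_conf() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $APP_HOST;
    # TLS certificate paths are placeholders.
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        auth_request_set \$user \$upstream_http_x_auth_request_user;
        proxy_set_header X-User \$user;
        proxy_pass http://$APP_UPSTREAM;
    }
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
}
EOF
}

# Print both pieces; the operator places the config and runs the command.
oauth2_proxy_cmd
nginx_gate_conf
```

Because the `auth_request` sits in `location /`, an app that has no login of its own still cannot be reached by anyone outside the GitHub org; the app itself only ever sees requests that already carry a valid oauth2-proxy session, and the `X-User` header tells it who that is.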
Here in Italy our public Communications Regulatory Authority (AGCOM) has ruled that ISPs cannot mandate a specific router type and MUST provide technical details so that any subscriber is able to use a modem/router of their choice. This was after quite a bit of lobbying by the "Free Modem Alliance" (https://www.freemodemalliance.it/).
So I guess that at the end of the day it's mostly a matter of political activism.
I love this, and run my own WRT3200ACM with OpenWRT
I am very interested in Tailscale SSH as an alternative to Cloudflare Tunnel + SSH. If anyone has experience with Tailscale SSH, please share (https://tailscale.com/tailscale-ssh).
Which is also point to point for the traffic.