I’m using CloudFlare to hide my home IP and to reduce traffic from clankers. However, I’m using the free tier, so how am I the product? What am I sacrificing? Is there another way to do the above without selling my digital soul?
I’m using CloudFlare to hide my home IP and to reduce traffic from clankers. However, I’m using the free tier, so how am I the product? What am I sacrificing? Is there another way to do the above without selling my digital soul?
I have never used it, so take this with a grain of salt, but last I read, with the free tier, you could not secure traffic between yourself and Cloudflare with your own certs which implies they can decrypt and read that traffic. What, if anything, they do with that capability I do not know. I just do not trust my hosted assets to be secured with certs/keys I do not control.
There are other things CF can do (bot detection, DDoS protection, etc), but if you just want to avoid exposing your home IP, a cheap VPS running Nginx can work the same way as a CF tunnel. Setup Wireguard on the VPS and have your backend servers in Nginx connect to your home assets via that. If the VPS is the “server” side of the WG tunnel, you don’t have to open any local ports in your router at all. I’ve been doing that, originally with OpenVPN, since before CF tunnels were ever offered as a service.
Edit: You don’t even need WG, really. If you setup a persistent SSH tunnel and forward / bind a port to your VPS, you can tunnel the traffic over that.
I don’t get this whole expose my IP. It’s not a secret and people.are scanning it neither you have a port open or not. The whole IPv4 range is constantly being scanned.
I have the same setup but using frp which stands for fast reverse proxy.
The term VPN is pure marketing bs. What is called VPN today used to be called Proxy Server.
I’ve also heard good things about using Pangolin for the same setup.
VPN and proxy server refer to different things. There’s lots of marketing BS around VPNs but that doesn’t make the term itself BS, they’re different and it’s relevant when you’re talking about networking.
I think thats up to debate.
Wikipedia says:
So my argument is, if it is not used for private communication between multiple clients, it’s not really a VPN.
Lets say, we both connect to the same Proton VPN server - our computers would not see each other and would not be able to connect to each other via that service. It has effectively the same function as a proxy - making your public internet traffic appear to come from the IP of the proxy server instead of your home IP.
Whereas if you set one up yourself with openVPN for example, we could make it so that we both get a VPN internal IP that we could use to directly connect and idk, play minecraft or something. Instead of connecting through the public internet, we would connect through a virtual network that is private for the two of us.
“It has effectively the same function as a proxy” isn’t the same thing as “it’s not actually a VPN”.
One could argue you’re not really using the tech to its fullest advantage, but the underlying tech is still a VPN. It’s just a VPN that’s being used as a proxy. You’re still using the same VPN protocols that could be used in production for conventional site-to-site or host-to-network VPN configurations.
Regardless, you’re the one who brought up commercial VPNs; when using OpenVPN to create a tunnel between a VPS and home server(s), it seems like it’s being used exactly to “create private communication between multiple clients”. Even by your definition that should be a VPN, right?
You’re correct.
Most people only search for “VPN” because thats the term that got marketed for decades.
But the problem can be solved by using a proxy as well.
The intent of my comment was just to point to a second term - “proxy” - that can be used to find more valid, alternative solutions to the problem of making your homelab hosted services publicly available. And I think you agree with me, that proxy is the term closer to the usecase, even though we both correctly state that a VPN can be used as a proxy.
To make a bad analogy (it’s the first thing that came to mind): It’s like people buying a wok, even though they really just need a pan. And so they only search for wok, because every company says wok all the time, even though they will never use the wok as a wok, but just as a normal pan.
… in my case, I have a homelab, a VPS and a user of a service that runs on my homelab. The VPS is just a proxy for the homelab. The user (client) talks to the homelab (server), through the VPS (proxy) so not, not really a VPN, even if I’d set up openVPN between VPS and homelab. They are not two clients.
Fundamentally, a host-to-host VPN is still a VPN. It creates an encapsulated L2/L3 link between two points over another network. The number of hosts on either end doesn’t change that. Each end still has its own own interface address, subnet, etcetera. You could use the exact same VPN config for both a host-to-host and host-to-site VPN simply by making one of the hosts a router.
I see your point about advocating for other methods where appropriate (although personally I prefer VPNs) but I think that gatekeeping the word “VPN” is silly.
If you have one of those cars that can be used as a boat. And you only ever use it in water and never on land, it doesn’t really make sense to me to exclusively call it a car. Even though it factually is one, it acts as a boat. At least call it carboat.
If I have a VPN, but it’s sole purpose is to take all the traffic that knocks on it’s network-adapter and shove it down a dev/tun and vice verca, why can we not say (with the goal of clear communication and precise descriptions) that it effectively acts as a proxy ?
You’re arguing two different points here. “A VPN can act as a proxy” and “A VPN that only acts as a proxy is no longer a VPN”. I agree with the former and disagree with the latter.
A “real” host-to-network VPN could be used as a proxy by just setting your default route through it, just like a simple host-to-host VPN could be NOT a proxy by only allowing internal IPs over the link. Would the latter example stop being a VPN if you add a default route going from one host to the other?
Good luck I’m behind nine proxies!
Perhaps if you are only talking about the consumer level stuff advertised on TV. Otherwise I can assure you that “Virtual Private Networks” are a real thing that have absolutely nothing to do with Proxy Servers.
On down the comment chain you mention "…our computers would not see each other and would not be able to connect to each other via that service. " as some kind of test of whether a thing is a VPN or Proxy Service but what you’re missing is that this is a completely common and advisable configuration for companies. In fact Zero Trust essentially demands configurations like this. When Bob from Marketing fires up his VPN to the Corporate Office he doesn’t need access to every server and desktop there nor does his laptop need to be able to access the laptops of other VPN users. They get access to what they need and nothing more.
Hell the ability to access the internet via the tunnel, called Split Tunneling, is also controllable.
It’s that ability to control where the tunnel terminates that allows consumer VPNs, like Proton, to be used the way they are.
So while private individuals absolutely do use VPNs as an ersatz replacement for Proxy Servers they are nowhere near the whole use case for VPNs.
you can do the same split tunneling via proxy servers
I agree. That also means that for certain usecases they are equivalent. It’s sometimes worth checking all options to find the best one for that specific case.
I used to use HAProxy but switched to Nginx so I could add the modsecurity module and run WAF services. I still use HAProxy for some things, though.
Oh I forgot to say: I have crowdsec on the VPS in front of frp and traefik on the server at my home, where I add all the modules I want.
frp just pipes all the packets through transparently.
But yeah, same thing, should work the same and there are dozens of ways to set that all up.
I’ve been looking into crowdsec for ages now and still haven’t gotten around to even a test deployment. One of these days, lol, and I’ll get around to it.
It’s pretty neat and I feel like there is a clear value exchange for both parties in the free tier, so less shady than cloudflare.
Don’t see an issue yet even though they are crowdsourcing their list generation. At least they are giving you something for it or you can take it. But if you do you get smaller lists.
I’m using my own LetsEncrypt certs for TLS with cloudflare free. I too wonder how I’m the product in this scenario.
I always assumed it was a loss leader play: the more selfhost type people are using cloudflare at home, the more likely they are to recommend and implement it at work, on a paid tier.
Cloudflare has a ton of services in their “free” tier and there’s a lot of confusion in here because people toss around “Cloudflare” without specifying which service they are actually talking about.
If you are using Cloudflared (notice the d) with your own LE Cert then you are probably fine.
Are you using their proxy or just DNS ?
If you have the little orange cloud (proxy) on your DNS entry, go to your public facing webpage and examine the cert. Chances are it’s not what you think it is.
it is exactly what I think it is. you can use your own certs
Typically on their free accounts they use your cert for communication between them and you, and use cert they issue for communication between them and everyone else.
User -> CF cert -> CF -> your cert -> your server.
That’s why I suggested examining the cert on your external facing page.
Regardless, one way or the other, they need to be able to decrypt your data in order to apply their services (WAF, etc).
Unless, again, you’re just using DNS (grey cloud).
In my experience even a site with low legitimate traffic will eventually buckle under the torrent of bots and scrapers if it’s up long enough to get indexed by search engines, so the longer my stuff is out there the more I anticipate I will need DDoS protection.
I’ve got bot detection setup in Nginx on my VPS which used to return 444 (Nginx for "close the connection and waste no more resources processing it), but I recently started piping that traffic to Nepenthes to return gibberish data for them to train on.
I documented a rough guide in the comment here. Of relevance to you are the two
.conffiles at the bottom. In thedeny-disallowed.conf, change the line forreturn 301 ...toreturn 444I also utilize firewall and fail2ban in the VPS to block bad actors, overly-aggressive scrapers, password brute forces, etc and the link between the VPS and my homelab equipment never sees that traffic.
In the case of a DDoS, I’ve done the following:
Granted, I’m not running anything mission-critical, just some services for friends and family, so I can deal with a little downtime.
I have something similar with fail2ban + hidden buttons. If the requester goes and clicks on the hidden buttons on the main site, it gets into a rabbit hole. After 3 requests, it gets banned for a bit. Usually stops the worst offenders. OpenAI and some of the scrapers are the worst.
Google/bing, I do actually see them hit robots.txt then jump off, which is what they should be going.
Oooooh. That’s smart. I mostly host apps, but in theory, I should be able to dynamically modify the response body and tack on some HTML for a hidden button and do that.
I used to disallow everything in robots.txt but the worst crawlers just ignored it. Now my robots.txt says all are welcome and every bot gets shunted to the tarpit 😈
Nice! Thats another way to do it. 😀
I know others use Arabis(?) I think thats what it called. The anime girl one that does a calc on top. Ive never had good luck with it. I think bot are using something to get around and it messes with my requests. Might also be my own fiddling.
You probably mean Anubis.
Woops yes!
I’ve run a publicly accessible low-legitimate-traffic website that has been indexed by Google and others from my home network for >20 years without anything buckling so far. I don’t even have a great connection (30mbps upstream).
Maybe I’m just lucky?
Consider what a DDOS attack looks like to Cloudflare, then consider what your home server can actually handle.
There’s likely a very large gap between those two points.
For me, my server will start to suffer long before traffic reaches the level of a modern DDOS attack.