Introduction
This document describes my experience with leveraging services such as Tailscale and Cloudflare Tunnels for self-hosting without opening any ports.
When I was designing my self-hosted solution, I had no interest in opening any ports on my router. Although opening ports can be done safely, I usually take the cautious route. So I broke it down to two needs: VPN access and static site hosting. After research and deliberation I decided on Tailscale and Cloudflare Tunnels.
Tailscale
There is a great resource that goes in depth on how Tailscale functions located here.
In simple terms, as I understand it, Tailscale runs within your self-hosted environment and establishes a connection to your "Tailnet". This connection stays open and is only accessible via other devices within your "Tailnet". There are a variety of ways to set it up, but I went with the Subnet Router method for simplicity.
Subnet Router
A Subnet Router acts as a gateway to a specified range of IPs (a CIDR) that the Tailscale instance has access to. This means we can run one instance of Tailscale in our home lab and tell it we want access to our entire home lab network. For example, I have the Tailscale Operator deployed on Kubernetes, acting as a gateway for my entire 10.0.0.0/24 home lab network. This gives me access to any service from any other device on my Tailnet. That other device being my personal laptop!
(Image: Tailscale VPN Client)
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: tailscale-connector
spec:
  tags:
    - "tag:k8s"
  hostname: <HOSTNAME>
  subnetRouter:
    advertiseRoutes:
      - "10.0.0.0/24"
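One caveat worth spelling out about this setup: advertising 10.0.0.0/24 makes every host on that subnet reachable from any device on the Tailnet that the Tailnet's access policy allows, and the policy a new Tailnet starts with allows everything. The policy file below is an added example, not part of the original post and not code from Tailscale: it shows that permissive default beside a tightened policy that lets only tag:k8s nodes advertise (and auto-approve) the 10.0.0.0/24 route, gives admins full access to the subnet, and limits ordinary members to two ports. The tag:k8s tag and the 10.0.0.0/24 route come from the Connector above; the port list, the admin/member split and the user@example.com address in the test are assumptions to adapt.

```json
// Tailscale ACL policy in HuJSON (comments and trailing commas allowed).
// Added example, not from the original post.
{
  // Who may apply tag:k8s to a node (the Connector above uses this tag).
  "tagOwners": {
    "tag:k8s": ["autogroup:admin"],
  },

  // Let tag:k8s nodes advertise 10.0.0.0/24 without manual approval in the
  // admin console; any other advertised route still needs approval.
  "autoApprovers": {
    "routes": {
      "10.0.0.0/24": ["tag:k8s"],
    },
  },

  "acls": [
    // WEAK: the default policy every new Tailnet starts with. Every device
    // can reach every host and every port behind the subnet router.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // TIGHTER: admins may reach the whole home lab subnet on any port ...
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["10.0.0.0/24:*"],
    },
    // ... while other members only reach HTTP/HTTPS on it (assumed ports).
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["10.0.0.0/24:80,443"],
    },
    // Anything not matched by a rule is denied, so members cannot reach
    // SSH or other admin ports on home lab hosts.
  ],

  // Assertions Tailscale evaluates when the policy is saved; a failing test
  // rejects the save. The address is a placeholder for a non-admin member.
  "tests": [
    {
      "src": "user@example.com",
      "accept": ["10.0.0.10:443"],
      "deny": ["10.0.0.10:22"],
    },
  ],
}
```

The tests section is the cheap regression check here: if someone later loosens a rule, the save fails as soon as a non-admin member would gain access to port 22 on a home lab host.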
Cloudflare Tunnels
The idea behind Cloudflare Tunnels is similar to that of Tailscale: a third-party service establishes a connection to a deployment within your environment. You can probably start to see a trend here.
I have Cloudflare's Tunnel Helm Chart deployed within my Kubernetes cluster. This service allows you to expose any private IP or hostname to the public through Cloudflare. For example, JotThatDown is hosted with Cloudflare Tunnels!
Once you have a Service created in Kubernetes for whatever deployment you are running, navigate to the Zero Trust console and configure it! Keep in mind, it doesn't have to be a Kubernetes Service either! It can be anything the Cloudflare deployment has access to on your local network!
Public Hostname: jotthatdown.com
Path: *
Service: http://jotthatdown-site-srv.<NAMESPACE>.svc.cluster.local:80
Conclusion
As you can see, it seems like the networking configuration needed for self-hosting is soon to be a thing of the past. If you are the cautious type who is holding back because of security, these are great options!