r/selfhosted

I've tried to understand cloudflare tunnels, but I just don't get it. How is a tunnel superior to DDNS and reverse proxy?

Need Help

Can someone please explain this to me? There's been a lot of chitchat about cloudflare in this sub recently, but I just don't understand it.

I currently use a DDNS and reverse proxy to access a couple of my personal self-hosted services (when I'm accessing them from devices that don't support VPN). How would a Cloudflare tunnel be superior to this setup?

Also, do I need to purchase a domain name to use cloudflare tunnels? Many thanks from a confused n00b.

    • +: Cloudflare is applying their traffic security rules to your service. This cuts out like 95% of malicious traffic because they can analyze and block it on a wide scale. Similar to a very smart spam filter.

    • +: Cloudflare obfuscates your IP address, good if you are a target of DDoS attacks. Usually not a problem unless you're poking hackers in the eye.

    • +: If you don't have a public IP, you don't really have a choice except to do this sort of tunnelling with Cloudflare or a VPS service (manually).

    • -: Cloudflare is intercepting all of your traffic, so if you're sailing the high seas, that may be a concern.

    • -: Cloudflare is essentially using you as a test subject for their commercial offerings. You're benefiting from it, but so are they.

    • -: Tunnelling through Cloudflare teaches you nothing about securing your services. In fact you can just as easily mess up your security posture through Cloudflare as you can by port forwarding. It's not a free pass to disregard security.
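    As an added illustration of what a Cloudflare Tunnel actually does on the origin side (an example configuration written for this thread, not taken from any commenter or from Cloudflare's own documentation), here is a `cloudflared` config.yml. It assumes a hostname `app.example.com`, a service listening on `localhost:8080` and a placeholder tunnel UUID. The tunnel daemon dials out to Cloudflare, so no inbound port is forwarded and no DDNS record points at your home IP; the service itself, however, is still reachable by anyone who can resolve the hostname unless it has its own authentication or a Cloudflare Access policy in front of it.

```yaml
# cloudflared config.yml (example written for this thread; UUID and paths are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000      # placeholder: your tunnel's UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Public hostname -> local service. The DNS record for this hostname is a
  # CNAME to <UUID>.cfargotunnel.com, so the origin IP never appears in DNS
  # and no router port forward is needed: cloudflared connects outbound.
  - hostname: app.example.com
    service: http://localhost:8080
    originRequest:
      noTLSVerify: false     # keep certificate checks if the local service speaks HTTPS

  # Catch-all: anything that does not match a rule above gets a 404 from cloudflared.
  # cloudflared refuses to start without a final catch-all rule.
  - service: http_status:404
```

    Check the rules with `cloudflared tunnel ingress validate` before starting the daemon, and publish the hostname with `cloudflared tunnel route dns <tunnel-name> app.example.com`. Nothing in this file authenticates users: a service with a weak login is as exposed through the tunnel as it would be behind a forwarded port, which is the point the comment above makes.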

    You don't need a tunnel to take advantage of your first two points. Their basic DNS service provides that as well.


    There are a couple of posts that highlight the benefits, so I'm going to do the opposite and list some of the downsides that I find about using Cloudflare tunnel without a real need.

    First and most important, you are routing all your traffic through Cloudflare's internal network. This means they can and probably do analyze your data because there is no profit in providing a free service that consumes bandwidth while getting nothing in return. How trustworthy you find big companies is up to you.

    Second, you are legally limited in what you can tunnel through their service (unless you pay, of course), as most content that selfhosters use in their setups would be considered against their Terms of Service. This includes tunneling video, pictures, music... you get the idea.

    Third, the security you get through obscurity by not opening any ports... is just negligible at best in my opinion. Rerouting your traffic to a third party to avoid exposing port 443 just to stop random bots hitting your reverse proxy default blank landing page is just nuts to me, and not something I would call part of a secure setup. Now, in the case you believe/know for some reason your services can be the target of a DDoS attack, Cloudflare does provide great mitigation, so keep that in mind.

    And lastly, if you are not willing or capable of keeping your internet-facing services up to date, do yourself a favor and don't expose anything. Not through Cloudflare... not by allowing traffic to specific ports... nothing, because you will get exploited with or without Tunnels.

    Thank you so much for this. I already have a VPN on a few VPS (from a provider I've chosen to trust).

    With all the Cloudflare touting all over the place (in this sub and many others), I genuinely started asking myself if I had missed something. But in fact no, I'm fine with my infra as is. It might require a lot of tinkering and maintenance, but that's the whole point in my specific case (learning by doing).

    This means they can and probably do analyze your data because there is no profit in providing a free service that consumes bandwidth while getting nothing in return.

    This isn't necessarily the case: they've said before their reasoning behind having most things available for free is that they become so ubiquitous that everyone's already used to their services and will continue to use them when they get hired to do networking at an actual company i.e. why Adobe and other software companies will usually not come after individuals for pirating their products.

    So they probably are analysing the traffic insofar as it helps them improve their services, but they're not necessarily data mining it in the way that Google or other ad companies would. That's not to say they aren't, either, but it's not a necessary consequence of being free, IMO.


    Anyone know what's the throughput / bandwidth restriction of a free tier? It seems like Cloudflare tunnels are nice for toy projects, but you cannot put anything serious like Jellyfin or heavy-use Nextcloud on them.

    “Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited”

    Poor me with 2.5Gbps/2.5Gbps fiber link

    I have 100/40. Yeah, poor you :-)


    It's not really the volume but the 'ratio'. Image heavy site with a bazillion hits a month? Maybe OK. Same amount of video served with little to no HTML around it? Contravenes terms of service.

    The exact clause you'd be found in violation of is 2.8 of the TOS, and it applies to all plans up to but not including Enterprise.

    Getting back to 'what's the throughput / bandwidth restriction of a free tier', that's kind of nebulous, but I've heard of egregious users on a free tier being asked to move up to a paid plan lest proxying simply gets disabled on that record.


    Yes, you need your own domain name. Sounds like you are fine with what you are doing, but it's good you're exploring your options.

    I used to only access my network using a VPN, but since I now have others accessing my network, Cloudflare is an attractive option because I don't need to install software on anyone else's devices. I also like how it can keep my IP "unlisted" rather than being tied to my domain name. While I keep my network locked down, I like the idea of Cloudflare between my network and the outside world because we (people running homelabs) aren't always the first to find out about zero-days, nor are we always the first to receive patches.

    Keep learning and keep an open mind; your needs may change over time. If you are learning with the goal of finding a job, it's definitely wise to explore Cloudflare, since nearly 1 in 10 requests go through them.
