HeadScale without reverse proxy under Cloudflare tunnel : r/selfhosted

VPN

Hey, I'm still a noob in the homelab area. I tried to make some apps like Nextcloud publicly available through a reverse proxy and port opening with Nginx Proxy Manager (NPM), but I knew that this is a security risk, so I decided that I will access my home network with a VPN. I was wondering: if I set up headscale with Cloudflare tunneling without any port forwarding, will that be a good move or not?


Sure, you can do so. I personally do not really get the hype about Cloudflare Tunnels and Tailscale (in your case at least headscale, which is self-hosted). Furthermore, there seems to be a bug in the latest released Android mobile app of Tailscale which effectively prevents you from using your own headscale server.

I would just spin up wg-easy and port forward the WireGuard network service. Then you can remote in whenever you like. If you have a static IP, it's done within a few seconds. Otherwise, combine it with a domain and/or DynDNS.

BTW: Port forwarding itself is not a direct risk. It depends on what services you expose. Even if you use CF tunnels, your exposed applications can still be compromised. It's not the opened port that causes issues; it's the exposed network service that may be susceptible to a vulnerability.

Hey, I'm a noob here. Would it be dangerous to expose things like Plex, Nextcloud or headscale?


OK, thanks.
The Android client for Tailscale is working for me, but only when I try my local domain and not the public one. IDK if that problem is from me or from the Android client, but I can put a custom domain server to use.


Bear in mind that Cloudflare is itself a reverse proxy, just in the cloud rather than self-hosted.

Yeah, I know, but at least I won't open any ports in my router.


If you can open ports on your router, and you want NextCloud to be publicly available on the Internet, and you already use NPM, probably the simplest solution is to use vouch-proxy. It will ask anybody who tries to connect to NextCloud to authenticate with a supported cloud service, then only let them in if you've allowed that account.

  • You have to install vouch-proxy alongside NPM.

  • You have to add vouch-proxy to NPM as a proxy host, just like NextCloud (for example if you have https://nextcloud.yourdomain.com you also need https://vouch.yourdomain.com).

  • In the NPM config go to the NextCloud proxy host, edit it, go to the Advanced tab, and add the stuff in this example, but only from "auth_request /validate" to and including the "location @error401 {}" block. You don't need the SSL certificate stuff because NPM does that for you. From the "location / {}" block you only need the "proxy_set_header" line, not the "proxy_pass" line.

  • You may have to replace "127.0.0.1" with the local address or host name where Vouch is installed. For example if you make a docker network and call the container "vouch" it could be "vouch:9090" instead of "127.0.0.1".

  • You will have to replace "vouch.yourdomain.com" with your real domain, and also 9090 with the port you forward. If you forward 443 you can leave it off; it's the default for HTTPS.

If it needs to be said: you MUST set NPM up with TLS certificates before you do any of this! If your NextCloud can't be accessed at an https address, don't even bother setting up vouch.
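The Advanced-tab snippet the steps above describe, written out as an added example (it is not the commenter's text nor the vouch-proxy project's own file, but follows the nginx example in the vouch-proxy README). Assumed: the Vouch container is reachable as vouch:9090 on the same docker network as NPM, the public name is vouch.yourdomain.com, and `conf.d/include/proxy.conf` is the include NPM's own generated `location /` uses.

```nginx
# Assumed: Vouch container reachable as vouch:9090 on NPM's docker network,
# public hostname vouch.yourdomain.com (replace both with your own values).

# Every request to NextCloud is first sent to /validate; NextCloud only sees
# requests that Vouch answered with 200.
auth_request /validate;

location = /validate {
    # 127.0.0.1:9090 instead if Vouch runs on the host rather than in docker
    proxy_pass http://vouch:9090/validate;
    # Vouch needs the original Host header to match the cookie domain
    proxy_set_header Host $http_host;

    # Vouch only inspects the request headers, so the body is not forwarded
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Values returned by Vouch, reused below
    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}

# A 401 from /validate (missing or invalid Vouch cookie) sends the browser to login
error_page 401 = @error401;

location @error401 {
    # Vouch authenticates the user with the configured provider, checks its
    # allow-list, then redirects back to the url= parameter
    return 302 https://vouch.yourdomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}

location / {
    # Tells NextCloud which account Vouch allowed (usually an e-mail address)
    proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
    # NPM drops its own "location /" once the Advanced config contains one; this
    # include (the one NPM's generated block uses) restores its headers and the
    # proxy_pass to the upstream configured in the NPM UI.
    include conf.d/include/proxy.conf;
}
```

Vouch's own config.yml (OAuth provider, the allow-list of accounts, and a cookie domain of yourdomain.com so the session cookie set on vouch.yourdomain.com is also sent to nextcloud.yourdomain.com) is separate from this snippet.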

I've been looking for something like this forever!!


I wasn't able to get this to work, at least not on the free tier of CF tunnel. I think I was running into the same issue as this:

https://github.com/cloudflare/cloudflared/issues/990

You can set up headscale without a reverse proxy (you will still need to open port 8080), but you will need a DNS record pointing to the IP where headscale is running (you can use DuckDNS). Once set, you can also run tailscale (you will need to open up port 41641) on the same machine you run headscale on.

See if this can help you:

https://earvingad.github.io/posts/headscale/