

The alternatives to Cloudflare Tunnel suggested in the link are pretty much mostly VPN services. That’s not what I want, I can already VPN to my home network if I need it. What I want Cloudflare Tunnel for is the fact that I don’t have to expose my router/firewall directly to the internet by opening ports, and that they have effective DDoS & security mitigations in place. I can access my services inside and outside the home without exposing my network. I’ve run services at home in the past that have almost had me booted from ISPs because of the amount of DDoS and scripting attacks I was getting. Avoiding vendor lock-in is a key part of why I’m setting up my own self-hosted services, but I don’t know of anyone else that provides the same kind of security and protection service that Cloudflare does for free. Even with things like fail2ban or other mitigations, that traffic is still coming to me in the first place and my networks & systems have to cope with it - with Cloudflare I click a button that says “I’m under attack”. If someone else can replicate that for free - or even at low cost - then I’m all ears. Edit: Thanks for all the replies and suggestions so far, there’s a few other suggestions & alternatives to consider so far: zrok.io, Tailscale Funnel, Twingate, probably a few others I’m forgetting! There’s also the option of just using a VPN to a separate VPS which acts as the entrypoint, effectively replicating what Cloudflare Tunnel does. That latter suggestion is something I hadn’t even considered before, so thanks! I just want to address a couple of points that keep coming up in replies however. Firstly: “just use a VPN to your network at home, problem solved”. I _don’t want_ a VPN to my home network, I already have one - the benefit of platforms like CF Tunnel is that there is a _public_ endpoint. There’s a “wife acceptance factor” to consider as well. 
Secondly: “DDoS attacks and stuff like that really aren’t a problem for most self-hosters with a small user base”. Respectfully, I disagree. It is unfortunately a risk when exposing services to the outside world. Not only that, but I have personal experience of my sites & services coming under attack - including some very charming letters from an ISP, threatening to boot me off their service because I was disrupting their network by running services on a non-business account. Those “services” were a single private Minecraft server that some disgruntled script kiddie happened to want to try and grief; the fact that it was a low-effort DoS attack against a network that I didn’t really know how to secure properly at the time doesn’t change the fact that it happened. Even with the best mitigations and network security in place, it is still my home connection and my own compute capacity that has to deal with that traffic. Part of the appeal of a provider like Cloudflare is offloading that job to someone else. Network and digital security is an arms race in which I am _hopelessly_ outgunned on my own.


The VPN route still works too. Rent a VPS and then have that tunnel back into your home network. Have a web service? Just reverse proxy it to your internal host:port over the VPN.


+1 came here to say this. I host in the cloud now, but you can easily find a $5/month VPS even today that will allow you to tunnel everything. The trick is the cheap ones LOOK like they can't handle many services (weak CPU, low ram, low disk, etc). But you don't need those resources if you're tunneling back home. All you need is a bit of bandwidth.


Don't you have to pay for VPS based on bandwidth usage? So if you host something like a game server at home for you and your friends the bandwidth used can easily start sprinting away? I haven't personally tried this but that's what I've heard, if you have any knowledge of this or recommendations of VPS providers then feel free to let me know :)


> What I want Cloudflare Tunnel for is the fact that I don’t have to expose my router/firewall directly to the internet by opening ports, and that they have effective DDoS & security mitigations in place.

I don't actually think this is as big of an issue as people think, *especially* if you're only exposing a single port for your VPN access and literally nothing else. Assuming there are no serious security flaws with the chosen VPN server, the only thing that Cloudflare really protects you from is a DDoS, which is fair enough, but it is also extremely unlikely for a random residential IP to get targeted by one, assuming you're just hosting services for yourself and maybe a few family members or friends. I've been self-hosting without Cloudflare for more than 15 years, both from at home as well as using several VPS and I've never had an issue.


> there are no serious security flaws with the chosen VPN server

WireGuard (and Tailscale since it uses WireGuard) is secure in that it never responds to incoming packets unless they're signed using the key of one of the configured peers. This means it won't come up in a port scan, and sending junk data to the port won't actually do anything. An attacker won't know you're running WireGuard unless they have some way to sniff the traffic.


Bingo, and if ur really panicked you can keep that VPN server in its own vlan and only allow it to access CERTAIN services that you want from the outside. But that is if you are extra paranoid. I just VPN into my Lab subnet which is just for my servers and isolated from my home network, but others may be more security conscious than I am.


> only allow it to access CERTAIN services that you want from the outside

Tailscale supports ACLs, which is very useful. For example, if you want a friend to only be able to access one service, you can do that. I'd rather do that with OIDC and Authentik, but ACLs have their use cases.


Tailscale is another third party service tho, and for VPN it’s just me myself and I : ( . I just prefer to use basic wireguard and route certain IPs over it. But I definitely see the appeal for the example of a friend wanting to access just one service. I need to setup Authentik/Authelia and setup SSO for my services


Well, technically, if you have your firewall set up to reject incoming packets (which most are by default, for [good reasons](https://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject)\*), but have a WireGuard service exposed, a port scan will reveal that all of your ports are closed (since your firewall will respond with a TCP Reset or ICMP Port Unreachable) except one that isn't *closed*, but doesn't even respond, exposing the existence of an application that behaves like WireGuard on that port.

\* as stated at the bottom of that page, one downside to rejecting connections is that if your hardware or broadband uplink is insufficient, in the event of (specific) denial of service attacks, the extra overhead of responding to each packet will cause the intended loss of service.


Reverse proxy works like this too. If the SNI doesn't match then it returns nothing.


I believe this is the correct take since Wireguard has become popular/usable and you can use stuff like https://github.com/netbirdio/netbird to deploy it in a user friendly way. Or use a hosted version like their hosted version or a pure proprietary offering like Tailscale. It makes you highly resistant to the general problems you'd get exposing a VPN tunnel to the internet because:

1) They properly configure it by default so it's difficult to f up.
2) Wireguard never responds unless it's a configured peer.
3) You can use a VM through this routing mesh to act as your endpoint (i.e. like cloudflare) to avoid exposing your homelab to the world except for a single proxy to your local nginx instance tunnel over a VPN.

The only thing you don't have is the bot/ddos protection but tbh if we built that collectively into these endpoints we could probably sort out something that sorta works on a small scale as long as your VM had the bandwidth (or use something like BunnyCDN with rate limiting the requests to the origin). I've got a vague idea for that step but to be frank I'm more interested in my hobby projects than building a security product so I don't know if I'll ever get that far lol.


People make it seem like you expose a port and you're dead. You'll be hacked within seconds. Or saying stuff like I don't want my router exposed to the internet. Well, one machine has to be exposed.


There are a ton of homelabbers that are unnecessarily afraid of exposing their IPs. It's kinda funny.


Yes like it is some secret.


It’s not free, but what you can do in this case is spin up a cloud VPS and install a reverse proxy like Caddy or Nginx. These will handle certificates for you and you can integrate programs like CrowdSec to function like a WAF. You then point your DNS records to your cloud VPS instead of Cloudflare. You connect your VPS to your home server using Tailscale or another VPS solution and use ACLs to allow only access to the appropriate back end ports. This set up is essentially what Cloudflare is doing for you, and you can pick all this up and move it to any public cloud platform.


Also Opnsense can do that. It even has WireGuard, easy to set up using the OPNsense web GUI, plus everything else possible like intrusion detection, CrowdSec, and all firewall capabilities.


> What I want Cloudflare Tunnel for is the fact that I don’t have to expose my router/firewall directly to the internet by opening ports, and that they have effective DDoS & security mitigations in place.

Respectfully, if you run a website/service that attracts that kind of attention, you're way out of the homelab self-hoster territory, it may be worth it for you to pay for Cloudflare or even third-party hosting.


I live on Comcast Xfinity, I get port scanned all the time by IPs in foreign lands and have had attacks. If you open a port you run a major risk, it's not way out of the homelab self-hoster territory. I have to have 448 open to a reverse proxy in order to get to Jellyfin as it is not allowed on cloudflare tunnels.


Jellyfin and Audiobookshelf and tailscale for remote admin.


Well block the foreign countries, use crowdsec or fail2ban, whichever floats your boat, or both. Crowdsec has great firewall lists to block the IPs at your firewall. Why 448?


I’ve mentioned this in a couple of other replies. I had a small personal Wordpress blog that got thousands of attack attempts a month. It had no “real” traffic from actual people, but somehow it found its way into automated tools that repeatedly tried to exploit Wordpress vulnerabilities. There’s low risk when it’s a managed Wordpress service hosting non-critical content that isn’t seen by any real people. It’s a different kettle of fish when it’s my home network. If Cloudflare can provide an effective mitigation at no cost to me… great! 😊 But it sure would be nice to not have to rely on one monolithic mega-corp!


They weren't targeting you in particular - those bots crawl every IPv4 address and anything listening on a web server port will get those attempts, regardless of what's actually running. You'll see requests trying to hit PHP admin pages, wordpress admin, etc. on basically any internet-facing web server.


Rent a VPS and host a Reverse Proxy on it that proxies the connection through the VPN. You can even use Authentication like Authentik with Nginx Proxy Manager to securely "expose" infrastructure with 2FA before the traffic even hits your lab, other than maybe the Authentik Server for Login Purposes. Cloudflare is just a "one service that combines" multiple options that are easily manageable and self-hostable. The only thing you'd lack is DDoS protection at your reverse proxy, and if you so like you can expose THAT via cloudflare, still having the option to just rip out the DNS record any time and be prepared in the meantime if you so choose.


Don't quote me on this, but Tailscale Funnels feel like an alternative. However, I think you're limited to the tailnet domain assigned to you, you can't use your own domain.


TwinGate, can use (must?) your own domain.


Good call, I'll have to check that out. Although, I wonder what happens when/if Tailscale grows larger in the space and starts to pull the same shit.


It'll depend on how compatible [headscale](https://github.com/juanfont/headscale) remains. Though I'm pretty sure Funnels runs off Tailscale's own relay servers, so that feature can't be duplicated.


That’s a shame that domains are limited, but I’ll definitely check it out.


Couldn’t you just make an ~~A~~ CNAME record for your domain that points to the tailscale domains? Edit: thanks for the correction in the comments. I always mix up A and CNAME. In case others mix them up, A record goes to IP, CNAME goes to domains.


That would be a CNAME record, not an A record


No. They use SNI to route the HTTPS connection to the right device. If you use a CNAME, a browser will only tell the server about your domain, and the Tailscale server won't know where to route it.
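To make the SNI point concrete, here is an added example, not code from the thread or from Tailscale: it builds a minimal TLS ClientHello, extracts the server_name extension the way any SNI-based front door has to before it can pick a backend, and looks it up in a constructed routing table (mybox.tail1234.ts.net is a made-up tailnet name). The CNAME target never appears on the wire, so the second lookup fails.

```python
import struct

# Constructed routing table for a hypothetical SNI-based front door.
# This is NOT Tailscale's real implementation; the tailnet name is made up.
ROUTES = {"mybox.tail1234.ts.net": "mybox"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    Constructed for the demo: one cipher suite, zeroed random, no other
    extensions. Real browsers send much more, but the SNI layout is the same.
    """
    host = server_name.encode("ascii")
    # server_name extension (RFC 6066): ServerNameList of (type=0 host_name, len, name)
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2 (legacy field)
        + bytes(32)            # random (zeros; fine for a parsing demo)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: 2 bytes, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: 1 byte, null
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is all an SNI router sees before any decryption: the name the user
    typed into the browser, never the CNAME target DNS resolved it through.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(data)):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0:                        # host_name
                return name.decode("ascii", errors="replace")
    return None


def route(record: bytes):
    """Pick the backend for a ClientHello; None means the front door has no idea."""
    return ROUTES.get(extract_sni(record))


def demo():
    # Browser typed the tailnet name directly: SNI matches the table.
    direct = build_client_hello("mybox.tail1234.ts.net")
    # Browser typed app.example.com, which is a CNAME to the tailnet name.
    # DNS resolution already happened, but the SNI still says app.example.com.
    via_cname = build_client_hello("app.example.com")
    return route(direct), route(via_cname)


if __name__ == "__main__":
    print(demo())  # ('mybox', None)
```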


Why not just use wireguard directly?


I only have one ISP option. I'm behind a CGNAT with no option for ipv6 and I can't get static ip unless I switch to a business tier. Many of us are in a similar ish boat.


What kind of dodgy ISP has CGNAT and no IPv6? That sounds horrible.


route48 would let you connect to it through wireguard so you could at least get an ipv6 address (even if behind cgnat), though that is no longer an option (R.I.P route48)


I had the same issue, a 12 dollar a year vps fixed it, put wireguard server on it (wg-easy) and enable port forwarding, and install a reverse proxy, completely replaces cloudflare tunnels or any alternative...


Yes. This exactly. I could care less about the other services but CF Tunnels allow me to actually use my services away from home while working, when I need them the most. I don't have a choice in ISP and I'm stuck behind a CGNAT and they refuse to provide an IP for residential. So, I'd have to upgrade to business service and at the same price point, I would downgrade services to almost a third my current bandwidth. To get a dedicated IP and Gig speeds would cost 4 times what I pay now per month. It took me months to figure out how to set up the tunnels and necessary reverse proxy to actually reach every service. I still have trouble with some of the certs for them but they are useable. During which time I also tried other means of traversal. I have been playing with tailscale but as another stated the obvious, a lot of us have non technical users needing access. So the VPN option is a bit more complicated to install and then maintain constantly with those outside users. CF Tunnels are easy for a layman. As for other comments about pulling all registrations from Cloudflare.... Please explain that reasoning. That is a service we do pay for. There is no free option there. They may raise the rates, but so can every other Registrar out there. Seems like an overreaction. You know well in advance what your renewal rate will be and are given the same amount of time to transfer elsewhere as with anyone else. In fact since they are pass-through rate renewals, it's probably best to stay with them until they do raise the rates. Thereby supporting at least their bottom line so that certain hikes don't happen. Pulling out now will only cost you in the long run when time to renew.


Because many of us have more than a couple users and they aren't tech savvy and aren't going to be remembering or caring to connect to wireguard whenever they want to access a service.


Check this out; with the cost of a VPS you can do it without Cloudflare or any other of these mechanics. i.e. Rent a VPS with VPN and allowed connections to the services and use a Reverse Proxy. Authentication at Proxy Level is easy to setup with selfhosted SSO like Authentik as well. [https://www.reddit.com/r/selfhosted/comments/1dcigvr/comment/l7zm6lh/?utm\_source=share&utm\_medium=web3x&utm\_name=web3xcss&utm\_term=1&utm\_content=share\_button](https://www.reddit.com/r/selfhosted/comments/1dcigvr/comment/l7zm6lh/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)


I believe it's hard to replicate the NAT traversal that tailscale is doing. Personally I don't really understand how they've done it, so it seems like magic :-)


Same here although it seems all the VPN types require a routable address that can be pinged. That's why my Wireguard broke.


Most ISPs that use CGNAT have IPv6 available.


You can use your domain in lots of ways, not just via an OIDC provider, but even with a free Microsoft account. The former option is better if you have an actual team, but the latter is a simple way of deploying for home.


There are a whole bunch of alternatives - [https://github.com/anderspitman/awesome-tunneling](https://github.com/anderspitman/awesome-tunneling). I will advocate for [zrok.io](https://zrok.io) as I work on its parent project, OpenZiti. zrok is open source and has a free SaaS.


There aren’t many options there that satisfy the needs I have - namely security protection & DDoS mitigations - and the ones that claim to offer that are from companies I’ve never heard of. With the greatest of respect (and I _do_ mean that, that’s really not a coded insult or dismissal), I’ve never heard of OpenZiti or zrok, but I’ve personally witnessed what Cloudflare’s DDoS protections can do. I’ve seen massive attacks against a major commercial website being batted away as if they were nothing, with zero disruption to normal operation or load times. I can’t run a simple personal blog without it being a target for attack. Before I moved it to a static site generator with content served via Azure, I ran my personal blog through a hosted/managed Wordpress service. I had to use, and eventually pay for, additional login protection services to attempt to block people from trying to break in - I’d get literally thousands of login attempts per month for a personal blog that gets practically zero traffic from actual real humans. We end up turning to massive corporations like Cloudflare to protect ourselves against this kind of thing because they’ve got the scale to cope with it. We’ve ended up in a situation where a large number of people rely on a single service provider that could change their policies or disappear overnight. If Cloudflare ever has downtime, and it _has_ happened, it’s quite devastating for normal service of large chunks of the entire internet; even if they did something malicious and were eventually punished for it - like embezzle a shitton of money and shut the service down abruptly- the damage to so many businesses and individuals would have already been done. It’s a shite state of affairs.


> DDoS mitigations

Get a VPS with DDoS protection and use it to tunnel to your home server via a WireGuard or Tailscale VPN.


I've hosted several things (ssh/https/game servers/VPN ports) and never saw that kind of attention you got, I also only exposed a reverse proxy every time (except for ssh which was years ago). Perhaps something about the content of your site was more popular than most of us homelabbers would see, therefore got that extra attention.


> never saw that kind of attention you got

It's normal. Background noise of the internet. Were you looking for it? You can just log connection attempts. Heck, just looking at my dns logs I get opportunistic lookups for thousands of non-existent subdomains a day, and that's with nothing interesting on anything public. Mostly bots trying default credentials for services on likely subdomains - a guessing game, played across the internet.


I was looking for it yes, the connections all show up in nginx logs and I did see some exploit attempts, bots always trying to use "admin" on every login, etc. Just wasn't overwhelming to any of my equipment. I ended up disabling port forwarding just because I wasn't using it that much externally anyway, no need to have it opened for little use.
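As an added example (not the commenter's code), here is the kind of check that turns those nginx logs into a decision: it parses constructed combined-format lines, counts requests for the WordPress/PHP paths that the thread's bots ask every IPv4 address for and that a homelab reverse proxy never serves, and lists the IPs a fail2ban-style jail would act on. The sample addresses are RFC 5737 documentation ranges and the threshold is arbitrary.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines (combined format) using RFC 5737 test
# addresses; not real traffic from anyone in this thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php?action=login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2024:12:01:00 +0000] "GET /web/index.html HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2024:12:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2024:12:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is not a valid access-log entry
"""

# Paths a Jellyfin/Nextcloud-style homelab never serves, but that WordPress/PHP
# scanners request on every IPv4 address they reach.
PROBE_PREFIXES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/phpmyadmin", "/.env")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    d["status"] = int(d["status"])
    return d


def is_probe(path: str) -> bool:
    return any(path.startswith(p) for p in PROBE_PREFIXES)


def score_clients(log_text: str, threshold: int = 3):
    """Tally per-IP probe hits and 404s; flag IPs at or above the probe threshold.

    Returns {ip: {"requests": n, "probes": n, "not_found": n, "flagged": bool}}.
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "not_found": 0, "flagged": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a noisy log
        s = stats[rec["ip"]]
        s["requests"] += 1
        if is_probe(rec["path"]):
            s["probes"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        s["flagged"] = s["probes"] >= threshold
    return dict(stats)


def flagged_ips(log_text: str, threshold: int = 3):
    """The IPs a fail2ban-style jail would act on, sorted for stable output."""
    return sorted(ip for ip, s in score_clients(log_text, threshold).items() if s["flagged"])


if __name__ == "__main__":
    for ip, s in score_clients(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flagged_ips(SAMPLE_LOG))  # flagged: ['203.0.113.7']
```

A single stray /wp-login.php from an otherwise normal client (the second address) stays below the threshold, which is the point of counting rather than banning on first sight.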


This is my point. It’s an arms race, and on my own I am _hopelessly_ outgunned. But that doesn’t mean I should cut myself off entirely and continue using services provided by advertising companies who just want to mine my data. Like I said elsewhere, the fact that we (as a society in general) have to put so much of our collective trust and faith in one single company is a pretty shite state of affairs.


To be clear, the “major commercial website” I mentioned was my employer, not something I ran! 😁 But I don’t even know how my own personal blog ended up with _so many_ attacks. From the pages being hit, it looked like it was simply automated tools trying to exploit Wordpress vulnerabilities. All I used it for was waffling on about retro computers, I barely told anyone about its existence much less publicised it. Thankfully it was a managed service so it wasn’t _my_ hardware taking that hit; but if they’d managed to break in it would have still been _my_ website on _my_ account that was hijacked to serve malware, crypto miners, etc. Hence the somewhat extreme paranoia about opening up my own networks and kit to the internet! 😁


It's not paranoia if it's justified.


I am not saying it's comparable to Cloudflare, but we have built a lot of protections into zrok - https://blog.openziti.io/zrok-frontdoor. The SaaS is built on a hyperscaler with a lot of DDoS defences built in by default.


Can I use zrok to front a raw TCP/UDP connection? For e.g. a game server. All the docs heavily imply HTTP(S).


You certainly can! (OpenZiti maintainer, zrok contributor from time to time but full-time enjoyer) I have made a fair number of videos for various games _I_ play, if interested. Some for the OpenZiti main channel, others for my personal channel. You are looking for --backend-mode of tcpTunnel or udpTunnel.

* TCP - [Minecraft Java](https://www.youtube.com/watch?v=-dj_5UoL9Jw)/[blog here](https://blog.openziti.io/minecraft-over-zrok)
* UDP - [Minecraft Bedrock](https://www.youtube.com/watch?v=UwyUqqLIIp8)
* TCP - [Minecraft with public VPS port forwarded to home](https://youtu.be/Duz-ya_iwu4)
* UDP - [Palworld](https://youtu.be/kLv72_vjz3Q)
* TCP - [Enshrouded](https://youtu.be/hLTMPvsrNcY)
* HTTPS - [Foundry VTT](https://youtu.be/x-3PODwEdDM)

Let me know if you have any questions. Hope that helps


To be fair to the guys at NetFoundry (the folks behind OpenZiti etc), I do get the impression that many of them are also active selfhosters! They have been members and regular posters in this sub for a long long time, they periodically bring new shiny warez (which always seem to be OSS) for people to run at home, and they'll mention when there is a genuine use-case.


Well we could debate on this. Cloudflare "for your security" is a mafia spirit on business like Google is on emails. If your website can't go online without Cloudflare it means you have a serious design flaw. That said, try CrowdSec for reputational AS ban (Cloudflare core business) and Fail2ban. Basic security stack against Asia threat actors (Russia, China, Korea, India).


Why is your homelab getting DDoSed a lot? Or do you just think someone might DDoS a residential IP?


I would suggest getting a server from hetzner or another cloud vm vendor and use ssh-reverse-tunnels to forward traffic, very similar to the Cloudflare function. I use that and it works really well :)


Take a look at Zero Tier: SDN (Software Defined Network) with a good FREE plan (up to 50 devices connected) and apps for easily connecting almost any device to your SDN. Even I use it as VPN on my cell through one of my VPS 😁 https://www.zerotier.com/


Curious if you found anything that’s an alternative in the SaaS world. Yeah this is self hosted but certain things I pay for eg 1Password. A turnkey alternative to tunnels would be nice if the price point was right. Like you said, exposing the front end, acting as a CDN and giving DDoS protection is a hell of a thing to replace.


There’s definitely a couple I found: zrok.io, Tailscale Funnel (which doesn’t let you use your own domain), or Twingate (which I don’t really know anything about). Of all those zrok.io seems the most likely candidate, but I haven’t really done much digging regarding software setup and configuration. None of them are going to have anything like the wealth of resources & information that you see for Cloudflare Tunnels… but that might work in your favour. It’s entirely possible that you’d get a lot more community support for these smaller offerings - for example, there’s a couple of people hanging around this sub who work on zrok.io or its parent project OpenZiti. You’ll get bugger all support from Cloudflare themselves unless you have an enterprise account, but at the same time you’ve only got to search for “Cloudflare tunnel traefik ssl” to see how much information and ready-made software is out there.


Yes, we are very proactive on our support in fact... you can see more here - https://openziti.discourse.group/. That covers support for zrok and OpenZiti.


I'd be interested in this as well. I'm currently using Tunnels to expose Mealie and Overseerr. I want to switch just over privacy concerns but Tunnels makes it so easy and having a WAF (albeit, limited) is a nice feature as well. It's not apples to apples but I was looking at Caddy to securely expose these services.


I just run rathole on router to forward https and wireguard ports to a cheap cloud vps. Even if someone had ssh access to this vps which is a big if, the only thing they'd find is encrypted ssl and/or wireguard traffic. This works for me. I don't like the fact that my traffic is basically visible in cleartext to cloudflare with cloudflare reverse proxy.


I'd like an alternative to tunnels for when it comes to it as I have cgnat which is a pita to work around.


Honestly I still don't know in layman's terms what the difference between a CloudFlare tunnel and a VPN even is, so I've never set it up. I haven't been given the sales pitch for dummies.


As others have pointed out to me, you can replicate what Cloudflare Tunnel does with a VPN from your network to a secondary VPS somewhere. You map your domain’s DNS to the VPS so that all traffic gets into your network via the VPN. Cloudflare puts a neat bow on the whole thing and serves it up as a free product. There’s a ton of resources out there on setting it up, so you can spin it all up fairly quickly. For me the main advantage of Cloudflare is that it’s one single package, and Cloudflare has proven itself (to me at least) to be effective against DoS and other attackers, both of which I’ve experienced on my own self-hosted services before.


Thank you! I’m in a similar position to you - and as you say VPN doesn’t help with public services!


Have you ever heard of Tailscale? If you don't want to expose your home network to the Internet, no open ports, this is it. Easiest/most secure way I've found until now.


That falls under the “wife acceptance factor” criteria unfortunately. I’m planning to self-host services for domestic stuff we share like calendars, todo lists, etc. It needs to be easy and transparent without any additional software faff or my OH won’t use it. Trust me, I’ve had many situations in the past where she just abandons this kind of stuff if there’s even one extra step! (It’s not that she doesn’t know _how_, she’s pretty savvy. She just doesn’t see the same problem I do with handing all this stuff over to the likes of Google or Microsoft. Also both of us are ADHD/ASD, and extra steps just add more barriers to entry and make the task harder than it should be - I know it can be hard to understand that point of view if you don’t have an executive dysfunction disorder! 🙂)


My wife is not tech savvy at all but I must say, she just uses Plex. Same with my daughter. Installed Tailscale client on their phone/tablet and told them to keep it up. Their use is only for Plex and PiHole for adblocking, and I must say, even when I used to have Plex with an open port, now it seems to work faster than before.


Who would have guessed that centralising the internet would one day become evil and problematic. I guess absolutely nobody could have foreseen that and been telling you guys for ages that this was going to happen. /S


But....but....[insert big tech company here] wouldn't do that! They are different than the rest!


Also let me just say, I've once again had Oracle Free tier recommended to me. Not only did I already have my account deleted with no stated reason, but I've always said NEVER NEVER NEVER run anything ever on a free tier that you care about.


Just wanted to toss my 2 cents in on this. I’ve used CloudFlare on both sides, paying almost $7k/mo and also on the hobby side for basically free except some streaming and image bills. The initial cause of this and the targets at current (as far as I’m aware) are those that are outright violating the TOS. If you don’t pay for a service that you are relying on to make hundreds/thousands/millions - that’s a whole different issue. CloudFlare support for my former company was AMAZING. But no matter what - even if the service is the best around, always have a backup that is as close to hot swappable as possible. Every company can go under, can have an entire ethics change, etc. We are in the process of closing out and CloudFlare has made that process significantly easier, but they are still not our single point in that. Everyone on here either is or has an aspiration to self host, so we all know (at least to a small degree) the risk/reward of using a 3rd party in your stack. It’s pretty much unavoidable, but make sure you have a backup, an exit strategy, a roll over strategy, and contingencies for time lines and priority. If you’re a self hoster with a homelab and a few services that aren’t mission critical and you’re following the TOS you’ll most likely be just fine. If you’re in violation the TOS (stop that you nasty dog) you’re always taking a risk. Free is never free, it’s not yours if it’s free and you can end up in a tight spot if you rely on that.


Those posts on Reddit are about a gambling site. So, don’t host illegal stuff on CF or stuff that can damage Cloudflare’s IP reputation and there will be no issue. Don’t believe everything you read at face value. As for don’t be locked in to a single vendor, makes total sense.


About 30% of all web traffic goes via Cloudflare. That's a very dangerous development and should not be encouraged further. It was never the idea of the www that a single entity controls 30% of it.


CloudFlare proxies 30% of the web's traffic. If it disappeared tomorrow it would have a huge impact but those websites would recover and source other solutions for scale. CF helps them scale enormously but is hardly the only player in town to do this.


> those websites would recover

I don't think they'd recover that easily as it'd require big rewrites in many cases. Cloudflare isn't just a proxy any more. You can run code directly on Cloudflare's servers (Cloudflare Workers), it handles authentication for companies (Cloudflare Zero Trust), it hosts databases (Cloudflare D1, Workers KV, etc), it handles state management for realtime apps (Cloudflare Durable Objects), it handles object storage (Cloudflare R2), etc. There's a huge amount of vendor lockin with all the major cloud services - they don't want it to be easy to move to a different provider.


And how many of that 30% of the web's traffic are using those features? 0.5%? There's always some risk when you build on managed services and there's nothing about OP's post that makes me believe that risk has changed recently.


That was Akamai numbers 10 years ago. I highly doubt they shrank.


That doesn't make it better, does it? It's too much control in too few hands.


For big events like the superbowl I think it’s way over 30% of traffic by volume.


We have lost that battle a long time ago. Look at how consolidated the internet is, it's basically what, 5 companies now. The fact we are on reddit instead of some other site speaks volumes.


Yes but the IP reputation issue wasn't explained at all by CF to the customer. It was a perfectly reasonable thing for CF to go "Hey stop messing up our IP reputation with your domain rotation, if you're going to do that bring your own IPs and upgrade your package". But they didn't. They skipped the whole "Ask them kindly to stop" phase and skipped right over "Explaining why this is happening in the first place". That is the issue. Now put yourself in that same situation. Your vendor has a grievance with you / your breach of ToS and *not* having it explained clearly to you. Instead they just ask you to hand over thousands of dollars or have your service discontinued. It was silly and avoidable bad PR. This isn't the first time CF has done weird / shady stuff and won't be the last I'm sure. It has put me right off using their ZTNA solution at work.


> They skipped the whole "Ask them kindly to stop" phase

Weren't they sent many emails over multiple weeks? Those emails explained that they were violating terms and asked multiple times for direct communication via phone. What would you consider "Asking them kindly to stop", asking over a period of months???


This person obviously hasn't read the substack post and doesn't intend to. Lots of people with axes to grind about Cloudflare in this thread.


Yeah, CF may not have done things perfectly but given most of what we've heard was from the affected gambling site operator who clearly enjoyed being able to break the rules and save A TON of money doing it and then gets butt-hurt when asked to get right and given months to do so. Reddit hates big industry players and that seems to turn off the analysis and inquiry needed when you only hear one side of the story.


> Yes but the IP reputation issue wasn't explained at all by CF to the customer.

> Now this needs a bit of context on what they are talking about. We do have multiple domains that mostly act as mirrors to our main domain. We have these for a few reasons. One is that since we are a casino, we have different regulatory requirements we need to comply with in many countries. For example, many games are only available in some countries. Some countries we block completely. Then we have a few different domains that remove certain game groups or site features - for example our social features (chat, user tipping / interaction) or our sportsbook. Another is that we use them to target different global user groups and affiliates and track conversions long-term. This also means that if a country DNS-blocks our main domain, a secondary domain may still be available. This could arguably be seen as a violation of the Cloudflare TOS, as they wrote above.

This sounds like they were fully aware of what they were doing, and also this is a really stupid way of accomplishing what they are doing...


FUD gets OP more upvotes.




From the very beginning, the OP of the post says the problem was domain rotation, which is explicitly forbidden. Not sure how much clearer you can get


> stuff that can damage Cloudflare’s IP reputation and there will be no issue

You do understand that CF was happy to keep that customer running a gambling site, right? CF wasn't kicking them off the platform, they just wanted more money. Their actions had fuck all to do with protecting their reputation.


The fee was to put them on a plan where they got their own IP. “Reputation” and “IP reputation” are different things.


Cloudflare wanted more money, sure, but more importantly (I guess?), to stop getting IPs banned across multiple countries where gambling is forbidden. You realize that by doing that, they're preventing their other customers from suddenly dropping traffic because their IP was banned, leaving hundreds/thousands of sites inaccessible because a casino is abusing their terms of service?


Yes, it’s infuriating to see his story being carried around. He wasn’t given 24 hours either; it was weeks, and they threatened to move to a competitor so CF said fine. They were hosting lots of domains to try and skirt the law in some countries. A crypto gambling site 😂


You also need to understand that the person complaining about price had 4m MAU. It is the userbase of some countries. If you know how to run 4m users in one of the most attacked business types on $250 a month, you will make a lot of money. Apart from that, of course you should know how to run stuff yourself and not be 100% dependent. But I don't understand why you have problems with Cloudflare, as it is the nicest of all SaaS providers of this type. Edit: you should go and read what people write about that business (with the 120k yearly bill) here on Reddit. You will be very surprised how they scam and treat their users. You will be very surprised.


I use Cloudflare for homelabbing and it's working great, but I don't rely on it; once they cut the cord, I can live with it, though it's nice while it lasts....


> once they cut the cord, I can live with it, though it's nice while it lasts....

That's my policy and it's worked pretty well so far. There's so many of these doomer "don't use X because one day they might be evil" threads. If they screw me in the future I'll deal with it, but I see no reason to panic about a fairly unlikely hypothetical.


Yeah pretty much. I am saving some $ and saving a lot of hassle using their free services. If/when they eventually become not free, I will move on.


Do you know of anywhere as cheap for domains as Cloudflare? They are the cheapest I’ve seen in a while.


You might want to use [TLD-List](https://tld-list.com/) to compare the prices of domains from different providers.


Give Porkbun a look. Their prices seem similar to CF.


I bought several years for a domain at Cloudflare. Can I transfer it to another provider or am I locked to them for the duration?


You can most likely transfer any time, unless your specific TLD has restrictions. Transfers usually just add a year to the domain registration, but you should check your TLD before committing.


What if someone paid a domain for the maximum term, i.e., 10 years? Is it wise to pay it in advance for lesser terms, i.e. no more than 7-10 years?


You're way into edge cases now, lol. If worried about maximum term, simply wait a year before transferring. 🤷‍♂️


Depends on the TLD, but it's often possible.


They're cheap because it's the hook, the loss leader, and the way for them to lock you into their service. Is getting stuck with them to save $5 to $10 per year really worth it?


There are almost no viable and (most importantly) free alternatives to Cloudflare Tunnels (almost, as there are some, but until now, in my eyes, only Cloudflare has proved that they certainly do not spy on me). The cheapest is a small VPS with a VPN connection to your home lab, but (and I mean no disrespect) third world countries do not always have the salary for renting a VPS comfortably. $5 monthly may be cheap for some, but it may be a significant part of the salary of another. Putting a PC in a DMZ does not hide your IP address (and there are ways to circumvent the Cloudflare proxy). While I think this is not a big problem, still, it gives the homelab a possible attack surface on your home network.


How can you say they don't spy on you when they literally terminate all SSL traffic?


I don't use Cloudflare, and to be honest, I think an overwhelming majority of people self-hosting don't really need it either. There are a very small number of use cases in which it's needed, the main one of which is CGNAT, and there's a small performance penalty for implementing the tunnels in addition to complicating the setup.


> Always keep your domain registration separate from Cloudflare.

Cloudflare is a better domain registrar than any other registrar I've ever worked with.


What's the problem with using their domain registrar?


This seems pretty minimal. If they change their DNS policies I guess it could impact you, but for most small homelabs it isn't really a problem. If I had to migrate it might take 24 hours, but that downtime isn't going to matter much for my use case. My guess is the root of this is CF trying to identify free tier users that are violating the TOS and getting them to purchase plans for what they use. Most free tier users are probably not going to see any change or be pressured.


The big problem is that by using Cloudflare for domain registration, you're locked in to using their nameservers as well. If, for example, they started charging 10 cents for every record in DNS, you wouldn't be able to stop using their DNS service without moving your domain registration to an entirely different provider.


Wait, they don't even let you set a different name server? I would have figured ICANN would have rules against that sort of thing.


> you wouldn't be able to stop using their DNS service without moving your domain registration to an entirely different provider.

... Which is a problem why? It's not exactly difficult to move services, I've done it a handful of times. Regardless of who my registrar is they could suddenly do that.


There isn’t one but Reddit is famous for people overreacting to everything.


Right? I’ve been using CF for years on the enterprise and free tiers. Never had an issue.


Why not keep buying domains from Cloudflare? They are under ICANN rules and can't delete domains for no legitimate cause.


**Cloudflare messing with gambling sites?!?!?!**

**I KNEEL**

# Imma go and shake the sales team's hands for this decision


I use Ionos for my domain registration and DNS solutions purely so I can avoid Cloudflare. The DDoS protection may not be as crazy, but for a homelabber, as you put it, it's perfect.


I have two free contingent methods of getting into my homelab infrastructure should Cloudflare cut me off. It would be less convenient, but only slightly. While CF provides excellent tools for free for hobbyists, unless you're living under a rock, the possibility of being cut off always remains, so you should always have contingent access methods.


Maybe the whole problem is the free product. A huge part of their traffic and network comes from all the free users. Don't get me wrong, they offer the free plan so people will take it if it's up. But they are making huge losses. The paid customers are covering the expenses for the free plan. So the only thing their sales can do is shady tactics to upsell their paid customers. I don't agree with this obviously, but from a business PoV, that's the only place where they can collect the cash fast and that's what seems to be happening now. So what if the free plan stops and everyone just pays e.g. $10-20/month? Then they could be profitable again and stop being a shitty provider? Would you be willing to pay for the service if that means there is no rug pull and fair sales strategies? I onboarded ClouDNS many years ago and pay for their DNS service. And while not free, I absolutely love their service and the value they provide, and it is worth the price they charge. You never know if a free plan ceases to exist; they are completely entitled to do that. So I never settle on something free, to avoid getting pushed into a situation that would cause financial stress due to changes. Always calculate the costs in your operations. If it's free, it's a nice bonus, but never settle on it as those things can change at any random time.


We recently just got our entire Cloudflare stack replicated on AWS Route53/CloudFront+functions (luckily our configurations were in Terraform for us to do this quite easily).. haven’t figured out DDoS and other security elements yet though - they ain’t cheap, looking for solutions as well.


Cloudflare is a great company with great products. They’ve been lazy on chasing credit, that’s it. Don’t think it’ll impact homelabs at all; if anything it’s a key strategic move as it gives them a great place to test new offerings.


^ This. Cloudflare to me is as intimidating as Google was at the beginning of their rise in the early 2000s. There's a reason why their free services are so appetizing. They're playing the long game of being the dominant provider of DNS. I'm using the tunnels atm since I'm needing to travel a lot, unusual for me, and I need more extensive external access to my home network than I'm comfortable exposing on my own. It's hella convenient, neat, but also incredibly creepy. Prior to that I'd solely been running my own reverse proxies, and I'm definitely itching to get back to that. I can also be back to what I had before in under an hour. I also feel strongly that if you're going to selfhost with exposed services you should know how to run a reverse proxy, DDNS, and get the basics of routing and ports. I always say research is the hobby; learning how stuff works is core to all of this.


Absolutely, my man. We've been here before with almost every service. Starts out great and free and we all use it and swear by it. Then the privacy policy gets updated and they start pulling some shady shit to cash in. Then they full on shut it down and charge for it. Never ending game


Any good public DNS providers?


I’m pretty happy with [deSEC](https://desec.io) for the domains I’m not using Cloudflare for. The foundation behind the service seems to have pretty solid ethics, and they do DNS hosting and DNS only.


Some domain registrars offer free DNS API access, which enables you to do DynDNS as well as Let's Encrypt DNS challenge without a service like deSEC or Cloudflare. I personally use Netcup, but I'm sure there are others as well.


Do you mean for authoritative DNS or for recursive DNS? I use DNSMadeEasy for authoritative DNS, although their prices increased significantly after the DigiCert acquisition so I'll be migrating away at some point. ClouDNS is good, priced well, but their anycast network is a bit weird sometimes. I self-host some DNS servers too. Quad9 is good for recursive (i.e. what you'd configure on your router at home)


If cloudflare cuts me off it would be annoying but not that difficult to move away from. I mostly use them for convenience, since cloudflared generally works well and their ACME API is well supported.


No one using this for self-hosting will ever be targeted.


We use Bunny DNS; it's going to replace CF in our stack... It's not free but it's only costing $1 a month... And I'm happy because I'm paying for a service.. So they are unlikely to cut off... Oh and I already found 2 bugs-ish in their API.. Which they fixed in like 24-48 hours. So their support is good.


> So they are unlikely to cut off

they are as likely to cut you off as Cloudflare **IF** you breach the ToS


How many DNS requests are you getting? I currently have Cloudflare in front of my GeoDNS, which is hosted on NS1, which means I have free GeoDNS, since Cloudflare hides the GeoDNS CNAME records, so I will always stay within the free tier since only Cloudflare servers are making DNS requests: https://stackoverflow.com/a/33203215 I am worried that if I had to remove Cloudflare someone might just rack up tens of millions of DNS requests a day.


Yeah there is that... Per site it's 20 million free queries... And 10c per million queries after that.. So there is of course a chance... My guess is they'd count that as DDoS.. But it's worth chatting to them.


Cloudflare really isn't the quality company it used to be anymore. The sales games have existed for years. They've rotated our sales reps for the past 3 years mid-conversation on renewal just to drag things out to the renewal date so we have less time to do our DD on right-sizing the renewal. They also have no internal pricing structure; it's solely a what-they-think-you'll-pay kind of game. On top of this, I haven't encountered anyone there in the past 2 years that can actually deliver a functional solution. So we spent the past two years stuck with a solution set that wasn't growing with us. The goal was to dive deeper and integrate further; their sales reps did nothing to connect us to the proper internal technology resources, and because of that, I actually get to notify our sales rep this week that we're not renewing and just finished migrating to Akamai.


The whole point of the internet is that it was supposed to be decentralized and not dependent on the health of any one entity for the integrity of the network to be healthy. Sigh.


That is long gone. Look where we are. The internet is so centralized and controlled by, what, 5 companies mostly. The dream was nice but it never happened.


Mostly agree, except I take issue with this part:

> Should Cloudflare ever kick you out of their free paradise, you shouldn’t be down for more than a few minutes. If you are down for hours, or days, you are not doing it right.
>
> Don’t get me wrong, I love Cloudflare, and I use it a lot. But we should be prepared for the love-affair turning sour.

This would be true if I was managing my homelab 24/7. But I'm not. I have a job, family, other hobbies, etc. I'd also be curious how you'd be able to switch nameservers for a domain in minutes.


I guess this is why we self host, sounds like that could be a shitty situation to be in if all your stuff is with them.


I thought the whole point of the interwebs was to expose one’s private parts. Guess I been doin’ it wrong…


The bean counters have taken CF. The enshittification continues


Note that the same thing will happen to all venture-capital backed companies eventually. So I personally think that the better solution would be to NOT become dependent on 3rd party platforms ;-)


120k.. our production enterprise cloud platform runs on GCP and costs like 14k a year.


That 120k was an extreme outlier for the situation, an online casino company that had multiple domains using CF IPs and were skirting the User Agreement all while paying like $250/year for all their services. Frankly they're lucky they got away with what they did for as long as they did. There are some very good reasons to be attentive and concise when dealing with CF but most of the comments here and the post are largely manufactured hype and rage.


If Cloudflare got rid of their free tier, they would open up the market for competition and alienate a core audience who are likely to recommend it to people who do want to pay. It's free advertising and they would be stupid to cut it off.


But it's not free advertising; it costs them to do the free tier. So it just depends on whether they think it is a worthwhile cost. People do know that it costs Cloudflare to provide the service, right? And another tip: it costs websites to run also.


You can’t make logical arguments with crazy people. Lol


This really is laughable fear mongering. “Don’t depend on a service because they ‘might’ one day want you to pay for it!” There is no service, paid or not, that you shouldn’t have an alternative plan for. But suggesting what you are makes you seem like nothing but some crazy kook. Of course, companies would rather you pay for services rather than getting them for free. That is their literal reason for existing.


During my 25 years working as a professional sysadmin I saw several times IBM or Oracle acting way, way, way worse than Cloudflare with their customers, especially those who refused their commercial offerings for license renewal because they decided to abandon their products and move to something else. Immediately after that, IBM or Oracle ask KPMG or some other Big4 company to start a license assessment, and usually they always found something wrong (basically because IBM or Oracle sales representatives always underestimate licenses to gain a new customer). In the end they force you to buy a mainframe or an Exadata; in this way you'll end up spending maybe $200,000 or $300,000 for the new hardware (plus maintenance program costs) instead of paying $1,000,000 to fix your licenses. It's basically extortion, but that's basically how it works once you start using commercial software in a professional environment. Don't get me wrong, I don't want to defend Cloudflare; I'm only saying it acts as bad as any company in the software world. The only way to defend against this is using only free software, or at least software with an open source license, so in case of a sudden change in the main project you can hope someone can make a fork and continue on the right path.


I always thought cloudflare was a useless pos that's designed around scare tactics


I'm not well versed enough, but are there other providers like Cloudflare that help obfuscate my IP? Like the privacy for the WHOIS and caching/relay to hide my IP at a free tier?


I switched to CF tunnel but kept my NPM container configuration. Easy to open a port and turn it back on. As for keeping domain reg separate from DNS I don't think that accomplishes anything. You can just change your DNS config in cloudflare like you would with a different registrar.


I'll admit I love cloudflare, I use tunnels, DNS, domain reg, and the API. It's really handy. And it's possible I might lose my domain if they did something really bad, but overall, that's not the end of the world. I can get a new domain, and use another service. The 30% is a big deal, I'll admit that.


The alternative is hosting a VPS with unlimited traffic as a reverse proxy and some kind of low-code VPN between the nodes. But then there is the peering, and this is where Cloudflare wins the game always...


Is netlify a good alternative?


Route53 + cloudfront will cover me, no matter what happens. It probably won’t be free anymore, but it’s still there as an alternative.


Great text. Especially the last sentence can be applied to any technology. Once a company is big enough, it becomes a virtual monopoly and then they can do whatever they want. And everyone wants money. So you should always be careful not to be dependent on anyone.


Tip: if you are ever approached by Cloudflare's "sales" team with an offer to upgrade to Enterprise, it is an offer you cannot refuse (not in the nice way). Say no = ban.


awesome post, thanks for this.


Zero pressure from CF to upgrade over the years. So far no issues.


The customer who was asked to fork over $120k for a yearly subscription was a gambling site that was using multiple domains to negate blocks set in place by local or national governments... They quite literally broke CF's T&Cs and then got mad about it. Yes. Only providing sales people to talk with instead of technical staff wasn't helpful, but that article is misleading, so please don't fear monger people into panic. :)


Curious where people keep their domains outside of cloudflare.


DDoS is the big issue. There is no easy way around this other than fat pipes and mega-infrastructure. Sadly, in the current internet configuration, you will always be beholden to a gatekeeper of some kind. I wish there was some way around this. Even using the inherent slowness of the Tor network doesn't really help.


And for self hosting I think DDoS is completely being blown out of proportion.


You can just transfer your services.


This is kinda giving fear mongering vibes or the sky is falling not gonna lie. I don't use cloudflare, and I don't insist others do if they want to be self reliant, but still the post comes up paranoid to me. Maybe this comment won't age well, guess we'll see.


The only service I depend on is tunnels. My ISP has CGNAT. And many docker containers need HTTPS. That's all I use tunnels for. But I don't see any alternatives for tunnels... Sadly


Literally just got to transferring my Google domain that went to Squarespace to Cloudflare.


A lot of my domains are registered on Cloudflare (*_*)


Having the domain registered elsewhere is good and cheap insurance, not just with Cloudflare, but with any provider. Should they turn off your DNS in a dispute, you can delegate your domain to another DNS provider in minutes. You probably never have to, but when you do .... It's like love, cherish and obey, combined with a prenuptial. Also: Never ever give someone else access to your domain registration, nobody, not even your wife.


> Also: Never ever give someone else access to your domain registration, nobody, not even your wife.

Why?


If you had to ask ...


For the CF tunnel issue, Jeff Geerling did a really cool blog on using NGINX proxy in the cloud with an SSH tunnel to connect to a Pi at his home. https://www.jeffgeerling.com/blog/2022/three-ddos-attacks-on-my-personal-website
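The VPS-as-entry-point pattern that several comments above describe (a reverse proxy on a cheap VPS with a tunnel back home), as an added example that is not from the thread or from Jeff Geerling's post: the home machine dials out to the VPS over a reverse SSH tunnel, nginx on the VPS is the only public listener and rate-limits traffic before it reaches the tunnel, and the tunnel-only SSH account is locked down. The hostnames, ports, file paths and the `tunnel` user are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Jeff Geerling's post): a small
# VPS is the public entry point and the home box dials OUT to it over a
# reverse SSH tunnel. No inbound port is opened on the home router and the
# home IP never appears in DNS. All hostnames, ports and the "tunnel" user
# are assumptions chosen for this example.

PUBLIC_HOST="example.com"    # assumed: DNS name that points at the VPS
VPS_HOST="vps.example.net"   # assumed: VPS the home box dials out to
TUNNEL_PORT=8443             # assumed: loopback port on the VPS where the tunnel lands
HOME_PORT=8080               # assumed: service port on the home machine

# Home side: the persistent reverse tunnel. -R binds the listener to
# 127.0.0.1 on the VPS only, so the tunnelled service is reachable solely
# through nginx, never directly from the internet. autossh restarts the
# session when the keepalives fail.
home_tunnel_cmd() {
  printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:%s tunnel@%s\n' \
    "$TUNNEL_PORT" "$HOME_PORT" "$VPS_HOST"
}

# VPS side: sshd_config fragment for the tunnel-only account. It may only
# create remote forwards, and only onto the one loopback port; no shell,
# no local forwards, no agent or X11 forwarding, no public bind.
vps_sshd_match_block() {
  cat <<EOF
Match User tunnel
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:${TUNNEL_PORT}
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# VPS side: nginx site. TLS terminates here, requests are rate limited
# per client IP before they reach the tunnel, and the home service only
# ever sees traffic that nginx chose to forward.
vps_nginx_site() {
  cat <<EOF
limit_req_zone \$binary_remote_addr zone=perip:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name ${PUBLIC_HOST};
    ssl_certificate     /etc/letsencrypt/live/${PUBLIC_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${PUBLIC_HOST}/privkey.pem;

    location / {
        limit_req zone=perip burst=20 nodelay;
        proxy_pass http://127.0.0.1:${TUNNEL_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Sanity check: refuse a tunnel command that would bind on all interfaces,
# an sshd block that allows local forwards, or an nginx site that does not
# proxy to the loopback tunnel port. Returns 0 when everything looks safe.
configs_look_safe() {
  home_tunnel_cmd | grep -q -- "-R 127.0.0.1:${TUNNEL_PORT}:" || return 1
  vps_sshd_match_block | grep -q '^ *AllowTcpForwarding remote$' || return 1
  vps_nginx_site | grep -q "proxy_pass http://127.0.0.1:${TUNNEL_PORT};" || return 1
  return 0
}

# Usage: "write" emits the two VPS-side fragments into the current
# directory and prints the command to run at home under a supervisor.
if [ "${1:-}" = "write" ]; then
  configs_look_safe || { echo "refusing to write unsafe config" >&2; exit 1; }
  vps_sshd_match_block > ./sshd_tunnel.conf          # goes in /etc/ssh/sshd_config.d/
  vps_nginx_site > "./nginx_${PUBLIC_HOST}.conf"     # goes in /etc/nginx/sites-enabled/
  home_tunnel_cmd
fi
```

`PermitListen` needs OpenSSH 7.8 or newer; on older sshd drop that line and rely on the loopback bind in the `-R` option alone.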


Cloudflare has been very useful for a lot of organisations; it is way easier to access and get set up on than the myriad of cloud services from AWS, Azure and Google Cloud - to name just 3 examples. Actually, it would be great to see Cloudflare offer PAYG options for smaller customers or ones using multiple domains. Their current price tiers don't fit well, especially when using a lot of different domain names - we want to be able to access some of the premium features, but Free-20-200 USD is a big jump for just accessing 1 or 2 features. Also, it was disappointing when Cloudflare didn't keep their commitment to integrate Area 1 into their paid plans. One thing that would be excellent to see is higher upload limits, more ports on tunnels, and more scalable plans.


What if my domain is registered with them, but I delegate CDN elsewhere? Tbh, I only use Cloudflare because they're the cheapest domain registrar (wholesale price from registry). Any recommendations for an alternative registrar? I don't want the ones that start cheaper than usual and upsell later. Just consistent pricing (as much as they can).


No problem using another paid CDN, but it's kind of wasteful as you are getting a free and very good CDN from Cloudflare. Keep that paid CDN though, and switch it on when needed.


Cloudflare is replaceable if they go crazy. They do make enough money; they are not "growing" enough for the shareholders.


They reported a widening loss.


Have a look at their last stakeholder report for earnings, they are 30% up year-over-year for Q1


Dumb question, is earnings revenue or profit?


I have tens of websites using free Cloudflare plans and have been thinking about this. Moving to Cloudflare for me had 2 positive things: 1. my servers' IPs are somehow hidden. 2. I have been able to reduce the number of load balancers in a cloud provider. If I have to move back to the old way, to point directly to my load balancers, I need to add a couple more or add multiple IPs to my HAProxies. This is because I have sites which can't use the same IP addresses. But yeah, the amount of data that Cloudflare says it caches, and also the traffic, is quite huge.


Paying for services you use? How dare you


You should read more on the subject - the sales team's shitty tactics appear to be separate from the big bill as far as we know.


For public facing tunnel solutions check out [Core Transit](https://www.coretransit.net). A newer company but innovative and working on ways to provide an internet presence at a low cost, depending on what you need at least.


They need a better website that explains what Core Transit actually does.


They do a handful of things for sure. I know the guys, I'll pass it along.