[HN Gopher] Setting Up Cloudflare Argo and Access on a Raspberry Pi
___________________________________________________________________
Setting Up Cloudflare Argo and Access on a Raspberry Pi
Author : erdaltoprak
Score : 62 points
Date : 2021-11-29 17:59 UTC (5 hours ago)
(HTM) web link (erdaltoprak.com)
(TXT) w3m dump (erdaltoprak.com)
| anderspitman wrote:
| Cloudflare Tunnel (the service used here) is my current
| recommendation for most people when it comes to tunneling. Nobody
| wants to pay for tunnels, and it's the best loss-leader product
| offered by a reputable company that I'm aware of. The DNS
| integration is particularly nice.
|
| My only concern is if it gets popular enough that a lot of self-
| hosters start using it for things like Plex and Jellyfin, which I
| believe is against Cloudflare's TOS, they might crack down on
| that.
|
| If you prefer a self-hosted tunneling system, I maintain a list
| here:
|
| https://github.com/anderspitman/awesome-tunneling
| systemvoltage wrote:
| I wonder if this would work to self-host on a crusty old T480
| with a broken screen? Can Argo tunnel be used sort of like a
| dyndns? My Google Fiber connection at home has had the same IP,
| but in order to get a static IP, I need to get a Google Fiber
| Business connection, which is 2.5x more expensive.
| mobilio wrote:
| Yes, it will work.
| anderspitman wrote:
| Yep it should work great. If you have the expertise and
| inclination to set up port forwarding and dyndns, you'll get
| better performance with that, but IMO tunneling is the best
| solution for self-hosting for most people until IPv6 takes
| over.
| systemvoltage wrote:
| I do have a firewall at home and I can open up a port and
| forward that to the laptop. Just that I don't want to spend
| money on DynDNS services and was trying to find a free
| solution. Thanks for confirming!
|
| Self-hosting is so _so cool_. Nothing more satisfying than
| hosting your own website from scrappy ol equipment :-)
| arnado wrote:
| I used namecheap to register my domain, and they have an
| option for dynamic DNS without ongoing fees (besides domain
| fees, I guess). I would be surprised if other registrars
| didn't have something similar.
|
| https://www.namecheap.com/support/knowledgebase/article.aspx...
| andreasha wrote:
| There are free DynDNS services, for example DuckDNS:
| https://www.duckdns.org/
|
| Could also get a domain name and make a simple cron job and
| update your DNS. Works with many DNS registrars like
| Cloudflare.
| crtasm wrote:
| Another example: https://freedns.afraid.org/
|
| They generate you a line to drop in cron for automatic
| updates.
| jgrahamc wrote:
| A related cool thing you can do with Cloudflare and a Raspberry
| Pi: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-...
| (browser-based SSH to a machine connected using Argo Tunnel).
| ericcholis wrote:
| Another nice alternative is Tailscale
| cyounkins wrote:
| A major difference is that with Tailscale every visitor must
| install a client. The article's solution should be fully
| browser-based.
| easton wrote:
| I use ZeroTier for this too, although Tailscale would work just
| as well. To avoid port forwarding out of my local network
| (irrational fears), I have a $5 droplet running Pomerium (a SSO
| proxy, similar to self-hosted Cloudflare Access) and it sits on
| my ZeroTier network along with the boxes at my house, proxying
| requests (once they are authenticated) through ZeroTier to the
| boxes on the private network.
|
| It works very well. Pomerium is easy-ish to configure
| (especially because it takes care of certs for you), and I can
| log into stuff on my LAN without having to boot up the ZeroTier
| client which takes a minute to connect on iOS (or from devices
| that don't have ZeroTier installed). I would've used Cloudflare
| Access + Argo Tunnel, but at the time they were still charging
| for tunneled bandwidth (like $10/GB or something outrageous),
| so this ended up cheaper.
| cyounkins wrote:
| Cool! I currently do a self-hosted version using nginx, certbot,
| and vouch-proxy [1]. Nginx checks with vouch for every HTTP
| request and redirects to Google for SSO if unauthenticated. It
| works well for humans in browsers, but not so much for robots.
| I'm sure I could configure nginx to do token-based auth, just
| haven't had the need.
|
| [1] https://github.com/vouch/vouch-proxy
| V41frQo1SccpfHI wrote:
| What's the function of "gluetun" in this setup? Would the VPN-
| Tunnel then also run via Cloudflare Tunnel?
| erdaltoprak wrote:
| Hi,
|
| Gluetun has no link to the actual tunnel setup, but since many
| people seemed to struggle with a VPN container I just used that
| as a bonus example!
| erulabs wrote:
| So good to see so many home-hosting posts on HN lately! If you're
| using Kubernetes at home, we bundle all of this up (remote
| access, web-forwarding) as part of our service at
| https://kubesail.com
| stavros wrote:
| (This post should read "Argo tunnel" instead of just "Argo")
|
| I did the same to enable secure access to services via SSO at
| work. I used Harbormaster[1] to deploy Compose files, but it's
| otherwise the same setup.
|
| One of the big advantages this has is that the services can't be
| accessed any other way (not even from the same host, as they only
| listen inside the Docker network). That makes it hard to forget
| some port exposed because you listened to 0.0.0.0 instead of
| localhost.
|
| Cloudflare Access is very easy to set up SSO with, as well. I'd
| recommend this setup if you need it, though for home usage I
| usually just set up Caddy as a reverse proxy with basic auth, as
| I'll be the only person using this and I don't want Cloudflare
| MITMing my personal stuff.
|
| [1]: https://gitlab.com/stavros/harbormaster
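
The comment above notes that services listening only inside the Docker network cannot be left exposed by binding to 0.0.0.0 instead of localhost. As an added example (not part of any comment in this thread, and not code from Harbormaster or Cloudflare), here is a check that flags Compose short-syntax `ports:` entries published on anything other than loopback. The service names and mappings are constructed sample data, and long-syntax port entries are assumed not to be used.

```python
import ipaddress

# Constructed sample: the "ports:" entries of each service in a Compose file.
SAMPLE_SERVICES = {
    "app": [],                             # nothing published: Docker network only
    "admin": ["127.0.0.1:8080:80"],        # loopback only
    "db": ["5432:5432"],                   # no host IP: binds every interface
    "metrics": ["0.0.0.0:9090:9090/tcp"],  # explicit wildcard bind
    "cache": ["[::1]:6379:6379"],          # IPv6 loopback
    "debug": ["3000"],                     # container port only: random host port, every interface
}


def host_ip(mapping):
    """Return the host IP of a short-syntax port mapping, or None if none is given."""
    spec = mapping.split("/", 1)[0]        # drop a trailing "/tcp" or "/udp"
    if spec.startswith("["):               # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    # Only the three-part form HOST_IP:HOST_PORT:CONTAINER_PORT carries a host IP.
    return parts[0] if len(parts) == 3 else None


def exposed(services):
    """List (service, mapping) pairs published on a non-loopback address."""
    findings = []
    for name, ports in services.items():
        for mapping in ports:
            ip = host_ip(mapping)
            # A missing host IP means Docker publishes on all interfaces.
            if ip is None or not ipaddress.ip_address(ip).is_loopback:
                findings.append((name, mapping))
    return findings


if __name__ == "__main__":
    for name, mapping in exposed(SAMPLE_SERVICES):
        print(f"{name}: '{mapping}' is published on a non-loopback address")
```
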
| graton wrote:
| Actually I think it should just say "Cloudflare Tunnel"
|
| From: https://blog.cloudflare.com/tunnel-for-everyone/
|
| As part of that change (and to reduce confusion), we're also
| renaming the product to Cloudflare Tunnel.
___________________________________________________________________
(page generated 2021-11-29 23:02 UTC)