I’m using CloudFlare to hide my home IP and to reduce traffic from clankers. However, I’m using the free tier, so how am I the product? What am I sacrificing? Is there another way to do the above without selling my digital soul?

  • dugmeup@lemmynsfw.com · 4 up · 1 hour ago

    The simple answer is twofold

    1. Their attack surface is massive. By getting all this data from millions of devices they are fantastic at detecting and finding solutions for zero day attacks. This is a big selling point for enterprise who care about zero day a whole lot

    2. Free tier also used by IT tinkerers means when the question is asked “what X should we use? What have you used before?” CloudFlare is heads and shoulders above the rest. This is why Microsoft allowed a lot of world to pirate their OS.

  • monkeyman512@lemmy.world · 15 up · 16 hours ago

    I am no expert, so grains of salt and such. But my assumption is that it’s a marketing expense. They get a lot of people familiar with cloud flare services and some of them later need a professional level solution. So people use what they are already familiar with. This is the same reason why tech companies provide hardware/software to schools for cheap/free.

  • zorro@lemmy.world · 48 up · 20 hours ago

    It costs cloudflare basically nothing to host free customers (if you start to push real traffic you will get an instant call from sales). By being a free customer you are basically a guinea pig for all new features as they are rolled out globally.

      • mesa@piefed.social · 17 up · 19 hours ago

        They have an upper limit. https://developers.cloudflare.com/workers/platform/limits/

        A couple of my products went WAAAY above that and you essentially have to get a quick standard plan. If you have this problem, congrats, you are probably doing something really well or really bad!

        They are not as bad as, say, AWS / Azure's offerings when it comes to billing. Arguably, there's a reason they are still around when there are other tools that do similar things. Used to be, it was the most solid part of the infra. Nowadays… it's for some reason going down quite often. And not just the world-wide issues that everyone else is seeing. We have a product that CANNOT go down and cloudflare has been responsible for a couple of big issues, which is really unfortunate. It's still the best “work” service for what they do, but I don't have any of my personal infra connected.

  • irmadlad@lemmy.world · 9 up · 15 hours ago

    In what way am I the product when using CloudFlare’s free tier?

    I realize the name of the game is to protect as much of your data as possible, however, unless you have your own ISP/backbone, you are, at some point, the product. I utilize the evil Cloudflare Tunnels/Zero Trust. For last month, I used 375.28 GiB. I don’t run the 'arr stack tho. I do, however, stream my own audio collection via Navidrome. I have had zero issues with the evil Cloudflare Tunnels/Zero Trust, except for a brief pause while Cloudflare had some issues last month. Other than that, smooth sailing. I also have tailscale as an overlay on the server and on the standalone pfsense firewall, which has a very robust set of rules and heavy filtering going on.

    Is there another way

    There are always other ways. Pangolin, et al. It just depends on you, and what you want to put in to get out of it all. If you are going this route, investigate a WAF like Crowdsec, or similar, and you might want to look at pfsense or opnsense.

  • Auli@twit.social · 14 up · edited · 18 hours ago

    @early_riser they can see all of your data going over it. They terminate the connection at their end. So data collection if nothing else. And yah what are they going to collect is the same thing people said about Google.

    Data is king and the more they have the more they can go through it and see patterns.

    • irmadlad@lemmy.world · 4 up · 12 hours ago

      I’m an expert at nothing, however, the following is how I understand the relationship between your origin server and Cloudflare Tunnels/Zero Trust services. I stand by to be schooled:

      • Traffic between your origin server and Cloudflare’s edge is always encrypted (with outbound-only connections via the cloudflared daemon). That protects against eavesdropping on the wire between your origin server and Cloudflare.
      • Traffic between end users/clients and Cloudflare’s edge is encrypted (via HTTPS/TLS).
      • However, Cloudflare acts as a proxy, similar to a reverse proxy, for standard HTTP/HTTPS services. Cloudflare terminates TLS and decrypts at their edge to apply features like WAF, DDoS protection, caching, or Zero Trust policies. They then re-encrypt and forward the traffic to your origin server. This means Cloudflare can see the plaintext content of your traffic in transit through their network.
      • If you expose non-HTTP protocols that are end-to-end encrypted by design (e.g., SSH, RDP, or VPN protocols like WG/OVPN), and you tunnel them through Cloudflare Tunnel without Cloudflare terminating the encryption, the application-layer data remains encrypted end-to-end. Cloudflare only sees encrypted blobs which they can’t decrypt without the keys.
      • Utilizing Tailscale on the origin server creates a mesh VPN using WG. It encrypts all traffic directly between devices, P2P when possible, or via encrypted relays. Your data is encrypted on the source device and only decrypted on the destination device. Neither Tailscale’s coordination servers nor Cloudflare can decrypt it.

      If this is inaccurate, please do ELI5. I’m always down to learn.

  • Admiral Patrick@dubvee.org · 22 up, 1 down · edited · 19 hours ago

    I have never used it, so take this with a grain of salt, but last I read, with the free tier, you could not secure traffic between yourself and Cloudflare with your own certs which implies they can decrypt and read that traffic. What, if anything, they do with that capability I do not know. I just do not trust my hosted assets to be secured with certs/keys I do not control.

    There are other things CF can do (bot detection, DDoS protection, etc), but if you just want to avoid exposing your home IP, a cheap VPS running Nginx can work the same way as a CF tunnel. Set up Wireguard on the VPS and have your backend servers in Nginx connect to your home assets via that. If the VPS is the “server” side of the WG tunnel, you don’t have to open any local ports in your router at all. I’ve been doing that, originally with OpenVPN, since before CF tunnels were ever offered as a service.

    Edit: You don’t even need WG, really. If you set up a persistent SSH tunnel and forward / bind a port to your VPS, you can tunnel the traffic over that.
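
    A concrete version of the VPS-plus-WireGuard layout described in this comment, as an added example (not Admiral Patrick's own files): a script that emits the three config files, with placeholder keys, a placeholder hostname and TEST-NET addresses to swap for your own. The home side has no ListenPort and dials out with a keepalive, which is what lets the home router stay closed.

```shell
#!/bin/sh
# Added example (not Admiral Patrick's own files): emit the three configs for
# a cheap VPS that fronts home services over WireGuard. The VPS is the WG
# "server" (it listens on UDP 51820); the home box only dials out, so no port
# is opened on the home router. Every key, name and address below is a
# placeholder; generate real keys with `wg genkey | tee priv | wg pubkey`.

VPS_PUBLIC_IP="203.0.113.10"     # placeholder (TEST-NET-3)
VPS_WG_ADDR="10.8.0.1"           # VPS end of the tunnel
HOME_WG_ADDR="10.8.0.2"          # home end of the tunnel
WG_PORT="51820"
SITE_NAME="example.org"          # placeholder public hostname
SERVICE_PORT="8080"              # port the app listens on at home

VPS_PRIVKEY="VPS_PRIVATE_KEY_PLACEHOLDER"
VPS_PUBKEY="VPS_PUBLIC_KEY_PLACEHOLDER"
HOME_PRIVKEY="HOME_PRIVATE_KEY_PLACEHOLDER"
HOME_PUBKEY="HOME_PUBLIC_KEY_PLACEHOLDER"

# /etc/wireguard/wg0.conf on the VPS: the listening side.
vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_ADDR}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVKEY}

[Peer]
# the home server; only its tunnel address is routed into the tunnel
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_WG_ADDR}/32
EOF
}

# /etc/wireguard/wg0.conf at home: no ListenPort, so nothing is exposed;
# PersistentKeepalive keeps the NAT mapping open so the VPS can reach us.
home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_ADDR}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_ADDR}/32
PersistentKeepalive = 25
EOF
}

# /etc/nginx/sites-available/${SITE_NAME} on the VPS: the public reverse
# proxy. Its upstream is the home box's tunnel address, so the home IP never
# appears in DNS or to visitors. TLS (certbot) lines are omitted for brevity.
nginx_site_conf() {
  cat <<EOF
server {
    listen 80;
    server_name ${SITE_NAME};

    location / {
        proxy_pass http://${HOME_WG_ADDR}:${SERVICE_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Stand-alone: `sh vps-tunnel.sh print` shows all three files.
if [ "${1:-}" = "print" ]; then
  vps_wg_conf; echo; home_wg_conf; echo; nginx_site_conf
fi
```

    The Edit's SSH variant drops both WireGuard files: a persistent reverse forward such as `ssh -N -R 127.0.0.1:8080:localhost:8080 user@vps` (kept up with autossh) binds the home service on the VPS, and proxy_pass then points at 127.0.0.1:8080 instead.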

    • Auli@lemmy.ca · 9 up · 18 hours ago

      I don’t get this whole expose my IP. It’s not a secret and people are scanning it whether you have a port open or not. The whole IPv4 range is constantly being scanned.

    • HelloRoot@lemy.lol · 7 up, 3 down · 20 hours ago

      I have the same setup but using frp which stands for fast reverse proxy.

      The term VPN is pure marketing bs. What is called VPN today used to be called Proxy Server.

      I’ve also heard good things about using Pangolin for the same setup.

      • Melmi@lemmy.blahaj.zone · 6 up · 19 hours ago

        VPN and proxy server refer to different things. There’s lots of marketing BS around VPNs but that doesn’t make the term itself BS, they’re different and it’s relevant when you’re talking about networking.

        • HelloRoot@lemy.lol · 1 up, 4 down · edited · 18 hours ago

          I think that’s up to debate.

          Wikipedia says:

          A virtual private network (VPN) is an overlay network that uses network virtualization to extend a private network across a public network, such as the Internet, via the use of encryption and tunneling protocols. In a VPN, a tunneling protocol is used to transfer network messages from one network host to another. Host-to-network VPNs are commonly used by organisations to allow off-site users secure access to an office network over the Internet. Site-to-site VPNs connect two networks, such as an office network and a datacenter.

          So my argument is, if it is not used for private communication between multiple clients, it’s not really a VPN.

          Let’s say we both connect to the same Proton VPN server: our computers would not see each other and would not be able to connect to each other via that service. It has effectively the same function as a proxy, making your public internet traffic appear to come from the IP of the proxy server instead of your home IP.

          Whereas if you set one up yourself with openVPN for example, we could make it so that we both get a VPN internal IP that we could use to directly connect and idk, play minecraft or something. Instead of connecting through the public internet, we would connect through a virtual network that is private for the two of us.

          • Melmi@lemmy.blahaj.zone · 7 up · 18 hours ago

            “It has effectively the same function as a proxy” isn’t the same thing as “it’s not actually a VPN”.

            One could argue you’re not really using the tech to its fullest advantage, but the underlying tech is still a VPN. It’s just a VPN that’s being used as a proxy. You’re still using the same VPN protocols that could be used in production for conventional site-to-site or host-to-network VPN configurations.

            Regardless, you’re the one who brought up commercial VPNs; when using OpenVPN to create a tunnel between a VPS and home server(s), it seems like it’s being used exactly to “create private communication between multiple clients”. Even by your definition that should be a VPN, right?

            • HelloRoot@lemy.lol · 1 up, 1 down · edited · 16 hours ago

              You’re correct.

              Most people only search for “VPN” because that’s the term that got marketed for decades.

              But the problem can be solved by using a proxy as well.

              The intent of my comment was just to point to a second term, “proxy”, that can be used to find more valid, alternative solutions to the problem of making your homelab hosted services publicly available. And I think you agree with me that proxy is the term closer to the use case, even though we both correctly state that a VPN can be used as a proxy.

              To make a bad analogy (it’s the first thing that came to mind): It’s like people buying a wok, even though they really just need a pan. And so they only search for wok, because every company says wok all the time, even though they will never use the wok as a wok, but just as a normal pan.

              Even by your definition that should be a VPN, right?

              … in my case, I have a homelab, a VPS and a user of a service that runs on my homelab. The VPS is just a proxy for the homelab. The user (client) talks to the homelab (server), through the VPS (proxy), so no, not really a VPN, even if I’d set up openVPN between VPS and homelab. They are not two clients.

              • Melmi@lemmy.blahaj.zone · 1 up · edited · 14 hours ago

                Fundamentally, a host-to-host VPN is still a VPN. It creates an encapsulated L2/L3 link between two points over another network. The number of hosts on either end doesn’t change that. Each end still has its own interface address, subnet, etcetera. You could use the exact same VPN config for both a host-to-host and host-to-site VPN simply by making one of the hosts a router.

                I see your point about advocating for other methods where appropriate (although personally I prefer VPNs) but I think that gatekeeping the word “VPN” is silly.

                • HelloRoot@lemy.lol · 1 up · edited · 12 hours ago

                  If you have one of those cars that can be used as a boat. And you only ever use it in water and never on land, it doesn’t really make sense to me to exclusively call it a car. Even though it factually is one, it acts as a boat. At least call it carboat.

                  If I have a VPN, but its sole purpose is to take all the traffic that knocks on its network adapter and shove it down a dev/tun and vice versa, why can we not say (with the goal of clear communication and precise descriptions) that it effectively acts as a proxy?

      • Buelldozer@lemmy.today · 2 up · edited · 15 hours ago

        The term VPN is pure marketing bs. What is called VPN today used to be called Proxy Server.

        Perhaps if you are only talking about the consumer level stuff advertised on TV. Otherwise I can assure you that “Virtual Private Networks” are a real thing that have absolutely nothing to do with Proxy Servers.

        On down the comment chain you mention "…our computers would not see each other and would not be able to connect to each other via that service. " as some kind of test of whether a thing is a VPN or Proxy Service but what you’re missing is that this is a completely common and advisable configuration for companies. In fact Zero Trust essentially demands configurations like this. When Bob from Marketing fires up his VPN to the Corporate Office he doesn’t need access to every server and desktop there nor does his laptop need to be able to access the laptops of other VPN users. They get access to what they need and nothing more.

        Hell the ability to access the internet via the tunnel, called Split Tunneling, is also controllable.

        It’s that ability to control where the tunnel terminates that allows consumer VPNs, like Proton, to be used the way they are.

        So while private individuals absolutely do use VPNs as an ersatz replacement for Proxy Servers they are nowhere near the whole use case for VPNs.

        • HelloRoot@lemy.lol · 1 up · edited · 12 hours ago

          Hell the ability to access the internet via the tunnel, called Split Tunneling, is also controllable.

          It’s that ability to control where the tunnel terminates that allows consumer VPNs, like Proton, to be used the way they are.

          you can do the same split tunneling via proxy servers

          while private individuals absolutely do use VPNs as an ersatz replacement for Proxy Servers they are nowhere near the whole use case for VPN

          I agree. That also means that for certain use cases they are equivalent. It’s sometimes worth checking all options to find the best one for that specific case.

      • Admiral Patrick@dubvee.org · 3 up · 20 hours ago

        I used to use HAProxy but switched to Nginx so I could add the modsecurity module and run WAF services. I still use HAProxy for some things, though.

        • HelloRoot@lemy.lol · 2 up · edited · 19 hours ago

          Oh I forgot to say: I have crowdsec on the VPS in front of frp and traefik on the server at my home, where I add all the modules I want.

          frp just pipes all the packets through transparently.

          But yeah, same thing, should work the same and there are dozens of ways to set that all up.

          • Admiral Patrick@dubvee.org · 2 up · 19 hours ago

            I’ve been looking into crowdsec for ages now and still haven’t gotten around to even a test deployment. One of these days, lol, and I’ll get around to it.

            • HelloRoot@lemy.lol · 2 up · edited · 18 hours ago

              It’s pretty neat and I feel like there is a clear value exchange for both parties in the free tier, so less shady than cloudflare.

              • Auli@lemmy.ca · 1 up · 18 hours ago

                Don’t see an issue yet even though they are crowdsourcing their list generation. At least they are giving you something for it or you can take it. But if you do you get smaller lists.

    • obviouspornalt@lemmynsfw.com · 5 up, 1 down · edited · 20 hours ago

      I’m using my own LetsEncrypt certs for TLS with cloudflare free. I too wonder how I’m the product in this scenario.

      I always assumed it was a loss leader play: the more selfhost type people are using cloudflare at home, the more likely they are to recommend and implement it at work, on a paid tier.

      • Buelldozer@lemmy.today · 1 up · 15 hours ago

        Cloudflare has a ton of services in their “free” tier and there’s a lot of confusion in here because people toss around “Cloudflare” without specifying which service they are actually talking about.

        If you are using Cloudflared (notice the d) with your own LE Cert then you are probably fine.

      • K3CAN@lemmy.radio · 1 up · edited · 16 hours ago

        Are you using their proxy or just DNS?

        If you have the little orange cloud (proxy) on your DNS entry, go to your public facing webpage and examine the cert. Chances are it’s not what you think it is.

    • early_riser@lemmy.world (OP) · 2 up, 1 down · 20 hours ago

      In my experience even a site with low legitimate traffic will eventually buckle under the torrent of bots and scrapers if it’s up long enough to get indexed by search engines, so the longer my stuff is out there the more I anticipate I will need DDoS protection.

      • Admiral Patrick@dubvee.org · 5 up · edited · 20 hours ago

        I’ve got bot detection set up in Nginx on my VPS which used to return 444 (Nginx for "close the connection and waste no more resources processing it"), but I recently started piping that traffic to Nepenthes to return gibberish data for them to train on.

        I documented a rough guide in the comment here. Of relevance to you are the two .conf files at the bottom. In the deny-disallowed.conf, change the line for return 301 ... to return 444

        I also utilize firewall and fail2ban in the VPS to block bad actors, overly-aggressive scrapers, password brute forces, etc and the link between the VPS and my homelab equipment never sees that traffic.

        In the case of a DDoS, I’ve done the following:

        • Enable aggressive rate limits in Nginx (it may be slow for everyone but it’s still up)
        • Just stop either Wireguard or Nginx on the VPS until the storm blows over. (Crude but useful to avoid any bandwidth overages if you’re charged for inbound traffic).

        Granted, I’m not running anything mission-critical, just some services for friends and family, so I can deal with a little downtime.

        • mesa@piefed.social · 4 up · 19 hours ago

          I have something similar with fail2ban + hidden buttons. If the requester goes and clicks on the hidden buttons on the main site, it gets into a rabbit hole. After 3 requests, it gets banned for a bit. Usually stops the worst offenders. OpenAI and some of the scrapers are the worst.
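
          As an added example that belongs to neither commenter, the detection side of what Admiral Patrick's fail2ban/rate-limit notes and mesa's hidden-button rabbit hole describe, run over a constructed sample of Nginx access-log lines: repeated hits on a hidden honeypot path, one IP blowing through a per-minute budget, and a User-Agent matching a scraper pattern. The trap path, the pattern list and the log lines are all placeholders; the output is the list of IPs you would hand to fail2ban.

```shell
#!/bin/sh
# Added example (not code from the thread). One awk pass over Nginx "combined"
# access-log lines that flags the three signals discussed above:
#   honeypot   - 3+ hits on the hidden link target (the rabbit hole idea)
#   rate       - more than RATE_LIMIT requests from one IP in one minute
#   user-agent - UA matching a scraper pattern list you maintain
# Output: "<ip> <reason>" per line, for handing to fail2ban/nftables.

TRAP_PATH="/.well-known/trap-link"              # placeholder hidden-link path
TRAP_LIMIT=3
RATE_LIMIT=60                                   # requests per minute per IP
UA_PATTERN="GPTBot|Bytespider|python-requests"  # example patterns, extend

# Constructed sample traffic (198.51.100.0/24 is TEST-NET-2, not real hosts).
SAMPLE_LINES='198.51.100.7 - - [10/Mar/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "GET /.well-known/trap-link HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /.well-known/trap-link?p=2 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /.well-known/trap-link?p=3 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"
198.51.100.11 - - [10/Mar/2025:12:01:00 +0000] "GET /a HTTP/1.1" 200 100 "-" "curl/8.0"'

# gen_sample_log: the fixed lines above plus 70 requests from one client
# inside a single minute, which is what a crude scraper looks like.
gen_sample_log() {
  printf '%s\n' "$SAMPLE_LINES"
  i=1
  while [ "$i" -le 70 ]; do
    printf '198.51.100.23 - - [10/Mar/2025:12:02:%02d +0000] "GET /search?q=%d HTTP/1.1" 200 300 "-" "Mozilla/5.0"\n' \
      $((i % 60)) "$i"
    i=$((i + 1))
  done
}

# flag_offenders < logfile : prints "<ip> <reason>", one per line, deduplicated
flag_offenders() {
  awk -v trap="$TRAP_PATH" -v tl="$TRAP_LIMIT" -v rl="$RATE_LIMIT" -v ua="$UA_PATTERN" '
  {
    ip = $1
    minute = substr($4, 2, 17)          # "[10/Mar/2025:12:00:01" -> "10/Mar/2025:12:00"
    n = split($0, q, "\"")              # quoted fields: request line, referer, UA
    split(q[2], r, " "); path = r[2]    # "GET /path HTTP/1.1" -> "/path"
    agent = q[n - 1]
    if (index(path, trap) == 1) trap_hits[ip]++
    per_min[ip "|" minute]++
    if (agent ~ ua) ua_hit[ip] = 1
  }
  END {
    for (ip in trap_hits) if (trap_hits[ip] >= tl) print ip, "honeypot"
    for (k in per_min) if (per_min[k] > rl) { split(k, p, "|"); print p[1], "rate" }
    for (ip in ua_hit) print ip, "user-agent"
  }' | sort -u
}

# Stand-alone demo: `sh detect.sh demo` (or pipe a real log into flag_offenders)
if [ "${1:-}" = "demo" ]; then
  gen_sample_log | flag_offenders
fi
```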

          Google/bing, I do actually see them hit robots.txt then jump off, which is what they should be doing.

          • Admiral Patrick@dubvee.org · 1 up · edited · 19 hours ago

            Oooooh. That’s smart. I mostly host apps, but in theory, I should be able to dynamically modify the response body and tack on some HTML for a hidden button and do that.

            I used to disallow everything in robots.txt but the worst crawlers just ignored it. Now my robots.txt says all are welcome and every bot gets shunted to the tarpit 😈

            • mesa@piefed.social · 1 up · 19 hours ago

              Nice! That’s another way to do it. 😀

              I know others use Arabis(?) I think that’s what it’s called. The anime girl one that does a calc on top. I’ve never had good luck with it. I think bots are using something to get around and it messes with my requests. Might also be my own fiddling.

      • atzanteol@sh.itjust.works · 5 up, 1 down · edited · 20 hours ago

        I’ve run a publicly accessible low-legitimate-traffic website that has been indexed off my home network for >20 years without anything buckling so far. I don’t even have a great connection (30 Mbps upstream).

        Maybe I’m just lucky?

      • K3CAN@lemmy.radio · 1 up · 16 hours ago

        Consider what a DDOS attack looks like to Cloudflare, then consider what your home server can actually handle.

        There’s likely a very large gap between those two points.

        For me, my server will start to suffer long before traffic reaches the level of a modern DDOS attack.

  • just_another_person@lemmy.world · 13 up, 4 down · edited · 20 hours ago

    You’re using a service that is proxying your data. They can read all of it.

    If you don’t care, then good for you. You’re still the product as being a user because whatever you happen to be serving may eventually become interesting to them.

    If not, no harm done. It costs pennies to host a 24/7 load balanced reverse proxy. You just can’t do it yourself.