Centralization is bad for everyone everywhere.
That bring said… I just moved my homeserver to another city… and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.
Tunnels made it very easy. No port forwarding no dns configuration no firewall fiddling no nothing.
Why do they have to make it so so easy…
I have written a small blog post about how to Bypass CGNAT, and have also mentioned why you should not use Cloudflare if you are hosting for privacy.
we should definitively have a wiki (though people should use “search” too, I wonder if a wiki would help really). This “topic” comes every month. I have posted this already, here it goes again: https://github.com/anderspitman/awesome-tunneling
The trouble with cloudflare is that there is just one. It’s one of the best registrars out there, the only free/cheap and usable DNS host (have you seen what route53 charges per zone??). That without getting into the whole tunnels and DDoS mitigation end of things, which is nearly unique at any price point.
The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.
The bigger trouble is creating a CDN has a stupidly high barrier to entry. You literally need your own data centers across the world, your own server infrastructure, the man power to manage it, etc.
You could try to host it on a cloud provider but you’d go bankrupt even quicker. Unless someone were to try to build a co-op run CDN, it’s just not gonna happen without a profit motive and a large amount of capital.
That’s true. The bizarre paradox of the centralization of edge infrastructure is real.
That said, the other edge-lords (haha) could offer similar functionality, but they chose not to.
I feel like something like https://www.storj.io/ is on the path to what we would want/need?
There might be some additional requirements for a true CDN to ensure data is closer to where it’s needed and in as many regions as needed though with the right amount of bandwidth. The data gets stored all over the place, but that doesn’t mean its optimal. But they do seem to claim it’s faster on their website…
Edit: For those not wanting to click, TLDR is they use excess storage around the world and make it accessible anywhere, and safe from failures. People with excess storage can join the network if they have enough storage/bandwidth and pass some tests. Their API is S3 compatible.
there is just one
Well it’s cloudflare, not cloudsflare. Maybe overcasthosting, or sunblockservers…
It’s not the only free DNS service.
It’s only a good registrar if you don’t care about privacy and you’re ok with their selection of TLDs (selected only from registries without privacy).
The free accounts do not benefit from DDoS protection. Re-read their terms of service, they’re vague on purpose. If you were ever DDoS’ed (I don’t know who would bother btw but that’s another discussion) they’d just drop you.
You can establish the tunneling thing on your own with any VPS.
The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.
You can and should diversify your services and spread them to different providers that are easy to switch. I’ve been with “all in one” providers before, they inevitably end up leveraging their convenience into all sorts of crap. But until you get burned a couple of times they look really good.
It’s not the only free DNS service.
can i get some alternatives. currently basically using cf pretty much just for dns, but would really like to switch
that looks great, thanks o/
EDIT: looks like you can only manage 1 domain before having to contact their support
As it is run by volunteers, they probably want to keep corporate (or domain hoarders) off their platform unless they pay.
Unless you are behind CGNAT; you would have had the same plug+play experience by using your own router instead of the ISP supplied one, and using DDNS.
At least, I did.
Yes, but it does expose your own IP address and thus where you live. Tunnels don’t.
True, but the downside of cloudflare is that they are a reverse proxy and can see all your https traffic unencrypted.
Yes, but if you host a public site it might be a better option, the content is public anyway, and you won’t get doxed if you publish something controversial. It’s a trade-off, between keeping traffic private or keeping your IP private. Wireguard works best for private traffic, but you can’t host a public site with that.
Wireguard works best for private traffic, but you can’t host a public site with that.
Of course you can! Nginx and wireguard on a VPS and actual services wherever you want.
Just stop supporting the biggest actor in the market.
That’s just a bandaid on capitalism’s issues. Urging people not to support the biggest actor will never work in the grand scheme of things, when said actor provides their best immediate interests.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAT Network Address Translation SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption SSO Single Sign-On TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
[Thread #830 for this sub, first seen 26th Jun 2024, 04:45] [FAQ] [Full list] [Contact] [Source code]
Why does Cloudflare get a pass on the “if it’s free, you’re the product” mantra of the self-hosting community? Honest question. They seem to provide a lot for free, so…
They have for public benefit program where they give out their paid security tiers for free? If you can get recommended into it. Build a lot of goodwill there for non-profits community.
It’s usually free tiers of paid products
That makes sense, except Google kinda does the same thing. Everything they have is technically just a “free tier” of the Google One subscription, right? I guess I’m saying that “free tier of paid product” doesn’t automatically qualify a company as trustworthy for me. Is there something else that sets Cloudflare apart?
In my opinion, the difference with Google is that Google is actively using your data and you’re giving them a lot of it. For Cloudflare, what do they have exactly? Depends on what services you use, but really all they get from me is the list of servers that connect to my domains. Google does that too if you use 8.8.8.8, or if you have any of their hardware that overrides router DNS settings like Chromecast and Google TV.
Quality of their products maybe? Cloudflare feels like they put a lot of effort into their product, Google not so much with how buggy everything is and how often they just abandon products they offer.
For me personally, it was all about balance.
15 years ago, Gmail/Inbox was a great email client, the domain was great and popular (so no need to spell it out for people) and I would “pay” by getting ads based on my emails read by a bot.
Now Gmail is a terrible email client, the best updates are ridiculous things like moving buttons around and it takes Google years to roll out. The thing loses emails, mislabels and misclassifies stuff and the rules work for a week then blow up. On top of that, google is now basically a proctologist considering how far up my ass they want to go
The balance is broken… Google now officially sucks (IMO)
Strictly speaking, they’re leveraging free users to increase the number of domains they have under their DNS service. This gives them a larger end-user reach, as it in turn makes ISPs hit their DNS servers more frequently. The increased usage better positions them to lead peering agreement discussions with ISPs. More peering agreements leads to overall cheaper bandwidth for their CDN and faster responses, which they can use as a selling point for their enterprise clients. The benefits are pretty universal, so is actually a good thing for everyone all around… that is unless you’re trying to become a competitor and get your own peering agreement setup, as it’d be quite a bit harder for you to acquire customers at the same scale/pace.
Because most self hosted things are free already. It doesn’t apply to FOSS.
I mean, I used to think Google Public DNS was great until I switched to 1.1.1.1…
If you like 1.1.1.1 the. You should try 9.9.9.9. Or better yet host unbound pihole if you’re up to the challenge. Best dns experience I’ve had.
I already use pihole, but with cloudflared as the upstream. What benefits does unbound offer besides improved security?
It’s actually better privacy since it talks directly to the root servers instead of cloudflare knowing all of your DNS traffic. Quad9 is a good alternative with better data policies
So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)
I’ll trust Cloudflare over Comcast/AT&T/etc. any day of the week.
Your ISP knows where you’re going anyway. They don’t need DNS for that. They see all the traffic.
If you use 9.9.9.9, you should try Mullvad DNS (with adblocking) or AdGuard Public DNS
Since we’re all throwing out DNS options, I’ll toss in NextDNS
I prefer Tailscale Funnel for these kinds of things. NetBird and ZeroTier also work just fine if you don’t want to expose your services to the public.
Tailscale is so cool too. I’ll definitely be switching if I can ever use my own domains
Actually you can… I do that with my setup. Just point your domain to the new ip assigned by tailscale to your server. Thats all. Recently they started supporting the https certificate also… Even though it’s not needed, for internal only communication.
It’s almost like the big tech companies are really good at their jobs…
DIY your own Cloudflare
Sure it’s easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.
Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.
Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven’t had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to loose some potential bandwidth to the kernelspace/userspace hoops.
What VPS do you use for this?
I am using the smallest tier VPS from IONOS for 1€/month. Good, reliable and trustworthy as it is a subsidiary of 1&1 telecommunications.
If you want something cheap check out RackNerd yearly deals. Last I checked they still have listings for black Friday and other old deals once you’ve made an account. I got a server for like $12 a year with 5tb monthly bandwidth. I have 3 servers total with them and haven’t had a problem for the 3 years I’ve been using them.
That would be awesome, currently it’s 500GB for their cheaper option which starts at 23/year. I didn’t find an option to increase the bandwidth before completing the order. Also it needs to be deployed in NY (which would be possibly slow for me in Europe). Finally their isos are somewhat old, the latest Ubuntu they have is 20.04 (which has an EoL next year).
All that being said, 23/year is very cheap for a VPS, and for people in the US that use less than 500GB/month that’s the best deal I’ve ever seen.
There should be more deals when you click add services.
Understand on the latency possibly being an issue. I did see they have servers in France now. Maybe you could do some ping tests.
Does this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?
I’ve been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.
I also have a similar setup to maiskanzler. But I use iptables to forward the traffic over wireguard and I am able to preserve the original client IP by not snat the packets. I then have to use policy based routing to make sure that traffick goes back out through the wg tunnel.
I’m happy to share info on how to get this working.
Please tell ^^
I’m not sure what the best way to share this info is. I’d love to write up a blog but not sure how long that would take. I suppose I could just share the wireguard configs here as they include the iptable commands. Will do that tonight when I get a chance.
