Access Your Home Lab Without Opening Ports on Your Firewall
We recently changed our internet service provider from Vodafone to TalkTalk, and one of the things I didn't think about was accessing my home lab from outside the network. I just thought that I could open a few ports and Bob's your uncle. Turns out that TalkTalk's modem doesn't allow you to open certain ports. This wouldn't be a problem if I wasn't running Nginx Proxy Manager to route traffic, which requires ports 80 and 443—the exact two ports that TalkTalk blocks.
So after a few days of banging my head against a wall trawling through forums, I came across Cloudflare Tunnels. Tunnels are part of Cloudflare's Zero Trust platform. A small connector (cloudflared) runs on your server and opens an outbound connection to Cloudflare's edge; when someone requests your public hostname, Cloudflare accepts the request and relays it down that existing connection to the service on your network. Because the connection is initiated from inside, nothing inbound ever has to be allowed through the modem, so no ports need to be opened.
I thought this was so amazing that I had to share it. Below is a short tutorial on getting Cloudflare Tunnels set up using Docker.
Note: For this tutorial, I am using a temporary instance on my Oracle Cloud account. This instance has already been deleted, so the specific IP addresses and domains used here will no longer be active.
Setting Up Docker
As I'm starting from a fresh install of Ubuntu 20.04 Minimal on my Oracle Cloud Instance, this is the best place to start.
Step 1: Connect to Your Instance via SSH
If you are using a cloud instance, use your terminal to access it via SSH. Make sure to change your file path, username, and IP address to match your setup:
Bash
ssh -i /path/to/your/key.key username@your-instance-ip
Step 2: Update the System
Run the following commands to ensure your Ubuntu instance is completely up to date:
Bash
sudo apt update && sudo apt upgrade -y
Step 3: Install Docker
Before installing Docker, we need to set up the official repository. Run these commands to configure the repository and install Docker:
Bash
sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
Step 4: Install Portainer
While a GUI isn't strictly required, I prefer a graphical user interface when managing containers. Because this instance is dedicated to Docker, I'm installing Portainer Business Edition (which offers up to 5 free node licenses).
First, create a persistent volume for the data and run the container:
Bash
docker volume create portainer_data
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data portainer/portainer-ee:latest
To configure Portainer initially, you will need to temporarily open port 9443 on your cloud provider's firewall dashboard. Close it again as soon as the tunnel is active: once traffic arrives via cloudflared, the published port serves no purpose, and Portainer has the Docker socket mounted, which gives anyone who can log in root-equivalent control of the host. Port 8000 is only used by Portainer's Edge agent feature and does not need to be reachable for this setup at all.
Once open, navigate to https://Your-IP-Address-Here:9443 in your browser. Your browser will warn about Portainer's self-signed certificate, which is expected here. Follow the prompts to set up your admin account. When asked for a license, you can click the "Don't have a license?" link to grab your free Business Edition keys via email.
On the Quick Setup screen, click Get Started to connect to your local Docker environment. Go to Environments, click the local environment instance, and select Containers to view your running applications.
Setting Up Cloudflare
Now that the server side is running, it's time to configure the tunnel itself.
Step 1: Sign Into Cloudflare
You will need a free Cloudflare account and a domain name pointing to Cloudflare's nameservers. Cloudflare provides an excellent step-by-step wizard to help you transition your DNS settings from your domain registrar.
Step 2: Create the Tunnel
- Head to the Cloudflare Zero Trust Dashboard.
- In the left-hand menu, navigate to Access and click on Tunnels.
- Click Create a tunnel and give it a name (e.g., "homelab").
- On the environment selection screen, select Docker.
- Cloudflare will generate a specific docker run command containing your unique tunnel token. Copy this entire command, paste it into your SSH terminal, and run it. Treat the token as a credential: anyone who has it can run a connector for your tunnel, so don't paste it into chat, tickets, or a public compose file. As generated, the command runs the container in the foreground with no restart policy; adding `-d --restart unless-stopped --name cloudflared` after `docker run` makes the connector survive a reboot.
- Once the container's output (or `docker logs cloudflared`, if you ran it detached) shows a "Registered tunnel connection" line for the Cloudflare data centers, return to the dashboard. You will see the status change to active. Click Next.
Step 3: Route Your Services
The final step maps your domain to your internal container network:
- Public Hostname: Select your domain from the dropdown and add a subdomain if desired (e.g., portainer.yourdomain.com).
- Service:
- Type: Select HTTPS.
- URL: Enter the internal IP address of your Docker container followed by the port (for example, 172.17.0.2:9443). You can find it with `docker inspect portainer`. Note that an address on the default bridge network is assigned at container start and is not guaranteed to be the same after a restart or reboot; if you want a stable target, put cloudflared and the application on a user-defined Docker network and use the container name as the hostname instead.
Pro Tip: If you are tunneling to a secure local web app that uses self-signed certificates (like Portainer's default HTTPS port), scroll down to Additional Application Settings, expand TLS, and enable the No TLS Verify option. This prevents the tunnel from failing due to internal certificate mismatches. Be aware of what it disables: cloudflared will no longer check the origin's certificate, so only use it when the connector and the application are on the same host or private network, where that hop cannot be intercepted.
Click Save Tunnel, navigate to your newly configured subdomain web address, and your application will load over HTTPS! Remember that this hostname is now reachable by anyone on the internet, exactly as if you had opened the port, and Cloudflare terminates TLS at its edge, so the login page of whatever you expose is the only thing standing between the world and your lab. For anything as sensitive as Portainer, add an Access policy in front of it (Zero Trust dashboard, Access, Applications, Add an application, Self-hosted) so that Cloudflare demands a login before a request is ever forwarded down the tunnel.
The process is incredibly straightforward once you break it down. Best of all, you can securely access your home lab applications from anywhere in the world without punching holes through your local router's firewall, and with the tunnel's hostname as the single, policy-controlled entry point.
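The setup above can be written down as a single Docker Compose file, which also fixes two rough edges of the click-through version: the tunnel token stays out of your shell history, and the service URL entered in the Cloudflare dashboard becomes a stable container name rather than a bridge IP that may change on reboot. This is an added example, not a file from the original post or from Cloudflare or Portainer; the network name `lab`, the `.env` variable `TUNNEL_TOKEN`, and the commented-out loopback port binding are my assumptions.

```yaml
# docker-compose.yml -- added example, not part of the original post.
# Assumes a file named .env beside it containing a single line:
#   TUNNEL_TOKEN=<token copied from the Cloudflare dashboard>
# The network name "lab" and the service name "portainer" are arbitrary choices;
# "portainer" is what you type in the dashboard as the service URL:
#   Type: HTTPS   URL: portainer:9443   (with No TLS Verify enabled)
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    # cloudflared reads the token from the TUNNEL_TOKEN environment variable,
    # so it does not have to appear on the command line.
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    command: tunnel --no-autoupdate run
    # No "ports:" block: the connector only makes an outbound connection.
    networks:
      - lab
    depends_on:
      - portainer

  portainer:
    image: portainer/portainer-ee:latest
    container_name: portainer
    restart: unless-stopped
    volumes:
      # Root-equivalent control of the host; keep an Access policy in front.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - lab
    # No "ports:" block either: Portainer is reachable only from containers on
    # the "lab" network, i.e. from cloudflared as https://portainer:9443.
    # For the one-off initial admin setup you can temporarily uncomment the
    # loopback-only binding below and reach it through an SSH port forward,
    # which avoids opening 9443 on the cloud firewall at all.
    # ports:
    #   - "127.0.0.1:9443:9443"

volumes:
  portainer_data:

networks:
  lab:
```

Bring it up with `docker compose up -d`, then `docker logs cloudflared` should show the "Registered tunnel connection" lines. If you use the loopback binding for the first-run setup, forward it over your existing SSH session with `ssh -i /path/to/your/key.key -L 9443:127.0.0.1:9443 username@your-instance-ip` and browse to https://127.0.0.1:9443 on your own machine; once the admin account exists, comment the port binding out again and run `docker compose up -d` a second time so the only way in is the tunnel.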
Will you be using Cloudflare Tunnels in your home lab? What apps are you running? Let me know in the comments below!