I Don't Need Port Forwarding and Don't Care About CGNAT
This was rewritten 2022-11-30
This article is for users who want all of these features:
- Connect to the home network from anywhere
- Connect without any port forwarding, either by choice or because the internet provider can't or won't provide it
- No setup, configuration or installation on the client machine
- No enrolment / registration required
- Connect to web services in your home network
- Optional access control on any web service
- No cost for the home user
This is not a project that allows for the implementation of simple, straightforward public facing access with adequate security to protect your home.
I have two networks. One is in a city and has a publicly accessible IPv4 address; the other is in the country and has internet service behind CGNAT, so it has no addressable IPv4 ports. On each of these I wanted to enable access to various web services with the following properties:
- No setup on the client machine, so I, or anyone, could access the sites
- No enrolment or registration for use of the client
- No open inbound ports on my networks, whether deliberate or imposed
I can do all this using free Cloudflare tunnelling services with no need for VPN or other setup on client machines.
You will need a Linux based machine that can be left running all the time. I chose to use a single Raspberry Pi 4 dedicated to being my gateway.
I am not a gamer, I do not need to support Minecraft servers or other single-purpose services, just web services. Although Cloudflare supports web-based access to GUI interfaces (VNC) and RDP (Windows Remote Desktop Protocol), I have not tested or implemented these. I have not pursued IPv6 yet as my city ISP is not supplying it at this time.
This is not the solution for everyone, but it works for me.
Disclosure. I have no affiliation with any company mentioned herein other than being a user/customer. No money or favours change hands.
NOTE : If you do not need public access to your network using client machines with no special setup or configuration, there is no point using this technique. I recommend you just use TailScale or ZeroTier.
This needs to be implemented on a machine that runs all the time. Typically, these are Linux machines. It does not need to be a special-purpose machine; this software does not need a lot of resources. My configuration runs on a Raspberry Pi.
You will need these skills and services:
- A Cloudflare Teams account (free)
- Cloudflare DNS service
- Your own, owned, domain name
- Some understanding of DNS records and setting them up
- Limited command line (terminal) use on a Linux machine
I will use mydomain.com as my example domain name. Although this post is using Raspberry Pi devices, nothing is special to the Pi, and the software could be implemented on any Linux machine. Cloudflare says it also supports Windows and Mac OS, but I have not tested them.
I now have the following working with no port forwarding or 3rd party VPN:
- Each access point is a separate subdomain, except my main website.
- All URLs use HTTPS for encrypted access to web services. Certificate management is handled completely by Cloudflare, none of it on my network.
- A public website running in my network.
- Two Grafana dashboards running on separate machines.
  - These are accessed with grafana1.mydomain.com and grafana2.mydomain.com.
  - There is no need to expose a special port number publicly; the internal port is handled in the Cloudflare interface.
  - Access to these is controlled by Cloudflare Access, so only sanctioned users can reach the sites.
- A container management dashboard called Portainer to view all container (Docker) activity in my network.
  - This has the same features as the Grafana sites, but access control is distinct for this URL.
  - URL is portainer.mydomain.com
- A Network Attached Storage (NAS) device by QNAP
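As an added illustration, not from the post (which sets everything up in the Cloudflare Web UI), this is the same subdomain-to-service mapping expressed as a locally managed cloudflared config.yml; the tunnel UUID, internal addresses and ports are hypothetical placeholders, and Access policies are still defined separately per hostname in the Cloudflare dashboard.

```yaml
# Hypothetical cloudflared config.yml for the services listed above.
# The tunnel UUID and credentials path come from "cloudflared tunnel create".
tunnel: <TUNNEL-UUID>
credentials-file: /home/pi/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public website, served from the Pi itself; no Access policy applied.
  - hostname: mydomain.com
    service: http://localhost:80

  # Grafana runs on two separate machines. The internal port (3000) never
  # appears in the public URL; the tunnel maps the hostname to it.
  - hostname: grafana1.mydomain.com
    service: http://192.168.1.20:3000
  - hostname: grafana2.mydomain.com
    service: http://192.168.1.21:3000

  # Portainer serves HTTPS with a self-signed certificate on the LAN.
  # noTLSVerify only relaxes the check between cloudflared and the origin;
  # the public side is still Cloudflare-managed TLS. Install a trusted
  # certificate on the origin instead where you can.
  - hostname: portainer.mydomain.com
    service: https://192.168.1.22:9443
    originRequest:
      noTLSVerify: true

  # QNAP NAS web interface, same caveat as above.
  - hostname: nas.mydomain.com
    service: https://192.168.1.30:443
    originRequest:
      noTLSVerify: true

  # Required catch-all rule: cloudflared refuses to start without one.
  # Any hostname not matched above gets a 404 instead of reaching an origin.
  - service: http_status:404
```

Only hostnames that also have a DNS CNAME pointing at the tunnel are reachable, so keep the ingress list and the Cloudflare DNS records in step.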
The upside of all this?
- I have one small service running on a Pi device and configuration is managed using a Cloudflare provided web dashboard.
- No port forwarding setup on router.
- My router has NO open ports
- No need for a static IP address or dynamic Domain Name Service (DDNS) providers. No one needs to know where I am.
- No risk of cyber attacks (DDoS) or vandalism attacks, as my public access is managed by Cloudflare.
- SSL certificates are managed by Cloudflare, not on my site. I have no need for Let's Encrypt or another certificate service.
- No need for an NGINX or other reverse proxy server to sort out requests
- Anyone who is allowed to access my servers has zero setup on their systems. They do need an email address as that's what I use for Access control. The list of valid email addresses is my control list.
- There is no need for users to register; they get a time-sensitive access code sent to their pre-authorized email address when they access the URL
- At my usage level all these services are provided free by Cloudflare
Possible downside?
- You need to own a domain name. These are not expensive. Cloudflare will sell you one.
- You need to set up Cloudflare as your DNS service. This is free and has various options. I will not elaborate, just check it out.
- You do need a constantly running device in your network as the interface
- This is not for a beginner, but neither is port forwarding or VPN setup
In 2022 Cloudflare introduced a Web UI method for setting up tunnels. This eliminated all the hard work.
I did the following.
I established my Cloudflare account months ago, and it was straightforward. I recall at the time thinking "that's it?"
Migrating was fast. There are tutorials here to guide you through. If needed, you can use a script to implement dynamic DNS on Cloudflare using their REST API. I no longer need this service, although I used it for many months before this project.
This seems redundant but, yes, there are two Cloudflare accounts. Or it seems that way to me. Teams is here. Once you're enrolled Cloudflare seems to keep track.
- Log in to Cloudflare Teams
- From the left-hand side menu, click on Access
- Then select Tunnels
- Then click the Create a tunnel button
Cloudflare has good documentation
A separate setup is defining applications and assigning access control to them. Access control allows you to restrict access to authorized users, identified by their email, and control their access to specific websites. The users do not need to install any software or register for a new account.
Use of applications is only needed if you want access control. This will vary by website and by what you have set up in tunnels. Cloudflare has good documentation
All of this is to enable simple access to selected services on my network with zero configuration on the client machine. It does not resolve my need to access as much of my network as possible from anywhere. I do that using the software-defined networking software TailScale. I have also used ZeroTier but, subjectively, prefer TailScale. For this, however, I use my laptop, which is configured to work with TailScale. Implementing this is simple but is beyond the scope of this post.
Thanks so much! I had been searching for exactly this information regarding VNC. I had gotten SSH working. HTTP was easy enough. VNC I was just stumped.