@CharlesGodwin
Last active April 29, 2024 12:49
I Don't Need Port Forwarding and Don't Care About CGNAT

This was rewritten 2022-11-30

This article is for users that want all these features:

  • To connect to home network from anywhere
  • To connect without any port forwarding, either by choice or because the internet provider can't or won't provide it
  • No setup or configuration or installation on client machine
  • No enrolment / registration required
  • To connect to web services in your home network
  • Access control optional on any web service
  • No cost for home user

This is not a project that allows for the implementation of simple, straightforward public facing access with adequate security to protect your home.

Introduction

I have two networks. One is in a city and has a publicly accessible IPv4 address; the other is in the country and has internet service behind CGNAT, so it has no addressable IPv4 ports. On each of these I wanted to enable access to various web services with the following properties:

  • Enable with no setup on client machine so I, or anyone, could access the sites
  • No enrolment or registration for use of the client
  • No open inbound ports on my networks, deliberate or imposed

I can do all this using free Cloudflare tunnelling services with no need for VPN or other setup on client machines.

You will need a Linux based machine that can be left running all the time. I chose to use a single Raspberry Pi 4 dedicated to being my gateway.

I am not a gamer, I do not need to support Minecraft servers or other single purpose services, just web services. Although Cloudflare supports web-based access to GUI interfaces (VNC) and RDP (Windows Remote Desktop Protocol), I have not tested or implemented these. I have not pursued IPv6 yet as my city ISP is not supplying it at this time.

This is not the solution for everyone, but it works for me.

Disclosure. I have no affiliation with any company mentioned herein other than being a user/customer. No money or favours change hands.

NOTE: If you do not need public access to your network from client machines with no special setup or configuration, there is no point using this technique. I recommend you just use Tailscale or ZeroTier.

Requirements

This needs to be implemented on a machine that runs all the time. Typically, these are Linux machines. It does not need to be a special purpose machine; this software does not need a lot of resources. My configuration runs on a Raspberry Pi.

You will need these skills and services:

  • A Cloudflare Teams account (free)
  • Cloudflare DNS service
  • Your own, owned, domain name
  • Some understanding of DNS records and setting them up
  • Limited command line (terminal) use on a Linux machine

Result

I will use mydomain.com as my example domain name. Although this post is using Raspberry Pi devices, nothing is special to the Pi, and the software could be implemented on any Linux machine. Cloudflare says it also supports Windows and Mac OS, but I have not tested them.

I now have the following working with no port forwarding or 3rd party VPN:

  • Each access point is a separate subdomain, except my main website.
  • All URLs are served over HTTPS. Certificate management is handled entirely by Cloudflare, with nothing on my network.
  • A public website running in my network
  • Two Grafana dashboards running on separate machines.
    • These are accessed with grafana1.mydomain.com and grafana2.mydomain.com.
    • There is no need to expose a special port number publicly; the port mapping is handled in the Cloudflare interface.
    • Access to these is controlled by Cloudflare Access so only sanctioned users can reach the sites.
  • A container management dashboard called Portainer to view all container (Docker) activity in my network.
    • This has the same features as the Grafana sites, but access control is distinct for this URL.
    • URL is portainer.mydomain.com
  • A Network Attached Storage (NAS) device by QNAP

The upside of all this?

  • I have one small service running on a Pi device and configuration is managed using a Cloudflare provided web dashboard.
  • No port forwarding setup on router.
  • My router has NO open ports
  • No need for a static IP address or dynamic Domain Name Service (DDNS) providers. No one needs to know where I am.
  • No risk of cyber attacks (DDoS) or vandalism attacks, as my public access is managed by Cloudflare.
  • SSL certificates are managed by Cloudflare not on my site. I have no need for LetsEncrypt or other certificate service.
  • No need for a NGINX or other reverse proxy server to sort out requests
  • Anyone who is allowed to access my servers has zero setup on their systems. They do need an email address as that's what I use for Access control. The list of valid email addresses is my control list.
  • There is no need for users to register, they get a time sensitive access code sent to their pre-authorized email address when they access the URL
  • At my usage level all these services are provided free by Cloudflare

Possible downside?

  • You need to own a domain name. These are not expensive. Cloudflare will sell you one.
  • You need to set up Cloudflare as your DNS service. This is free and has various options. I will not elaborate, just check it out.
  • You do need a constantly running device in your network as the interface
  • This is not for a beginner, but neither is port forwarding or VPN setup

How I Did It

In 2022 Cloudflare introduced a web UI method for setting up tunnels. This eliminated all the hard work.

I did the following.

Set up my Cloudflare account

I established my Cloudflare account months ago, but it was straightforward. I recall at the time thinking "that's it?"

Migrated my DNS to Cloudflare

Migrating was fast. There are tutorials here to guide you through. If needed, you can use a script that implements dynamic DNS on Cloudflare using their REST API. I no longer need this service, although I used it for many months before this project.

Set up a Cloudflare for Teams account

This seems redundant but, yes, there are two Cloudflare accounts. Or it seems that way to me. Teams is here. Once you're enrolled Cloudflare seems to keep track.

Set up my tunnel using the web UI

  • Log in to Cloudflare Teams
  • From the left hand side menu, click on Access
  • Then select Tunnels
  • Then click the Create a tunnel button

Cloudflare has good documentation
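The web UI stores the hostname-to-service mapping on Cloudflare's side, so nothing below has to be typed in to follow the steps above. For readers who want to see what the tunnel actually does, here is the equivalent locally managed `config.yml` for `cloudflared`, written as an added example rather than taken from the gist author's setup; the tunnel UUID, credentials path, LAN addresses and ports are placeholders:

```yaml
# Locally managed cloudflared config.yml (added example; the web UI keeps
# the same mapping remotely). Placeholder values: tunnel UUID, credentials
# path, hostnames and the LAN addresses/ports of each service.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /home/pi/.cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # One public hostname per service. cloudflared on the Pi reaches each
  # service over the LAN, so no service needs a publicly reachable port.
  - hostname: grafana1.mydomain.com
    service: http://localhost:3000
  - hostname: grafana2.mydomain.com
    service: http://192.168.1.21:3000
  - hostname: portainer.mydomain.com
    service: http://192.168.1.22:9000
  # The catch-all rule is mandatory and must stay last: any hostname not
  # listed above is answered with a 404 by cloudflared itself instead of
  # being handed to something on the LAN.
  - service: http_status:404
```

Each listed hostname also needs a DNS record pointing at `<tunnel-UUID>.cfargotunnel.com`, which the web UI creates for you when you add a public hostname. The tunnel is started with `cloudflared tunnel run <tunnel-name>`, or installed as a service with `cloudflared service install` so it survives reboots of the Pi. The useful check after any change is that a hostname you did not list returns Cloudflare's 404 rather than reaching a service: that confirms the catch-all is in place and nothing is exposed by accident.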

Defined my applications and access control (subdomains)

A separate setup is defining applications and assigning access control to them. Access control allows you to restrict access to authorized users, identified by their email, and control their access to specific websites. The users do not need to install any software or register for a new account.

Use of applications is only needed if you want access control. This will vary by website and by what you have set up in tunnels. Cloudflare has good documentation.
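Cloudflare Access enforces the email policy at its edge before the request ever enters the tunnel, and it forwards a signed JSON Web Token to the origin in the `Cf-Access-Jwt-Assertion` request header. A service that is also reachable on the LAN, or that is ever reached through a misconfigured ingress rule, can defend itself by verifying that token. The following Go program is an added example, not code from the gist or from Cloudflare: it verifies the RS256 signature, then checks that the token was issued for this application's AUD tag (shown in the Access application settings), by this team's issuer, and has not expired. A throwaway RSA key generated in the program stands in for the key Cloudflare publishes at `https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs`; the AUD tag, issuer and email address are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessClaims holds the claims an origin should check in the token that
// Cloudflare Access delivers in the Cf-Access-Jwt-Assertion header.
type AccessClaims struct {
	Aud   []string `json:"aud"`   // AUD tag(s) of the Access application
	Email string   `json:"email"` // identity Access authenticated by email OTP
	Exp   int64    `json:"exp"`   // expiry, Unix seconds
	Iss   string   `json:"iss"`   // https://<team-name>.cloudflareaccess.com
}

// decodeSegment base64url-decodes one JWT segment into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return fmt.Errorf("bad base64url segment: %w", err)
	}
	return json.Unmarshal(raw, v)
}

// VerifyAccessJWT checks the RS256 signature against the team's public key,
// then the audience, issuer and expiry. Claims are returned only when every
// check passes, so a caller never acts on a token it cannot trust.
func VerifyAccessJWT(token string, pub *rsa.PublicKey, wantAud, wantIss string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated segments")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // refuse "none" and HMAC variants outright
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims AccessClaims
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range claims.Aud {
		if a == wantAud {
			audOK = true
		}
	}
	switch {
	case !audOK: // a token for portainer must not open grafana
		return nil, errors.New("token was issued for a different Access application")
	case claims.Iss != wantIss:
		return nil, errors.New("token was issued by a different Access team")
	case !now.Before(time.Unix(claims.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

// MintToken signs claims the way Cloudflare Access does (RS256). It stands in
// for Cloudflare's signer so the example runs offline; a real origin only
// verifies tokens and never mints them.
func MintToken(priv *rsa.PrivateKey, claims AccessClaims) (string, error) {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	// Throwaway key standing in for the team's published signing key (assumption).
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const aud, iss = "example-aud-tag", "https://example.cloudflareaccess.com" // placeholders
	now := time.Now()
	tok, _ := MintToken(priv, AccessClaims{Aud: []string{aud}, Email: "alice@example.com",
		Exp: now.Add(time.Hour).Unix(), Iss: iss})
	if claims, err := VerifyAccessJWT(tok, &priv.PublicKey, aud, iss, now); err == nil {
		fmt.Println("accepted:", claims.Email) // accepted: alice@example.com
	}
	_, err := VerifyAccessJWT(tok, &priv.PublicKey, "other-app", iss, now)
	fmt.Println("rejected:", err) // rejected: token was issued for a different Access application
}
```

In production the public key is fetched from the team's `/cdn-cgi/access/certs` endpoint and selected by the `kid` in the token header; the checks above are the same. Keeping the audience check per application is what stops a user who is allowed into one dashboard from replaying that token against another.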

Footnote

All of this is to enable simple access to selected services on my network with zero configuration on the client machine. It does not resolve my need to access as much of my network as possible from anywhere. I do that with the software-defined networking tool Tailscale. I have also used ZeroTier but, subjectively, prefer Tailscale. However, I use my laptop for this, which is configured to work with Tailscale. Implementing this is simple but is beyond the scope of this post.

@CharlesGodwin (author)

Thanks for the kind words. I'm glad I helped at least one person.

@pcislocked commented Aug 13, 2022

Thanks for this writeup. I will definitely refer to some of those when I'm moving my basic backend stuff from the Istanbul colocation back to my house. Hopefully mere 8 megabits per second of VDSL upload will suffice. I am not likely to get any large DDoS attacks anyways.

Edit: If anyone has similar remote access needs but doesn't own a domain, or doesn't need it exposed to the whole web, try Tailscale.

@kingace2056

Can anyone tell me why I'm getting '403 forbidden' and on the next line 'cloudflare nginx'?

@karanhudia

Wow! I wish this was my top search result when I was searching for "Accessing local server through ddns on NAT"
