You may not need Cloudflare Tunnel. Linux is fine

 2 years ago
source link: https://kiwiziti.com/~matt/wireguard/
matt's ramblings

Cloudflare Tunnel is a cool little product Cloudflare offers to essentially give your computer a public IP address. Getting a packet from point A to point B is Linux's bread and butter. Why not just use it?

what is a tunnel and why use one?

In this context, a tunnel allows you to expose a computer from your home to the internet easily and securely. It also might come with some performance benefits.

Most folks love when someone comes to their house when invited, but I'd say very few enjoy an intruder. This is exactly the experience of the internet for the majority: you can request information and get a response, but usually not the other way around.

This is a bummer of a way to only experience the internet. In reality, you can have a website just like unicefusa.org or wikipedia.org. You can create a beautiful garden on the World Wide Web and people can swing by to enjoy that garden whenever. It's a very empowering and magical concept.

The easiest way to set up your garden is to use somewhere already public instead of your own yard. That's what a lot of people do by using a VPS like Digital Ocean. The thing is, you have your own huge, wonderful yard. Why not plant your garden there? Plus, the community garden is a shared place. It doesn't really feel like yours.

However, just because you want to let people experience your garden does not mean you want to allow folks to roam around everywhere at your place.

One way to get back some privacy is to build a fence around your garden. People have been firewalling their networks via NAT forever [1]. Making an impenetrable fence around your garden is pretty easy, but configuring the fence on what to let in or out is the hard part.

Another issue is telling people where your garden is. Ah, you could use a DNS server to broadcast your IP address! You'll have to keep the phone book up to date with your current address... wait, did I just say your current home address?! You're not crazy about having your address just being broadcasted out there in the yellow pages (even though you know it's really public knowledge). You might get an angry mob outside. You'd have to build a pretty good fence around your garden to feel comfortable. You remember the days of trying to set up port forwarding to download that Radiohead CD and it's no different this time. The manual is confusing. There are typos everywhere. You're really not sure you set it up right.

There's another clever solution to all of that: blindfold your garden visitors and have a driver drive a reasonable number of people back-and-forth to your fully imprisoned garden in an armored vehicle. Or instead of an armored car you could encapsulate the internet packets and then encrypt those encapsulated packets.

An unexpected benefit of this seemingly radical approach is allowing most visitors to get to your garden as quickly as possible. The public community garden was right off the highway; everyone knew how to get there. Now that they had to go to your home, however, sometimes they'd take really silly routes. Your new driver knows how to get to your house super fast. [2]

Our approach here differs from Cloudflare's setup in a few ways, but the overall concept is identical. I'll outline those differences and their pros and cons in the conclusion.

Get yourself a cheap VPS near you and make sure you get two IPv4 addresses. We'll use one to SSH into the VPS and the other as your home computer's public address ($PUBLIC_IPv4).

I went with Hetzner because they're awesome, they're like <300 miles away, and each VPS instance is allotted a generous 20TB of traffic that I'll never in a million years use. Most importantly, they seem to have excellent peering.

We'll assume you've already set up the Wireguard interfaces on both devices. The public IPv4 address should not yet be set up (i.e. associated with an interface) on the VPS.

On your VPS:

# Allow this device to forward packets it gets that are destined to
# someone else's IPv4. You'll need to do this each time you boot. It can
# be made permanent, but how to do that varies from distro to distro.
# This allows your home computer to reply to messages it receives.
$ sudo sysctl -w net.ipv4.ip_forward=1
# Anything sent to your home server's Wireguard IPv4 address should travel
# via the Wireguard interface "device". Standard stuff.
$ sudo ip route add $HOME_WIREGUARD_IPv4 dev $WIREGUARD_INTERFACE_NAME scope link
# Anything sent to your public IPv4 address should travel via the
# Wireguard interface "device". Act as if the home Wireguard IPv4 is a
# router even though the public IPv4 looks completely different.
$ sudo ip route add $PUBLIC_IPv4 via $HOME_WIREGUARD_IPv4 dev $WIREGUARD_INTERFACE_NAME onlink
# Pretend to other routers connected to your real world ethernet interface
# that you're the owner of the public IPv4 address (proxy ARP).
$ sudo ip neighbour add proxy $PUBLIC_IPv4 dev $ETHERNET_INTERFACE_NAME

On your home computer:

# Anything sent to your VPS's Wireguard IPv4 address should travel
# via the Wireguard interface "device". Standard stuff.
$ sudo ip route add $VPS_WIREGUARD_IPv4 dev $WIREGUARD_INTERFACE_NAME scope link
# Make a new world of rules and call it: "Table 200". Anything that subscribes
# to that world's rules will, by default, be sent to the VPS as if it were a
# router.
$ sudo ip route add default via $VPS_WIREGUARD_IPv4 table 200
# Make anything sent from the public IP address subscribe to the world of
# "Table 200" rules.
$ sudo ip rule add from $PUBLIC_IPv4 lookup 200

You may want to use the wg-quick PostUp and PostDown configurations for these. For PostDown, replace add with del and do it in reverse.
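As an added example (not from the article, and not part of any project's code), here is a small POSIX shell script that turns the two command lists above into wg-quick PostUp/PostDown fragments. The PostDown lines are derived mechanically the way the text describes: keep the ip(8) commands, swap add for del, and reverse the order. All addresses and interface names are constructed placeholders (203.0.113.0/24 is the documentation range). It assumes wg-quick runs the hooks as root, so no sudo is needed, and that $PUBLIC_IPv4 is already configured as an address on the home machine's WireGuard interface so that the from rule has something to match.

```shell
#!/bin/sh
# Added example: generate wg-quick PostUp/PostDown lines for the VPS and the
# home machine from the command lists in the article. Constructed placeholder
# values; substitute your own addresses and interface names.
HOME_WG=10.0.0.2          # home machine's WireGuard address
VPS_WG=10.0.0.1           # VPS's WireGuard address
PUBLIC_IPv4=203.0.113.10  # the VPS's second IPv4, "owned" by the home machine
WG_IF=wg0                 # WireGuard interface name (both ends, for simplicity)
ETH_IF=eth0               # VPS's real ethernet interface

# VPS side: the article's commands, one per line, no "$" prompt and no sudo
# (wg-quick executes PostUp/PostDown as root).
vps_up_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add $HOME_WG dev $WG_IF scope link
ip route add $PUBLIC_IPv4 via $HOME_WG dev $WG_IF onlink
ip neighbour add proxy $PUBLIC_IPv4 dev $ETH_IF
EOF
}

# Home side. Assumption: $PUBLIC_IPv4 is already an address on $WG_IF
# (for example via Address = in [Interface]), otherwise nothing is ever
# sent "from" it and the policy rule never fires.
home_up_cmds() {
  cat <<EOF
ip route add $VPS_WG dev $WG_IF scope link
ip route add default via $VPS_WG table 200
ip rule add from $PUBLIC_IPv4 lookup 200
EOF
}

# Derive teardown from setup. Only ip(8) lines are kept: the sysctl is left
# alone, since switching forwarding off when the tunnel goes down could break
# unrelated routing on the VPS. "add" becomes "del" and the order is reversed
# so dependent entries are removed before the ones they rely on.
down_cmds() {
  grep '^ip ' | sed 's/^ip \([a-z]*\) add /ip \1 del /' \
    | awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

# Render one side as repeated PostUp = / PostDown = lines for [Interface].
# wg-quick accepts multiple PostUp/PostDown keys and runs them in order.
wg_quick_fragment() {   # $1: name of the function producing the "up" commands
  "$1" | sed 's/^/PostUp = /'
  "$1" | down_cmds | sed 's/^/PostDown = /'
}

echo "# --- VPS: add to [Interface] in /etc/wireguard/$WG_IF.conf ---"
wg_quick_fragment vps_up_cmds
echo
echo "# --- home: add to [Interface] in /etc/wireguard/$WG_IF.conf ---"
wg_quick_fragment home_up_cmds
```

After `wg-quick up`, `ip route get $PUBLIC_IPv4` on the VPS should report the WireGuard interface as the next hop, which confirms the onlink route took effect. Keep in mind that once this is in place the home machine answers on every port of $PUBLIC_IPv4 that has a listening service, so the host firewall on the home machine, not the VPS, is what decides which services are actually reachable; `ss -ltn` shows what is currently listening.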

conclusion

Does it work? Well, if you're reading this on kiwiziti.com then the answer is yes. If you're reading it on the archive.org backup, then maybe not so much.

[Image: a server next to a TV playing the scene from '2001: A Space Odyssey' where apes are interacting with the alien monolith] My "rack" (lower right: laptop and NAS). The TV is playing a video of us trying to figure out the internet.

I bet it will work OK. Maybe even better than OK. I really think that CDNs are a premature optimization for like 99% of people. We have some really insanely powerful machines just idling at home. Residential fiber is increasingly available. Nginx is a nearly optimal finite state machine. The in-kernel Wireguard implementation is more than fast enough.

Will it work better than Cloudflare Tunnel? Decidedly not. Coming back to our analogy at the beginning:

  • Cloudflare's driver drives a Ford GT.
  • They drive it on their own private roads and valet the garden visitors right next to their own home.
  • Cloudflare's driver is also a bouncer. They'll deny rides to creeps.
  • They offer their services for free: mileage, car, driving hours, and all. For... a while?

By contrast:

I'm not trying to insult our solution too much. I actually like it! We can find a mechanic within a stone's throw if the car breaks. The car is basic, sure, but it doesn't even run a userspace daemon to manage. And are the interstates really that much slower than Cloudflare's private roads?

I guess the decision point for me comes down to the driver. I'm pretty sure Cloudflare's driver is trying to take over the world and I think diversity is one of the most important things. Also, our driver is predictable. The contract is known and an amazing price. If I pay Hetzner, they'll get the job done. Cloudflare is less certain. Their driver seems amazing and does amazing things. I may even have a bit of a crush on the driver. But will Cloudflare back out and leave me high and dry if I suddenly get a lot of traffic? What if my website makes it big?! Talk about premature optimization...

Really, though, using a pre-built solution like Cloudflare Tunnel that checks all the boxes sounds like a decision I'd make at work. But I'm at home. And a little step closer to touching that big wire we're all talking to each other over.

P.S.: I don't do networking for a living. I'm sure this article is full of errors. Hopefully, by the time you're reading this, the brilliant people of the internet will contact me to alert me of my ignorance and this article will be updated. I'll try to leave a trail of errata-shame on archive.org.

[1]: An interesting chicken or the egg type of question to ponder. Which came first: the frugality of IP addresses or the asymmetry of private internet consumers and public internet producers? If the internet started out with IPv6 and NAT was never needed, how would the internet look today?

[2]: This is purely conjecture. I bet residential internet providers route to other residential customers with a lower priority. Whereas I'd bet they have awesome peering agreements to get them to public hosting providers nicely.
