I've opted to do this myself by buying a VPS for ~$5/month with DigitalOcean. It runs a WireGuard server and nginx, and then my home lab router connects via WireGuard. Nginx acts as a reverse proxy to serve content from my home lab. I have (relatively speaking) complete control over the entire path.<p>When running Cloudflare tunnels, opening a port on your router, or having a VPS+WireGuard, it's important to think about security and covering your butt. I run everything in a DMZ subnet that has firewall/ACL rules on both the DMZ and my other networks to restrict any access. I put bandwidth caps on individual VMs/containers. I also use WireGuard to reroute all outbound Internet requests from the DMZ so that my home lab doesn't use my home IP address at all.<p>Maybe I'm paranoid, but the last thing I need is to forget about some web project I was experimenting with in my lab and suddenly the Internet connection I pay for is being used by some bad actor to participate in DDoS or to resell access to my trusted residential IP for scamming purposes.
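As an added example (not the commenter's own configuration), here is the home-router side of the VPS+WireGuard layout described above, implementing the two controls the comment relies on: policy routing so that anything sourced from the DMZ leaves through the tunnel rather than the home IP, and a default-deny forward chain so the DMZ can talk only to the tunnel and never to the LAN or the home WAN. All names are hypothetical placeholders: bridges br-dmz and br-lan, WAN interface wan0, tunnel interface wg0 with the VPS at 10.99.0.1, DMZ 10.20.0.0/24 and LAN 192.168.1.0/24. It assumes the VPS end has ip_forward enabled, lists the DMZ subnet in the router peer's AllowedIPs, and masquerades that subnet out its public interface. By default it only prints what it would do; run it with DRY_RUN=0 as root to apply.

```shell
#!/bin/sh
# Added example: home-router policy routing and DMZ isolation for a
# VPS+WireGuard reverse-proxy setup. Every interface and address below is a
# hypothetical placeholder, override them via the environment.
set -eu

DMZ_IF=${DMZ_IF:-br-dmz}
LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-wan0}
WG_IF=${WG_IF:-wg0}
VPS_TUNNEL_IP=${VPS_TUNNEL_IP:-10.99.0.1}
DMZ_NET=${DMZ_NET:-10.20.0.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WG_TABLE=${WG_TABLE:-100}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Policy routing: only packets *sourced* from the DMZ consult table $WG_TABLE,
# whose only route is a default via the tunnel, so lab egress always carries
# the VPS address. The rest of the house keeps the main table's default route.
dmz_egress_rules() {
  run ip route replace default dev "$WG_IF" table "$WG_TABLE"
  run ip rule add from "$DMZ_NET" lookup "$WG_TABLE" priority 100
}

# Forward chain, default deny:
#  - DMZ -> tunnel only (its Internet access is via the VPS)
#  - VPS (nginx backends) -> DMZ over the tunnel only
#  - LAN -> DMZ for administration, LAN -> WAN as usual
#  - DMZ -> LAN and DMZ -> WAN are dropped with counters so leaks are visible
dmz_ruleset() {
  cat <<EOF
table inet dmz {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$DMZ_IF" oifname "$WG_IF" accept
    iifname "$WG_IF" oifname "$DMZ_IF" ip saddr $VPS_TUNNEL_IP accept
    iifname "$LAN_IF" oifname "$DMZ_IF" accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$DMZ_IF" oifname "$LAN_IF" counter drop
    iifname "$DMZ_IF" oifname "$WAN_IF" counter drop
  }
}
EOF
}

apply_dmz_firewall() {
  if [ "$DRY_RUN" = 1 ]; then dmz_ruleset; else dmz_ruleset | nft -f -; fi
}

# Check a practitioner wants after applying: the kernel's own answer for where
# a DMZ host's packet to the Internet would go must name the tunnel interface.
check_dmz_egress() {
  probe_src=${1:-10.20.0.10}   # any address inside DMZ_NET
  run ip route get 1.1.1.1 from "$probe_src" iif "$DMZ_IF"
}

main() {
  dmz_egress_rules
  apply_dmz_firewall
  check_dmz_egress
}

main
```

With DRY_RUN=0 the last command's output should end in `dev wg0`; if it names wan0 the policy rule is missing and the lab is using the home IP after all.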
Call me crazy, but I don't think "tunnel all your traffic through a third party corporation's service" is the correct solution to "my IP changes sometimes." Maybe just set up DDNS instead?<p>If you really are trying to run a server behind a CGNAT, then I guess you have no other options, but I'd consider this kind of thing to be a last resort.
Unfortunately, you can't use this to tunnel multiple subdomains, unless you tunnel an entire domain. That's because Cloudflare won't let you issue third-level wildcard certificates, so you can't proxy *.lab.mydomain.com. Maybe I should just get my homelab a domain and be done with it, but right now running everything over Tailscale seems like a better solution.
I once had a project where I had more than one person trying to play an emulated game online through a custom Dolphin Emulator build on the same LAN segment. Due to the nature of how the client was trying to use ports, port forwarding was not helping due to overlap (clients wanted the exact same ports open and could not be distributed). I eventually gave up trying to do port forwarding and instead had each person get a VM with an extra IP assigned to it in a local data center. Linux supports different network configs per application, and I managed to use TincVPN as an Ethernet bridge between the VM's Ethernet and each local machine: I assigned the second IP from the VM to the end of the tunnel and created a custom routing table, used only when starting Dolphin, that used the VM's routing configuration. Effectively, it looked like they were playing their games from inside the data center.
Cloudflare Tunnels is a nightmare to work with. I had the famous experience of "it worked fine at my home, I don't know why it's not working in the lab" and couldn't ever resolve the problem, running on Ubuntu. As of March 2024, Cloudflare Tunnels was very, very unrefined (on Ubuntu). QUIC doesn't work and you have to read through forums to find how to change the protocol to http2. The logs are insufficient to pinpoint issues. The remote administration workflow seems broken. I should also mention that I used my own domain, not the free one, and used Cloudflare for DNS.<p>I am very interested in Tailscale SSH as an alternative to Cloudflare Tunnel + SSH. If anyone has experiences with Tailscale SSH, please share (https://tailscale.com/tailscale-ssh).
This is also pretty easy with nothing but SSH, setting up a tunnel through any server to which you have SSH access (including extremely cheap/free ones).
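As an added example (not the commenter's own setup), here is the SSH-only version of this: a reverse tunnel (`ssh -R`) from the home lab to a cheap VPS, with the key that opens the tunnel restricted on the server so that, if it is ever stolen, it cannot be used for a shell or to forward anything other than the one listener. Hypothetical placeholders: VPS host vps.example.net, a dedicated account `tunnel`, local service on 127.0.0.1:8080, and listener port 8443 on the VPS. The `permitlisten` option requires OpenSSH 7.8 or newer on the server.

```shell
#!/bin/sh
# Added example: a hardened SSH reverse tunnel for publishing a home-lab
# service through a VPS. Hostnames, ports and the account name are placeholders.
set -eu

VPS_HOST=${VPS_HOST:-vps.example.net}
TUNNEL_USER=${TUNNEL_USER:-tunnel}
LOCAL_PORT=${LOCAL_PORT:-8080}
REMOTE_PORT=${REMOTE_PORT:-8443}
KEY_FILE=${KEY_FILE:-${HOME:-.}/.ssh/id_tunnel}   # ssh-keygen -t ed25519 -f "$KEY_FILE" -N ''

# ExitOnForwardFailure: if the VPS port is already taken, ssh exits instead of
# sitting connected without the forward; the keepalives drop dead sessions so
# the reconnect loop below can re-establish the tunnel.
SSH_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
FORWARD_SPEC="127.0.0.1:$REMOTE_PORT:127.0.0.1:$LOCAL_PORT"

# Line for ~tunnel/.ssh/authorized_keys on the VPS.
#  restrict         disables pty, agent/X11 forwarding, user rc files, etc.
#  port-forwarding  re-enables forwarding (restrict turned it off)
#  permitlisten     limits -R to exactly this listener address:port
#  command=...      anything that does request a shell just exits
authorized_keys_entry() {
  pubkey=$1
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
    "$REMOTE_PORT" "$pubkey"
}

# The exact client invocation, printed so it can be reviewed or put in a unit file.
tunnel_cmd() {
  printf 'ssh %s -i %s -R %s %s@%s\n' \
    "$SSH_OPTS" "$KEY_FILE" "$FORWARD_SPEC" "$TUNNEL_USER" "$VPS_HOST"
}

# Minimal supervisor in place of autossh: reconnect a few seconds after any exit.
start_tunnel() {
  while :; do
    # shellcheck disable=SC2086  # SSH_OPTS is intentionally word-split
    ssh $SSH_OPTS -i "$KEY_FILE" -R "$FORWARD_SPEC" "$TUNNEL_USER@$VPS_HOST" || true
    sleep 5
  done
}

case "${1:-}" in
  start) start_tunnel ;;
  *)     tunnel_cmd ;;   # default: just show the command
esac
```

The listener is deliberately bound to the VPS loopback. To reach it from the Internet, either front it with nginx on the VPS (as in the VPS+WireGuard comment above) or set `GatewayPorts clientspecified` in sshd_config and change both the `permitlisten` address and the `-R` bind address to 0.0.0.0; the default of loopback-only means a forgotten tunnel does not silently become a public service.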