# I have a VPS sitting and doing nothing
You need to be sure you trust the VPS and VPS provider, since it'll have access to your network
Ahh that's a good point
Wouldn't I have to port forward, and set firewall rules just to connect to the "proxy" / VPN bridge 🤷
Depends on how you set it all up
You said:
I need full lan access on the go as if I'm at the network
which would point to a bridged VPN so that you're "on" the network
Like when I set up WireGuard earlier on my OPNsense I needed to pass a rule on my WAN that allowed incoming traffic into port 51820...
Yet people say that WireGuard just punches out, didn't I just have to port forward?
Makes sense
Depends on what you're reading when you read that
"people say" is:
- Vague
- subject to people not being an idiot
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/?utm_content=cmp-true
This and the official opnsense road warrior guide is what I've followed.
WireGuard is a modern designed VPN that uses the latest cryptography for stronger security, is very lightweight, and is relatively easy to set up once you understand how it functions in OPNsense. I found setting up WireGuard in OPNsense to be more difficult than I anticipated when I was first learning how to properly configure the service. It se...
Where in there does it talk about punching out?
Ohh that part is just something I've picked up from others, one person says it can punch out, others say it can't and you gotta port forward, which means Cloudflare is the one and only solution.

What's true, can WireGuard punch out similar to cloudflare tunnels?
Not as far as I know, it needs a server the client can connect to
Now, you can run that server somewhere accessible
which is what was being discussed above
Via a vps
Or anything else
Indeed, but I would need to open ports on both the main network and the bridged network.
Not sure what you mean
Any VPN can reach out unless you block it
It's just packets
You can't however run a VPN server on the main network and access it without either hole punching support, or port forwarding
Which I can't do anyways because I'm behind CGNAT
So, you need a VPN solution that supports hole punching, something like Tailscale/ZeroTier, or a VPS to run your own server
What's hole punching compared to port forwarding?
To my understanding OPNsense on the main network would be running a WireGuard client, and then the VPS would act as the server, the Host handling the port forwarding for me?
Or I would need to go with a hole punching solution, like tailscale/zerotier?
So hole punching is basically where the client on the main network establishes a connection to the servers on the other end.. kinda like a reverse VPN similar to what marty mentioned?
It's starting to make more sense
So why would one consider cloudflare over a VPN solution like tailscale or WireGuard with a bridge running on a VPS?
For when you want to expose a service or services
Want to expose a web service? Want SSH access? Those are simple things that CF tunnels work well for
Hmm could I just tunnel my whole lan over cloudflare?
Or would I have to setup a tunnel per service
So let's say I spin up a VM on my Network with a Cloudflare tunnel.
Will it automatically just route everything to Cloudflares servers?
Everything being hosted in separate VMs or bare metal on the LAN
Well, it'd be a pretty shit design to automatically find every web service on your network and expose them to the Internet
True now that I think about it
It's not like it's hard to set up though
Personally, I'd set up a proxy for all the services you want to expose. Point the tunnels at the proxy, and let the proxy handle it
I say that, because that's what I do
Now your CF tunnel host only has to reach the proxy, and the proxy is the only thing that needs to access the services
But what if I'm creating a new service (perhaps a new vm) away from the network, how would I add that service to a tunnel?
"away from the network"
what does that mean?
Do you understand what the tunnel is?
There's nothing stopping you running multiple tunnels
A tunnel is just a fancy VPN link
Remote, away from the lan
So set up another fecking tunnel?
You should read that
I bet it answers most of your questions
Yea it answers most of my questions.. Basically I have to setup an individual Cloudflare tunnel for each service/resource on my network...
No
You need to set up a tunnel for each network you want to access
I have one tunnel, for 5 services/resources
Ahh so this applies except I have to route those services
Or set up a proxy server and let that handle it
Depends on whether you want the CF tunnel host to have access to everything for a simpler setup, or to limit access and add some complexity
The proxy server being the method that limits access
Yeah
Tunnel terminates at the CF tunnel host, which then only has access to the proxy (DMZ)
Depends on whether you're doing this for work or home, and what your risk model is
I'm doing it for both so I should probably setup the proxy
A little bit of network security now reduces the risks ๐
Exactly, with the WireGuard plus Proxy/Bridge on a VPS method, what risks am I looking at other than trusting the VPS?
That's the biggest one, but you have to trust something to be able to VPN in
The other option would be Nebula VPN with a VPS to host the "lighthouse"
https://arstechnica.com/gadgets/2019/12/how-to-set-up-your-own-nebula-mesh-vpn-step-by-step/ is old, there's likely better guides now, but it's in my bookmarks
Nebula looks like a smarter option over WireGuard
That mesh feature is interesting
So you're using Traefik as the proxy and Authentik for authentication?
When it comes to Cloudflare
Yes, and no
I'm using CF's auth as the first pass to get to the services
Then the tunnel hands the connection to Traefik
That then either uses Authentik (if the web app has no auth) or the web app's auth
Why don't I set up both solutions for redundancy 🤷
Users can access specific services through cloudflare connected to a proxy, and I can connect through either WireGuard or Cloudflare for remote management.
Hey quick question, is this the guide you wrote for using traefik with cloudflare tunnels?
Yes
I just got cloudflare tunnels running, you were right, creating routes is easy
my only concern is that I would like additional authentication, is that what you've achieved with Authentik? (also, apologies for the pings, I keep forgetting to disable it, not trying to be annoying)
Just don't use reply and the problem is solved
I mean, there's only two of us in this thread
And yes, you can put auth in front of the connection (Cloudflare's auth) or you can use Authentik either as middleware or integrated with the app (where supported)
gotcha, I tried Cloudflare's auth, wasn't too pleased with it, at least the way I set it up.
the best I could do was have it send a code to any email, not sure if there's a white list or not
Then you didn't read my guide
And yes, there's whitelists, but SSO is so much easier
I skimmed through it, hehe
I'll read everything and see what I can do with it
@obsidian spade When using Discord's Reply feature it defaults to pinging the person you reply to, which can get frustrating for the target. Use Shift + click on the Reply option, or click @ ON to @ OFF to stop this - on the right side of the compose bar.
You have to change this every time (thank the Discord devs for that).
Do you suggest I follow this guide to get traefik up and running? https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/