For years my homelab looked like everyone else's: a router with a handful of forwarded ports, a dynamic-DNS hostname, and a nagging feeling every time I read the day's CVE feed. One exposed service is one too many when the blast radius is your whole network. So I deleted every port-forward rule and put everything behind a Cloudflare Tunnel. My firewall's inbound rules are now boring, and boring is exactly what I want.
The core idea: no inbound ports
A tunnel flips the direction of the connection. Instead of the internet reaching in to your box, a lightweight daemon on your box reaches out to Cloudflare and holds that connection open. Traffic for grafana.example.com arrives at Cloudflare's edge and is handed back down the tunnel you already opened. Your origin never listens on a public port — from the outside, there is nothing to scan.
The most secure port is the one that was never open. Zero inbound rules means zero inbound attack surface at the network layer.
What it looks like in practice
The daemon (cloudflared) runs as a container next to my services. A single config maps hostnames to internal addresses:
ingress:
- hostname: grafana.example.com
service: http://grafana:3000
- hostname: wazuh.example.com
service: https://wazuh:443
- service: http_status:404
In front of that I layer Cloudflare Access so the dashboards require an identity — a Google login and a device check — before the request is even proxied to the origin. That is the "zero-trust" part: authentication happens at the edge, not somewhere deep inside my LAN after an attacker is already talking to the service.
What got better, and what to watch
- No more VPN for casual access. I still keep WireGuard for admin-plane work, but day-to-day dashboards just need a browser.
- Certificates are handled for me. TLS terminates at the edge; I stopped babysitting renewals.
- The origin can move. When I migrated hosts, public URLs never changed — only the tunnel's internal target did.
The trade-off is real and worth naming: you are trusting Cloudflare with your traffic's front door, and anything latency-sensitive pays a small edge hop. For a homelab and most small businesses, that trade is easily worth it. For regulated data, read the DPA first.
Start with one non-critical service, prove the Access policy works, then move the rest. The day you delete your last port-forward rule is a good day.
