by napkin 1589 days ago
If you have $3-5/month to spare on a VPS, a similar but self-hosted solution can be achieved (tunnel/VPN plus reverse proxy) using WireGuard and Caddy.

Caddy in particular is extremely easy to configure, with the bonus that HTTPS/Let's Encrypt has never been free'er. WireGuard configuration is also gloriously minimal but admittedly, potentially tricky to get right the first time.

It's just good to consider alternatives to Cloudflare's network dominance, if you can afford it.

7 comments

I recently used the same Cloudflare Tunnel project to put an internal hosted service behind Cloudflare access.

I chose this over Wireguard because it integrates with our SSO system and users don't have to configure a firewall client. In fact, most users don't know we even did anything special to secure the service.

Secondly, I can set up wireguard, but then I would be responsible for maintenance, keeping the instance up and patched etc. You may save money by using Wireguard, but you pay for it in time, which is the only thing you cannot buy.

Do you have any guides on the same level of simplicity as this one? It seems while we always bring up WireGuard, it's a big topic with few good places to get a handhold on.

I can't share the code since it's internal but here's the broad strokes.

* Start with a "gateway" managing your WireGuard "PKI". Basically a group of Wireguard servers with an API that have synced configs.

    /proxies - Your frontend servers.
    /endpoints - Your backend servers.
    /gateways - WireGuard servers that your frontend and backend can reach.
* Gateway authenticates your proxies and endpoints and they both hit a /config endpoint to pull something that can be shoved into wg-quick. AllowedIPs restricts what the proxy is allowed to reach.

* Proxies handle user-auth like any web service and then act as a reverse proxy to the endpoints using the Wireguard internal address.

Nothing at all fancy, except that in a normal deployment your frontend and backend would live in the same datacenter and so you don't need any WireGuard BS.

This provides a model where our devs can hit a public endpoint that reverse proxies to their laptops.

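As an added illustration of the gateway-issued config described in the comment above (example code, not the commenter's internal project), the sketch below shows what a /config endpoint might emit: the proxy-side wg-quick file with AllowedIPs limited to the endpoints that proxy may reach, the matching gateway-side peer stanza, and a check of what the proxy's cryptokey routing would actually forward. The registry layout, field names, keys and addresses are constructed placeholders.

```python
import ipaddress

# Constructed registry standing in for the gateway's synced state (/proxies,
# /endpoints, /gateways). All names, keys and addresses are placeholders and
# the field names are assumptions, not a real API.
GATEWAY = {"wg_ip": "10.77.0.1", "public": "203.0.113.10:51820",
           "pubkey": "GATEWAY_PUBKEY_PLACEHOLDER"}
ENDPOINTS = {"wiki": "10.77.1.10", "grafana": "10.77.1.11"}
PROXIES = {
    "proxy-a": {"wg_ip": "10.77.2.5", "pubkey": "PROXY_A_PUBKEY_PLACEHOLDER",
                "allowed_endpoints": ["wiki"]},
}

def allowed_ips(proxy_name):
    """/32s this proxy may route into the tunnel: the gateway plus its endpoints."""
    proxy = PROXIES[proxy_name]
    hosts = [GATEWAY["wg_ip"]] + [ENDPOINTS[e] for e in proxy["allowed_endpoints"]]
    return [f"{h}/32" for h in hosts]

def proxy_config(proxy_name, private_key="PRIVATE_KEY_PLACEHOLDER"):
    """wg-quick config the proxy pulls from /config. wg-quick installs routes
    only for AllowedIPs, so nothing else is sent through the tunnel."""
    proxy = PROXIES[proxy_name]
    return "\n".join([
        "[Interface]",
        f"Address = {proxy['wg_ip']}/32",
        f"PrivateKey = {private_key}",
        "",
        "[Peer]",
        f"PublicKey = {GATEWAY['pubkey']}",
        f"Endpoint = {GATEWAY['public']}",
        f"AllowedIPs = {', '.join(allowed_ips(proxy_name))}",
        "PersistentKeepalive = 25",
    ]) + "\n"

def gateway_peer_stanza(proxy_name):
    """Gateway-side [Peer] for this proxy: packets from its key are accepted only
    if their source address is the proxy's own /32 (cryptokey routing)."""
    proxy = PROXIES[proxy_name]
    return "\n".join(["[Peer]", f"PublicKey = {proxy['pubkey']}",
                      f"AllowedIPs = {proxy['wg_ip']}/32"]) + "\n"

def can_reach(proxy_name, endpoint_name):
    """Would the proxy's kernel route traffic for this endpoint into the tunnel?"""
    target = ipaddress.ip_address(ENDPOINTS[endpoint_name])
    return any(target in ipaddress.ip_network(n) for n in allowed_ips(proxy_name))
```

Note that AllowedIPs in the proxy's own file only limits what that host routes into the tunnel; a proxy that edits its config can send more, so the gateway still needs its own forwarding rules to enforce which endpoints each proxy may reach.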
The real beauty of cloudflared is that you can just throw it into a sidecar for your k8s pod / docker-compose container set and configure the entire thing in one place.

That's a good point, sounds convenient.
Similarly, I use a cheap AWS Lightsail VPS at $3.50 (Lightsail has DDoS protection) -> WireGuard -> Apache reverse proxy mod -> my local services.

Why not have clients and local services meet on a WireGuard concentrator on the VPS? Then there's no need for an Apache reverse proxy.

Problem is, $3.50/month gets only 500 MB of RAM, which is very little to run Apache plus other services.

There are lots of ways to work it. I prefer retaining control over the service plane for ultimate flexibility, and so I can easily switch the public access point (the VPS) if needed. This also reduces the need for more powerful cloud hardware, more cloud costs, etc. On Apache: I've run Apache for decades for static web, reverse proxy, etc., and I have no plans to change that.

Yep, I've done this with nginx and SSH tunnels; it works well.

I've just done the same thing at work. I've got a little Dell OptiPlex running BookStack here, and an AWS Graviton2 box running a WireGuard server and reverse proxying web traffic over it.

Upvoted you for your username :)

IPv4 costs will keep increasing, so if you want cheap VPSes, IPv6 will be the only option, and this will allow you to use Cloudflare's network to serve the v4 users.