Cloudflared Tutorial for Homelabs: No Static IP, No Port Forwarding

Modern homelabs and self-hosted infrastructures often depend on public IP addresses and manual port forwarding rules in the router. While this works, it introduces several limitations:

  • Dependency on a static public IP
  • Complex firewall and NAT configurations
  • Increased attack surface
  • Difficult remote access management
  • ISP restrictions and CGNAT limitations

Using Cloudflare together with cloudflared, we can completely eliminate traditional port forwarding while creating a flexible and IP-agnostic architecture.

This approach is especially useful for homelabs running virtualization platforms like Proxmox VE, NAS systems, web applications, routers, dashboards, and internal services that need secure public exposure.

Example Infrastructure

Our scenario looks like this:

In a traditional setup, every service exposed to the internet would require:

  • A public IP address
  • Router port forwarding
  • Firewall rules
  • Dynamic DNS or static IP management

With cloudflared, none of these are necessary.

What Is Cloudflared?

cloudflared is a lightweight tunnel client developed by Cloudflare Zero Trust.

Instead of opening inbound ports on your router, the tunnel creates an outbound encrypted connection from your local infrastructure to Cloudflare’s global edge network.

This means:

  • No inbound ports exposed
  • No need for static public IPs
  • Works behind CGNAT
  • Better security posture
  • Easier service publishing

The tunnel acts as a secure bridge between your internal services and the public internet.

Why Eliminate Port Forwarding?

Traditional port forwarding creates direct exposure between the internet and your internal network.

Example:

Internet → Public IP → Router Port Forward → Internal Server

This model introduces risks:

  • Open attack vectors
  • Brute-force attempts
  • Port scanning exposure
  • Complicated NAT management
  • Dependency on changing ISP IPs

By using Cloudflare Tunnels, the architecture becomes:

Internal Service → cloudflared → Cloudflare Edge → Internet Users

No direct inbound access exists anymore.

Benefits of an IP-Agnostic Architecture

1. No Static Public IP Required

Many residential ISPs, including Digi, provide dynamic public IP addresses.

Normally, this requires:

  • Dynamic DNS
  • Constant IP updates
  • Router configuration changes

With Cloudflare Tunnel:

  • The tunnel authenticates using your Cloudflare account
  • IP changes become irrelevant
  • The service remains reachable through your domain name

The infrastructure becomes completely independent from the WAN IP address.

2. No Port Forwarding

You no longer need to expose ports like:

  • 80 / 443 for websites
  • 22 for SSH
  • 32400 for Plex
  • 8006 for Proxmox
  • NAS management ports

Everything is proxied securely through Cloudflare.

This significantly reduces the attack surface of the network.

3. Easy Subdomain Management

Using a domain configured in Cloudflare DNS, you can expose services using subdomains:

proxmox.example.com
nas.example.com
grafana.example.com
router.example.com
nextcloud.example.com

Each subdomain can point to a different internal service.

This creates a clean and scalable architecture.

Installing Cloudflared

cloudflared can run almost anywhere:

  • Proxmox host
  • Linux VM
  • Docker container
  • LXC container
  • Raspberry Pi
  • Dedicated utility VM

A common best practice is to deploy it inside a lightweight Debian or Ubuntu VM/container.

Example installation on Debian/Ubuntu:

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-main.gpg

echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list

sudo apt update
sudo apt install cloudflared

Authenticate with Cloudflare:

cloudflared tunnel login

Create a tunnel:

cloudflared tunnel create homelab

Example Tunnel Configuration

Example config.yml:

tunnel: homelab
credentials-file: /root/.cloudflared/xxxxxxxx.json

ingress:
  - hostname: proxmox.example.com
    service: https://192.168.1.10:8006
    originRequest:
      noTLSVerify: true
  - hostname: nas.example.com
    service: http://192.168.1.20
  - hostname: grafana.example.com
    service: http://192.168.1.30:3000
  - hostname: router.example.com
    service: https://192.168.1.1
    originRequest:
      noTLSVerify: true
  - service: http_status:404

Start the tunnel:

cloudflared service install
systemctl start cloudflared

Once active, all services become accessible securely from the internet through Cloudflare.
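An added example, not part of the original post and not Cloudflare's code: a Python check of the ingress rules above, written as the data a YAML parser would return for config.yml. It models first-match-wins routing and flags the settings worth reviewing before publishing (noTLSVerify, plain-HTTP origins, a misplaced catch-all); the names INGRESS, matches, resolve and lint are hypothetical.

```python
# Constructed sample: the ingress section of the config.yml shown above, as parsed data.
INGRESS = [
    {"hostname": "proxmox.example.com", "service": "https://192.168.1.10:8006",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "nas.example.com", "service": "http://192.168.1.20"},
    {"hostname": "grafana.example.com", "service": "http://192.168.1.30:3000"},
    {"hostname": "router.example.com", "service": "https://192.168.1.1",
     "originRequest": {"noTLSVerify": True}},
    {"service": "http_status:404"},
]

def matches(pattern, host):
    """Hostname match: exact, or a leading '*.' wildcard covering subdomains."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def resolve(rules, host):
    """Return the service of the first rule that matches host (top to bottom)."""
    for rule in rules:
        if "hostname" not in rule or matches(rule["hostname"], host):
            return rule["service"]
    return None

def lint(rules):
    """Return (hostname, finding) pairs for broken ordering or weak origin settings."""
    findings = []
    if not rules or "hostname" in rules[-1]:
        findings.append(("*", "last rule must be a catch-all with no hostname"))
    for i, rule in enumerate(rules):
        host = rule.get("hostname", "*")
        if "hostname" not in rule and i != len(rules) - 1:
            findings.append((host, "catch-all before the end shadows later rules"))
        if rule.get("originRequest", {}).get("noTLSVerify"):
            findings.append((host, "origin certificate is not verified"))
        if rule["service"].startswith("http://"):
            findings.append((host, "cleartext HTTP between cloudflared and origin"))
    return findings

if __name__ == "__main__":
    for host, finding in lint(INGRESS):
        print(f"{host}: {finding}")
    print(resolve(INGRESS, "unknown.example.com"))
```

The findings are review prompts rather than errors: noTLSVerify is a common choice for self-signed appliance certificates, but it means cloudflared will accept any certificate presented at that LAN address.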

Publishing Non-Proxmox Devices

One major advantage of this design is that the tunnel can expose anything reachable from the local network.

Examples:

  • NAS appliances
  • Routers
  • Printers
  • Cameras
  • Home Assistant
  • Internal dashboards
  • Kubernetes clusters
  • Docker services
  • Legacy applications

Even devices connected directly to the switch can be published without modifying router NAT rules.

Security Advantages

Reduced Exposure

No open inbound ports means:

  • Port scanners cannot discover services directly
  • Bots cannot target forwarded ports
  • SSH and admin panels remain hidden

Cloudflare Access Policies

Using Cloudflare Access, you can add authentication layers:

  • Google login
  • GitHub login
  • One-time PIN
  • MFA authentication
  • Email-based access control

This is extremely useful for:

  • Proxmox panels
  • NAS dashboards
  • Router administration
  • Internal applications

High Availability Possibilities

Cloudflared also supports multiple connectors.

You can deploy:

  • One tunnel instance on the Proxmox host
  • Another inside a VM
  • Another on a secondary server

This creates redundancy if one node fails.

The router no longer acts as a public exposure point.

It simply provides outbound internet connectivity.

Using cloudflared together with Cloudflare transforms a traditional homelab into a modern, secure, and IP-agnostic infrastructure.

Key advantages include:

  • No static public IP required
  • No port forwarding
  • Simplified remote access
  • Reduced attack surface
  • Easy subdomain-based service exposure
  • Centralized access management
  • Compatibility with virtually any internal service

For homelab environments built around Digi internet connections, Proxmox virtualization, and multiple LAN devices, Cloudflare Tunnels provide a clean and scalable alternative to traditional NAT-based exposure.

Instead of exposing your network to the internet, your infrastructure securely connects outward to Cloudflare — making the entire architecture simpler, safer, and easier to maintain.

