You may not need Cloudflare Tunnel. Linux is fine.

Cloudflare Tunnel is a cool little product Cloudflare offers to essentially give your computer a public IP address. Getting a packet from point A to point B is Linux's bread and butter. Why not just use it?

what is a tunnel and why use one?

In this context, a tunnel allows you to expose a computer from your home to the internet easily and securely. It also might come with some performance benefits.

Most folks love when someone comes to their house when invited, but I'd say very few enjoy an intruder. This is exactly the experience of the internet for the majority: you can request information and get a response, but usually not the other way around.

This is a bummer of a way to only experience the internet. In reality, you can have a website just like unicefusa.org or wikipedia.org. You can create a beautiful garden on the World Wide Web and people can swing by to enjoy that garden whenever. It's a very empowering and magical concept.

The easiest way to set up your garden is to use somewhere already public instead of your own yard. That's what a lot of people do by using a VPS like Digital Ocean. The thing is, you have your own huge, wonderful yard. Why not plant your garden there? Plus, the community garden is a shared place. It doesn't really feel like yours.

However, just because you want to let people experience your garden does not mean you want to allow folks to roam around everywhere at your place.

One way to get back some privacy is to build a fence around your garden. People have been firewalling their networks via NAT forever [1]. Making an impenetrable fence around your garden is pretty easy, but configuring the fence on what to let in or out is the hard part.

Another issue is telling people where your garden is. Ah, you could use a DNS server to broadcast your IP address! You'll have to keep the phone book up to date with your current address... wait, did I just say your current home address?! You're not crazy about having your address just being broadcasted out there in the yellow pages (even though you know it's really public knowledge). You might get an angry mob outside. You'd have to build a pretty good fence around your garden to feel comfortable. You remember the days of trying to set up port forwarding to download that Radiohead CD and it's no different this time. The manual is confusing. There are typos everywhere. You're really not sure you set it up right.

There's another clever solution to all of that: blindfold your garden visitors and have a driver drive a reasonable number of people back-and-forth to your fully imprisoned garden in an armored vehicle. Or instead of an armored car you could encapsulate the internet packets and then encrypt those encapsulated packets.

An unexpected benefit of this seemingly radical approach is allowing most visitors to get to your garden as quickly as possible. The public community garden was right off the highway; everyone knew how to get there. Now that they had to go to your home, however, sometimes they'd take really silly routes. Your new driver knows how to get to your house super fast. [2]

Our approach here differs from Cloudflare's setup in a few ways, but the overall concept is identical. I'll outline those differences and their pros and cons in the conclusion.

how do I set it up?

Get yourself a cheap VPS near you and make sure you get two IPv4 addresses. We'll use one to SSH into the VPS and the other to use as your home computer's public address ($PUBLIC_IPv4).

I went with Hetzner because they're awesome, they're like <300 miles away, and each VPS instance is allotted a generous 20TB of traffic that I'll never in a million years use. Most importantly, they seem to have excellent peering.

We'll assume you've already set up the Wireguard interfaces on both devices. The public IPv4 address should not yet be set up (i.e. associated with an interface) on the VPS.

On your VPS

Ensure this Wireguard interface will allow these IPv4 addresses:
- ${PUBLIC_IP}/32
- ${HOME_WIREGUARD_IPv4}/32
Allow this device to forward packets it gets that are destined to someone else's IPv4. You'll need to do this each time you boot. It can be made permanent, but how to do that varies from distro to distro. This allows your home computer to reply to messages it receives.

$ sudo sysctl -w net.ipv4.ip_forward=1

Anything sent to your home server's Wireguard IPv4 address should travel via the Wireguard interface "device". Standard stuff.

$ ip route \
     add $HOME_WIREGUARD_IPv4 \
     dev $WIREGUARD_INTERFACE_NAME \
     scope link

Anything sent to your public IPv4 address should travel via the Wireguard interface "device". Act as if the home Wireguard IPv4 is a router even though the public IPv4 looks completely different.

$ ip route \
     add $PUBLIC_IPv4 \
     via $HOME_WIREGUARD_IPv4 \
     dev $WIREGUARD_INTERFACE_NAME \
     onlink

Pretend to other routers connected to your real world ethernet interface that you're the owner of the public IPv4 address.

$ ip neighbour \
     add proxy $PUBLIC_IPv4 \
     dev $ETHERNET_INTERFACE_NAME

On your home computer

Ensure this Wireguard interface will allow all IPv4 addresses (0.0.0.0/0).
Assign the public IPv4 address to your Wireguard interface in addition to the normal Wireguard IPv4 address you had before. This allows you to listen on only that IP and only recieve messsages to that IP over Wireguard.

$ ip address add \
     dev $WIREGUARD_INTERFACE_NAME \
     "${PUBLIC_IPv4}/32"

Anything sent to your VPS's Wireguard IPv4 address should travel via the Wireguard interface "device". Standard stuff.

$ ip route \
     add $VPS_WIREGUARD_IPv4 \
     dev $WIREGUARD_INTERFACE_NAME \
     scope link

Make a new world of rules and call it: "Table 200". Anything that subscribes to that world's rules will, by default, be sent to the VPS via Wireguard as if it were a router.

$ ip route \
     add default \
     via $VPS_WIREGUARD_IPv4 \
     table 200

Make anything sent from the public IPv4 address subscribe to the world of "Table 200" rules.

$ ip rule \
     add from $PUBLIC_IPv4 \
     lookup 200

You may want to use the wg-quick PostUp and PostDown configurations for these. For PostDown, replace add with del and do it in reverse.

conclusion

Does it work? Well, if you're reading this on kiwiziti.com then the answer is yes. If you're reading it on the archive.org backup, then maybe not so much.

A server next to a TV playing a scene in '2001: A Space Odyssey' where apes are interacting with an alien monolith — My "rack" (lower right: laptop and NAS).
The TV is playing a video of us trying to figure out the internet.

I bet it will work OK. Maybe even better than OK. I really think that CDNs are a premature optimization for like 99% of people. We have some really insanely powerful machines just idling at home. Residential fiber is increasingly available. Nginx is a nearly optimal finite state machine. The in-kernel Wireguard implementation is more than fast enough.

Will it work better than Cloudflare Tunnel? Decidedly not. Coming back to our analogy at the beginning:

Cloudflare's driver drives a Ford GT.
They drive it on their own private roads and valet the garden visitors right next to their own home.
Cloudflare's driver is also a bouncer. They'll deny rides to creeps.
They offer their services for free: mileage, car, driving hours, and all. For... a while?

By contrast:

Our driver drives a 5 speed manual transmission 2005 Subaru Forester with no sunroof and manual window motors.
We use public roads and visitors have to first drive down the interstate before they get transported by us.
Our driver is kinda dumb. They just take everyone over to the garden, even ping packets.
Our driver costs a few bucks a month.

I'm not trying to insult our solution too much. I actually like it! We can find a mechanic in a stones' throw if the car breaks. The car is basic, sure, but it doesn't even run a userspace daemon to manage and it's stateless. And are the interstates really that much slower than Cloudflare's private roads?

I guess the decision point for me comes down to the driver. I'm pretty sure Cloudflare's driver is trying to take over the world and I think diversity is one of the most important things. Also, our driver is predictable. The contract is known and an amazing price. If I pay Hetzner, they'll get the job done. Cloudflare is less certain. Their driver seems amazing and does amazing things. I may even have a bit of a crush on the driver. But will Cloudflare back out and leave me high and dry if I suddenly get a lot of traffic? What if my website makes it big?! Talk about premature optimization...

Really, though, using a pre-built solution like Cloudflare Tunnel that checks all the boxes sounds like a decision I'd make at work. But I'm at home. And a little step closer to touching that big wire we're all talking to each other over.

notes

[1]: An interesting chicken or the egg type of question to ponder. Which came first: the frugality of IP addresses or the asymmetry of private internet consumers and public internet producers? If the internet started out with IPv6 and NAT was never needed, how would the internet look today?

[2]: This is purely conjecture. I bet residential internet providers route to other residential customers with a lower priority. Whereas I'd bet they have awesome peering agreements to get them to public hosting providers nicely.