One of the first problems you'll run into when self-hosting apps is how to access them from outside your network. Cloudflare Tunnel is one of the quickest ways to roll out remote access, and you can link it to authentication management, so each service has its own login. It's a method I've used extensively, either through the Cloudflare dashboard or via DockFlare, but I realized that it comes with some pretty big limitations, and since part of my self-hosting ethos is to remove as many artificial limitations as I can, I went looking for alternatives.
The latest experiment was with NodePass, but I found I got tired of the management options and went back to an old favorite. That's Pangolin, a self-hosted reverse proxy management stack that's the closest approximation of Cloudflare Tunnels without the limitations.
Cloudflare Tunnels were great (until they weren't)
I quickly hit a wall with limitations
I can't argue that Cloudflare Tunnel hasn't made it easier than ever to handle complex networking for self-hosted services. All you need is a Cloudflare account and a domain name, and you can share access to services with a simple URL. No ports need to be opened, and no complicated VPN setup is necessary for the person you're sharing with, though you are limited to individual web apps. You gain DDoS protection and IP obfuscation, so only the Cloudflare IP is visible, and you can add SSO or other identity management to further limit who can use your Tunnels.
However, after using it for a while, I ran into some restrictions that were dealbreakers. The most annoying thing is that you have a 100 MB limit per item sent via Tunnels, which I didn't realize until I tried to access larger files in Immich. There's also a bunch of ToS around not using Cloudflare Tunnel for video streaming, like from Jellyfin, which works, but you always run the risk of losing your account if Cloudflare decides to do something about it, and I have my domains managed by Cloudflare and would rather not lose the ease of use.
I don't like that Cloudflare terminates TLS for data on its network
One thing about Cloudflare that puts me off using its services for anything past DNS is that it acts as a termination point for TLS. That's right, instead of your data being end-to-end encrypted between the visitor and your origin, Cloudflare Tunnel obtains a TLS certificate for your hostname, decrypts the traffic at its edge, handles it in the clear inside its network, and then optionally re-encrypts it on the hop to your server.
Now, I understand this from an operational standpoint, because you can't cache what you can't read, and the caching and DDoS protection features of tunnels and Cloudflare's protected DNS entries need to be set up this way. It doesn't mean I have to like it, or to use it, and I'd much rather have my own service set up to ensure that if anything goes wrong with encryption, it's my issue and I have no one else to blame.
Pangolin lets me make my own tunnels
And it doesn't come with arbitrary restrictions
I've used a ton of remote access tools, and there's no "one size fits all" option. Some are easier to set up when you're using containers, while others handle tunneling past your firewall differently or connect your computers in other ways. That makes the decision of which to use dependent on your needs and on how much effort you want to put into maintaining it.
The reason I keep coming back to Pangolin is that it's easy to use. The dashboard is great, and being able to hand out my custom domain name instead of random Tailscale or Cloudflare Tunnel IPs makes it easier for my less technical family members to use. They don't need to know what's going on behind the scenes, just that they go to the URL, log in with their Google SSO, and can use Immich, or Jellyfin, or the other tools I have self-hosted for their use.
The only real limitation is the bandwidth on the VPS I'm using for Pangolin hosting, but I get about 8TB per month, and I haven't come anywhere near that yet. I'll gladly pay a few bucks a month for that VPS to sidestep CGNAT and other annoyances, and having the public login to my services on a hosted provider also keeps my home IP safe.
And I can individually secure each service
Secure remote access is one thing, but I still prefer having access control for those services. You never know whether your URLs will get shared, and after all the effort of setting things up, why wouldn't you want per-app logins? Pangolin lets me do this two ways: either by granting access to services based on the user account, or by linking with my identity manager (currently Authentik) so I can password-protect each service individually.
Cloudflare Tunnel made remote access easy, but I prefer to self-host my own tunnels
I'm not here to say you shouldn't use Cloudflare, but you should know the limitations and potential security issues if you do. The limitations alone are enough for me to roll my own tunnel alternative, which is currently Pangolin again, as I know what I'm doing with it, and it's easy to set up without headaches.
