As most of you don't know, I'm off to college soon (within a couple of months), and I'm planning on taking my server with me. Unfortunately, I doubt the tech department at the university would appreciate or allow me to poke holes in their firewall to forward 443 and 80 to my server. So how on earth am I planning on keeping my server up during this time?


Before you ask, I am not just running this website on my server. There are many other services I am running (web-based IRC bouncer TheLounge, FreshRSS, and Keycloak, just to name a few) that won't be receptive to be run on Github Pages or whatever.

I'm sure some people are also thinking "just move everything to Amazon!" Yeah, no. That's expensive. I'm about to graduate from a broke high-schooler to be a broke college student. I could reduce costs and run a minimal VM that acts as a WireGuard VPN server and proxy TCP using fancy firewall rules or whatnot, but that would also cost money.

So, I'm stuck having to look at the free tiers of everything. This severely limits my options.

The Requirements

What I choose has to fit the following criteria:

  • Reasonably secure
  • I don't have to port forward
  • Visitors do not have to install a client to view my website
  • Free (hardest part)

After some DDG-ing, I found this wonderful Github repository with a list of services that would theoretically solve the problem I am facing.

anderspitman's requirements seem to be on the same page as mine:

  • Allows me to register a domain name and automatically points the records at the server running the tunnels.
  • Automatically sets up and manages HTTPS certificates (apex and subdomains) for the domain.
  • Provides a client tool that tunnels HTTP/TCP connections through the server without requiring root on the client.
  • Provides a simple GUI interface to allow me to map X domain/subdomain to Y port on Z client, and proxy all connections to that domain.

The repository contains a long list. Let's go through each one and figure out if it'll work.

Too Much SaaS

I want to avoid anything that requires me to port forward anything, so that rules out practically everything in the first "self-hosted" section.

I found one service that was promising, offered a free tier, and had support for raw TCP: Loophole. Issue is, I could not for the life of me figure out how to register. The sign-in page (done through Auth0) did not have a "sign up" button as the YouTube videos have shown.

That leaves me with Cloudflare. Unfortunately.

Wait, why don't you like Cloudflare?

I had used Cloudflare briefly before. My issue arose when I realized that they remove your SSL certificate, then use their own. Cloudflare is a big MITM service. I guess it makes sense for what they are trying to do (caching, DDoS protection, etc) but I don't care much for those services. I just wanna use Cloudflare Tunnel without having to expose everything my clients are doing.

Also, I'm a big fan of privacy and security, so having Cloudflare act as an essentially opaque layer to what is going on with my formerly-encrypted traffic makes me just a little uncomfortable, especially since I'm also hosing services for myself I would not like anyone sniffing my passwords for.

Finally, I don't like the centralization of the internet. Routing everything through Cloudflare, using Amazon AWS, all of it (in my opinion at least) harms the internet by consolidating power in the hands of just a few large monoliths.

So… you're not gonna use Cloudflare then?

I mean, what other option do I have? This website works pretty well using Cloudflare tunnel. After giving my credit card info to Cloudflare (I'm on the free tier, so let's hope they don't upgrade me and drain my already-drained account) ironing out a few bugs with the configuration and manually setting up DNS (since it seems like wildcard DNS is an enterprise feature), my website is proxied through Cloudflare now. Yayyyyy.

This whole article was a rant about how I can't get anything good for free. It makes sense that I can't, since it's very easy to abuse it. Oh well. It's not like I have any other options. If I do, please let me know and I will be eternally grateful.

I guess I also have to update my privacy policy to reflect that Cloudflare may vacuum up whatever they see or do. I have set whatever logging and tracking in the Cloudflare dashboard to zero, but I might have missed a few places because the dashboard is terribly slow (I'm on fast fibre internet on a fast machine) and is a struggle to navigate because it takes a few seconds for everything to load. Then, when I switch back to the old dashboard, it resets to the new "experience" every time I log out and log in again. Like why do you do this.

I guess I also wanna say that I'm sorry Cloudflare. I realize that I'm not the target market. I am literally not giving Cloudflare any money. There is no reason they should support an esoteric and bizarre configuration that I do. But what they do, they do pretty well. So, thanks, I guess, for letting me (and probably lots of other people) run their websites and services from a NUC under their dorm's bunk bed.

But I still don't like you.

Thanks for listening to my non-typo-checked rant

Previous Post Next Post