The Hybrid-Cloud Backbone: Zero Trust Networking with Cloudflare & Tailscale

How I hosted my home lab on Cloudflare via Zero Trust

Building a powerful HomeLab is only half the battle. The real challenge—and the part that separates a "hobbyist" from a "Systems Engineer"—is the networking layer. I needed a way to host my portfolio (me.bookmountain.work) and my development APIs for the public, while maintaining a secure "backdoor" for myself to manage the infrastructure from anywhere. Traditionally, this meant opening ports on a home router, which is essentially inviting the entire internet to knock on your front door. Instead, I architected a Zero Trust environment that treats my living room like a secure edge-node in a global network.

1. The Public Ingress: Cloudflare Tunnels (Zero-Open Ports)

Most developers start with dynamic DNS and a port-forwarding rule for ports 80/443. I opted for a more professional, "invisible" approach. I run a cloudflared daemon within my primary Proxmox VM (vm100). It establishes an outbound-only, encrypted tunnel to Cloudflare's edge. Because the connection is outbound, my router's firewall remains completely closed to the public internet: a port scan of my home IP finds no listening services, because there are none.

Infrastructure as Code: The Ingress Map

I manage my public services through a centralized config.yml, which maps each public subdomain directly to the internal Docker port of one of my microservices. This is the exact configuration driving my public domain:

# /etc/cloudflared/config.yml
tunnel: 07c09f06-eb9e-4ff1-af6f-e67de11a37f9
credentials-file: /home/book/.cloudflared/07c09f06-eb9e-4ff1-af6f-e67de11a37f9.json

ingress:
  - hostname: me.bookmountain.work
    service: http://192.168.4.106:3000    # Portfolio Frontend
  - hostname: ai-agent.bookmountain.work
    service: http://192.168.4.106:3082    # AI Agent Interface
  - hostname: jellyfin.bookmountain.work
    service: http://192.168.4.106:8096    # Media Streamer
  - hostname: torrent.bookmountain.work
    service: http://192.168.4.106:8081    # qBittorrent WebUI
  - service: http_status:404             # Catch-all (must be last): unmatched hostnames get a 404

This setup demonstrates a Security-First Mindset. If I need to take a service offline or move it to a different port, I update a single YAML file. The public never sees the internal complexity; they only see a fast, TLS-encrypted endpoint.
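To make the ingress semantics concrete, here is an added example (my code, not the post's and not part of cloudflared) that loads a constructed copy of the rules above as Python data and checks the properties a reviewer would look for: first-match ordering with the catch-all last, no duplicate hostnames, origins on private LAN addresses, and which hops from cloudflared to the origin run over plain HTTP. Wildcard matching is a simplification of cloudflared's (a `*` matches any characters), and the checks are mine, not cloudflared's own validation.

```python
"""Checks for a cloudflared ingress map, written to go with the config.yml above.

Added example, not code from the post or from cloudflared. INGRESS is a constructed
copy of the page's rules as Python data, so this runs without a YAML library.
Matching follows cloudflared's documented behaviour: rules are evaluated top to
bottom, the first match wins, and the final rule must be a catch-all with no
hostname. Wildcard handling is simplified ("*" matches any characters).
"""
import fnmatch
import ipaddress
from urllib.parse import urlparse

# Constructed copy of the page's ingress rules.
INGRESS = [
    {"hostname": "me.bookmountain.work", "service": "http://192.168.4.106:3000"},
    {"hostname": "ai-agent.bookmountain.work", "service": "http://192.168.4.106:3082"},
    {"hostname": "jellyfin.bookmountain.work", "service": "http://192.168.4.106:8096"},
    {"hostname": "torrent.bookmountain.work", "service": "http://192.168.4.106:8081"},
    {"service": "http_status:404"},  # catch-all
]


def resolve(hostname, ingress=INGRESS):
    """Return the origin service for a request Host header; first matching rule wins."""
    hostname = hostname.lower().rstrip(".")
    for rule in ingress:
        pattern = rule.get("hostname")
        if pattern is None or fnmatch.fnmatchcase(hostname, pattern.lower()):
            return rule["service"]
    raise ValueError("ingress has no catch-all rule")


def _origin(service):
    """Split a service URL into (scheme, host, port); None for http_status pseudo-services."""
    if service.startswith("http_status:"):
        return None
    u = urlparse(service)
    return u.scheme, u.hostname, u.port


def validate(ingress=INGRESS):
    """Return a list of hard errors; an empty list means the map is well-formed."""
    errors = []
    if not ingress or "hostname" in ingress[-1]:
        errors.append("last rule must be a catch-all without a hostname")
    seen = set()
    for i, rule in enumerate(ingress):
        host = rule.get("hostname")
        if host is None and i != len(ingress) - 1:
            errors.append(f"rule {i}: catch-all is not last and shadows every later rule")
        if host is not None:
            if host.lower() in seen:
                errors.append(f"rule {i}: duplicate hostname {host}")
            seen.add(host.lower())
        service = rule.get("service", "")
        origin = _origin(service)
        if origin is None:
            if not service:
                errors.append(f"rule {i}: missing service")
            continue
        scheme, ohost, _port = origin
        if scheme not in ("http", "https") or ohost is None:
            errors.append(f"rule {i}: unsupported service {service}")
            continue
        try:
            if not ipaddress.ip_address(ohost).is_private:
                errors.append(f"rule {i}: origin {ohost} is not a private LAN address")
        except ValueError:
            pass  # origin given as a DNS name; nothing to check offline
    return errors


def plaintext_origins(ingress=INGRESS):
    """Hostnames whose hop from cloudflared to the origin is plain HTTP.

    TLS terminates at Cloudflare's edge; cloudflared then speaks whatever the
    service URL says, so these hops are unencrypted on the LAN.
    """
    result = []
    for rule in ingress:
        origin = _origin(rule.get("service", ""))
        if "hostname" in rule and origin is not None and origin[0] == "http":
            result.append(rule["hostname"])
    return result


if __name__ == "__main__":
    print("errors:", validate())
    print("plain-HTTP origin hops:", plaintext_origins())
    print("unknown host ->", resolve("nothing.bookmountain.work"))
```

Two things the output makes visible that the YAML alone does not: every origin hop in this map is plain HTTP after TLS ends at the edge (acceptable when cloudflared and the container share a host or a trusted switch, but worth knowing), and every hostname listed is reachable by anyone on the internet, so an admin interface such as the qBittorrent WebUI is protected only by its own login unless an access policy is placed in front of the hostname.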

2. The Private Mesh: Tailscale & The Raspberry Pi Bridge

While Cloudflare handles the public traffic, Tailscale is my private administrative backbone. I've implemented a Subnet Router strategy using a dedicated Raspberry Pi (pi-server). The Architecture of Convenience:

  • Subnet Routing: The Pi acts as a gateway between my global "Tailnet" and my physical home LAN (192.168.4.0/24). Even if I’m at a library or a café, I can SSH into my ThinkPad node at 192.168.4.106 as if I were plugged into my home switch.
  • Mesh Connectivity: My laptop (bookslegionpro) and the Pi maintain a peer-to-peer WireGuard connection. This bypasses CGNAT and complex firewall issues without any configuration overhead.

Privacy via Pi-hole: The Raspberry Pi isn't just a router; it’s also my DNS guardian. I run Pi-hole on it to block ads and trackers at the DNS level. By setting the Pi as the "Global Nameserver" in my Tailscale settings, every device I own—even my phone on 5G—gets ad-free browsing and local hostname resolution via the encrypted tunnel.
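The subnet-router section above describes two behaviours worth seeing side by side: traffic to a LAN address is carried by the peer that advertises that subnet, and, once a whole /24 is advertised, every device on the tailnet can reach it unless access rules say otherwise. The following is an added example (mine, not the post's and not Tailscale's code) that models both with a small deny-by-default rule set. The LAN subnet and the ThinkPad's address come from the post; the device names other than pi-server and bookslegionpro, the 100.64.0.0/10 tailnet addresses, and the grant list are constructed, and the rule format is a simplification of Tailscale's ACL policy rather than a copy of it.

```python
"""Model of the Tailscale subnet-router path described above.

Added example, not code from the post or from Tailscale. It models two things the
real system does: a destination inside an advertised subnet is steered to the peer
advertising it (longest prefix wins), and access is deny-by-default, so anything
not granted by a rule is dropped. Tailnet addresses, the "phone" device and the
grant list are constructed; 192.168.4.0/24 and 192.168.4.106 come from the post.
"""
import ipaddress

# Constructed tailnet addresses (100.64.0.0/10 is the range Tailscale uses).
TAILNET_IPS = {
    "pi-server": "100.64.0.10",
    "bookslegionpro": "100.64.0.20",
    "phone": "100.64.0.30",
}

# The Pi advertises the home LAN, as in the post.
ADVERTISED_ROUTES = {"pi-server": ["192.168.4.0/24"]}

# Least-privilege grants, simplified from Tailscale's ACL shape:
# src is a device name or "*", dst is a CIDR, ports is a set of ints or "*".
GRANTS = [
    {"src": "bookslegionpro", "dst": "192.168.4.0/24", "ports": {22, 8006}},  # SSH + Proxmox web UI
    {"src": "*", "dst": "100.64.0.10/32", "ports": {53}},                    # everyone may use Pi-hole DNS
]


def next_hop(dst_ip, routes=ADVERTISED_ROUTES, tailnet_ips=TAILNET_IPS):
    """Peer that carries a packet to dst_ip.

    A tailnet address is reached directly (the peer itself); a LAN address goes via
    the subnet router with the longest matching advertised route; None if nothing
    on the tailnet routes there.
    """
    dst = ipaddress.ip_address(dst_ip)
    for node, ip in tailnet_ips.items():
        if ipaddress.ip_address(ip) == dst:
            return node
    best = None
    for node, cidrs in routes.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node, net)
    return best[0] if best else None


def allowed(src, dst_ip, port, grants=GRANTS):
    """Deny by default; allow only when some grant matches src, dst and port."""
    dst = ipaddress.ip_address(dst_ip)
    for g in grants:
        if g["src"] not in ("*", src):
            continue
        if dst not in ipaddress.ip_network(g["dst"]):
            continue
        if g["ports"] == "*" or port in g["ports"]:
            return True
    return False


def path(src, dst_ip, port):
    """(peer carrying the traffic, whether the connection is permitted)."""
    return next_hop(dst_ip), allowed(src, dst_ip, port)


if __name__ == "__main__":
    for attempt in [("bookslegionpro", "192.168.4.106", 22),
                    ("phone", "192.168.4.106", 22),
                    ("phone", "100.64.0.10", 53)]:
        print(attempt, "->", path(*attempt))
```

With the default allow-all policy, the second attempt above (the phone reaching SSH on the ThinkPad through the Pi) would succeed too; scoping the grants to the admin laptop keeps the subnet route as a management path without turning every tailnet device into a LAN device.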

3. Engineering Trade-offs & Career Impact

Why go through the effort of setting up a Raspberry Pi bridge when I could just install Tailscale on every VM?

  1. Resource Optimization: By using the Pi as a centralized gateway, I reduce the "sidecar" overhead on my main Proxmox node.

  2. Redundancy: The Pi is a low-power, dedicated device. If I need to reboot my main ThinkPad server for maintenance, I don't lose access to my home network management tools.

  3. Hybrid Cloud Fluency: In a professional environment, engineers rarely work on a single server. We work across VPCs, subnets, and cloud providers. This setup is a direct parallel to how corporate SD-WANs (Software-Defined Wide Area Networks) operate.

Summary

By combining Cloudflare Tunnels for public ingress and Tailscale for private management, I've created a lab that is both globally accessible and locally invisible. It's a production-grade networking stack running on consumer hardware—proving that good architecture isn't about the size of your budget, but the logic of your design.