Basics Tunneling


Basically, I understand very little about tunnelling; I have dealt with it, but it has caused me some headaches.
My initial situation is as follows:
I am new to the world of self-hosting and have rented a VPS for this purpose.

For security reasons, I would like to keep the ports closed as much as possible, so I noticed Cloudflare Zero Trust with its tunnel.
What I really disliked is that Cloudflare terminates the TLS encryption instead of passing it through and thus can read all content, especially since not all services are end-to-end encrypted.

After that, I came across Tailscale, which has been offering tailscale funnels for not too long, which simply pass the encryption through between the server and the user. So I thought I would just use a mixture of Tailscale and Cloudflare.
In addition, I then thought of adding a dashboard and SSO to all services where this is possible to make it easier for everyone to use.

After intensive research, my plan was set, until I came across the Awesome tunnel list a few hours ago, where about 50 different tunnels are listed and described.
There I read about SSH tunnels, which I didn’t know about, and it seemed to me that there is other software that allows the same functions as Tailscale and Cloudflare.
Then again, there are tunnels that seem to require a bastion host to tunnel to. Which tunnel works how, I cannot say for sure. But I would be very happy about a little light at the end of the tunnel. :wink:

Basically (I think, please correct me) I can distinguish these types:

  • WireGuard or a VPN network between devices and servers over the Internet
  • a tunnel between my own server and a service provider, which allows a connection over the Internet and thus acts more or less like a foreign bastion host
  • direct access from the Internet to my own server with open ports
  • my own bastion host

Furthermore, in my plans there would be these options for access control:

  • access is controlled by the set DNS servers and device data, tokens, cookies or headers
  • access is controlled by an ID provider or credentials
  • Access only for users via a spanned private network over the Internet

Have I left anything out of either of my two lists?

What other providers or open source projects are there besides Cloudflare and Tailscale? Which of them are like Tailscale and do not terminate the encryption? Are there providers that do not tunnel the data through their own servers like Cloudflare or Tailscale, but rather just establish contact over the Internet between server and user without requiring an open port?

What are the providers or projects for SSO other than Zitadel, Pomerium, Keycloak and Authentik? Which ones would you recommend? I read that Authelia is only in beta as far as this feature is concerned.

How do I make cloudflared get access to the host system, e.g. Cockpit, from within the Docker container? The other way around works without any problems. It seemed to me that I could not add cloudflared, which is included as a tunnel in Docker, to the host network function of Docker at the same time.

Kind regards and thanks in advance for your help!
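The last question in the post above (reaching a service on the Docker host, such as Cockpit, from a cloudflared container without putting the container on the host network) can be solved with Docker's `host-gateway` alias instead of `network_mode: host`. The following compose file and cloudflared ingress config are an added example, not the poster's solution and not taken from Cloudflare's or Cockpit's documentation; the tunnel ID, credentials file name and hostnames are placeholders, and it assumes Docker Engine 20.10 or newer and a tunnel already created with `cloudflared tunnel create`:

```yaml
# --- file: docker-compose.yml (added example, placeholders marked) ---
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --config /etc/cloudflared/config.yml run
    restart: unless-stopped
    volumes:
      - ./cloudflared:/etc/cloudflared:ro
    # Map the name host.docker.internal to the host's bridge-gateway address
    # so the container can reach services bound on the host itself while
    # staying on the normal compose network (no network_mode: host needed).
    extra_hosts:
      - "host.docker.internal:host-gateway"

  app:
    # Hypothetical second service, reached by its compose service name below.
    image: nginx:alpine

# --- file: ./cloudflared/config.yml (added example, placeholders marked) ---
tunnel: TUNNEL-ID-PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL-ID-PLACEHOLDER.json
ingress:
  # Cockpit listens on 9090 on the host and serves HTTPS with a self-signed
  # certificate by default; noTLSVerify only relaxes verification on this
  # local hop, traffic to Cloudflare's edge is still TLS.
  - hostname: cockpit.example.com
    service: https://host.docker.internal:9090
    originRequest:
      noTLSVerify: true
  # Containers on the same compose network are reached by service name.
  - hostname: app.example.com
    service: http://app:80
  # Catch-all rule required by cloudflared: anything else gets a 404.
  - service: http_status:404
```

Two caveats worth checking on the host: the host firewall must allow connections from the Docker bridge network to port 9090, and Cockpit rejects requests whose `Origin` header does not match a configured origin, so `/etc/cockpit/cockpit.conf` needs the public hostname under `[WebService]` (`Origins = https://cockpit.example.com` together with `ProtocolHeader = X-Forwarded-Proto`). Note that this setup does not change the point raised earlier in the post: Cloudflare still terminates TLS at its edge, so `noTLSVerify` only affects the hop inside your own machine, and a Cloudflare Access policy in front of the hostname is the place to add authentication for Cockpit.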

Hello again, why can’t I edit my post? I just wanted to update that I found a solution for the last question by trial and error.

Hey @baltazar, sorry this didn’t get a response sooner. Been a busy summer so far! Not sure why you can’t edit your post. Maybe because it’s a new account, or because the original post was flagged for being written too fast (I’m guessing you pasted it in).

Glad you found a solution. If you’re open to sharing what you learned, others may find it useful in the future. If there are specific questions you still have, I’d be happy to answer.