Port Forwarding or Tunneling a Service

Last updated 1 year ago

This guide steps you through port forwarding or tunneling a service.

Required Knowledge

External Access to Systems

Monitoring and Alerting

Authentication, Access and Accounts

Process

There are two solutions for making a service accessible externally: a Cloudflare (CF) Tunnel or port forwarding.

Cloudflare Tunnel

Creating a 'public host'

  1. Log into Cloudflare's Zero Trust

  2. On the left, select Access > Tunnels

  3. Select the relevant tunnel and click on 'Configure'

  4. Click on the Public Hostname tab

  5. Click on 'Add Public Hostname' and input the relevant data, e.g. cool.xfgn.dev will proxy to http://coolserver:123

  6. Click on Save hostname

  7. Navigate to the URL and confirm it is working

Note: if the internal service is on HTTPS you may need to disable TLS verify. This only affects certificate checking between cloudflared and the internal service; the public side is still served on Cloudflare's certificate.

Adding Authentication

Authentication is applied as an 'Application' and allows you to limit services to specific users, IP addresses, countries etc.

  1. On the left, select Access > Applications

  2. Click on 'Add an application' and select Self Hosted

  3. Configure the Application

    • Application Configuration block: input the name and URLs you wish to configure, e.g. an application covering cool.xfgn.dev, cooltest.xfgn.dev and test.xfgn.dev/cool will secure those three (but test.xfgn.dev itself will not be secured)

    • Application Appearance block: select custom logo and provide a URL to an image, such as the logo of the app

    • Tags: apply any relevant tags, such as 'test', 'xfgn' etc

  4. Click on OK / Save / Next

  5. Under the settings tab, tick 'Enable automatic cloudflared authentication'

  6. Click on OK / Save / Next

Port Forward

Enable Firewall

As port forwarding opens the server to direct access via the internet, we require the firewall to be enabled.

Ubuntu

  1. SSH into the server and input the below commands

    ufw allow ssh
    ufw enable

  2. Run the below command to get a list of active ports on the server and take note of anything that may need to be allowed through. Take note of anything with 'docker', as these will be containers running on the host (you can compare this data against Portainer)

    lsof -i -P -n | grep LISTEN

  3. Use the below command to allow ports through the firewall (replace PORT with the port number from step 2)

    ufw allow PORT

Generic "allow list", applicable to all our servers

ufw allow 8080 #crowdsec
ufw allow ssh #allow SSH
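Working through steps 2 and 3 on a sample of lsof output, as an added example that is not part of the original guide: the listener lines are constructed, and the helper names `listeners` and `ufw_plan` are assumptions. It separates docker-proxy listeners (containers published on the host) from host services and skips loopback-only binds, which are not reachable externally and need no rule.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -P -n | grep LISTEN` output; not from a real server.
SAMPLE_LSOF='sshd       912  root   3u  IPv4  21345  0t0  TCP *:22 (LISTEN)
crowdsec  1201  root   8u  IPv4  25012  0t0  TCP *:8080 (LISTEN)
docker-pr 2210  root   4u  IPv4  31234  0t0  TCP *:32400 (LISTEN)
docker-pr 2215  root   4u  IPv6  31240  0t0  TCP *:32400 (LISTEN)
plexmedia 2301  plex  11u  IPv4  33011  0t0  TCP 127.0.0.1:32401 (LISTEN)'

# listeners: print one "PORT COMMAND SCOPE" line per distinct listener.
# SCOPE is "docker" for docker-proxy (a container published on the host),
# "local" for a loopback-only bind, otherwise "host".
listeners() {
  printf '%s\n' "$1" | awk '/\(LISTEN\)/ {
    n = split($9, addr, ":"); port = addr[n]
    if ($1 ~ /^docker/)                 scope = "docker"
    else if ($9 ~ /^127\.|^\[::1\]:/)    scope = "local"
    else                                 scope = "host"
    key = port " " $1 " " scope
    if (!(key in seen)) { seen[key] = 1; print key }
  }'
}

# ufw_plan: turn the listener list into ufw commands to review before running.
# Loopback-only services are not reachable from outside, so they get no rule.
ufw_plan() {
  listeners "$1" | while read -r port cmd scope; do
    if [ "$scope" = "local" ]; then
      echo "# $port ($cmd) binds to loopback only; no rule needed"
    else
      echo "ufw allow $port  # $cmd ($scope)"
    fi
  done
}

ufw_plan "$SAMPLE_LSOF"
```

Ports published by Docker are opened by Docker's own iptables rules and stay reachable regardless of ufw, so listing them here is about knowing what the host exposes rather than controlling it with ufw.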

Port Forward in UniFi

  1. Click on the settings cog in the bottom left

  2. Select Security > Port Forwarding

  3. Click on Create Entry

Please ensure the port forward rule is named using the below scheme (server name, then the purpose):

Forwarding to | Purpose | Firewall Rule Name
--- | --- | ---
Lungo | API to allow remote devices to connect to Wazuh | Lungo - Wazuh API
Latte | Ports to make Plex available externally | Latte - Plex Ports
Espresso | Portainer Edge Agent connection to Portainer main instance | Espresso - Edge Agent

Where possible, limit the 'From' IP to the relevant client (e.g. VPS), though this isn't possible for most use cases (e.g. Plex, Pterodactyl game ports).

Log into Cloudflare's Zero Trust.

Create a policy using the information outlined in and hit OK / Save / Next.

Ensure that the Crowdsec Firewall bouncer is enabled and configured.

Navigate to the UniFi site manager and select Rigatoni.