Skip to content

How I set up my home lab with Cloudflare

2025-03-02

Overview

This guide walks through setting up my home lab using the domain creeknet.uk, managing DNS, security, remote access, reverse proxy, and VPN to ensure secure and private access to my services. This exists both as a record for myself and a guide for others looking to set up a similar home lab.

1. Cloudflare Setup

1.1 Register Domain & Set Up DNS

  1. Log into Cloudflare and add creeknet.uk. The .uk domains are amongst the cheapest, at around $5 per year.
  2. Go to DNS > Add A Records for all publicly accessible services: These records allow external access to specific services.
    ⚠️ Cloudflare Proxy (Orange Cloud ☁️) should be OFF (DNS Only) for services that require non-HTTP ports (e.g., Plex, VPN).
Subdomain Record Type Points To Proxy Status Purpose
ai.creeknet.uk A My Public IP DNS Only ☁️ (Gray) AI Server
home.creeknet.uk A My Public IP DNS Only ☁️ (Gray) Home Assistant
nas.creeknet.uk A My Public IP DNS Only ☁️ (Gray) NAS Access
plex.creeknet.uk A My Public IP DNS Only ☁️ (Gray) Remote Plex Access
rustdesk.creeknet.uk A My Public IP DNS Only ☁️ (Gray) Remote Desktop (RustDesk)
vpn.creeknet.uk A My Public IP DNS Only ☁️ (Gray) WireGuard VPN

1.2 Enable Cloudflare Zero Trust for Web Services

I did consider that for any web-facing applications that do not have their own authentication I could use Cloudflare Zero Trust to enforce authentication. To do so I would:

  1. Go to Zero Trust → Access → Applications.
  2. Add an application.
  3. Configure Access Policy (Require login via OTP).

2. Setting Up Local DNS (Split DNS)

To ensure local services work even if the internet is down, configure Pi-hole (10.0.0.6):

  • Add Local DNS Records:

  • Web-services should direct to Nginx:

    • ai.creeknet.uk → 10.0.0.23
    • home.creeknet.uk → 10.0.0.23
    • nas.creeknet.uk → 10.0.0.23
    • plex.creeknet.uk → 10.0.0.23

  • Non-web services should direct to the actual servers:

    • rustdesk.creeknet.uk → 10.0.0.23 (dockerised on the same server as nginx)
    • vpn.creeknet.uk → 10.0.0.5 (redundant if the internet is down but included for completeness)

  • Router DNS Settings:

  • Primary DNS: 10.0.0.6 (Pi-hole)

  • Secondary DNS: 1.1.1.1 (Cloudflare)

3. Reverse Proxy with NGINX Proxy Manager

3.1 Deploy NGINX Proxy Manager (Docker) on ProxRouter

version: "3"
services:
  npm:
    image: "jc21/nginx-proxy-manager:latest"
    container_name: npm
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "81:81" # Admin UI
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

3.2 Configure Proxy Hosts

  • ai.creeknet.uk → http://10.0.0.20:8080 (Open Web UI)

  • Provide SSL certificate through Let’s Encrypt

  • Enable Websockets Support

  • Force SSL

  • home.creeknet.uk → http://10.0.0.13:8123 (Home Assistant)

  • Provide SSL certificate through Let’s Encrypt

  • Enable Websockets Support
  • Force SSL

  • Advanced custom nginx config:

    proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "upgrade";
proxy_redirect off;

  • nas.creeknet.uk → https://10.0.0.9:1001 (Asustor NAS)

  • Provide SSL certificate through Let’s Encrypt

  • plex.creeknet.uk → http://10.0.0.11:32400 (Plex Media Server)

  • Provide SSL certificate through Let’s Encrypt