Self-hosting and homelabbing can be a great way to save money on subscriptions and reduce how much you depend on big tech companies for your essential services.
But what happens when a backbone of the internet, like Cloudflare, goes down? Even self-hosters use Cloudflare for a number of vital functions.
This is how I keep my homelab accessible, even when Cloudflare is down.
Why did a Cloudflare outage affect self-hosted services?
Cloudflare provides a number of services that are popular with self-hosters and professional hosts alike.
One of the most popular of those services among self-hosters is the Cloudflare Tunnel, which is a proxy server that sits between a home lab and the outside world. Rather than directly expose your services to the outside internet, you route them through the Cloudflare Tunnel first.
In the event of some kind of attack, Cloudflare gets hit instead of your server.
Above and beyond the protection it can provide, Cloudflare Tunnels are also just exceptionally convenient compared to setting up and managing all of the equivalent services yourself. Unfortunately, when Cloudflare goes down, you’re probably out of luck unless you have a backup plan.
I always run a WireGuard server on my local network specifically for this sort of outage, and it is exactly why all of my services kept chugging almost like usual today, while half of the internet was inaccessible.
A WireGuard server saved my homelab from the Cloudflare outage
While Cloudflare was down, I just had to switch to a fallback system: the WireGuard server running on my local network.
WireGuard is a VPN that works much like NordVPN or Mullvad, except instead of routing your traffic securely to a random server run by some company, you route your traffic to your own server. If you’re away from home, it lets you access anything on your home network as if you were connected to your own Wi-Fi network or plugged into an Ethernet cable.
If you’re not a networking whiz, it is a quick, convenient, and relatively secure way to make anything you’re self-hosting accessible from anywhere in the world. Even if you are running a Cloudflare Tunnel with DDNS and every other fancy networking solution under the sun, a WireGuard server is a great contingency plan.
Cloudflare can crash all it wants; so long as the internet is still working and my WireGuard server is running, I’ll be able to VPN into my home network and use my self-hosted services as I normally would.
Protect your own homelab with WireGuard
The absolute best part of setting up and running a WireGuard server is the simplicity. Additionally, you can run one on ultra-low power hardware. Since my WireGuard server only rarely sees heavy use, I run it on a Raspberry Pi Zero W, which means it consumes almost no electricity and cost less than $20 total.
The easiest way to run a WireGuard server on a Pi is with an open-source solution called PiVPN. PiVPN takes the already-simple WireGuard installation process and streamlines it further.
First, install a lightweight Linux distro on whatever device you’re going to use as a WireGuard server. In my case, I’m using a Raspberry Pi Zero W, so I went with the Lite version of Raspberry Pi OS. Make sure to customize the installation so it connects to your network automatically.
Once that is done, connect to your Pi over SSH or plug in a monitor and keyboard. Then, run the following command to download PiVPN.
curl -L | bash
PiVPN will walk you through the setup process and prompt you when it needs your input. There are two things to watch for: which VPN service you want to use and which port WireGuard will use. The default options should be fine; just make sure that WireGuard is the VPN service you install and make a note of the port, because you'll need to forward it on your router later.
Once that is done, you’ll need to log in to your router and set up port forwarding for the WireGuard server. By default, it’ll use port 51820.
Last, you need to create a client profile using the pivpn add command, then send those profiles to the devices you want to have access to the VPN server. In my case, I just opted to use the QR code on my phone once I installed the WireGuard app.
And with that, you’re done. Regardless of what happens to Cloudflare in the future, you’ll still have access to your self-hosted services.
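The fallback only works during an outage if the server config was right beforehand. The following is an added example, not code from this article or from PiVPN: a shell function that audits a WireGuard server config for owner-only permissions, a ListenPort that matches the port forwarded on the router, and client peers limited to a single address. The function names, the sample config and the /etc/wireguard/wg0.conf path in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a WireGuard server config that backs a fallback VPN.
# Assumptions: GNU stat (as on Raspberry Pi OS) and the wg-quick config layout.
# Usage (as root): wg_audit_conf /etc/wireguard/wg0.conf 51820

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
wg_audit_conf() {
    local conf="$1" want_port="$2" out
    out=$(
        # The file holds the private key, so it must be readable by its owner only.
        mode=$(stat -c '%a' "$conf")
        [ "$mode" = 600 ] || echo "PERMS mode $mode, expected 600"
        awk -v want="$want_port" '
            { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, whitespace
            /^\[Interface\]$/ { sect = "if"; next }
            /^\[Peer\]$/      { sect = "peer"; npeer++; next }
            sect == "if" && /^ListenPort=/ { port = substr($0, 12) }
            # On the server, each client peer should own exactly one address.
            sect == "peer" && /^AllowedIPs=/ {
                n = split(substr($0, 12), nets, ",")
                for (i = 1; i <= n; i++)
                    if (nets[i] ~ /\// && nets[i] !~ /\/(32|128)$/)
                        print "PEER " npeer " AllowedIPs " nets[i] " wider than one host"
            }
            # The router forward only works if it targets the port WireGuard binds.
            END { if (port != want) print "PORT ListenPort " port ", router forwards " want }
        ' "$conf"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample (placeholder keys); the second peer is deliberately too broad.
write_sample_conf() {
    ( umask 077; cat > "$1" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.1/24
ListenPort = 51820   # must match the port forwarded on the router
[Peer]   # phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/32
[Peer]   # laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.0/24
EOF
    )
}
```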
You can run WireGuard on an extremely low power device like a Pi Zero W or a Pi Zero 2 W if you want, but if you’re building new, I’d recommend something with a bit more power. A Raspberry Pi 4 or Pi 5 is an excellent choice since it can also simultaneously handle other important network functions, like your own DNS server, a PiHole, and whatever else you might like.