Self-Hostable Tunnel and Reverse-Proxy Stack That Gives Cloudflare's UX Without Putting One US Company in Every TLS Session

A 2,860-upvote thread on r/selfhosted called Cloudflare 'the most successful Man-in-the-Middle in history' and produced 521 comments mostly agreeing that the convenience-vs-trust trade has tilted too far. Top replies repeatedly mention CGNAT (carrier-grade NAT, which prevents direct port exposure) as the structural reason normal homelabbers default to Cloudflare Tunnel, and call out Pangolin and Tailscale Funnel as partial alternatives. The unmet product is an integrated, opinionated bundle — like 'self-hosted Cloudflare in a single docker compose' — that solves the four jobs at once: TLS termination, DDoS protection, CGNAT bypass, and a polished dashboard. The pieces (Caddy, CrowdSec, NetBird/Headscale, an off-site CGNAT-friendly relay) all exist, but a normal homelab user has to wire seven services together and keep them updated. The thread also surfaces broader unease about US CLOUD Act exposure as a category-driving force.

builder note

The right founder for this is somebody who already maintains one of the building blocks (Caddy, NetBird, Pangolin, CrowdSec). The bundle does not have to be original code; it has to be opinionated, with sane defaults that expose maybe ten knobs and hide a hundred. The EU sovereignty angle is a real wedge: a version with default DNS through Quad9 (Swiss), an explicit non-US relay option, and a docs page about CLOUD Act exposure will sell itself in r/selfhosted threads the next time Cloudflare has a four-hour outage.

landscape (5 existing solutions)

The technical components of a Cloudflare-replacement stack all exist as healthy open-source projects. The gap is opinionated integration — a single distribution that bundles tunnel termination, TLS, DDoS, geo-rules, and a dashboard, runs as one compose file or appliance image, and gives EU and CGNAT users a credible exit from the Cloudflare default. Whoever ships the polished v1 captures both the privacy-curious mainstream and the post-CLOUD-Act European homelab market.

Pangolin: Excellent open-source CGNAT-friendly tunnel + reverse proxy. Still requires the user to spin up a VPS, configure DNS, and wire to a UI. Not the 'one docker compose up' bundle the audience wants.
Cloudflare Tunnel: The thing this product replaces. Free, easy, and exactly the trust model the source thread is rejecting.
Tailscale Funnel + Headscale: Funnel is excellent for SSH-style remote access, awkward for hosting a public website with a custom domain at scale. Headscale is the self-hosted control plane but adds significant operational load.
Caddy + CrowdSec + WireGuard: All the building blocks for a full self-hosted stack exist as separate projects. Wiring them together correctly with TLS, DDoS protection, geo-blocking, and zero-trust auth is a multi-day project most users abandon.
ngrok / FRP / Bore: Tunneling primitives only. ngrok is centralized commercial; FRP and Bore are great DIY tools but have no auth/UI/DDoS layer.

sources (4)

reddit https://old.reddit.com/r/selfhosted/comments/1scacre/cloudfl... "We've reached a point where 'privacy' means 'hidden from everyone EXCEPT Cloudflare.' It's the ultimate irony: developers are so obsessed with 'security' that they put their entire stack behind a single US-based entity that holds the private keys to half the internet." 2026-04-01
reddit https://old.reddit.com/r/selfhosted/comments/1scacre/cloudfl... "If things get too bad, I just flip the switch and move things from Cloudflare over to my Pangolin tunnels instead. Yes, I realize this makes my VPS the man in the middle now. But I've got CGNAT over here, so what am I gonna do..." 2026-04-01
reddit https://old.reddit.com/r/selfhosted/comments/1scacre/cloudfl... "Anything that is subject to the US CLOUD Act should be avoided. It's really not that hard to do this properly." 2026-04-01
reddit https://old.reddit.com/r/selfhosted/comments/1sm3t5z/tailsca... "Tailscale improves free tier, 3 free users is now 6" 2026-04-13
self-hosted, privacy, cgnat, tunnel, reverse-proxy, cloudflare-alternative, eu-sovereignty