IoT Embedded

HomeLab Networking: ZeroTier + Cloudflare = NAT-Free Nirvana

Learn how Alpha Bits achieved networking nirvana with ZeroTier, Cloudflare DNS, and Cloudflare Tunnel. Discover how to create a secure, NAT-free network that works anywhere in the world, with detailed setup instructions, real-world benefits, and lessons learned from managing a distributed HomeLab infrastructure.

Alpha Bits

Engineering Team

Sep 6, 2025
8 min read

If hardware is the foundation of your HomeLab, networking is the nervous system that makes everything work together. After years of fighting with port forwarding, dynamic DNS, and the general nightmare of residential networking, I can confidently say we've found networking nirvana.

The secret? A combination of ZeroTier, Cloudflare DNS, and Cloudflare Tunnel that creates a seamless, secure network accessible from anywhere in the world – without touching a single router setting or opening a single port.

Today, I'll walk you through exactly how we set this up, why each component matters, and the real-world benefits that have transformed how we work with our distributed HomeLab.

The Traditional Networking Nightmare

Let me paint a picture of the "old days" (which, honestly, was just two years ago for us):

You want to access your home server from the office. Simple, right? Just forward port 22 for SSH, maybe 80 and 443 for web services. But wait – your ISP uses CGNAT, so you don't have a real public IP. Or maybe you do, but it changes every few days. And what about security? Opening ports to the internet feels wrong, but VPNs are complicated to set up and maintain.

Then you want to access services from your phone while traveling. More port forwarding. Different ports for different services. Dynamic DNS that sometimes works, sometimes doesn't. And don't even get me started on trying to access services when you're behind a corporate firewall that blocks everything except HTTP and HTTPS.

I spent countless hours fighting with router configurations, debugging why services were unreachable, and explaining to family members why they couldn't access the photo server when away from home.

There had to be a better way.

Enter the Holy Trinity: ZeroTier + Cloudflare

Our current networking setup eliminates 90% of traditional networking headaches while providing better security and reliability than anything I've managed to cobble together with traditional methods.

Here's the high-level architecture:

  • ZeroTier creates a secure, encrypted overlay network connecting all our devices
  • Cloudflare DNS provides fast, reliable domain resolution with advanced features
  • Cloudflare Tunnel exposes select services to the internet without opening ports

The result? Every device in our HomeLab can communicate securely with every other device, regardless of physical location, NAT configuration, or firewall restrictions. And select services are available on the public internet with enterprise-grade security and performance.

ZeroTier: The Network That Just Works

ZeroTier is what I wish VPNs had always been. Instead of the traditional client-server model, ZeroTier creates a peer-to-peer mesh network where every device can communicate directly with every other device.

Why ZeroTier Over Traditional VPN?

  • No Central Server - Devices connect directly to each other when possible
  • NAT Traversal - Works behind any NAT configuration, including CGNAT
  • Automatic Failover - If direct connection fails, traffic routes through ZeroTier's infrastructure
  • Cross-Platform - Clients for every major OS, including ARM Linux
  • Free Tier - Up to 25 devices on unlimited networks

Our ZeroTier Setup:

We run a single ZeroTier network (let's call it "alphabits-lab") with all our devices:

  • All Raspberry Pis and Orange Pis
  • The dedicated server
  • Our laptops and workstations
  • Mobile devices (when needed)
  • Even some client devices for testing

Each device gets a static IP in the 10.147.x.x range (ZeroTier's default). These IPs never change, regardless of the device's physical location or local network configuration.

Installation is Dead Simple:

# On Ubuntu/Debian (the script detects the distro, adds ZeroTier's package repository
# and installs the zerotier-one service; it runs as root, so read it first if you prefer)
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join [NETWORK_ID]

# On Raspberry Pi OS (same commands)
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join [NETWORK_ID]

# Confirm the join: the network's status changes to OK once you authorize the node
# in ZeroTier Central, and the managed address appears in the assigned-addresses column
sudo zerotier-cli status
sudo zerotier-cli listnetworks

That's it. Seriously. The device appears in your ZeroTier Central dashboard, you authorize it, and it's part of your network. No configuration files, no certificates, no headaches.
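The "authorize it and it's part of your network" step is the one that gets forgotten on headless Pis, so it is worth scripting the check. The following is an added example, not code from the original post or from ZeroTier: it parses the JSON that `zerotier-cli -j listnetworks` prints and reports whether this host has joined the expected network, whether the controller has authorized it, and whether the managed address landed in the planned range. The network ID and the sample JSON are constructed placeholders; when the CLI is not installed (or cannot be run) the script falls back to the sample so it runs offline.

```python
"""Check that this host has actually joined the expected ZeroTier network.

Added example (not from the original post or ZeroTier): parses the JSON from
`zerotier-cli -j listnetworks` and verifies membership, authorization and that
the managed address falls inside the planned range. EXPECTED_NWID and
SAMPLE_LISTNETWORKS are constructed placeholders.
"""
import ipaddress
import json
import shutil
import subprocess

EXPECTED_NWID = "8056c2e21c000001"                      # constructed 16-hex-digit network ID
PLANNED_RANGE = ipaddress.ip_network("10.147.17.0/24")  # the post's address plan

# Constructed sample in the shape zerotier-cli returns: one authorized network with an
# address, and one network the node joined but that nobody has authorized yet.
SAMPLE_LISTNETWORKS = json.dumps([
    {"nwid": "8056c2e21c000001", "name": "alphabits-lab", "status": "OK",
     "type": "PRIVATE", "assignedAddresses": ["10.147.17.101/24"],
     "portDeviceName": "ztabcdef12"},
    {"nwid": "8056c2e21c000002", "name": "", "status": "ACCESS_DENIED",
     "type": "PRIVATE", "assignedAddresses": [], "portDeviceName": "ztabcdef34"},
])


def check_network(listnetworks_json, expected_nwid=EXPECTED_NWID,
                  planned_range=PLANNED_RANGE):
    """Return findings for the expected network.

    joined     - the network ID appears in the local membership list
    authorized - status is OK (the controller has authorized this node)
    addresses  - managed addresses that fall inside the planned range
    problems   - anything a person needs to act on
    """
    findings = {"joined": False, "authorized": False, "addresses": [], "problems": []}
    for net in json.loads(listnetworks_json):
        if net.get("nwid") != expected_nwid:
            continue
        findings["joined"] = True
        status = net.get("status")
        if status == "OK":
            findings["authorized"] = True
        elif status == "ACCESS_DENIED":
            findings["problems"].append("node not authorized: approve it in ZeroTier Central")
        else:
            findings["problems"].append(f"network status is {status}")
        for cidr in net.get("assignedAddresses", []):
            addr = ipaddress.ip_interface(cidr).ip
            if addr in planned_range:
                findings["addresses"].append(str(addr))
            else:
                findings["problems"].append(f"{addr} is outside the planned range {planned_range}")
        if findings["authorized"] and not findings["addresses"]:
            findings["problems"].append("authorized but no managed address assigned yet")
    if not findings["joined"]:
        findings["problems"].append(f"not joined: run 'sudo zerotier-cli join {expected_nwid}'")
    return findings


def read_listnetworks():
    """Run the real CLI when it is installed; otherwise use the constructed sample."""
    if shutil.which("zerotier-cli"):
        try:
            out = subprocess.run(["zerotier-cli", "-j", "listnetworks"],
                                 capture_output=True, text=True, check=True)
            return out.stdout
        except (subprocess.CalledProcessError, OSError):
            print("zerotier-cli failed (needs root?); using the constructed sample")
    return SAMPLE_LISTNETWORKS


if __name__ == "__main__":
    for key, value in check_network(read_listnetworks()).items():
        print(f"{key}: {value}")
```

Run it with `sudo` on a real node so `zerotier-cli` can read its auth token; a non-empty `problems` list is the cue to open ZeroTier Central and authorize the member or fix its assignment.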

A Personal Story: Last month, I was troubleshooting a client's IoT deployment from a coffee shop in downtown Ho Chi Minh City. I SSH'd into our lab Pi, accessed the Node-RED interface, and debugged their sensor data pipeline – all through ZeroTier. The connection was faster and more reliable than the coffee shop's WiFi. That's when I knew we'd made the right choice.

Cloudflare DNS: More Than Just Domain Resolution

We use Cloudflare as our DNS provider for several reasons beyond just domain resolution:

Performance and Reliability:

  • Global anycast network with sub-10ms response times
  • 99.99% uptime SLA
  • Built-in DDoS protection

Advanced Features:

  • DNS over HTTPS (DoH) - Encrypted DNS queries
  • Custom DNS records - A, AAAA, CNAME, MX, TXT, and more
  • Geographic routing - Different responses based on client location
  • Health checks - Automatic failover for redundant services

Our DNS Strategy:

We maintain both internal and external DNS records:

  • Internal services use ZeroTier IPs (10.147.x.x)
  • Public services use Cloudflare Tunnel endpoints
  • Development/testing subdomains point to specific lab devices

For example:

  • pi-main.lab.alphabits.team → 10.147.17.101 (ZeroTier IP)
  • blog.alphabits.team → Cloudflare Tunnel
  • dev-api.alphabits.team → 10.147.17.103 (development server)
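Because the whole design depends on the zone never pointing at the home connection, the DNS records are worth auditing mechanically. The following is an added example, not code from the original post or from Cloudflare: it walks a list of records in the shape Cloudflare's DNS API returns (`type`, `name`, `content`, `proxied`) and flags three mistakes that break the split setup: an A record proxied through Cloudflare while pointing at a ZeroTier address (the edge cannot reach 10.x), an A record publishing any non-ZeroTier address (a possible origin leak), and a Cloudflare Tunnel CNAME (the `<UUID>.cfargotunnel.com` form) left DNS-only. The sample zone and the tunnel UUID are constructed.

```python
"""Audit a Cloudflare zone against the split DNS strategy described above.

Added example, not from the original post or Cloudflare. Rule of the design:
internal names resolve to ZeroTier addresses (DNS only), public services are
proxied CNAMEs to a Cloudflare Tunnel, and no record ever publishes a public
origin address. Record dicts mirror the DNS API's type/name/content/proxied
fields; SAMPLE_ZONE and the tunnel UUID in it are constructed.
"""
import ipaddress

ZEROTIER_RANGE = ipaddress.ip_network("10.147.0.0/16")
TUNNEL_SUFFIX = ".cfargotunnel.com"   # target form used by Cloudflare Tunnel CNAMEs

# Constructed sample zone: two correct entries followed by three mistakes.
SAMPLE_ZONE = [
    {"type": "A", "name": "pi-main.lab.alphabits.team",
     "content": "10.147.17.101", "proxied": False},
    {"type": "CNAME", "name": "blog.alphabits.team",
     "content": "00000000-0000-4000-8000-000000000000.cfargotunnel.com", "proxied": True},
    {"type": "A", "name": "dev-api.alphabits.team",
     "content": "10.147.17.103", "proxied": True},       # proxied private address
    {"type": "A", "name": "nas.alphabits.team",
     "content": "203.0.113.45", "proxied": False},       # non-ZeroTier address published
    {"type": "CNAME", "name": "api.alphabits.team",
     "content": "00000000-0000-4000-8000-000000000000.cfargotunnel.com", "proxied": False},
]


def audit_record(rec):
    """Return a list of issue strings for one record (empty when it is fine)."""
    issues = []
    rtype, name = rec["type"], rec["name"]
    content, proxied = rec["content"], rec.get("proxied", False)
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(content)
        if addr not in ZEROTIER_RANGE:
            issues.append(f"{name}: {addr} is outside {ZEROTIER_RANGE}; only ZeroTier "
                          "addresses belong in A/AAAA records, public services go via tunnel")
        if proxied and addr.is_private:
            issues.append(f"{name}: proxied record points at private {addr}, which "
                          "Cloudflare's edge cannot reach; set it to DNS only")
    elif rtype == "CNAME" and content.endswith(TUNNEL_SUFFIX) and not proxied:
        issues.append(f"{name}: tunnel CNAME must be proxied to work")
    return issues


def audit_zone(records):
    """Audit every record; returns {name: [issues]} for the records with problems."""
    report = {}
    for rec in records:
        issues = audit_record(rec)
        if issues:
            report[rec["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_zone(SAMPLE_ZONE).items():
        for issue in issues:
            print(issue)
```

Feed it the JSON from a zone export or the DNS records API and run it from a cron job; the "outside the range" check is the one that catches a forgotten A record left over from the port-forwarding days.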

Cloudflare Tunnel: Public Access Without Port Forwarding

Here's where the magic really happens. Cloudflare Tunnel (formerly Argo Tunnel) allows you to expose services to the internet without opening a single port on your router.

How It Works:

  1. You run the cloudflared daemon on your server
  2. It establishes an outbound connection to Cloudflare's edge
  3. Cloudflare routes traffic from your domain to your service through this tunnel
  4. No inbound ports, no port forwarding, no security nightmares

Our Tunnel Setup:

We run multiple tunnels for different purposes:

  • Main tunnel - Public website, blog, contact forms
  • API tunnel - Client project APIs and webhooks
  • Development tunnel - Temporary access for client demos

Installation and Configuration:

# Install cloudflared (pick the package for your CPU: arm64 for 64-bit Pi OS,
# armhf for 32-bit, amd64 for an x86 server)
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i cloudflared-linux-arm64.deb

# Authenticate with Cloudflare (opens a browser login and stores cert.pem under ~/.cloudflared)
cloudflared tunnel login

# Create a tunnel; this writes the credentials file ~/.cloudflared/<UUID>.json used below
cloudflared tunnel create alphabits-main

# Point the public hostnames at the tunnel (creates proxied CNAME records in the zone)
cloudflared tunnel route dns alphabits-main blog.alphabits.team
cloudflared tunnel route dns alphabits-main api.alphabits.team

# Configure the tunnel
# ~/.cloudflared/config.yml
tunnel: alphabits-main                 # tunnel name (its UUID works here too)
credentials-file: /home/pi/.cloudflared/[UUID].json

ingress:
  - hostname: blog.alphabits.team
    service: http://localhost:3000
  - hostname: api.alphabits.team
    service: http://localhost:8080
  # Required catch-all: the last rule must have no hostname
  - service: http_status:404

# Check the rules, run once in the foreground, then install it as a systemd service
cloudflared tunnel ingress validate
cloudflared tunnel run alphabits-main
sudo cloudflared --config /home/pi/.cloudflared/config.yml service install

The beauty of this setup is that our services are accessible from anywhere on the internet, but the actual servers are completely hidden behind Cloudflare's infrastructure. Nothing in public DNS or in the tunnel points at our home IP address, so there is nothing to attack directly: the ingress rules target http://localhost, so the services only need to listen on loopback, and the only way in is the connection cloudflared itself opened outbound to Cloudflare's edge.
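Ingress rules are evaluated top to bottom and the first match wins, which is why the catch-all has to come last; misordering them is the most common reason a hostname quietly returns 404. The following is an added example, not code from cloudflared or the original post: it holds the config.yml rules above as Python data, validates them the way `cloudflared tunnel ingress validate` would (every rule has a service, the catch-all is last and nothing else is) and answers "which service handles this URL?" in the spirit of `cloudflared tunnel ingress rule <url>`. Two semantics are assumptions rather than facts taken from the page: `*` in a hostname is treated as exactly one DNS label, and `path` is treated as a regular expression searched in the request path.

```python
"""Model how cloudflared picks an ingress rule for a request.

Added example, not code from cloudflared or the original post. Assumptions:
'*' in a hostname matches one DNS label; 'path' is a regex searched in the
request path. INGRESS is the post's config.yml ingress section as Python data.
"""
import re
from urllib.parse import urlparse

INGRESS = [
    {"hostname": "blog.alphabits.team", "service": "http://localhost:3000"},
    {"hostname": "api.alphabits.team", "service": "http://localhost:8080"},
    {"service": "http_status:404"},   # catch-all, must stay last
]


def validate_ingress(rules):
    """Raise ValueError for the mistakes cloudflared itself refuses to run with."""
    if not rules:
        raise ValueError("ingress must contain at least one rule")
    for i, rule in enumerate(rules):
        if "service" not in rule:
            raise ValueError(f"rule {i} has no service")
        is_catch_all = "hostname" not in rule and "path" not in rule
        if is_catch_all and i != len(rules) - 1:
            raise ValueError(f"rule {i} is a catch-all but not last; later rules are unreachable")
    if "hostname" in rules[-1] or "path" in rules[-1]:
        raise ValueError("last rule must be a catch-all with no hostname or path")
    return True


def _host_matches(pattern, host):
    # Assumption: '*' stands for exactly one label, so '*.alphabits.team'
    # matches 'x.alphabits.team' but not 'a.b.alphabits.team'.
    if "*" not in pattern:
        return pattern.lower() == host.lower()
    regex = re.escape(pattern).replace(r"\*", r"[^.]+")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def route(rules, url):
    """Return (service, rule_index) for a request URL; first matching rule wins."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or "/"
    for i, rule in enumerate(rules):
        if "hostname" in rule and not _host_matches(rule["hostname"], host):
            continue
        if "path" in rule and re.search(rule["path"], path) is None:
            continue
        return rule["service"], i
    raise LookupError("no rule matched; validate_ingress should have rejected this config")


if __name__ == "__main__":
    validate_ingress(INGRESS)
    for url in ("https://blog.alphabits.team/posts/1",
                "https://api.alphabits.team/v1/devices",
                "https://unknown.alphabits.team/"):
        print(url, "->", route(INGRESS, url))
```

Use it as a pre-commit check on config.yml (load the YAML, pass the `ingress` list to `validate_ingress`) so a reordered or hostname-less rule never reaches the Pi; the real `cloudflared tunnel ingress rule <url>` remains the authority on wildcard and path semantics.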

Real-World Benefits: Why This Setup Changed Everything

1. Work From Anywhere

Whether I'm at the office, traveling, or working from a client site, I have full access to our entire lab infrastructure. SSH, web interfaces, databases, monitoring tools – everything works exactly the same regardless of my location.

2. Client Demonstrations

Need to show a client their IoT dashboard during a meeting? No problem. The demo environment is accessible via a clean URL with SSL certificate, looking completely professional. No "please ignore the port number" or "this might be slow because it's running on my home connection."

3. Simplified Development

Our development workflow is seamless across devices. I can start coding on my laptop, continue on a Pi 400, and test on the main server – all using the same URLs and configurations. No environment-specific settings or connection strings.

4. Enhanced Security

Paradoxically, our network is more secure now than when everything was "locked down" behind NAT. ZeroTier provides end-to-end encryption, Cloudflare handles DDoS protection and SSL termination, and we have detailed logs of all access attempts.

5. Family-Friendly

My family can access our photo server, media collection, and home automation from anywhere without me having to troubleshoot networking issues. The URLs are simple, the connections are reliable, and everything "just works."

Configuration Tips and Lessons Learned

1. Plan Your IP Ranges

ZeroTier auto-assigns addresses from the network's pool by default (effectively random from your point of view), but you can (and should) pin static IPs to your servers in ZeroTier Central. We use a simple scheme:

  • 10.147.17.100-109: Raspberry Pis
  • 10.147.17.110-119: Orange Pis
  • 10.147.17.120-129: Dedicated servers
  • 10.147.17.200+: Laptops and mobile devices
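Pinning addresses by hand in the dashboard works for a handful of devices, but once the scheme above is written down it is easy to have a script pick the next free slot and pin it through the API. The following is an added example, not code from the original post or from ZeroTier: it finds the lowest unused address in a device class's block and builds the ZeroTier Central request that pins it to a member. The member list is constructed; the request shape (`POST /api/v1/network/{nwid}/member/{nodeId}` with a `config.ipAssignments` list and a token in the `Authorization` header) follows Central's documented member endpoint as I know it, but the request is only built here, never sent, and the current docs should be checked before relying on it.

```python
"""Allocate the next static ZeroTier address for a device class and build the
Central API request that pins it.

Added example, not from the original post or ZeroTier. PLAN is the post's
address scheme; SAMPLE_MEMBERS is constructed; the API shape in pin_request
is an assumption to verify against ZeroTier Central's current documentation.
"""
import ipaddress
import json

# Address plan from the post: inclusive (first, last) address per device class.
PLAN = {
    "raspberry-pi": ("10.147.17.100", "10.147.17.109"),
    "orange-pi": ("10.147.17.110", "10.147.17.119"),
    "server": ("10.147.17.120", "10.147.17.129"),
    "client": ("10.147.17.200", "10.147.17.254"),
}

# Constructed member list in the shape Central returns: nodeId plus the
# addresses already pinned under config.ipAssignments.
SAMPLE_MEMBERS = [
    {"nodeId": "aaaaaaaaaa", "config": {"ipAssignments": ["10.147.17.100"]}},
    {"nodeId": "bbbbbbbbbb", "config": {"ipAssignments": ["10.147.17.101"]}},
    {"nodeId": "cccccccccc", "config": {"ipAssignments": ["10.147.17.110"]}},
]


def used_addresses(members):
    """Every address already pinned to some member, as IPv4Address objects."""
    return {ipaddress.ip_address(a) for m in members
            for a in m.get("config", {}).get("ipAssignments", [])}


def next_free(device_class, members, plan=PLAN):
    """Lowest unused address in the class's block, or None when the block is full."""
    first, last = (ipaddress.ip_address(x) for x in plan[device_class])
    used = used_addresses(members)
    addr = first
    while addr <= last:
        if addr not in used:
            return str(addr)
        addr += 1
    return None


def pin_request(network_id, node_id, address, authorize=True):
    """Describe the Central API call that pins `address` to `node_id`.

    Assumed endpoint shape; <API_TOKEN> is a placeholder for a Central API token.
    """
    return {
        "method": "POST",
        "url": f"https://api.zerotier.com/api/v1/network/{network_id}/member/{node_id}",
        "headers": {"Authorization": "token <API_TOKEN>",
                    "Content-Type": "application/json"},
        "body": json.dumps({"config": {"authorized": authorize,
                                       "ipAssignments": [address]}}),
    }


if __name__ == "__main__":
    addr = next_free("raspberry-pi", SAMPLE_MEMBERS)
    print(json.dumps(pin_request("<NETWORK_ID>", "dddddddddd", addr), indent=2))
```

Pulling the live member list first (GET on the same `/member` path) and feeding it to `next_free` keeps the allocator honest about addresses someone pinned by hand; a `None` result means the block is full and the scheme needs widening rather than an address borrowed from a neighbouring class.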

2. Use DNS Names, Not IPs

Even though ZeroTier IPs are static, always use DNS names in your configurations. This makes it easier to move services between devices and provides better documentation.

3. Monitor Your Tunnels

Cloudflare provides excellent analytics for tunnel traffic. Set up alerts for unusual activity or connection failures. We've caught several issues early thanks to these notifications.

4. Test Failover Scenarios

What happens if your main Pi goes down? What if your internet connection fails? Test these scenarios and have backup plans. ZeroTier's mesh architecture helps, but you still need to think about service redundancy.

5. Document Everything

Keep a network diagram showing which services run where, what DNS names point to what, and how traffic flows. This documentation becomes invaluable when troubleshooting or onboarding new team members.

Cost Breakdown

One of the best parts about this setup is the cost:

  • ZeroTier: Free for up to 25 devices
  • Cloudflare DNS: Free tier includes everything we need
  • Cloudflare Tunnel: Free (no bandwidth limits)
  • Domain registration: ~$12/year

Total networking cost: $12/year

Compare this to business VPN solutions, static IP addresses from ISPs, or enterprise networking gear, and the savings are substantial.

What's Next?

With our networking foundation solid, we can focus on the fun stuff: applications and services. In our next post, we'll dive into CasaOS – the beautiful, functional Docker management interface that makes deploying and managing services a joy rather than a chore.

We'll cover installation, configuration, and why CasaOS has become our go-to solution for container orchestration in the HomeLab environment.

Have questions about ZeroTier configuration, Cloudflare setup, or specific networking scenarios? Drop us a line – networking can be tricky, and I'm happy to share more detailed configurations or troubleshooting tips.

Next up: "CasaOS: The Beautiful Face of Docker Management"