
Moving from Cloudflare to Traefik


In my server reliability post, one of the "next steps" I set out for my setup was to drop the Cloudflare tunnel and put a proper reverse proxy in place, so that I could use protocols and ports the tunnel did not give me, such as a game server's raw TCP port.

My first step was looking for ready-made solutions on the market, some service I could pay a couple of dollars for and just customize, but nothing really fit my needs. So I took some time to read up on the current state of reverse proxying and found that a WireGuard + Traefik setup was much easier than I had imagined: the bulk of the work is in config files, and because both run as Docker containers, much like my Cloudflare Zero Trust container did, it is a common setup with plenty of tutorials online.

The full stack is VPS -> WireGuard -> Traefik -> Let's Encrypt -> Home Lab, except that I didn't completely give up on Cloudflare: my DNS is still configured through them, and since they were already terminating TLS for me, I took the Let's Encrypt part out of the tutorials and left certificates as they were, handled by Cloudflare. Two things are worth keeping in mind with that choice. Cloudflare's proxy only fronts HTTP(S), so a game server's TCP port needs a DNS-only (unproxied) record, and those clients connect straight to the VPS. And whether the hop from Cloudflare's edge to the VPS is encrypted depends on the zone's SSL mode: Flexible leaves that hop in plaintext, while Full (strict) with a certificate on Traefik encrypts and verifies it.

Anyway, here's a quick overview of how it looks. The VPS I bought has a static IPv4, which I connect to and which my Cloudflare DNS points at. That part is simple: whenever someone accesses my domain, they query Cloudflare and get my VPS address. The next step would be to have the VPS forward everything to my home address, but my home IP changes from time to time, since my ISP has me on a dynamic IP. The VPS, however, has a static IP, so I can run a VPN between the home lab and the VPS: the home lab initiates the WireGuard connection to the VPS's static IP, the VPS learns the home lab's current public address from that handshake, and inside the tunnel the home lab always has the same fixed VPN address. Because the forwarding target is that fixed tunnel address, the iptables rules on the VPS never need updating when my ISP hands me a new IP, and the traffic between the two sides is encrypted and authenticated by WireGuard's peer keys. Recapping real quick: an outside connection asks Cloudflare for the IP, the VPS's static IP is returned and the connection is made to the VPS, which now has rerouting configured through WireGuard to my home lab. Our journey is close to its end, but not quite there yet.
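As an added illustration of the tunnel and forwarding described above (my own example, not the files from the author's repository), here are the two WireGuard configurations. The tunnel subnet 10.0.0.0/24, the VPS public interface name eth0, the forwarded ports 80, 443 and 4046, and the key placeholders are all assumptions; substitute your own values.

```ini
# --- /etc/wireguard/wg0.conf on the VPS (added example; addresses, interface
# --- name, ports and keys are assumptions, not values from the original post)
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1
# Send the public ports to the home peer's fixed tunnel address. The home lab's
# real IP changes; 10.0.0.2 does not, so these rules never need editing.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443,4046 -j DNAT --to-destination 10.0.0.2
# Rewrite the source to the VPS tunnel address so replies return through the
# tunnel instead of leaving the home lab via its ISP default route.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# Only the forwarded ports cross into the tunnel; nothing else is reachable.
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,4046 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443,4046 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,4046 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# Home lab. No Endpoint here: the VPS learns the home lab's current public
# address from whichever endpoint the authenticated handshake arrives from.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

# --- /etc/wireguard/wg0.conf on the home lab (separate file) ---
[Interface]
Address = 10.0.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820      # the VPS static IP (placeholder address)
AllowedIPs = 10.0.0.1/32
# Keeps the NAT mapping at the ISP open so the VPS can always reach us,
# and re-establishes the tunnel after the home IP changes.
PersistentKeepalive = 25
```

The only UDP port the VPS needs to expose beyond the forwarded TCP ports is 51820, and WireGuard silently drops anything not signed by the configured peer key. The MASQUERADE rule is the trade-off to check: every connection arriving at the home lab appears to come from 10.0.0.1, so Traefik sees the VPS tunnel address rather than the visitor. For HTTP that is recoverable from Cloudflare's CF-Connecting-IP header; for the game port the real client address is lost unless you replace the MASQUERADE with policy routing that sends the home lab's replies back through wg0.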

When a request gets to my home server, the server itself doesn't know what to do with it: nothing translates the subdomain "blog" of the IP it arrived on (1.2.3.4, the DNS for mosskoi.com) into a particular service. This is where the reverse proxy and load balancer comes in. Traefik can reach any container on its Docker network, and it learns where each one lives either from a dynamic configuration file or from labels on the container itself. Attaching a container to that network and telling Traefik which hostname belongs to it leads to the desired conclusion: the request is routed from the Traefik container to the service running in another container.
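An added example of the routing step described above, written as a Docker Compose file with Traefik's Docker provider and a labelled blog container. This is my own illustration, not the author's compose file: the hostname blog.mosskoi.com is taken from the post, while the network name, the nginx stand-in for the blog, the port numbers and the Traefik version are assumptions.

```yaml
# docker-compose.yml on the home lab (added example, not the post's own config)
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get a route;
      # otherwise every container on the socket would be published.
      - --providers.docker.exposedbydefault=false
      # Plain HTTP entrypoint: in the setup above TLS terminates at Cloudflare.
      # With Cloudflare in Full (strict) mode, add a :443 entrypoint carrying
      # a Cloudflare origin certificate instead.
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    volumes:
      # The Docker socket is root-equivalent on the host; mount it read-only
      # and give Traefik nothing else.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]

  blog:
    image: nginx:alpine          # stand-in for the blog container (assumption)
    labels:
      - traefik.enable=true
      - traefik.http.routers.blog.rule=Host(`blog.mosskoi.com`)
      - traefik.http.routers.blog.entrypoints=web
      - traefik.http.services.blog.loadbalancer.server.port=80
    networks: [proxy]
    # No "ports:" entry: the blog is reachable only through Traefik,
    # on the shared network, never directly on the host.

networks:
  proxy:
```

Each additional service is just another container on the proxy network with its own Host rule; Traefik picks it up from the labels without a restart. The request for "blog" arrives on the tunnel address, hits the :80 entrypoint, matches the Host rule and is handed to nginx on the internal network.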

Connection requests DNS server for IP -> Cloudflare replies with VPS IP -> connection now has VPS IP -> connection requests VPS IP for subdomain "blog" -> VPS receives request and forwards it -> message is forwarded through WireGuard -> message arrives at home lab -> Traefik looks at request subdomain "blog" and based on its configuration re-routes to another container -> blog container takes care of request and replies.


Oof, that looks like quite the journey. For video streaming, website reading and messaging applications it shouldn't really matter, but I also wanted to host a couple of game servers, which might be heavily impacted. Here's the comparison for a simple mednafen server: the VPS route is the path described above, while DIRECT is opening a port directly on my modem so the connection makes no extra hops between client and server. The result is roughly a 66% increase in response time, from 30ms on the DIRECT route to 50ms routing through the VPS. The route itself is a worst-case scenario, where the connection has to detour a couple of states over before coming back via the VPS; even if the increase is enormous percentage-wise, we're still in playable territory, which makes me happy.

If you're interested, you can find this WireGuard + Traefik project on my git.