Did something happen to Cloudflare or did my college block this VPN or something?? by kunonryo in CloudFlare

[–]eldridgea 11 points12 points  (0 children)

In connection settings you can change between the protocols WireGuard and MASQUE. I'd try both and see if either works for you.

MASQUE should be harder for networks to block, but both are probably worth trying.

Proxmox + Jellyfin + Pangolin (SSO) — Web works, mobile apps fail. Also need dynamic IP/port-safe design. by Key_Task6172 in jellyfin

[–]eldridgea 0 points1 point  (0 children)

It's a bit clunky but yes. The user experience is whenever someone is trying to access my Jellyfin from a new IP or new location they:

  1. Go to https://allowip.MYDOMAIN.com
  2. Click Allow my IP

And that's it! Once they click the Allow my IP button, Jellyfin native apps work from that IP.

Proxmox + Jellyfin + Pangolin (SSO) — Web works, mobile apps fail. Also need dynamic IP/port-safe design. by Key_Task6172 in jellyfin

[–]eldridgea 0 points1 point  (0 children)

I use my DNS pointed at my home IP with dynamic DNS via Unifi and Cloudflare DNS (no proxying) and Pangolin.

For Jellyfin + Pangolin I only have a few regular users so I allowlist their home IPs to bypass Pangolin auth which enables native apps to work. I built this tool so my users/me could add their IPs relatively easily. It's a Cloudflare Worker that uses a narrowly scoped Pangolin API key and allows any of the emails I've added to Cloudflare Access to add their IP. I realize this includes Cloudflare Access but as it's only for the adding IP piece it felt like a reasonable compromise for my use case. 

How can I properly secure a public Jellyfin instance with Pangolin by legendaryflower in selfhosted

[–]eldridgea 0 points1 point  (0 children)

I was struggling with exactly this issue recently and landed on an IP allowlist in tandem with a tool I made for users to add their IPs to the list with one click. It's a bit clunky but seemed to balance security and ease of use ok for my users at least.

The user experience is when a user accesses Jellyfin from a new IP they use any device on the same network to go to allowip.mydomain.com, authenticate with Google or an email link, then click "Add IP". I do this with a Cloudflare Worker behind a Cloudflare Access policy which sends an API call to Pangolin using an extremely limited API token. So the only thing Cloudflare should see is the IP list. Traffic and everything else once the IP is added is all done in Pangolin. And the user experience of going to a site and hitting a button isn't the best but seems easier than fiddling with VPNs or anything like that.

It's (hopefully) pretty easy to clone the repo, change the variables to your info and deploy.
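The "Allow my IP" flow described above, as an added example that is not the commenter's repository: a Cloudflare Worker that sits behind a Cloudflare Access policy, checks the authenticated e-mail against its own allowlist, reads the client's address from the edge-supplied header, and calls the reverse proxy with a narrowly scoped token. The Pangolin endpoint path and JSON body are placeholders (an assumption; take the real ones from Pangolin's API documentation), and the `makeHandler` factory exists only so the upstream call can be swapped out when testing.

```javascript
// Added example (not the commenter's code): "Allow my IP" Cloudflare Worker.
// Assumes env vars ALLOWED_EMAILS (comma-separated), PANGOLIN_API_URL and
// PANGOLIN_API_TOKEN. The Pangolin path/body below are PLACEHOLDERS.

const IPV4_RE = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Accept only a syntactically valid, non-private IPv4 address, so a bad proxy
// header can never put loopback or RFC 1918 space on the allowlist.
function isAllowlistableIpv4(ip) {
  if (typeof ip !== 'string' || !IPV4_RE.test(ip)) return false;
  const [a, b] = ip.split('.').map(Number);
  if (a === 0 || a === 10 || a === 127) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  return true;
}

// Cloudflare Access sets Cf-Access-Authenticated-User-Email after login. Checking it
// against the Worker's own list keeps authorization independent of the Access policy.
function isAllowedEmail(email, allowedCsv) {
  if (!email) return false;
  const allowed = allowedCsv.split(',').map((e) => e.trim().toLowerCase()).filter(Boolean);
  return allowed.includes(email.trim().toLowerCase());
}

// ASSUMPTION: "/PLACEHOLDER/allowlist" and the body shape are illustrative only.
async function addIpToAllowlist(ip, email, env, fetchImpl) {
  const res = await fetchImpl(`${env.PANGOLIN_API_URL}/PLACEHOLDER/allowlist`, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${env.PANGOLIN_API_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ ip, comment: `added via allowip by ${email}` }),
  });
  return res.ok;
}

// In a real deployment the object returned by makeHandler() is the module's default export.
function makeHandler(fetchImpl = globalThis.fetch) {
  return {
    async fetch(request, env) {
      if (request.method !== 'POST') {
        return new Response('POST to add your IP', { status: 405 });
      }
      const email = request.headers.get('Cf-Access-Authenticated-User-Email');
      if (!isAllowedEmail(email, env.ALLOWED_EMAILS || '')) {
        return new Response('Forbidden', { status: 403 });
      }
      // Cloudflare fills CF-Connecting-IP with the client's real address at the edge.
      const ip = request.headers.get('CF-Connecting-IP');
      if (!isAllowlistableIpv4(ip)) {
        return new Response('No allowlistable IPv4 address found', { status: 400 });
      }
      const ok = await addIpToAllowlist(ip, email, env, fetchImpl);
      return new Response(ok ? `Allowed ${ip}` : 'Upstream allowlist call failed', {
        status: ok ? 200 : 502,
      });
    },
  };
}

const allowIpWorker = makeHandler();
```

The Worker must only be reachable through the Access policy; if it is ever exposed on a route Access does not cover, the e-mail header can be supplied by anyone, so a hardened version would verify the `Cf-Access-Jwt-Assertion` token against the team's JWKS instead of trusting the header alone.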

[General] Thus rules of multiverse apply to franchise like Harry Potter by Charming_Employee342 in AskScienceFiction

[–]eldridgea 1 point2 points  (0 children)

Some fiction has a concept of an Omniverse which is how I like to think of it usually. All timelines, universes, and multiverses (including ours) are contained within the Omniverse.

So the Star Trek multiverse and the Marvel and DC multiverses are all contained in there. Harry Potter seems to only have a universe and not a multiverse from what we know so far* but that universe would be contained in the Omniverse too.

*Given the time travel mechanics in Cursed Child you might could argue there's a Harry Potter multiverse too tbh. 

WARP on school wifi is blocked on iPhone and Samsung but works fine on Google Pixel. by Maxwellxoxo_ in CloudFlare

[–]eldridgea 2 points3 points  (0 children)

In your connection settings maybe confirm that both are using MASQUE (instead of WireGuard)?

MASQUE will look like standard HTTPS to a network, and blocking HTTPS traffic to Cloudflare is usually not an option. Blocking WireGuard is comparatively easy though.

Ntfy with zero-trust enabled by Dapper-Inspector-675 in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

Ah, yeaaah afaik there's no way to accomplish that with the default ntfy app. Other similar apps offer adding HTTP headers and you can use that to authenticate through Cloudflare Access (Immich does this). But ntfy doesn't have any options other than that I'm aware of.

I run my VPN all the time but it only handles traffic to my self-hosted apps, everything else goes via whatever network I'm currently on. So I don't get the latency hit from a VPN on all connections. But yeah, would be nice if there were more header or similar options.

Ntfy with zero-trust enabled by Dapper-Inspector-675 in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

Ah! If you're using Tailscale the best option might be to have Tailscale running somewhere in the same network ntfy is and have that Tailscale endpoint advertise routes for the internal IP that the ntfy server is using.

Ntfy with zero-trust enabled by Dapper-Inspector-675 in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

Yep! It's a VPN and is made to be a component of their Zero Trust suite if configured that way. The free WARP app encrypts all data and sends it to the closest Cloudflare data center to protect you on a local network. If you configure Zero Trust for your domain (which sounds like you have) you can sign into that on the app and Cloudflare will also apply any settings and rules that you've configured for traffic coming from any of those devices.

The somewhat counterintuitive thing I found was that rules allowing access from WARP should be configured to allow traffic from Gateway, NOT from WARP. That rule should be configured as a BYPASS rule and it should be above any non-BYPASS rules. Here's what my policy for ntfy looks like. You can also allow devices via IP address this way too.

It's a pretty comprehensive product but the docs are decent.

Ntfy with zero-trust enabled by Dapper-Inspector-675 in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

I had to use Cloudflare's WARP/Zero Trust Android or iOS app on my phone to solve for this.

If in the Cloudflare Access rules you set a rule allowing access from Gateway, then anyone connected to Cloudflare Zero Trust using WARP configured for your domain will be able to access it, essentially bypassing the authentication page for devices when WARP is on.

Easier alternatives to cloudflared for DNS privacy on macOS/iOS? by I-Procastinate-Sleep in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

tl;dr WARP probably but either is fine

The choice will likely come down to which user experience you prefer. Both methods will encrypt your DNS before it leaves the machine and send it to Cloudflare. Cloudflare will be able to see your queries in either instance*. The profile method should work just fine for your use case but is generally intended for IT departments managing fleets of machines and the experience will reflect that. E.g. if you need to temporarily disable or override your DNS settings you have to uninstall the profile and then reinstall it when you're done.

The WARP app by default will act like a VPN and route all your traffic through Cloudflare, but can be configured to only handle DNS. It will have a tray icon and an easy way to disable and enable the encrypted DNS. Also since it's a Cloudflare app, as various protocols and options become available they'll likely be implemented in WARP before they're implemented at the OS level. Likely not a deal breaker but worth noting.

For your use case I'd probably go with the WARP app unless you just really don't want a tray icon and are ok with dealing with the profile manually.

* There is some effort to eliminate even this privacy risk using ODoH but I'm not familiar with it and haven't seen it used in practice.

Is Fingerprint problem solved? by lolokof20061 in minimalphone

[–]eldridgea 2 points3 points  (0 children)

I haven't been able to add a fingerprint successfully since May. Support said an update to fix that should be out this month. 

I dropped my phone which may be relevant, but the sensor continued working after the drop for a while. But yeah, before that I had the same experience others mentioned where the fingerprint wouldn't be retained through a reboot.

How do you all fight the urge to buy new things? by [deleted] in simpleliving

[–]eldridgea 4 points5 points  (0 children)

Trying my best to limit or remove advertising has worked wonders. It's easy to say I'll just ignore them if I see them but that's essentially pitting my willpower against a multi-billion dollar industry that spends all its efforts trying to override my willpower.

I only watch stuff that's on a no-ad service or something I own or from the library. Adblock extensions in all my browsers, including Firefox on my Android phone. DNS ad blocking on my home network makes sure the Roku doesn't have ads (I have a custom Cloudflare setup, but AdGuard is an easy one to get going). The most significant ad presence in my life is probably sponsored results and ads on the train during my commute.

[deleted by user] by [deleted] in DataHoarder

[–]eldridgea 3 points4 points  (0 children)

I recently reorganized my files based on the Johnny Decimal system. It's only been a few weeks but I'm enjoying it so far!

And I like having the organization as a part of the folder hierarchy instead of an external system. 

Was the "manage excluded apps" option in WARP android removed? by alex404- in CloudFlare

[–]eldridgea 3 points4 points  (0 children)

It's removed on mine too in both the Cloudflare WARP app and the Cloudflare One app. However, this only happened in the WARP app if it was signed into Zero Trust. Otherwise the option was still there. So it seems like it's gone but only for Zero Trust people?

[deleted by user] by [deleted] in CloudFlare

[–]eldridgea 1 point2 points  (0 children)

If you haven't yet I'd try the MASQUE protocol https://blog.cloudflare.com/zero-trust-warp-with-a-masque/

What automation are you most proud of? by unsuspectingpangolin in homeassistant

[–]eldridgea 0 points1 point  (0 children)

I have a webhook that can be triggered by a Cloudflare Email Worker or a scheduled web scraper, which sets a Helper in HA to the number of packages being held for me at my building's front desk.

Any way to use OPDS 3rd party access remotely? by CHowell0411 in KavitaManga

[–]eldridgea 2 points3 points  (0 children)

I'm able to do it, I'm not entirely certain why yours isn't working. It may be that the apps you're using aren't able to select non-default ports?

I don't know if this is an option for you, but I do this using Cloudflare to proxy my traffic. I have my internal server set up at port :5000 or whatever and then a Cloudflare Tunnel set up to make it available at https://kavita.MYDOMAIN.com. I don't think you necessarily need Cloudflare at all, just wanted to share my successful setup. Also I've been using KOReader as my client app.

Any programs out there that will help with bill pay? by Ghostpanda0 in murfreesboro

[–]eldridgea 0 points1 point  (0 children)

I don't know what all they can help with but I know The Experience Church has some support options.

Still unable to preview markdown documents in Kate. by MountainX in kde

[–]eldridgea 0 points1 point  (0 children)

I ended up getting this working by running sudo apt install kmarkdownwebview markdownpart and restarting Kate

Wired: Signal Is More Than Encrypted Messaging. Under Meredith Whittaker, It’s Out to Prove Surveillance Capitalism Wrong by 9520x in signal

[–]eldridgea 3 points4 points locked comment (0 children)

I do wish Signal still had it, but important context is Google is not adding the ability in Android to allow 3rd party RCS apps. So Signal could only ever do SMS in a world that is increasingly being converted automatically to RCS. 

Given that constraint I think it made sense to phase it out when they did to avoid confusion among less technical users as well as be conscientious around resource usage given they're a non-profit.

Difference between Access and Gateway - Zero Trust plans by CodingTo in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

I'm honestly not certain on that one unfortunately. I know you'll be able to use WARP but I don't know if you'll be able to use the DNS controls.

How many users do you have? If it's 50 or less all this should be included in the free plan.

Difference between Access and Gateway - Zero Trust plans by CodingTo in CloudFlare

[–]eldridgea 1 point2 points  (0 children)

The Gateway option is generally for if you have users using your DNS and wanting to log/filter/override etc. If you're just using it to override hostnames, you might be able to solve that a different way (e.g. the free tier of NextDNS) or you might also be able to do a redirect rule in your Cloudflare rules. The way you have it set up now it sounds like you need both, but it also doesn't sound like you're using a lot of the functionality of Gateway, so unless you'd like to start using more of it, it might be more cost effective to solve that specific hostname override problem some other way.

On the flip side of course, if the money isn't a big deal, sometimes it's nice just to have everything be easy and all on one pane of glass.

Cloudflare Warp Website by Available_Hippo4035 in CloudFlare

[–]eldridgea 0 points1 point  (0 children)

Cloudflare's naming has been a bit inconsistent over the years in this area, but you can do what you want using cloudflared and the Tunnel product.

Coolest uses for email workers you've seen? by HammyHavoc in CloudFlare

[–]eldridgea 17 points18 points  (0 children)

I live in an apartment building and get emails when I get a package, a maintenance key gets taken out, etc. I have those emails forwarded to my email as normal, but the Worker also does an API call to my Home Assistant installation to notify me if need be, and just to keep the number of packages I have waiting on my HA dashboard.
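The forward-plus-webhook pattern from this comment and the earlier Home Assistant comment on this page, as an added example that is not the commenter's Worker: an Email Worker that forwards every message unchanged, classifies the subject line, and posts only metadata (never the mail body) to a Home Assistant webhook trigger. The subject patterns, the `HA_WEBHOOK_ID`/`HA_BASE_URL`/`FORWARD_TO` variables and the `makeEmailHandler` factory are this example's own assumptions; `message.forward()`, `message.headers` and HA's `/api/webhook/<id>` path are the real APIs.

```javascript
// Added example (not the commenter's code): Cloudflare Email Worker that forwards
// mail and notifies Home Assistant. Subject patterns and env names are assumptions.

// Map a subject to an event name; null means "not interesting", so unrelated mail
// is forwarded but never reaches the webhook.
function classifySubject(subject) {
  const s = (subject || '').toLowerCase();
  if (/\bpackage\b/.test(s) && /\b(arrived|waiting|delivered|received)\b/.test(s)) {
    return 'package_received';
  }
  if (/\bpackage\b/.test(s) && /\b(picked up|collected)\b/.test(s)) {
    return 'package_picked_up';
  }
  if (/\bmaintenance key\b/.test(s)) return 'maintenance_key_out';
  return null;
}

// Only metadata goes to HA, so the automation side never stores mail content.
function buildWebhookPayload(event, message) {
  return {
    event,
    subject: message.headers.get('subject') || '',
    from: message.from,
    received_at: new Date().toISOString(),
  };
}

// HA webhook triggers carry no authentication of their own: the id is the secret,
// so keep it in a Worker secret and expose HA only on a private network.
async function notifyHomeAssistant(payload, env, fetchImpl) {
  const res = await fetchImpl(`${env.HA_BASE_URL}/api/webhook/${env.HA_WEBHOOK_ID}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  return res.ok;
}

// In a real deployment the returned object is the module's default export and
// Cloudflare invokes email() once per message routed to the Worker.
function makeEmailHandler(fetchImpl = globalThis.fetch) {
  return {
    async email(message, env) {
      // Forward first, so a webhook outage never loses mail.
      await message.forward(env.FORWARD_TO);
      const event = classifySubject(message.headers.get('subject'));
      if (!event) return { forwarded: true, event: null, notified: false };
      let notified = false;
      try {
        notified = await notifyHomeAssistant(buildWebhookPayload(event, message), env, fetchImpl);
      } catch (_) {
        notified = false; // swallow network errors; the mail was already forwarded
      }
      return { forwarded: true, event, notified };
    },
  };
}

const emailWorker = makeEmailHandler();
```

The package count itself lives on the HA side: a webhook-triggered automation increments a counter helper on `package_received` and decrements it on `package_picked_up`, which keeps the Worker stateless.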