All writing
Automation

Tines CE + Cloudflare Tunnels: The Ultimate (Free) Home Lab Automation Power Couple

How to connect a hosted SOAR platform (Tines) to your private network infrastructure using Cloudflare Tunnels for free.

SB
Sif Baksh Network automation & security
Tines CE + Cloudflare Tunnels: The Ultimate (Free) Home Lab Automation Power Couple
Direct Answer

You can securely connect Tines Cloud (Community Edition) to a private home lab for free by utilizing a Cloudflare Tunnel. By configuring a Tunnel on a local linux instance and applying IP whitelisting for Tines' egress IPs (44.246.174.5 and 54.70.210.130) in the Cloudflare WAF, you create a secure, authenticated bridge to internal APIs (like Proxmox) without a paid Tines plan.

The Problem: The “Cloud-to-Local” Gap

If you’ve explored Tines Community Edition (CE), you know it’s one of the most powerful SOAR platforms available. However, a common hurdle for home lab enthusiasts is connectivity. While the hosted cloud version is free, connecting it to your private infrastructure (like a Proxmox cluster or local NAS) usually requires an expensive paid plan to unlock secure network tunnels.

Most users default to opening ports on their router and using Dynamic DNS (DDNS). This is a security nightmare. We need a way to bridge Tines Cloud to a Local Lab that is:

  1. Secure (No open inbound ports).
  2. Authenticated (Only Tines can talk to it).
  3. Completely Free.

The Solution: Cloudflare Tunnels

Cloudflare Tunnels (formerly Argo Tunnel) create an encrypted, outbound-only connection between your local environment and the Cloudflare edge. By placing our local API behind a tunnel, we can expose it via a public hostname that only accepts traffic from specific sources—in this case, Tines.

The Architecture

The traffic flow looks like this:

  1. Tines Cloud sends an HTTP Request to your public hostname (e.g., proxmox.yourdomain.com).
  2. Cloudflare WAF intercepts the request and verifies the source IP.
  3. If the IP matches Tines, the request is passed through the Cloudflare Tunnel.
  4. The Cloudflared agent running in your lab receives the request and forwards it to your local Proxmox IP.

Step 1: Deploy the Cloudflare Tunnel

First, install the cloudflared agent on a small Linux VM or container in your lab.

# Example for Debian/Ubuntu
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb

# Authenticate and create your tunnel
cloudflared tunnel login
cloudflared tunnel create homelab-automation

In the Cloudflare Zero Trust dashboard, point your hostname (e.g., tines-api.yourdomain.com) to the local service (e.g., https://192.168.1.50:8006).

Step 2: Lock Down the WAF (Crucial)

Exposing your Proxmox API to the internet is dangerous. We must ensure only Tines can reach this tunnel.

Go to Security > WAF in Cloudflare and create a “Custom Rule”:

  • Field: IP Source Address
  • Operator: is in
  • Values:
    • 44.246.174.5
    • 54.70.210.130
  • Action: Allow

Then, create a second rule that Blocks all other traffic to that specific hostname.

Step 3: Configure Tines

In your Tines storyboard, create an HTTP Request Action:

  • URL: https://tines-api.yourdomain.com/api2/json/nodes
  • Method: GET
  • Headers: Add your Authorization or PVEAPIToken header.

Because the request originates from Tines’ dedicated egress IPs, Cloudflare will permit the traffic, and your tunnel will securely deliver it to your local Proxmox node.

Conclusion: Total Control for $0

This setup bypasses the connectivity limitations of Tines CE and provides a professional-grade integration for your home lab. You now have the power of cloud-native automation with the security of an outbound-only private tunnel.

Project Resources:

automationsecuritytinescloudflarehomelab
Back to all writing