How Safeline WAF Helped Stabilize and Protect My Homelab After Fully Dropping Cloudflare With a Secure VPS Front Layer

Running a homelab is all about learning, experimenting, and taking control of your own infrastructure. For years, Cloudflare acted as my security and proxy layer, filtering traffic and masking my home IP. But eventually, I decided to drop Cloudflare entirely and build a fully self-hosted alternative.

That change meant one thing: I needed a new strategy to protect my services and keep my real home IP completely hidden.

That’s when I deployed Safeline WAF on a Hetzner VPS, turning it into a secure, self-hosted reverse-proxy layer sitting in front of my homelab. And honestly, it worked far better than I expected.

Leaving Cloudflare Meant I Needed a New Shield

The moment I moved away from Cloudflare, I lost: • Anycast edge routing • Automated bot filtering • DDoS mitigation • Hidden origin IP • Edge caching • Layer-7 attack protection

This meant that if I exposed my home IP directly, it would quickly become a target and any attack would hit my household connection and hardware.

So I needed a new “front layer” that: • Sat outside my home network • Masked my real IP • Filtered all incoming traffic • Stopped attacks before they reached my house • Was lightweight enough to self-manage

Deploying Safeline WAF on a remote VPS became the perfect solution.

Creating a Secure Front Layer on a Hetzner VPS

Instead of exposing my homelab directly, I deployed Safeline WAF on a Hetzner VPS, which now acts as the public-facing entry point for all my services.

How the architecture works:

1. All external traffic hits the Hetzner VPS first The VPS has a public IP and runs Safeline WAF + a reverse proxy. 2. Safeline filters, analyses and sanitises requests Malicious traffic never reaches my home. 3. Only clean traffic is forwarded to my homelab Through an encrypted tunnel (WireGuard), the backend services remain fully hidden. 4. My real home IP is completely protected Nobody scanning the services ever sees it only the Hetzner VPS.

This setup essentially recreates the “origin shielding” that Cloudflare provided, but without relying on a third-party network or giving up control.

How Safeline WAF Performs as a Remote Shield

My Home IP Stays Completely Hidden

The biggest benefit of placing Safeline on a VPS is that:

Scanners

Bots

Attackers

Vulnerability crawlers

…never touch my home connection.

All they ever see is the Hetzner IP, which filters everything through Safeline before forwarding anything to my private network.

If someone tries to attack it, it’s the VPS getting the hits not my house.

Safeline Handles Attacks Far From My Homelab

Since Safeline blocks malicious traffic right at the VPS: • My home bandwidth isn’t consumed • My self-hosted apps remain calm and responsive • My ISP never sees attack patterns • My homelab hardware isn’t stressed

Cloudflare used to do this at a global scale now Safeline does it on my own infrastructure.

Lightweight Enough for a Small VPS

Even with increased direct traffic: • No high CPU spikes • No RAM explosions • No delays in forwarding clean requests

Safeline is efficient enough to run on a small Hetzner VPS without issues.

Complete Control, Without External Dependencies

By using my own VPS: • No reliance on Cloudflare • No vendor lock-in • No “hidden rules” • No unexpected throttling • No external outages affecting my setup

Safeline works predictably, and I control everything from end to end.

A Clean, Stable Setup Without Cloudflare

While many people depend entirely on Cloudflare to protect their self-hosted apps, moving away from it didn’t break anything for me. Instead, it made my setup more resilient and more under my control.

With Safeline running on a Hetzner VPS: • My services stayed online • My real home IP stayed hidden • Malicious traffic got filtered at the edge • My homelab stayed lightweight and protected • I avoided Cloudflare outages, routing issues, or dependency risks

It’s a self-hosted approach that gives you the same benefits Cloudflare provides but fully under your control.

If You’re Dropping Cloudflare, This Hybrid VPS + Safeline Setup Is a Game-Changer

You get: • Real IP masking • Layer-7 protection • Full transparency • Strong filtering • Low resource usage • Independent infrastructure • Zero third-party dependency

A clean, powerful and reliable way to run a modern homelab with true self-hosting principles.