Argo Tunnel


No, we are not going to talk about the 4.16 mile tunnel that was built for mine drainage back in 1893, although you can click here if you would like to know more. As this site is geared towards everything computing, I’m covering a different kind of ‘Argo Tunnel’ (it is not known by that name anymore).



Instead we will be covering what ‘Cloudflare Tunnel’ (formerly known as Argo Tunnel) actually is. Cloudflare Tunnel creates a lightweight connector in your environment to provide a secure, outbound-only link between your services and Cloudflare. With this model your team won’t have to go through the trouble of testing your firewall for vulnerabilities or confirming that traffic came from Cloudflare IPs, according to Cloudflare themselves here.

Why would this be useful for you or me? Here is an example of where this service came in handy when I was researching how to set up my unRaid server. The majority of Internet Service Providers (ISPs) globally block a number of ports to stop you sending and receiving data from a hosting service that you may be running, or you simply don’t have access to the router. You could try to host a website on a desktop PC on your local network, but when you decide to forward or open a port so someone from the outside world can access it, you can configure that in your firewall and it would still be blocked by your Internet Provider.

Luckily we could enable UPnP (Universal Plug and Play) to allow devices on your local network to dynamically open ports for applications such as multiplayer gaming and real-time communications. However, some important ports like 443 and/or 80 are blocked regardless of whether you set them to be open, and then you would also have to make sure it is secure from online baddies. Another option with some ISPs is to pay them more to have those ports unlocked, but that can be quite expensive, not so much for businesses but for individuals like you and me. However, as you might have guessed, there is yet another option which is free (not the domain, but we’ll cover that), secure and very easy to set up! That’s where Cloudflare Tunnels become useful.

Tutorial

What do I need?

For this to work, you will need to have a domain that is managed by Cloudflare. You can find a very inexpensive domain through Cloudflare or other providers and have that transferred to Cloudflare.

As of the 25th of March 2022, there is a graphical user interface that can set up and manage your tunnels on Cloudflare, but I will be covering the command-line option as it’s what I did and it is very straightforward.

Create an App Folder

First we need to make sure we have the app folder ready with the correct permissions. Thanks to this tip from our discord user @noodlemctwoodle, you can use the following command in the Unraid terminal to create the folder and set the correct permissions:

mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 777 /mnt/user/appdata/cloudflared/

However, you can skip this section and run ‘New Permissions’ on ‘Appdata’ after installing the docker container to get the correct permissions.

Authorisation

To authorise Cloudflared with the Cloudflare site you wish to set up using a tunnel, run the following command in Unraid terminal.

docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:latest tunnel login

It will print a Cloudflare link. Paste this link into your web browser and choose which domain you want to use. The certificate will then be automatically retrieved by the daemon.

Create a tunnel

We now need to create a tunnel. We will issue the following command from the Unraid terminal to accomplish this:

docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:latest tunnel create TUNNELNAME

This creates the UUID.json file for your tunnel, which contains a secret used to authenticate your tunnelled connection with Cloudflare. The cert.pem file is required for any tunnel modifications but is not required for running the tunnel itself. You can find more details here.

Make sure to copy your UUID, because you are going to need it later.

Creating the config.yml

Now we need to create a config.yml to configure the tunnel:

nano /mnt/user/appdata/cloudflared/config.yml

Now paste in the following and amend your reverse proxy IP:PORT, tunnel UUID and domain name as required. Some pointers:

  • If your reverse proxy has an SSL certificate, you must enter the domain name that hosts the SSL certificate.
  • Use the commented-out ingress rule to proxy to an HTTP server if you want to.
  • Add noTLSVerify under originRequest if you want to disable SSL verification.

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - service: https://REVERSEPROXYIP:PORT
    originRequest:
      originServerName: yourdomain.com

#forward all traffic to Reverse Proxy w/ SSL and no TLS Verify
#ingress:
#  - service: https://REVERSEPROXYIP:PORT
#    originRequest:
#      noTLSVerify: true

# forward all traffic to reverse proxy over http
#ingress:
#  - service: http://REVERSEPROXYIP:PORT

See here for more information about ingress rules and how they can be further configured.
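The template above is easy to get subtly wrong: a leftover UUID placeholder, a credentials-file name that does not match the tunnel, two uncommented ingress blocks, a misnamed file that cloudflared never reads, or noTLSVerify left on so the origin certificate is never checked. The following pre-flight checker is an added example written for this tutorial; it is not part of cloudflared or this site’s own tooling. It understands only the small YAML subset used in the template (top-level keys plus one ingress list), and the sample UUID and addresses are constructed placeholders.

```python
"""Pre-flight checks for a cloudflared config.yml before starting the container.

Added example for this tutorial, not cloudflared's own code. It parses only the
YAML subset used in the tutorial's template: top-level keys and an ingress list.
"""
import re
from typing import Dict, List

# Standard UUID format as printed by `cloudflared tunnel create`.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample, filled in the way the tutorial describes (placeholder UUID and IP).
SAMPLE_CONFIG = """\
tunnel: 0f3c2b1a-9d8e-4f7a-b6c5-1234567890ab
credentials-file: /home/nonroot/.cloudflared/0f3c2b1a-9d8e-4f7a-b6c5-1234567890ab.json

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - service: https://192.168.1.20:18443
    originRequest:
      originServerName: app.yourdomain.com

#ingress:
#  - service: http://192.168.1.20:18080
"""


def _strip_comments(text: str) -> List[str]:
    """Drop comments and blank lines so commented-out ingress blocks are ignored."""
    kept = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.strip():
            kept.append(code)
    return kept


def validate_config(filename: str, text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks ready to run."""
    problems: List[str] = []
    if filename not in ("config.yml", "config.yaml"):
        problems.append(
            f"file is named {filename!r}; cloudflared only looks for config.yml or config.yaml"
        )

    top: Dict[str, str] = {}
    ingress_keys = 0
    rules: List[Dict[str, str]] = []

    for line in _strip_comments(text):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            key, _, value = stripped.partition(":")
            if key == "ingress":
                ingress_keys += 1
            else:
                top[key] = value.strip()
        elif stripped.startswith("- "):
            key, _, value = stripped[2:].partition(":")
            rules.append({key.strip(): value.strip()})
        elif rules:
            # Nested keys (originRequest, originServerName, noTLSVerify) are flattened
            # onto the current rule; that is enough for these checks.
            key, _, value = stripped.partition(":")
            rules[-1][key.strip()] = value.strip()

    tunnel = top.get("tunnel", "")
    if not UUID_RE.match(tunnel):
        problems.append(f"tunnel: {tunnel!r} is not a UUID (did you replace the placeholder?)")
    if not top.get("credentials-file", "").endswith(f"/{tunnel}.json"):
        problems.append("credentials-file does not match the tunnel UUID")

    if ingress_keys == 0:
        problems.append("no active ingress block")
    elif ingress_keys > 1:
        problems.append(f"{ingress_keys} ingress keys; keep one and comment out the rest")

    for i, rule in enumerate(rules):
        if "service" not in rule:
            problems.append(f"ingress rule {i} has no service")
        if rule.get("noTLSVerify", "").lower() == "true":
            problems.append(f"ingress rule {i} disables origin certificate checks (noTLSVerify)")
    # cloudflared requires the final rule to be a catch-all without a hostname filter.
    if rules and "hostname" in rules[-1]:
        problems.append("last ingress rule must be a catch-all with no hostname")

    return problems


if __name__ == "__main__":
    for line in validate_config("config.yml", SAMPLE_CONFIG) or ["config looks ready"]:
        print(line)
```

Run it against the file you just saved (read the text and pass the file name) before starting the container; a clean run does not prove the tunnel will work, but it removes the mistakes that produce the most common start-up errors.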

Install cloudflared

Now, we need to install the ‘cloudflared’ docker container inside the Unraid UI.

  • Search for cloudflared in the CA Apps Tab
  • Install from aeleos’ Repository
  • Change the Repository: line to:
cloudflare/cloudflared:latest

Now we need to change the “Post Arguments”. To do this we need to enable the “Advanced View” in the top right corner. Search for “Post Arguments” and add the code below replacing “UUID” with your UUID.

Post arguments: 
tunnel run UUID

Start your container and if everything works correctly with no errors, you should have a running tunnel!

Configuring DNS Records

The next step is to edit your domain’s DNS records. If you are not comfortable with this or have just purchased a new domain, watch the video below to get up to speed.

https://youtube.com/watch?v=oBONjM3OXuc
How to setup Cloudflare DNS Server

If you have experience with setting up a DNS server, you can skip the video and continue below:

  • If you already have an A record, you can delete it, as it is no longer required.
  • Replace it with a CNAME record named @ (the domain root) whose content is UUID.cfargotunnel.com (inserting the UUID you copied earlier).


Type   Name    Value                   TTL        Status
CNAME  @       UUID.cfargotunnel.com   Automatic  Cloudflare
CNAME  plex    @                       Automatic  Cloudflare
CNAME  radarr  @                       Automatic  Cloudflare
CNAME  sonarr  @                       Automatic  Cloudflare
CNAME  homarr  @                       Automatic  Cloudflare

Example of configuring your DNS server

All of your apps ought to now be accessible without requiring a port forward!
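The table works because each app name is a CNAME to the zone root, and the root is a CNAME to the tunnel endpoint, so every app hostname chains to UUID.cfargotunnel.com. The script below, an added example for this tutorial and not Cloudflare or Unraid code, follows that chain for a constructed copy of the records, reports which hostnames actually reach the tunnel, and refuses CNAME loops (the failure you get by pointing two records at each other while editing). The zone name, UUID and IP address are placeholders.

```python
"""Follow the CNAME chain for every hostname in a Cloudflare zone and report which
ones end at the tunnel endpoint. Added example for this tutorial, not Cloudflare code."""
from typing import Dict, List, Tuple

# Constructed records in the shape of the tutorial's table: (type, name, value, proxied).
# "@" is the zone root; a bare name or "@" as the value refers to a host in this zone.
ZONE = "yourdomain.com"
TUNNEL_UUID = "0f3c2b1a-9d8e-4f7a-b6c5-1234567890ab"  # placeholder, not a real tunnel
RECORDS: List[Tuple[str, str, str, bool]] = [
    ("CNAME", "@", f"{TUNNEL_UUID}.cfargotunnel.com", True),
    ("CNAME", "plex", "@", True),
    ("CNAME", "radarr", "@", True),
    ("CNAME", "sonarr", "@", True),
    ("CNAME", "homarr", "@", True),
    ("A", "nas", "203.0.113.10", False),  # a host that does not go through the tunnel
]


def _fqdn(name: str, zone: str) -> str:
    """Expand the table's shorthand: '@' is the zone root, 'plex' is plex.<zone>."""
    if name == "@":
        return zone
    return name if "." in name else f"{name}.{zone}"


def resolve_chain(records, hostname: str, zone: str) -> List[str]:
    """Return the CNAME targets visited from hostname, in order; raise on a loop."""
    by_name = {_fqdn(name, zone): (rtype, value) for rtype, name, value, _ in records}
    chain: List[str] = []
    seen = set()
    current = hostname
    while current in by_name and by_name[current][0] == "CNAME":
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        current = _fqdn(by_name[current][1], zone)
        chain.append(current)
    return chain


def tunnel_hostnames(records, zone: str, tunnel_uuid: str) -> Dict[str, bool]:
    """Map every hostname in the zone to whether its chain ends at this tunnel."""
    endpoint = f"{tunnel_uuid}.cfargotunnel.com"
    result: Dict[str, bool] = {}
    for _, name, _, _ in records:
        host = _fqdn(name, zone)
        chain = resolve_chain(records, host, zone)
        result[host] = bool(chain) and chain[-1] == endpoint
    return result


if __name__ == "__main__":
    for host, via_tunnel in tunnel_hostnames(RECORDS, ZONE, TUNNEL_UUID).items():
        print(f"{host:25} {'tunnel' if via_tunnel else 'direct'}")
```

Only the hostnames reported as going through the tunnel are reachable without a port forward; anything still on an A record, like the constructed nas entry, is not, which is the quickest way to spot a subdomain you forgot to convert.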

Troubleshooting

Certificate not valid for any names

If you get an error like below:

Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match youdomain.com

Try replacing yourdomain.com in your config.yml with app.yourdomain.com, where app is a legitimate subdomain for which you have a DNS record (configured in both Cloudflare and your reverse proxy). Despite this being a single hostname, cloudflared ought to be able to use this subdomain to check the certificates of your other subdomains as they travel through the tunnel.

Example config.yml

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

ingress:
  - service: https://192.168.1.20:18443
    originRequest:
      originServerName: app.yourdomain.com

Cannot Determine Default Configuration Path

If you are receiving an error like the following, it could be because the config file is named incorrectly or stored in the wrong location.

Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:8080: connect: connection refused" cfRay=XXXXXXXXXXXX-NRT originService=http://localhost:8080

The logs indicate that it is unable to find the config.yml file and instead uses the default configuration, pointing to the origin server 127.0.0.1:8080.

Make sure your configuration file is named config.yml and is stored at the following path:

/mnt/user/appdata/cloudflared/config.yml

General Troubleshooting

If you are receiving an error that hasn’t been detailed here, check out here and here on the Cloudflare troubleshooting pages.

Warning!

Streaming media

WARNING
IT IS AGAINST CLOUDFLARE TERMS OF SERVICE TO USE PROXYING VIA CLOUDFLARE FOR ANY CONTENT THAT IS NOT HTML TRAFFIC. 
THIS INCLUDES THE STREAMING OF MEDIA VIA THEIR NETWORK. 

YOU RISK YOUR CLOUDFLARE ACCOUNT BEING BANNED IF YOU DO NOT HEED THIS WARNING!

FOR MORE INFORMATION REFER TO THE OFFICIAL TOS:
https://www.cloudflare.com/en-gb/terms/
SPECIFICALLY SECTION 2.8 Limitation on Serving Non-HTML Content

To be safe, turn the proxy off on any subdomains which do not serve HTML content by changing the cloud icon in DNS to grey (proxy off), or better yet, don’t create a domain for your media server such as Plex and instead use a dedicated app to access it.

Conclusion

Thank you for reading this tutorial; I hope it assists you in setting up Cloudflare Tunnels to access your dockers from outside.

To be updated…

