Cloudflare Tunnel
Argo Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment. With this model, your team does not need to go through the hassle of poking holes in your firewall or validating that traffic originated from Cloudflare IPs.
Useful Links

    Releases · cloudflare/cloudflared (GitHub)
    https://developers.cloudflare.com/cloudflare-one/faq/teams-troubleshooting/
    Cloudflare Tunnel | Secure Tunneling Software | Cloudflare
    A Boring Announcement: Free Tunnels for Everyone (The Cloudflare Blog)
    https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup

Related videos

    NGINX Proxy Manager (Reverse Proxy)
    Cloudflare Setup (DNS)

Credits

Special thanks to Aeleos who worked with us to develop his original guide here: https://github.com/aeleos/cloudflared
Be sure to buy him a coffee!
Please read our disclaimer https://docs.ibracorp.io/#disclaimer.

Assumptions

For this setup you need a domain that is managed by Cloudflare; the free plan is sufficient.

Create App Folder

First we need to make sure we have the app folder ready with the correct permissions. Thanks to this tip from our Discord user @noodlemctwoodle, you can use the following command in the Unraid terminal to create the folder and set the correct permissions:
mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 755 /mnt/user/appdata/cloudflared/

Authorise Cloudflared

There seems to be an issue with version 2021.7.0 of cloudflared from Cloudflare. The commands below have been adjusted to pull version 2021.6.0 for now. Once there is a bug fix from Cloudflare, we will change this message and the commands back to use the latest version.
Update August 25th 2021: using no tag (latest) still does not seem to work. However, specifying the latest version, cloudflare/cloudflared:2021.8.2, works.
In the Unraid terminal, run the following command to authorise cloudflared with the Cloudflare site you want to set up with a tunnel.
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.6.0 tunnel login
It will print out a link to Cloudflare. Put this link in your web browser, and select which domain you want to use. Then, the daemon will automatically pull the certificate.

Create a tunnel

Now we need to create a tunnel. To do this, we will run another command from the Unraid terminal:
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.6.0 tunnel create TUNNELNAME
This will create your tunnel's UUID.json file, which contains a secret used to authenticate your tunnelled connection with Cloudflare. The JSON file is only needed for running the tunnel, but any tunnel modifications require the cert.pem. More information about what requires what can be found here.
Make sure you copy your UUID, as this will be used in later steps. It can always be found later by the name of the JSON file.
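
Because UUID.json holds the tunnel secret and cert.pem authorises tunnel modifications, it is worth checking who can read them on the host. The following is an added example, not part of the original guide: audit_creds is a hypothetical helper, its default path is the appdata folder used above, and the demo directory is constructed.

```shell
#!/bin/sh
# audit_creds DIR: report on the tunnel credentials the guide stores in DIR.
# Report only; it never changes permissions or deletes anything.
audit_creds() {
    dir=${1:-/mnt/user/appdata/cloudflared}
    for f in "$dir"/cert.pem "$dir"/*.json; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ldn "$f" | awk '{ print substr($1, 5, 6) }')
        [ "$bits" = "------" ] ||
            echo "WARN $(basename "$f"): group/other access bits set ($bits)"
    done
    # Per the guide, running the tunnel needs only the JSON file;
    # cert.pem is required for tunnel modifications.
    [ ! -f "$dir/cert.pem" ] ||
        echo "NOTE cert.pem present: only needed for tunnel modifications"
    return 0
}

# Constructed demo: a throwaway directory standing in for the appdata folder.
demo=$(mktemp -d)
touch "$demo/cert.pem" "$demo/UUID.json"
chmod 600 "$demo/cert.pem"
chmod 644 "$demo/UUID.json"
audit_creds "$demo"
rm -rf "$demo"
```

The demo reports UUID.json as accessible beyond its owner and notes that cert.pem is still on disk.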

Create the config.yaml

Now we need to create a config.yaml to configure the tunnel:
nano /mnt/user/appdata/cloudflared/config.yaml
Now paste in the following and amend your reverse proxy IP:PORT, tunnel UUID and domain name if applicable.
    If you have an SSL certificate on your reverse proxy, you need to pass in the domain name that the SSL cert is under.
    If you want to proxy to an HTTP server, use the commented ingress rule.
    If you want to disable SSL verification, add noTLSVerify under originRequest.
tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - service: https://REVERSEPROXYIP:PORT
    originRequest:
      originServerName: yourdomain.com

# forward all traffic to Reverse Proxy w/ SSL and no TLS Verify
#ingress:
#  - service: https://REVERSEPROXYIP:PORT
#    originRequest:
#      noTLSVerify: true

# forward all traffic to reverse proxy over http
#ingress:
#  - service: http://REVERSEPROXYIP:PORT
See here for more information about ingress rules and how they can be configured.

Install cloudflared in unraid

Now, we need to install the app inside the Unraid UI.
    Go to the CA Apps Tab
    Search for cloudflared
    Install from aeleos' Repository
    Change the Repository: line to:
    cloudflare/cloudflared:2021.6.0
Now we need to change the "Post Arguments". To do this we need to enable the "Advanced View" in the top right corner.
    You should see the below command inside of "Post Arguments". Replace UUID with the UUID for your tunnel generated in step 2.
Post arguments:
tunnel run UUID
Now you can start your container and, if everything was done correctly with no errors, you should have a running tunnel!

Setting up your DNS records

The next step will be to edit your domain DNS records.
    If you have an A record already, you can remove it, as it is no longer needed.
    Replace your A record with a CNAME record for the domain root (@); for the content, enter UUID.cfargotunnel.com (inserting your UUID that was copied earlier).

Example

Type   Name       Value                  TTL        Status
CNAME  @          UUID.cfargotunnel.com  Automatic
CNAME  plex       @                      Automatic
CNAME  portainer  @                      Automatic
CNAME  radarr     @                      Automatic
CNAME  sonarr     @                      Automatic
You should now be able to access all of your apps without needing a port forward!

Troubleshooting

Certificate not valid for any names

If you see an error like:
Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match youdomain.com
In your config.yml try changing yourdomain.com to app.yourdomain.com, where app is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able to use this subdomain to verify certificates for your other subdomains as they pass through the tunnel.

Example config.yml

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

ingress:
  - service: https://192.168.1.20:18443
    originRequest:
      originServerName: proxy.yourdomain.com

Enabling SSH Access via Web Rendered Terminal

Create the DNS record

Create a DNS record for the subdomain you want to go to for SSH access. Below is an example:
Type   Name  Value       TTL        Status
CNAME  ssh   domain.com  Automatic  Orange ☁️

Add the Ingress Rule

Ingress rules resolve top down, so this rule should be above the - service: https://REVERSEPROXYIP:PORT/ rule.
  - hostname: ssh.domain.com
    service: ssh://SSHIP:PORT
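
Because rules resolve top down, a hostname rule pasted below the catch-all rule never matches, and noTLSVerify removes origin certificate checking. The following added example (not from the original guide or from cloudflared) flags both before the container is started; lint_ingress is a hypothetical helper that assumes one key per line without trailing comments, and the sample config is constructed.

```shell
#!/bin/sh
# lint_ingress FILE: print one finding per line for a cloudflared config.yaml.
# Reads stdin when FILE is omitted; prints nothing for a clean config.
lint_ingress() {
    awk '
    function finish() {                 # judge the rule that just ended
        if (n == 0) return
        if (host == "") { if (!catchall) catchall = n }
        else if (catchall)
            print "ERROR rule " n " (" host "): below catch-all rule " catchall ", never matched"
        if (svc ~ /^http:/)
            print "WARN rule " n ": origin " svc " is plain HTTP"
    }
    /^[ \t]*#/            { next }      # commented-out alternatives are inactive
    /^ingress:/           { ingress = 1; next }
    ingress && /^[^ \t-]/ { ingress = 0 }   # next top-level key ends the list
    ingress && /^[ \t]*-[ \t]/ { finish(); n++; host = ""; svc = "" }
    ingress && /hostname:/ { host = $NF }
    ingress && /service:/  { svc = $NF }
    /noTLSVerify:[ \t]*true/ { print "WARN noTLSVerify: true, origin certificate is not verified" }
    END {
        finish()
        if (n > 0 && host != "") print "ERROR last rule (" host ") is not a catch-all"
    }' "${1:--}"
}

# Constructed sample: the SSH rule was pasted below the catch-all rule.
lint_ingress <<'EOF'
tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json
ingress:
  - service: https://REVERSEPROXYIP:PORT
    originRequest:
      noTLSVerify: true
  - hostname: ssh.domain.com
    service: ssh://SSHIP:PORT
EOF
```

To check the real file, run lint_ingress /mnt/user/appdata/cloudflared/config.yaml in the Unraid terminal.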

Sign up for Cloudflare Teams

This can be done here. The free plan works for up to 50 users but needs billing details; you may be able to get it to work with no plan.

Add a Teams application

Add your application for your SSH service and then enable browser-based rendering.
    The guide by Cloudflare can be found here.

List and delete tunnels

List tunnels

To list all configured tunnels and see active connections:
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.6.0 tunnel list
ID         NAME                CREATED                          CONNECTIONS
ID in hex  NAME of the tunnel  TIMESTAMP Date and time created  NUMBERxCFPOINT

Delete tunnels

To revoke and delete a tunnel:
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.6.0 tunnel delete TUNNELID
If there are still active connections on the tunnel, you need to force the deletion. Connections will be dropped:
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.6.0 tunnel delete -f TUNNELID
Deleting the tunnel also invalidates the credentials file associated with that tunnel, meaning those connections cannot be re-established.

Multiple domains

If you have multiple different domains and you want to use the tunnel and Cloudflared container, you only need to copy the UUID.cfargotunnel.com used for the CNAME across to other domains in Cloudflare.
There is no need to deploy multiple containers of Cloudflared. One container can do multiple domains.
You also do not need to modify your YAML any further. One valid subdomain entry is enough.

Multiple containers

If you still decide to run multiple containers (for example, if you want redundancy), you can check those connections with this command in your Unraid terminal:
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel info UUID
If you have one container using the single tunnel UUID and one/multiple domains using the single tunnel, you will only get 1 record when using the cli command.
If you have 2+ containers using the single tunnel UUID and one/multiple domains using the single tunnel, you will get a record for each cloudflared container when using the cli command.

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our community member Aeleos and Community Leader Hawks.
Thank you for being part of our community!