Cloudflare Tunnel Setup

Cloudflare Tunnel and Cloudflare Zero Trust go hand in hand. The tunnel is the secure path into your network and the mechanism that gives you secure remote access.

To run a Cloudflare Tunnel from UnRAID you will need to manually create the docker container.

Name: Cloudflared Tunnel

Repository: cloudflare/cloudflared:latest

Post Arguments: tunnel --no-autoupdate run --token <tunnel-token>

Icon URL: Any Icon URL you like

Your Tunnel Token can be found by creating a Tunnel within Cloudflare Zero Trust > Access > Tunnels. The token is provided in the docker run command. Treat it as a secret, since anyone who holds it can run a connector for this tunnel.

Once the container is running, it will grab its configuration automatically from Cloudflare and also make 4x separate TCP/443 connections outbound using the QUIC protocol. The Cloudflare Tunnel should now have a status of "HEALTHY".

Cloudflare Access

Cloudflare Access is a product within Cloudflare Zero Trust. Access allows us to share HTTP, SSH and RDP sessions securely via the Cloudflare Tunnel.

Head to Cloudflare Zero Trust > Access > Tunnels > "your tunnel" > Configure > Public Hostname and click Add a public hostname.

This configuration tells our Cloudflare Tunnel how to route to the Authelia instance in our network. Authelia in my network is listening on https://192.168.0.2:9091 and has a self-signed SSL certificate.

Subdomain: auth.<domain-name>

Service: HTTP or HTTPS

URL: The IP address and port Authelia is listening on

NoTLSVerify: Enable this if you are using a self-signed SSL certificate, as Cloudflare only trusts its own root certificates. With it enabled, cloudflared does not validate the certificate Authelia presents.
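The same public hostname written in cloudflared's locally-managed config.yml format, showing the NoTLSVerify setting beside an alternative that trusts only Authelia's own certificate. This is an added example, not part of the original guide, which configures the tunnel through the dashboard; the tunnel ID, file paths and certificate name are placeholders.

```yaml
# Added example (not from the original guide).
# Assumptions: a locally-managed tunnel, and Authelia's self-signed
# certificate exported to a PEM file that is mounted into the container.
tunnel: "<tunnel-id>"                                   # placeholder
credentials-file: "/etc/cloudflared/<tunnel-id>.json"   # placeholder path

ingress:
  - hostname: "auth.<domain-name>"
    service: https://192.168.0.2:9091
    originRequest:
      # Setting used on this page: accept any certificate the origin
      # presents. Traffic between cloudflared and Authelia is encrypted
      # but the origin is not authenticated.
      # noTLSVerify: true

      # Alternative: keep verification on and trust only the
      # self-signed certificate Authelia serves.
      caPool: /etc/cloudflared/authelia-selfsigned.pem   # placeholder path
      # The service URL is an IP address, so tell cloudflared which
      # name to expect in the certificate (must match its SAN).
      originServerName: "<name-in-authelia-certificate>" # placeholder

  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```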

Once saved, Cloudflare will automatically push this configuration to your Cloudflare Tunnel and it will immediately be accessible via the specified domain name.

auth.<domain-name> is accessible via the internet and has a valid SSL certificate.

We have now configured remote access to our Authelia application hosted on UnRAID.

Things to note:

  • auth.<domain-name> must be accessible by any device needing to authenticate via OIDC

  • This is the only site not protected via Zero Trust

  • We can create Cloudflare Page Rules to restrict IP Addresses, Countries and others from accessing this site
