Cloudflared Argo Tunnels with Zero Trust

Cloudflare Tunnel requires the installation of a lightweight server-side daemon, cloudflared, to connect your infrastructure to Cloudflare.

cloudflared is an open source project maintained by Cloudflare.

Releases can be found on GitHub. Downloads are available as standalone binaries or packages like Debian and RPM.

Detailed release notes can be found on the GitHub RELEASE_NOTES file.

Install Cloudfalred with Zero Trust (Option 1)¶

This option will assume you have already setup your domain in Cloudflare and enabled the Zero Trust (formerly Cloudflare Access) panel this will require you to setup at least one method of 2fa, the default is a OTP which is done via email, in my case I have setup Okta as my MFA.

In the demo, we will imagine we have a service to run like Sonarr which runs on my Ubuntu host in docker and exposes port 8989 over HTTP. This is what I will show when setting up the tunnel and application in the below.

Login to the Cloud Flare Zero Trust Panel¶

The panel can can be found here

Once you are logged in you should be greeted with a page that looks like this.

From this page you will need to select Access in the left hand menu then Tunnels from the sub section. You should then see the button in the top right hand corner which is labeled Create Tunnel.

Now press the button and follow the process in the below until you are at the point when it asks you to install the Tunnel Connector. Simply name the tunnel and select your source machine os.

Once you have the screen output of the two code snippets, you will select the one on the left to install, and configure the service, or if you have the cloudflared.service already installed then you will use the snippet on the right. These are bash commands that you run in turn on the same host as your service in this case the same host as our "Sonarr" service. When this is installed and configured you can proceed by scrolling down and pressing the next button, then entering the Public Hosname information, finally move back to the overview tab and press the save button.

With that being done, you should now have access to your application securely over HTTPS on the subdomain you assinged in this case at https://sonarr.j-harrison.co.uk. This will be fine for most applications that you do not want to protect with 2FA, for services like self hosted Plex / Jellyfin instances. However you will have some some other services which you dont want the general public to be able to browse to. This is where the Cloudflare Zero Trust Applications come in very handy.

This one looks complicated but is very simple. Name the application, then set the Subdomain and Domain to be exactly the same as your Public Hostname setup that we previously configured. Following that you can optionally add a custom logo if you wish but it isn't of much use unless you plan to use the CF dashboard. Name your Policy and assign the group that you created when you signed up, in my case I have it to only allow access from my email address, finally and optionally set the Additional settings (checkboxes) and save!.

Now the application is protected and you will be prevented from accessing the site without authenticating with cloudflare first!

Install Cloudflared Manually (Option 2)¶

Installation of Cloudflared¶

Log into the machine you wish to add a tunnel to in this example I will be using an Ubuntu Server machine.

# INSTALL CLOUDFLARED
mkdir ~/.cloudflared

cd ~/.cloudflared

wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb

sudo dpkg -i cloudflared-stable-linux-amd64.deb

Create The Argo Tunnel¶

#This will create a tunnel json file in ~/.cloudflared named [tunnel-id].json
cloudflared tunnel create tunnelnamehere 

Configuration of Cloudflared¶

cloudflared tunnel login

This will present you with a link to follow, so open this link in a browser, this doesnt have to be on the same machine this can be done on another device., once complete this will place a cert.pem into ~/.cloudflared

Create The Config File For The Argo Tunnel¶

sudo nano ~/.cloudflared/config.yml

tunnel: [TUNNEL-ID TAKEN FROM THE JSON file IT CREATED]
credentials-file: /home/USER/.cloudflared/[TUNNEL-ID].json

config: /home/USER/.cloudflared/config.yml
# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: plex.yourdomain.co.uk
    service: https://0.0.0.0:4444
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true
  - hostname: docs.yourdomain.co.uk
    service: https://0.0.0.0:4444
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true
  - hostname: code.yourdomain.co.uk
    service: https://0.0.0.0:4444
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true
  - hostname: ssh.yourdomain.co.uk
    service: ssh://0.0.0.0:22
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true   
  - hostname: yourdomain.co.uk
    service: https://0.0.0.0:4444
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true
  - service: http_status:404

Add Routing To Your Tunnel In Cloudflare¶

The following commands will add CNAME records pointing to your tunnel locations in the Cloudflare DNS Panel.

cloudflared tunnel route dns tunnelnamehere  hyperionlabs.co.uk

cloudflared tunnel route dns tunnelnamehere  plex.hyperionlabs.co.uk

cloudflared tunnel route dns tunnelnamehere  docs.hyperionlabs.co.uk

cloudflared tunnel route dns tunnelnamehere  code.hyperionlabs.co.uk

cloudflared tunnel route dns tunnelnamehere  ssh.hyperionlabs.co.uk

cloudflared tunnel route dns tunnelnamehere  www.hyperionlabs.co.uk

Setup The Cloudflared Service¶

sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml

sudo cloudflared service install

sudo systemctl enable cloudflared

sudo systemctl start cloudflared

sudo systemctl status cloudflared

sudo systemctl start cloudflared-update.timer

sudo systemctl enable cloudflared-update.timer

sudo systemctl status cloudflared-update.timer