Cloudflare Tunnel, also known as the Cloudflare Argo Tunnel, is a free service offered by Cloudflare that allows you to host servers without exposing your public IP address or having to open ports. It works by routing traffic through Cloudflare’s network, which means it works behind NAT (network address translation) and does not expose your IP address. This makes it easy to host servers without having to worry about certificates or other complexities.
To use Cloudflare Tunnels, you need a few prerequisites:
- A domain: You don’t have to transfer your domain or add domains to Cloudflare, but you can register a domain with them if you want. To use Cloudflare Tunnels with your existing domain, you’ll need to change the name servers for your domain to point to Cloudflare. This is to make use of the Cloudflare network.
- A server that can run the Cloudflare Tunnel client or server: The client can run as a Docker container, or as a standalone daemon on Linux, Mac, or Windows.
- The ability to communicate with the servers you want to connect to: The server running the Cloudflare Tunnel client or server must be able to communicate with the other servers or services you want to connect to.
- Trust in Cloudflare: It’s important to trust Cloudflare, as they will be acting as a reverse proxy and handling SSL termination for your connections. This means that any data passing through the proxy could be seen by Cloudflare. However, it’s worth noting that the Cloudflare Tunnel tool is open source, so you can review how it works and ensure that you trust Cloudflare’s handling of your data.
One final consideration is the security of your data. Because Cloudflare is acting as a reverse proxy, any data that passes through it could be seen by Cloudflare. It’s important to consider who you trust with your data when setting up services like Cloudflare Tunnels. If you have sensitive information that should never be exposed to the public, you may not want to have it within reach of the Cloudflare service.
Overall, Cloudflare Argo Tunnel is a useful tool for hosting servers without having to worry about exposing your public IP address or opening ports. Just make sure to consider the security of your data and who you trust with it when setting up the service. Their official website has several posts going into detail, but today we are going to focus on setting up the Cloudflare Argo tunnel using Docker.
How the Cloudflare tunnel actually works
One way to make a service publicly accessible with a certificate is to put a reverse proxy such as Nginx or HAProxy behind a firewall like pfSense, configuring the proxy and the firewall to point at the services running on your server. However, this approach exposes your public IP address and may not be suitable for all users, especially if your internet service provider (ISP) is not equipped to handle DDoS attacks.
An alternative approach is to use Cloudflare Tunnels, which allows you to expose a service publicly without exposing your public IP address. The Cloudflare Tunnels tool can run as a Docker container, a daemon, or a service on Windows, Mac, or Linux. It connects to the Cloudflare edge, which sits between you and the services you want to access. This allows you to access any services that the server running Cloudflare Tunnels has lateral access to, without exposing your public IP address. The Cloudflare tool continuously synchronizes with Cloudflare’s servers to let them know its location, which means it can dynamically handle changes to your IP address.
To set up Cloudflare Tunnels, you will need to install the tool on your server and configure it to connect to the Cloudflare edge. You will also need to ensure that your DNS is properly configured to point to the Cloudflare network. Once the tool is set up, you can access your services publicly through Cloudflare edge, without exposing your public IP address.
Setting Up the Cloudflare tunnel using docker
1. Go to the Cloudflare Zero Trust Dashboard and navigate to the “Access” tab. Click on “Tunnels” and then “Complete Setup”.
2. Select the “Free” plan and proceed to payment. Note that you will need to provide a payment method, but you will not be charged.
3. Click on “Tunnels” again and then “Create Tunnel”. Give the tunnel a name (e.g. “The Tunnel”) and choose a system architecture for the tunnel connector. Cloudflare provides documentation on how to do this, as well as several options for running the tunnel client or server, including Debian, Docker, Mac, Linux, and Windows. But for our case, we are going to focus on the Cloudflare tunnel Docker implementation.
4. Copy the provided code snippet for the chosen system architecture and paste it into a terminal window on a machine with Docker installed. Make sure to add the -d, --name and --restart flags when running the docker command, so that the connector runs in the background and the container gets a name:

   ```shell
   docker run -d --name cloudflaretunnel --restart unless-stopped cloudflare/cloudflared:latest tunnel --no-autoupdate run --token API_TOKEN
   ```

   This will run the tunnel as a daemon in Docker, with the specified name and restart behavior. Make sure to replace API_TOKEN with the actual server token provided by Cloudflare.
5. Once the tunnel is running, you can go back to the Cloudflare Dashboard (the Zero Trust dashboard) and click Next in the tunnel setup to configure the domains or subdomains that you want to expose through the tunnel. You can also click on the tunnel you have created and then select the public hostname.
6. For each domain, you will need to specify the type (e.g. HTTP or HTTPS), the IP address of the server running the tunnel, and the port number of the service you want to expose. For services with self-signed certificates, click on “Additional App Settings” and set “TLS Verify” to “No”. Save the hostname.
7. Repeat steps 5 and 6 for any additional services you want to expose through the tunnel.
8. Once you have configured your domains and services, you can test the tunnel by accessing the domains from a web browser. If everything is set up correctly, you should be able to access the services through the tunnel without exposing your public IP address. Test the connection to your services using the public hostname (e.g. proxy.yourdomain.com). You should be able to access the service from inside and outside your home network.
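A quick check to go with that test, added here as an example and not part of the original post or of cloudflared: the whole point of the tunnel is that the public hostname never resolves to your home address, so every A/AAAA answer for it should fall inside Cloudflare's published edge ranges. The range list below is a snapshot of Cloudflare's published lists and the example.com hostnames in the usage are placeholders.

```python
"""Check that tunnel public hostnames resolve only to Cloudflare edge IPs.

Added example (not part of the original post or of cloudflared). If a
hostname resolves to anything outside Cloudflare's ranges, the record is
not proxied and the origin (home) address is exposed by DNS.
"""
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published edge ranges (https://www.cloudflare.com/ips/).
# Refresh from that page before relying on the check; the list changes occasionally.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare_edge(addr: str) -> bool:
    """True if addr lies in one of Cloudflare's edge ranges (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def leaked_addresses(resolved):
    """Return the resolved addresses that are NOT Cloudflare edge IPs."""
    return sorted(a for a in resolved if not is_cloudflare_edge(a))


def resolve(hostname: str):
    """All A/AAAA answers for hostname (live DNS lookup)."""
    return {ai[4][0] for ai in socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)}


def check_hostnames(hostnames, resolver=resolve):
    """Map each hostname to its leaked (non-Cloudflare) addresses; empty list means OK."""
    return {h: leaked_addresses(resolver(h)) for h in hostnames}


if __name__ == "__main__":
    # Usage: python tunnel_dns_check.py proxy.example.com other.example.com
    report = check_hostnames(sys.argv[1:])
    for host, leaked in report.items():
        print(f"{host}: {'OK, Cloudflare only' if not leaked else 'LEAK: ' + ', '.join(leaked)}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it from outside your network as well, and rerun it whenever you change a DNS record for the zone: a hostname that is later set to "DNS only" (grey cloud) instead of proxied will show up here as a leak.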
That’s it! You have successfully set up a Cloudflare tunnel to expose your web-based services. The tunnel acts as a reverse proxy, keeping your home network secure while allowing you to access your services from anywhere.
Adding an extra layer of security
If you want to add an extra layer of security to your Cloudflare tunnel, you can do so by setting up restricted access to your service. Here’s how:
1. Go to the Cloudflare Zero Trust Dashboard and navigate to the “Access” tab. Click on “Applications” and then “Add Application”.
2. Select “Self Hosted” as the application type and give the application a name (e.g. “The Application”).
3. Under the application configuration, give it a descriptive name and select the same subdomain as the public hostname you want to protect. You can leave the other settings at their defaults, but feel free to change them where necessary.
4. Under “Policy Name”, choose a name for the policy that will be used to restrict access to the service (e.g. “The Application Policy”). Also set the session duration timeout, or leave it to match the one configured for the application.
5. Under “Config Rules”, select the method you want to use to authenticate users who want to access the service. Options include requiring an email address, a specific domain name, an IP range, a country, or a certificate.
6. Click Next and then “Add Application” to complete the process.
To test the restricted access, copy the link to the service and send it to someone who should be able to access it (e.g. someone with the required email address or domain name). They will receive a code via email, which they can use to sign in and access the service.
Keep in mind that if you delete a tunnel but leave the hostnames attached to it, you may run into issues creating a new tunnel with the same names. To avoid this, make sure to delete the hostnames before deleting the tunnel. Also, keep an eye on any host IP changes to make sure that the public hostnames still point to the correct IP address. You may consider setting up notifications in case something goes down.
Overall, the Cloudflare tunnel system is a useful tool for exposing web-based services securely. While there may be some bugs or limitations to be aware of, the added security of the restricted access feature is a valuable asset.