[Support] aeleos - cloudflared tunnels



Is there an easy way to tell if the tunnel is working?

A command perhaps?

When I try to look at the cloudflared log, it is blank for a second and then crashes. No idea why. It is the only docker log that does that. But as a result, I can't see what is going on.

2 hours ago, Profezor said:

Is there an easy way to tell if the tunnel is working?

A command perhaps?

When I try to look at the cloudflared log, it is blank for a second and then crashes. No idea why. It is the only docker log that does that. But as a result, I can't see what is going on.

RESOLVED - Started from scratch. All working now


I'm thinking of setting this up, but I have two questions:

1) How are you handling local access? You wouldn't want to go out to the internet to access your local resources. I already do split DNS, but if you're pointing to a port, then I'd have to use a reverse proxy.

2) I have mixed services dependent on SWAG for their security, like pihole, nextcloud, graylog. But some of them have their own IPs that SWAG hooks into. Would these services break?

3) Maybe out of scope here, but I want to set up another proxynet that doesn't use the main unraid IP address for this.

On 4/5/2022 at 6:45 PM, ppunraid said:

I'm thinking of setting this up, but I have two questions:

1) How are you handling local access? You wouldn't want to go out to the internet to access your local resources. I already do split DNS, but if you're pointing to a port, then I'd have to use a reverse proxy.

2) I have mixed services dependent on SWAG for their security, like pihole, nextcloud, graylog. But some of them have their own IPs that SWAG hooks into. Would these services break?

3) Maybe out of scope here, but I want to set up another proxynet that doesn't use the main unraid IP address for this.

1) I handle local access using PiHole on a Raspberry Pi, with local DNS entries for each of my subdomains to point them back to the internal unraid IP address. I have a dd-wrt router that points DHCP clients to the pihole for DNS requests. I have a reverse proxy (previously SWAG but now Traefik) on port 443 on unraid, so that the redirected requests look the same from inside and outside the network (same subdomain, https, etc.).

2) I'm not exactly sure what you mean here, but you should be able to set up pihole and nextcloud as I have them working with this. In general you can either specify a different origin IP address for a specific subdomain in the cloudflare configuration itself, or you can have everything go to a reverse proxy and have the proxy point to a different IP address.

3) I'm also not exactly sure what you mean here, but if you are talking about running the CF tunnels connection through a proxy it should be possible, but it would likely increase the latency a fair bit.


How do you use this with the new GUI config Cloudflare came out with? They make it sound so easy, but it didn't have the option to choose unRAID using Docker, so I can't just copy and paste what it told me. I haven't set up any tunnels before.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/

https://lzomedia.com/blog/how-to-setup-a-cloudflare-tunnel-new-using-gui-method/

On 4/7/2022 at 5:06 PM, Iceman24 said:

How do you use this with the new GUI config Cloudflare came out with? They make it sound so easy, but it didn't have the option to choose unRAID using Docker, so I can't just copy and paste what it told me. I haven't set up any tunnels before.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/

https://lzomedia.com/blog/how-to-setup-a-cloudflare-tunnel-new-using-gui-method/

You can use the GUI easily by taking the run token the tunnel gives you and modifying the command in the docker template. Something like Post Arguments: tunnel run --token <Your Tunnel Token from GUI>


Am I going mad, or has this broken? Set up and connecting, but every request results in the same error.

2022-04-29T14:47:57Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp [ip for NGIX:443 goes here but removed]: connect: no route to host" cfRay=[blanked]-LHR originService=[ip for NGIX:443 goes here but removed]

2022-04-29T14:47:57Z ERR Failed to handle QUIC stream error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp [ip for NGIX:443 goes here but removed] : connect: no route to host" connIndex=1

Followed two guides to compare settings. Tried setting disabletlsverify to true, just get 502 errors. Even tried setting up each host name in the yaml. Same deal. *hits head off wall*


Installed first-time tunnel for Oracle VPS by https://docs.ibracorp.io/vaultwarden-on-oracle-cloud-vps/

but having this tunnel error: error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 129.xxx:443: i/o timeout" cfRay=70abxxxxxxxxxxx-CDG originService=https://129.xxxx:443

I have in config like in the guide:

ingress:
   - service: https://129.1xxxxxxx1:443
     originRequest:
      originServerName: npm.mysite.com

but in the unraid guide it is:

ingress:
   - service: https://localproxynet:443
     originRequest:
      originServerName: mysite.com

On 5/20/2022 at 3:55 AM, Goldmaster said:

Seem to be having permission issues with this on 6.10

If you are willing to look at the official docs you can modify the docker to only run with a token in the extra parameters, and the configuration can be done on the CF website. This should solve any permission issues.

On the part about 6.10, my understanding is any permission issues aren't anything to do with the container or unraid but with incorrect permissions that unraid wasn't respecting before. It's possible you may need to force the container to use the user id you want, which can be done with --user 99:100 (for nobody:users) in extra parameters.

On 5/29/2022 at 4:12 PM, aeleos said:

On 5/20/2022 at 11:55 AM, Goldmaster said:

Seem to be having permission issues with this on 6.10

If you are willing to look at the official docs you can modify the docker to only run with a token in the extra parameters, and the configuration can be done on the CF website. This should solve any permission issues.

On the part about 6.10, my understanding is any permission issues aren't anything to do with the container or unraid but with incorrect permissions that unraid wasn't respecting before. It's possible you may need to force the container to use the user id you want, which can be done with --user 99:100 (for nobody:users) in extra parameters.

chmod 777 /mnt/user/appdata/cloudflared seems to solve this. Whether that's a good idea or not, however...

On 4/4/2022 at 2:48 PM, Profezor said:

RESOLVED - Started from scratch. All working now

Did you just uninstall and then clean up the appdata? I just uninstalled and I'm still getting the logs not loading and just flashing by. I'm on 6.10 and it was working fine. I should not have to fix things after a stable update.


I am looking to enable warp routing and I can't quite figure out how to pass the extra post arg.

I added this into my config.yaml and the logs show it is configured.

warp-routing:
   enabled: true

But I need to pass this extra arg:

"cloudflared tunnel route ip add 192.168.2.0/24 UUID"  Any idea how to do that? Open console just crashes for me every time.


Hi, is there a solution to these errors? The issue I have is that CF seems to be working for a few hours and then I receive these errors. If I restart the app all is fine again for a few hours. If I go to NGINX and load the two apps I am connected through HTTPS??

2022-08-27T17:46:39Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=7416a0beabb038ba-VIE originService=https://192.168.xx.xx:19443
2022-08-27T17:46:40Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" connIndex=1 dest=https://mtamo.co.uk//site/wp-includes/wlwmanifest.xml ip=198.41.192.67 type=http
2022-08-27T17:46:40Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=7416a0c04d9738ba-VIE originService=https://192.168.xx.xx:19443

Any advice would be appreciated.


Thanks for this guide and docker @aeleos, was able to set it up and close my port forwarding rules.

How are you guys handling creating new certs? DNS challenge??
I use NPM and since I closed ports 80 and 443 I get an error when creating new certs.

I also assume that this applies when renewing certificates also.


So I'm a little lost. In the Ibracorp video, when you take a look at his installed docker apps, he didn't already have the dockerized container installed


Am I supposed to install it before following the directions on the GitHub page?

 

I tried following without it, but I'm getting the following error:

`error writing cert to /home/nonroot/.cloudflared/cert.pem: open /home/nonroot/.cloudflared/cert.pem: permission denied`

 

I know that `/home/nonroot/` doesn't exist in my filesystem, am I supposed to create it?

 

Then I read something on here that if I use the dockerized container, I'm supposed to use some UUID/token in the advanced settings. I saw that, but where do I get that from? Do I have to create a tunnel first through cloudflare's site?


I just followed the ibracorp video and have it up and running. My only change was to the config. I have the following...

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - service: https://REVERSEPROXYIP:PORT
    originRequest:
      noTLSVerify: true

#forward all traffic to Reverse Proxy w/ SSL and no TLS Verify
#ingress:
#  - service: https://REVERSEPROXYIP:PORT
#    originRequest:
#      noTLSVerify: true

# forward all traffic to reverse proxy over http
#ingress:
#  - service: http://REVERSEPROXYIP:PORT

I kept getting errors with "originServerName: yourdomain.com" in my config.

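An added offline sanity check for an ingress section like the one in the post above (example code written for this thread, not part of cloudflared or the aeleos template): it flags a missing catch-all rule, services that are not http(s) URLs, origins on a Docker network address, and the trade-off between noTLSVerify and originServerName that several posts here trip over. The config is taken as an already-parsed dict (a real run would load config.yaml with PyYAML first); SAMPLE_CONFIG is a constructed copy of the active block with 192.168.1.107:8001 as the origin.

```python
# Offline sanity checks for a cloudflared ingress section.  Added example, not
# cloudflared or template code; the config comes in as an already-parsed dict
# (a real run would load config.yaml with PyYAML first).
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample with the same shape as the active block in the post above.
SAMPLE_CONFIG = {
    "tunnel": "UUID",
    "credentials-file": "/home/nonroot/.cloudflared/UUID.json",
    "ingress": [
        {"service": "https://192.168.1.107:8001",
         "originRequest": {"noTLSVerify": True}},
    ],
}

DOCKER_NETS = ip_network("172.16.0.0/12")  # heuristic: where docker bridges usually live


def check_ingress(config):
    """Return (severity, message) findings for the ingress rules; [] means clean."""
    findings = []
    rules = config.get("ingress")
    if not isinstance(rules, list) or not rules:
        return [("error", "'ingress' must be a non-empty list and appear only once")]
    # cloudflared refuses to start unless the final rule is a hostname-less catch-all.
    if "hostname" in rules[-1]:
        findings.append(("error", "last ingress rule must be a catch-all without a hostname"))
    for i, rule in enumerate(rules):
        service = str(rule.get("service", ""))
        if service.startswith("http_status:"):
            continue  # static response rule, there is no origin to reach
        url = urlsplit(service)
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(("error", f"rule {i}: service '{service}' is not an http(s) URL"))
            continue
        origin = rule.get("originRequest") or {}
        try:
            addr = ip_address(url.hostname)
        except ValueError:
            addr = None  # a container or DNS name such as https://swag:443
        if addr is not None and addr in DOCKER_NETS:
            findings.append(("info", f"rule {i}: {addr} looks like a docker network address, reachable only from containers on that network"))
        if url.scheme == "https" and origin.get("noTLSVerify"):
            findings.append(("warning", f"rule {i}: noTLSVerify disables certificate checks toward the origin"))
        elif url.scheme == "https" and addr is not None and not origin.get("originServerName"):
            findings.append(("warning", f"rule {i}: https to an IP without originServerName, so the origin cert must be valid for that IP"))
    return findings
```

For the real thing, cloudflared's own `cloudflared tunnel ingress validate` checks the syntax; this script only adds the network and TLS hints.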

I'm just going to put this here for anyone else.

 

If you look at the written guide on Ibracorp's website (https://docs.ibracorp.io/cloudflare-tunnel/), the first step they say is to create the appdata directory and give it proper permissions first with the following command:

mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 777 /mnt/user/appdata/cloudflared/

 

Then you can follow the rest of the video.


Update: After a lot more work I'm now able to access my containers through the cloudflare tunnel. Game changer! I think my main problems were some sloppy copy/paste in my nginx.conf file and not paying close enough attention to which port numbers were mapped to http and https in Swag.

 

What's interesting is that I can only get this to work with a tunnel created on the CLI. I've tried twice to use a tunnel created through the cloudflare UI and I can't get that to work. I feel like I tried all the config options in the UI, like different IP addresses and localhost, but I must be missing something. The tunnel is active and I can see in the logs when requests come through, but I just get various error messages depending on which IP I use or localhost. I don't think it really matters, but it bothers me when I can't figure something out. If anyone has this working with a UI-created tunnel, please let me know.

 

Next challenges are figuring out how to enable LAN access with my custom domain and properly securing the external access.

 

-------------------------------------------

 

After a solid 6 hours on this, I throw myself to the mercy of the good people in this great community.  Most of this stuff is new to me, so it is 100% likely to be user error.

 

I followed Ibracorps' guides for setting up the Cloudflare tunnel and configuring swag. I think I have scrapped everything and started over 4 times now. I've also carefully read through this whole topic and tried all the suggestions. I'm getting the "unable to reach the origin service" messages. In a browser, mydomain.com gives me a 502 error.

 

2022-10-04T05:14:46Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=754b6f95f8fb7ab7-LAX originService=https://192.168.1.107:8001

2022-10-04T05:14:46Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" connIndex=3 dest=https://mydomain.com/favicon.ico ip=xxx.xx.xxx.77 type=http

 

Things I've tried:

  • Setting noTLSVerify: true
  • Setting originServerName to subdomain.mydomain.com (subdomain has a valid CNAME record)
  • Trying both http and https for the service

One very simple thing I'd like to confirm is exactly which IP address I should use for the service in the cloudflared config file. My swag port mappings are:

  • 172.18.0.5:443/TCP --> 192.168.1.107:8001
  • 172.18.0.5:80/TCP --> 192.168.1.107:44301

I access my Unraid UI at http://192.168.1.107. I've been assuming I should use the 192.168 IPs as the service (edit: I've also tried the 172.18 IPs). Is that correct?

 

Because most of this is new to me I'm limited in my ability to troubleshoot because I don't know how to tell exactly where in the chain the problem is. Seems like I'm either pointing the tunnel to swag improperly, or I've got a problem with my swag setup that's causing it to not respond. I welcome any and all suggestions.

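As an added example for the recurring "unable to reach the origin service" question in this thread (my code, not cloudflared's and not from any of the posters): a small parser for cloudflared's log lines that counts registered edge connections and groups origin failures by the Go dial error, since each fragment points at a different place in the chain between the container and the proxy. SAMPLE_LOG is constructed from lines quoted above with IPs and cfRay values replaced by placeholders, the INF line is the usual healthy registration message, and the hints in CAUSES are my reading of those errors, not anything cloudflared reports.

```python
# Triage a cloudflared container log: are edge connections registered, and which
# origins fail for which reason?  Added example, not cloudflared code.
import re
from collections import Counter

# Constructed from lines quoted in this thread (IPs and cfRay values replaced by
# placeholders); the INF line is the usual healthy registration message.
SAMPLE_LOG = """\
2022-10-04T05:14:40Z INF Registered tunnel connection connIndex=0 connection=CONNECTION-ID-PLACEHOLDER location=LAX
2022-10-04T05:14:46Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=RAY-PLACEHOLDER-LAX originService=https://192.168.1.107:8001
2022-10-04T05:14:46Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" connIndex=3 dest=https://mydomain.com/favicon.ico ip=EDGE-IP-PLACEHOLDER type=http
2022-04-29T14:47:57Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp ORIGIN-IP:443: connect: no route to host" cfRay=RAY-PLACEHOLDER-LHR originService=https://ORIGIN-IP:443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]{3})\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Go dial-error fragments seen in this thread and where each points in the chain.
CAUSES = [
    ("no route to host", "no network path from the cloudflared container to the origin IP"),
    ("i/o timeout", "packets to the origin are silently dropped (host or cloud firewall)"),
    ("connection refused", "nothing is listening on that origin port"),
    ("EOF", "origin closed the connection: check http vs https on that port and the proxy"),
]


def parse_line(line):
    """Split one log line into timestamp, level, free text and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first = KV_RE.search(rest)  # free text is whatever precedes the first key=value
    return {"ts": m.group("ts"), "level": m.group("level"),
            "msg": rest[: first.start()].strip() if first else rest.strip(),
            "fields": {k: q or v for k, q, v in KV_RE.findall(rest)}}


def diagnose(error_text):
    return next((hint for needle, hint in CAUSES if needle in error_text), "unclassified")


def triage(log_text):
    """Count registered edge connections and origin failures by (origin, diagnosis)."""
    registered, failures = 0, Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["level"] == "INF" and rec["msg"].startswith("Registered tunnel connection"):
            registered += 1
        elif rec["level"] == "ERR" and "originService" in rec["fields"]:  # skip duplicate "Request failed" lines
            failures[(rec["fields"]["originService"], diagnose(rec["fields"].get("error", "")))] += 1
    return {"registered": registered, "failures": failures}
```

Feed it the output of `docker logs cloudflared`: a registered count of zero means the tunnel itself never came up, while failures with a registered count above zero mean the tunnel is fine and the problem is on the container-to-origin leg.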
