[Support] aeleos - cloudflared tunnels


2 hours ago, SiRMarlon said:

So did anyone ever figure out how to address this issue? My logs are getting full of these errors and I've tried everything that everyone has suggested, to no avail. Everything is working and connecting just fine.

 


If anyone is curious... I got my errors fixed, and my log has been clear of errors for the past hour with no issues. Make sure you guys only have one ingress rule in your config.yml file.

 


Also make sure you have all your sub-domain CNAMEs set up and pointed in the right direction.

 


And verify that you have everything good to go with NPM. One key thing was that I switched all my certificates to the Cloudflare-provided ones and moved away from LetsEncrypt. I think this might have been the key, because I had a mix of LetsEncrypt certs and Cloudflare certs.

 


After I cleaned all this up, the errors in my logs are gone.

 


Edited by SiRMarlon
On 8/22/2022 at 2:04 AM, diehardbattery said:

If I want to bypass the tunnel for a particular subdomain, is it as easy as setting said subdomain to DNS only, assuming the tunnel passes everything to SWAG/NPM?

 

I am going to bump this question, as it didn't get answered and I am wondering the same thing. I've been searching for a solution (or whether there just is no solution) before I install this.

 

I would like to run all but my Plex server through the tunnel. I have an NPM and Cloudflare setup, with everything but Plex cached in the Cloudflare DNS setup. All share the same domain, with separate subdomains. With Plex set to "DNS Only" in Cloudflare, will the traffic still go through the tunnel or not? And if it will go through the tunnel, is there a way to configure it not to?


 

On 8/22/2022 at 2:04 AM, diehardbattery said:

If I want to bypass the tunnel for a particular subdomain, is it as easy as setting said subdomain to DNS only, assuming the tunnel passes everything to SWAG/NPM?

 

On 10/18/2022 at 9:53 AM, ConnerVT said:

I am going to bump this question, as it didn't get answered and I am wondering the same thing. I've been searching for a solution (or whether there just is no solution) before I install this.

 

I hate to bump my last post, but I would truly love to figure this out.

 

If there isn't anyone who can answer, I'll spend some time finding out. But that brings me to another question:

 

Is there an (easy) way to determine which accesses are coming through the tunnel into my server vs. those which are not from the tunnel? If there is, I would set this up and try several configurations, accessing my server from outside my local network.

  • 2 weeks later...

Hi, 

 

I am getting this error when trying to install cloudflared. I actually can't even get the container to run and stay open, and when I try to download the certs I get the permissions error. Does anyone have any experience with how I might try to fix it?

 

Thanks


 

Edited by micci
5 hours ago, micci said:

Hi, 

 

I am getting this error when trying to install cloudflared. I actually can't even get the container to run and stay open, and when I try to download the certs I get the permissions error. Does anyone have any experience with how I might try to fix it?

 

Thanks


Looks like a permissions issue. Did you see this post?

  • 4 weeks later...

Hello! I'm on the step of installing the Docker container. I edited the config.yaml and put my UUID in the correct places. When I start the cloudflared container, it keeps restarting with this:

 

Use `cloudflared tunnel run` to start tunnel XXXXXX-XXXX-XXX (where the X's are my UUID)

 

I removed the restart argument and it just runs, posts that message in the log file, and stops. Can someone help me with this one? I've tried redoing the container a few times. Thanks!

  • 2 weeks later...
On 11/28/2022 at 6:32 AM, HellraiserOSU said:

Hello! I'm on the step of installing the Docker container. I edited the config.yaml and put my UUID in the correct places. When I start the cloudflared container, it keeps restarting with this:

 

Use `cloudflared tunnel run` to start tunnel XXXXXX-XXXX-XXX (where the X's are my UUID)

 

I removed the restart argument and it just runs, posts that message in the log file, and stops. Can someone help me with this one? I've tried redoing the container a few times. Thanks!

 

Double check your config file. I have seen this when there is more than one ingress rule/host. Make sure your config file looks like this:

 

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

# NOTE: You should only have one ingress tag, so if you uncomment one block, comment out the others

# forward all traffic to reverse proxy w/ SSL
ingress:
  - service: https://REVERSEPROXYIP:PORT
    originRequest:
      originServerName: sub.yourdomain.com

# forward all traffic to reverse proxy w/ SSL and no TLS verify
#ingress:
#  - service: https://REVERSEPROXYIP:PORT
#    originRequest:
#      noTLSVerify: true

# forward all traffic to reverse proxy over http
#ingress:
#  - service: http://REVERSEPROXYIP:PORT

 

 

 

On 10/12/2022 at 3:17 AM, SiRMarlon said:

 

If anyone is curious... I got my errors fixed, and my log has been clear of errors for the past hour with no issues. Make sure you guys only have one ingress rule in your config.yml file.

 

 

Hello,

What version of the container are you running?


I'm trying to set up the tunnel and I have 2 questions.

It's partially working:

- browser (filebrowser) is working

- netdata isn't working, I get the Cloudflare host error

- pihole2 isn't working, I get a "No webpage was found for the web address" error


 

So that's the first question: what's going on? All the addresses in "service" are good.

I tried in an incognito browser to avoid cache problems.

 

My second question is: how can I use the tunnel both for things that have their own IP (e.g. filebrowser) and for others that use the Unraid server IP (192.168.1.50 is the Unraid server)?

 

 

Thanks!

 

  • 5 weeks later...

I have purchased a domain and set up the Cloudflared tunnel. I am using SWAG as the reverse proxy. I have edited the app.subdomain.conf files for several things, and I have some endpoints accessible from the outside world and some that are not. This is what I am trying to fix.

 

I have two Unraid servers and the Cloudflared Docker is installed on my "dataserver". I have a few other Dockers and two VMs which I want to be able to access through the tunnel. I cannot access the VMs or the one AdGuard Docker on this machine that I want to, despite having tried many things. I am, however, able to access my backup AdGuard instance (which is running on a Raspberry Pi) fine through the Cloudflared tunnel. I have configured both the main and backup Cloudflare tunnels the same except for their specific IPs, so I do not understand why one works and the other does not. I do have separate subdomain.conf files for each.

 

I was also hoping to access the "VM Console (VNC)" for one of the two VMs on this Unraid server, but I cannot figure out how to configure this. I also cannot access a VM on the second Unraid server. Again, I do not know how to configure access to the "VM Console (VNC)" on that VM. Any help on this would be appreciated.

 

I can access my main router from outside the network fine through router.my_domain.com, and that works. I can also access some Dockers on my second Unraid server "mediaserver", including Plex, Nextcloud, Guacamole and Vaultwarden, but I cannot access others like my FreePBX Docker.

 

 

Edited by Shesakillatwo

Question(s) on setting up a Cloudflare tunnel and the ingress configuration using https://github.com/aeleos/cloudflared. It notes that the documentation is for legacy tunnels, and that for 'current' tunnels you can follow the official CF guide and then create tunnels and routes through the CF panel. Does this mean you don't need to create a config.yaml file to configure the tunnel, etc., and all configuration can be done on the Cloudflare portal (dash.cloudflare.com) under Access > Tunnels > modify tunnel configuration? Does anyone have documentation on setting up 'current' tunnels with ingress configuration, etc.?

2 minutes ago, wgstarks said:

I'm going to be relocating my Unraid server soon to an area where all my ISP options will be using CG-NAT, so I'm looking for a way to work around that (primarily for Plex). Can I accomplish it with this Docker and a free Cloudflare account?

As far as I'm aware, you shouldn't be putting stream traffic through Argo Tunnel. Apparently it's in the T&C somewhere.

 

As an alternative, maybe look into Tailscale to set up an exit node somewhere and create an encrypted connection between your Plex clients and server.

1 minute ago, LeoRX said:

As an alternative, maybe look into Tailscale to set up an exit node somewhere and create an encrypted connection between your Plex clients and server.

Thanks. I can run Tailscale on my pfSense firewall (IIRC), but I'll need to figure out the "set up an exit node somewhere" part. Not sure what that means?

18 minutes ago, wgstarks said:

Thanks. I get it. Pay for a VPS and point the tunnel there. That way anyone can access Plex at that IP address.

You could look into putting a Raspberry Pi at someone's house or running a free tier on Oracle Cloud. Not sure what the data charge is for the latter.

  • 2 weeks later...

First, a thanks for this Docker. I have it set up and running perfectly on my server, with NPM then proxying services both on my server and throughout my network. I followed the (original) IBRACORP video (s/o for that as well).

 

My questions are not directly related to the Docker container, but I've been poring over Cloudflare docs and searching the internet, and still haven't found an answer.

 

As I said, I currently have Cloudflared running on my server. My Cloudflare DNS has a CNAME with Name domain.org and Content <UUID>.cfargotunnel.com. The rest of my CNAME entries are subdomain and domain.org. I no longer have an A record, as I already have a domain.org record. So far, so good.

 

What I want to do is add a tunnel on a different machine. It needs to be up and accessible when the Unraid server (with NPM) is unavailable. I wish to access this server as admin.domain.org.

 

The current .yaml file on the server has originServerName: domain.org, as NPM is handling all of the subdomain routing (at least, that's what I think is happening). But I suspect it will get confused if I also add a tunnel on another machine (with the same <UUID>).

 

This is what I think I need to do. Please check my reasoning, and tell me if there is a more elegant way of doing this:

  • Update the .yaml file on the server with individual entries for each subdomain it is proxying. The service: https://REVERSEPROXYIP:PORT remains the same as currently configured.
  • Install/configure Cloudflared on the additional system, using the same tunnel <UUID> as on the server. Configure this .yaml file with the appropriate service: https://REVERSEPROXYIP:PORT and originServerName: admin.domain.org. Add this CNAME record to my DNS.

 

Am I on the right path? I appreciate any feedback that is offered.

On 1/16/2023 at 1:28 PM, dcteal said:

Question(s) on setting up a Cloudflare tunnel and the ingress configuration using https://github.com/aeleos/cloudflared. It notes that the documentation is for legacy tunnels, and that for 'current' tunnels you can follow the official CF guide and then create tunnels and routes through the CF panel. Does this mean you don't need to create a config.yaml file to configure the tunnel, etc., and all configuration can be done on the Cloudflare portal (dash.cloudflare.com) under Access > Tunnels > modify tunnel configuration? Does anyone have documentation on setting up 'current' tunnels with ingress configuration, etc.?

I have this same question. I must be naive or stupid, because the "Note" on the guide page for Current Tunnels makes it seem like such a simple thing. After playing around, I clearly have no idea what I'm doing because I can't get it to work. Please let me know if you get an answer to this question or figure it out yourself.

  • 1 month later...
On 2/6/2022 at 11:14 AM, portonalga said:

 

@kakmoster change your config.yaml to a subdomain again. It just won't work with the root domain, at least not with NPM and the streamlined process I followed to set up the CloudflareD Docker service. This is the link to the instructions I followed, which work like a charm.

 

Well, I have to apologize once again, because as it happens, the problem was not Cloudflare, or any of the Dockers, or certificates, or anything related to technology at all.

 

It was, as it is 90% of the time, a user error, because the user (me) was ignorant and chose to remain ignorant.

 

Since I had never used NPM, I basically added everything just like I added Nextcloud, which is accessible over HTTPS, without even giving it any mind.

 

As you see in my first post asking for help, I have ALL of the instances on HTTPS:

image.png.3ddab6123bdaa3549f57e6d164ec9994.png

 

So, I started thinking "maybe these Dockers and services don't work over HTTPS, and the tunnel and NPM are what's going to secure them over HTTPS". Lo and behold, now all of them work (with the exception of my pfSense; I haven't figured that one out yet, but I know I'm keeping it on HTTP until I figure it out).

 

The solution? Here it is:

Solution.thumb.png.9058a5e8e8767a9a1bc6dba0da0b78d8.png

 

Having said that, as I mentioned at the start of my post, I want to apologize to everyone in this thread, especially to @LeoRX and @aeleos, for making you waste your time.

 

This networking and security path is tricky, and I thank God that the community is (for the most part) so tightly knit and willing to help each other.

 

You guys are a blessing, thank you so much for helping me out. At the very least, your comments and suggestions led me to look deeper into it and finally figure it out.

 

This is why the saying "Give a man a fish..." is so true. I am certain that if someone had given me the answer from the get-go, I would just have done it and been done with it. But then I would never have tried to look around, research, and finally come up with a solution by myself (after all the input and suggestions from the great folks here), which means I would still be ignorant of some stuff that I now understand much better.

 

What endpoint do you point to in your cloudflared/config.yml? I ask because I made these changes in NPM and used http instead of https for each host. However, if I point to the NPM endpoint using the following:
ingress:
  - service: https://192.168.1.20:18443
    originRequest:
      originServerName: MYDOMAIN.com

I get the following error in the Cloudflared tunnel log:

ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: unrecognized name" connIndex=3 dest=https://app.domain.com/favicon.ico event=0 ip=198.41.192.77 type=http

 

But if I point to an http endpoint in my cloudflared/config.yml like so:

 

ingress:
  - service: http://192.168.1.20:1880
    originRequest:
      originServerName: MYDOMAIN.com

 

Everything works. But this doesn't seem to be secure to me.

 

Additional note:

Pretty sure this is a TLS issue. When I add noTLSVerify: true to my config file, it works when connected to my https port. I am not understanding why this is the case. I created a client certificate in Cloudflare and added it as a custom cert in NPM. What am I doing wrong? This has to be something stupid simple.

@aeleos

Edited by jhartley
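Several posts in this thread come back to the same ingress-rule confusions: the one-rule config posted above, ConnerVT's plan to list one entry per subdomain, and the noTLSVerify: true workaround in the previous post. The following is an added example, not code from the aeleos/cloudflared project, that checks an ingress rule list for ordering mistakes and weak settings; it models the config as the dict a YAML parser would return, and the hostnames and 192.0.2.x addresses are constructed placeholders.

```python
"""Check cloudflared ingress rules for ordering errors and weak settings.

Added example, not aeleos/cloudflared code. The config is the dict a YAML
parser would return, so a duplicated top-level `ingress:` key (warned about
in the posted config) cannot even be expressed here. Ordering checks follow
cloudflared's documented ingress semantics; the risk findings are my own.
"""


def check_ingress(config):
    """Return (level, message) findings for the rules in config['ingress']."""
    findings = []
    rules = config.get("ingress") or []
    if not rules:
        return [("error", "no ingress rules: nothing will be routed")]
    for i, rule in enumerate(rules):
        last = i == len(rules) - 1
        service = rule.get("service", "")
        filtered = "hostname" in rule or "path" in rule
        if not last and not filtered:
            # A bare rule matches every request, so later rules never run.
            findings.append(("error", f"rule {i}: non-final rule needs hostname/path"))
        if last and filtered:
            findings.append(("error", f"rule {i}: final rule must be a catch-all"))
        if service.startswith("http://"):
            findings.append(("warn", f"rule {i}: {service} is plaintext to the origin"))
        if rule.get("originRequest", {}).get("noTLSVerify"):
            # Hides a certificate/SNI mismatch instead of fixing the origin cert.
            findings.append(("warn", f"rule {i}: noTLSVerify disables origin cert checks"))
    return findings


# Constructed configs mirroring the patterns discussed in the thread.
SINGLE_RULE = {"ingress": [  # the one-rule layout posted above
    {"service": "https://192.0.2.20:18443",
     "originRequest": {"originServerName": "example.com"}},
]}
PER_SUBDOMAIN = {"ingress": [  # one rule per hostname, then a catch-all
    {"hostname": "admin.example.com", "service": "https://192.0.2.30:443",
     "originRequest": {"originServerName": "admin.example.com"}},
    {"hostname": "*.example.com", "service": "https://192.0.2.20:18443",
     "originRequest": {"originServerName": "example.com"}},
    {"service": "http_status:404"},
]}
BROKEN = {"ingress": [  # two bare rules: second is unreachable, first skips TLS checks
    {"service": "https://192.0.2.20:18443", "originRequest": {"noTLSVerify": True}},
    {"service": "http://192.0.2.20:1880"},
]}

if __name__ == "__main__":
    for name, cfg in [("single", SINGLE_RULE), ("per-subdomain", PER_SUBDOMAIN), ("broken", BROKEN)]:
        print(name, check_ingress(cfg) or "ok")
```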
