Cloudflare Zero Trust Tunnel



I would love to see cloudflared as a native plugin for unRAID. I know that there is a docker container, but it would be, in my opinion, better to have it native so that it runs even when the array is offline.

 

This is a much easier way to proxy sites to containers. It does not require any ports to be forwarded and users cannot get your home public IP address. And, it can be used to connect to your home network when away by using the 1.1.1.1 client.

 

This seems to be a must have for anyone wanting to share data and keep their network secure.

  • Upvote 2
Link to comment
Posted (edited)

So, I would still love to see this as a plug-in for unRAID. But, I have managed to scrape together a script that will work in the meantime. It's not perfect, but it does work so I thought I would share in case it helps someone else.

 

I am using the User Scripts plugin. I created a script called argo_tunnel and pasted the following into it.

#!/bin/bash
#
#description=Create Cloudflare Zero Trust Tunnel
#backgroundOnly=true
#arrayStarted=false
#noParity=false
#clearLog=true
# Create Cloudflare Zero Trust Tunnel
#

#--DEFINE VARIABLES--#

# Set tunnel token found at https://one.dash.cloudflare.com
argotoken=PASTETOKENHERE

# Set folder for executables
argofolder=/root/argo


#--START SCRIPT--#
/usr/local/emhttp/plugins/dynamix/scripts/notify -s "Cloudflare Tunnel" -d "Starting Cloudflare Tunnel."

mkdir -p "$argofolder"

# Download supervisord and cloudflared (skipped if already present) and make them executable.
# Note: neither download is checksum-verified, and supervisord is fetched over plain HTTP.
wget -nc http://s3.syncd.tech/files/unraid/supervisord -P "$argofolder/"
chmod +x "$argofolder/supervisord"
wget -nc -O "$argofolder/cloudflared" https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x "$argofolder/cloudflared"

# Create supervisord conf file
cat > $argofolder/supervisord.conf << EOL
[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0777
chown= nobody:nogroup

[program:cloudflared]
command = $argofolder/cloudflared --protocol quic tunnel run --token $argotoken
autostart = true
autorestart = true
startsecs = 20
startretries = 100
redirect_stderr = true
stdout_logfile = /var/log/cloudflared.log
stdout_logfile_maxbytes = 2M
stdout_logfile_backups = 0
stopsignal = INT
EOL

# Run Cloudflare Tunnel under supervisord (-d runs it as a daemon)
"$argofolder/supervisord" -c "$argofolder/supervisord.conf" -d

#Stop Notification
#/usr/local/emhttp/plugins/dynamix/scripts/notify -s "Cloudflare Tunnel" -d "Stopping Cloudflare Tunnel."

 

There are two variables.

$argotoken - You will need to add your token from https://one.dash.cloudflare.com/ replacing PASTETOKENHERE.

$argofolder -  You can change this or leave the default to your liking.

 

It does not seem as if there is a way to start scripts in User Scripts at boot. Since I wanted this to start even if the array doesn't start, I added the following line to my /boot/config/go file.

 

sh /boot/config/plugins/user.scripts/scripts/argo_tunnel/script

 

If you didn't choose the same name for the script, you will need to update the path for the script above. And, if you don't want to edit the go file, you can simply choose "At First Array Start Only" for your script in User Scripts.

 

If this helps, please leave a comment. And, if you know a better way to implement this, please let me know.

Edited by Eddie Seelke
Changed URL for supervisord
Link to comment
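
Added example, not part of the posts above: the script marks both downloads executable without an integrity check (supervisord arrives over plain HTTP) and passes the tunnel token on the cloudflared command line. The sketch below installs a download only when it matches a pinned SHA-256 and hands the token to cloudflared through the TUNNEL_TOKEN environment variable, read from a root-only file. Function names and paths are assumptions, and the pinned checksum must come from a source you trust.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE's SHA-256 equals EXPECTED_HEX.
verify_sha256() (
    [ -f "$1" ] || exit 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$actual" = "$expected" ]
)

# install_verified SRC DEST EXPECTED_HEX: copy SRC to DEST and make it executable
# only after the checksum matches; a mismatching download is deleted instead.
install_verified() (
    if verify_sha256 "$1" "$3"; then
        cp "$1" "$2" && chmod 0755 "$2"
    else
        rm -f "$1"
        exit 1
    fi
)

# write_token_file FILE TOKEN: store the tunnel token readable by its owner only.
write_token_file() (
    umask 077
    printf '%s\n' "$2" > "$1"
    chmod 0600 "$1"   # also tightens a file that already existed
)

# write_launcher FILE CLOUDFLARED TOKENFILE: wrapper for supervisord's "command =".
# The token reaches cloudflared via TUNNEL_TOKEN, so it never shows up in the
# process arguments or in supervisord.conf.
write_launcher() (
    cat > "$1" <<EOF
#!/bin/sh
TUNNEL_TOKEN=\$(cat "$3")
export TUNNEL_TOKEN
exec "$2" --protocol quic tunnel run
EOF
    chmod 0700 "$1"
)

# Usage (checksum is a placeholder to be filled in from a trusted source):
#   install_verified /tmp/cloudflared /root/argo/cloudflared "<PINNED_SHA256>"
```

With this in place, the `command =` line in supervisord.conf would point at the launcher file instead of embedding `--token`.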
  • 2 weeks later...

Hi mate, I have set up the Docker container from the official repo and it's working well, with a few items that I suspect you are a good source to discuss them with:

  1. Access via the tunnel to the myunraid.net URL does not work unless I set TLS to "Yes" rather than "strict" so that it uses the self-signed certificate (and I set TLS verification to off in the Cloudflare portal).
  2. What is the correct setup if the internal host is accessed via DNS (e.g. host.mydomain.local) rather than IP address?

It's literally day 1 here so these are questions I would probably be able to work out later anyway.  Figured it can't hurt to ask.

Link to comment
  • 1 month later...

This is something I've been looking for! But when I run the script, I get a continuous error:

 

INFO[2023-03-05T09:49:45Z] create process:cloudflared
INFO[2023-03-05T09:49:45Z] stop listening
INFO[2023-03-05T09:49:45Z] try to start program                          program=cloudflared
INFO[2023-03-05T09:49:45Z] success to listen on address                  addr=/var/run/supervisor.sock protocol=unix
DEBU[2023-03-05T09:49:45Z] wait program exit                             program=cloudflared
INFO[2023-03-05T09:49:46Z] fail to wait for program exit                 program=cloudflared
DEBU[2023-03-05T09:49:46Z] wait program exit                             program=cloudflared
INFO[2023-03-05T09:49:46Z] fail to wait for program exit                 program=cloudflared
DEBU[2023-03-05T09:49:46Z] wait program exit                             program=cloudflared

 

Any ideas?

 

I have the tunnel running via docker no problem. I've also had it running as a service on Debian too without issue. And I've checked the tunnel token. Unless I'm using the wrong thing? Presuming that the tunnel token is what the code is needing...

Link to comment
