Cloudflare Zero Trust Tunnel



I would love to see cloudflared as a native plugin for unRAID. I know that there is a docker container, but it would be, in my opinion, better to have it native so that it runs even when the array is offline.

 

This is a much easier way to proxy sites to containers. It does not require any ports to be forwarded and users cannot get your home public IP address. And, it can be used to connect to your home network when away by using the 1.1.1.1 client.

 

This seems to be a must have for anyone wanting to share data and keep their network secure.


So, I would still love to see this as a plug-in for unRAID. But, I have managed to scrape together a script that will work in the meantime. It's not perfect, but it does work so I thought I would share in case it helps someone else.

 

I am using the User Scripts plugin. I created a script called argo_tunnel and pasted the following into it.

#!/bin/bash
#
#description=Create Cloudflare Zero Trust Tunnel
#backgroundOnly=true
#arrayStarted=false
#noParity=false
#clearLog=true
# Create Cloudflare Zero Trust Tunnel
#

#--DEFINE VARIABLES--#

# Set tunnel token found at https://one.dash.cloudflare.com
argotoken=PASTETOKENHERE

# Set folder for executables (/root is in RAM on unRAID, so this is rebuilt on every boot)
argofolder=/root/argo


#--START SCRIPT--#
/usr/local/emhttp/plugins/dynamix/scripts/notify -s "Cloudflare Tunnel" -d "Starting Cloudflare Tunnel."

mkdir -p "$argofolder"

# Download supervisor and cloudflared and make executable (-nc skips the download if the file already exists)
wget -nc https://m1l7.c18.e2-3.dev/files/unraid/supervisord -P "$argofolder/"
chmod +x "$argofolder/supervisord"
wget -nc -O "$argofolder/cloudflared" https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x "$argofolder/cloudflared"

# Create supervisord conf file (the unquoted EOL lets $argofolder and $argotoken expand into the file)
cat > "$argofolder/supervisord.conf" << EOL
[unix_http_server]
file = /var/run/supervisor.sock
; the script runs as root, so the control socket does not need to be world-writable
chmod = 0700
chown = nobody:nogroup

[program:cloudflared]
command = $argofolder/cloudflared --protocol quic tunnel run --token $argotoken
autostart = true
autorestart = true
startsecs = 20
startretries = 100
redirect_stderr = true
stdout_logfile = /var/log/cloudflared.log
stdout_logfile_maxbytes = 2M
stdout_logfile_backups = 0
stopsignal = INT
EOL

# Run Cloudflare Tunnel (-d runs supervisord as a daemon)
"$argofolder/supervisord" -c "$argofolder/supervisord.conf" -d

# Stop Notification
#/usr/local/emhttp/plugins/dynamix/scripts/notify -s "Cloudflare Tunnel" -d "Stopping Cloudflare Tunnel."

 

There are two variables.

$argotoken - You will need to add your token from https://one.dash.cloudflare.com/, replacing PASTETOKENHERE.

$argofolder - You can change this or leave the default to your liking.

 

It does not seem as if there is a way to start scripts in User Scripts at boot. Since I wanted this to start even if the array doesn't start, I added the following line to my /boot/config/go file.

 

sh /boot/config/plugins/user.scripts/scripts/argo_tunnel/script

 

If you didn't choose the same name for the script, you will need to update the path for the script above. And, if you don't want to edit the go file, you can simply choose "At First Array Start Only" for your script in User Scripts.

 

If this helps, please leave a comment. And, if you know a better way to implement this, please let me know.

Edited by Eddie Seelke
Changed URL for supervisord
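As an added example (not the thread author's script), here is a hardened variant of the same argo_tunnel User Script: it refuses to start while the token is still the placeholder, checks the downloaded cloudflared binary against a pinned SHA-256 before executing it, passes the token through the environment instead of the command line so it does not appear in `ps` output, and keeps the supervisord control socket root-only. It assumes the supervisord binary is already in $argofolder and accepts the same [program:x] keys plus "environment", that cloudflared reads TUNNEL_TOKEN from the environment, and that CLOUDFLARED_SHA256 is a placeholder you replace with the digest you pinned.

```shell
# Added example, not the thread author's script: hardened argo_tunnel variant.
# Assumed: supervisord is already in $argofolder and accepts "environment";
# cloudflared reads TUNNEL_TOKEN; CLOUDFLARED_SHA256 is a placeholder to pin.
set -eu
argofolder="${ARGO_FOLDER:-/root/argo}"
argotoken="${TUNNEL_TOKEN:-PASTETOKENHERE}"
CLOUDFLARED_SHA256="PIN_EXPECTED_SHA256_HERE"   # placeholder, not a real digest

# Refuse to start with an empty or unedited token.
check_token() {
  case "$1" in ""|PASTETOKENHERE) return 1 ;; esac
}

# Compare a downloaded binary against the pinned SHA-256 before executing it.
verify_sha256() {   # $1=file $2=expected hex digest
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Render supervisord.conf to stdout: the token goes in the environment rather
# than on the command line (so it is not visible in `ps`), and the control
# socket is root-only instead of world-writable (0777).
render_conf() {   # $1=folder $2=token
  cat <<EOL
[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0700
[program:cloudflared]
command = $1/cloudflared --protocol quic tunnel run
environment = TUNNEL_TOKEN="$2"
autostart = true
autorestart = true
redirect_stderr = true
stdout_logfile = /var/log/cloudflared.log
stopsignal = INT
EOL
}

install_and_run() {
  check_token "$argotoken" || { echo "set TUNNEL_TOKEN first" >&2; exit 1; }
  mkdir -p "$argofolder"
  wget -q -O "$argofolder/cloudflared.tmp" \
    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
  verify_sha256 "$argofolder/cloudflared.tmp" "$CLOUDFLARED_SHA256" || exit 1
  mv "$argofolder/cloudflared.tmp" "$argofolder/cloudflared" && chmod 0755 "$argofolder/cloudflared"
  render_conf "$argofolder" "$argotoken" > "$argofolder/supervisord.conf"
  chmod 0600 "$argofolder/supervisord.conf"   # the token is inside this file
  "$argofolder/supervisord" -c "$argofolder/supervisord.conf" -d
}
# Only install when invoked with "install"; sourcing just defines the functions.
if [ "${1:-}" = "install" ]; then install_and_run; fi
```

Run it as `sh script install` from the go file (or from User Scripts) with TUNNEL_TOKEN exported; without the argument it only defines the functions, which is what lets the checks below be exercised offline.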
  • 2 weeks later...

Hi mate, I have set up the Docker container from the official repo and it's working well, with a few items that I suspect you are a good source to discuss with:

  1. Access via the tunnel to the myunraid.net URL does not work unless I set TLS to "Yes" rather than "strict" so that it uses the self-signed certificate (and I set TLS verification to off in the Cloudflare portal).
  2. What is the correct setup if the internal host is accessed via DNS (e.g. host.mydomain.local) rather than IP address?

It's literally day 1 here so these are questions I would probably be able to work out later anyway. Figured it can't hurt to ask.
  • 1 month later...

This is something I've been looking for! But when I run the script, I get a continuous error:

 

INFO[2023-03-05T09:49:45Z] create process:cloudflared
INFO[2023-03-05T09:49:45Z] stop listening
INFO[2023-03-05T09:49:45Z] try to start program                          program=cloudflared
INFO[2023-03-05T09:49:45Z] success to listen on address                  addr=/var/run/supervisor.sock protocol=unix
DEBU[2023-03-05T09:49:45Z] wait program exit                             program=cloudflared
INFO[2023-03-05T09:49:46Z] fail to wait for program exit                 program=cloudflared
DEBU[2023-03-05T09:49:46Z] wait program exit                             program=cloudflared
INFO[2023-03-05T09:49:46Z] fail to wait for program exit                 program=cloudflared
DEBU[2023-03-05T09:49:46Z] wait program exit                             program=cloudflared

 

Any ideas?

 

I have the tunnel running via docker no problem. I've also had it running as a service on debian too without issue. And I've checked the tunnel token. Unless I'm using the wrong thing? Presuming that the tunnel token is what the code is needing...
  • 2 months later...
20 hours ago, jbrukardt said:

wget -nc http://s3.syncd.tech/files/unraid/supervisord

 

^^ this seems to be an invalid URL

 

 

Sorry, I had switched to iDrive recently.

Change the URL to https://m1l7.c18.e2-3.dev/files/unraid/supervisord

The first URL will also work if you use https. But, if I forget to update the SSL certificate, which expires every three months, it might fail. The dev URL should always work.

 


The issue here is that not everyone is comfortable with Cloudflare tunnels. Some prefer traditional VPN, some Tailscale, etc.

Equally, in order for the tunnel software to remain compatible, regular updates are needed. Unraid just isn't updated often enough for that to be possible.

 

It would make more sense, IMO, to decouple the docker daemon running from the array.

As an example, I run my docker images from a dedicated cache drive.
For stateless containers like Cloudflared, it does not need or use storage beyond the image to start from; there is no need for the array in this case.

 

Decoupling as such gives that flexibility for truly stateless containers to run without the array, without forcing a specific ongoing "feature" requirement on the Unraid dev team.

2 hours ago, boomam said:

Decoupling as such gives that flexibility for truly stateless containers to run without the array, without forcing a specific ongoing "feature" requirement on the Unraid dev team.

 

I'm not sure I follow. I don't believe there is anything in this thread specifying that the unRAID dev team should create a cloudflared plugin.

 

The script I made allows you to run the cloudflared tunnel without needing the array up and running. It does not update itself while running, but does get the latest version every time it starts.

 

If I had the skillset, I would be happy to make an installable plugin for unRAID that would do this without having to use this script. However, if someone wanted to take my hodgepodge script as an example and create said plugin, I would be happy to help in any way I can.

  • 1 month later...
On 6/6/2023 at 11:55 AM, Eddie Seelke said:

 

I'm not sure I follow. I don't believe there is anything in this thread specifying that the unRAID dev team should create a cloudflared plugin.

 

 

You said twice in your first 2 posts....
 

On 1/4/2023 at 2:34 PM, Eddie Seelke said:

I would love to see cloudflared as a native plugin for unRAID.

 
