Traffic is not reaching my server through the Zero Trust Tunnel.
The tunnel is healthy, the domain is online, and the server is correctly bound to the destination IP and Port I have set, but I cannot connect to my server.
What am I doing wrong?
28 Replies
For Arbitrary TCP, you need to install and use cloudflared access locally https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
Cloudflared is running on my end
you're running something like:
and then trying to connect via localhost:25559?
By locally I mean on the client machine. The server runs cloudflared and the tunnel itself, each client needs to run that to access the resource
or you can use Private Networking and have the client run WARP (VPN)
Is there no way to have people able to simply connect to poz3.tonatsi.uk without installing cloudflared themselves?
I don't care about security as my application has its own authentication systems in place
No
Cloudflare would have to provide your tunnel with a unique IPv4 (expensive) and also provide l4/l3 ddos protection
Cloudflare does have Spectrum, a reverse proxy for TCP/UDP, but you'd need the Enterprise version to use it with any port, and it has no integration with Tunnels
Tunnels work with http/https applications out of the box because they just go through the normal http proxy
and I assume I have no way to open a reverse ssh tunnel to this domain, as cloudflare does not actually host servers? (Using Cloudflare only)
You mean proxying ssh?
I'm not entirely sure of the terminology. I used reverse tunnel services like Ngrok and Serveo
Serveo is no longer working for me for an unknown reason, and I reached my cap for Ngrok
ah you mean like local/remote port forwarding
to bypass my CG-NAT, yes
nothing like that sadly
tunnels work great for http apps but yea can't just expose generic tcp/udp stuff without having the client run software
It feels really weird that a random service like Serveo works with exposing arbitrary ports through reverse SSH and yet Cloudflare doesn't
Though it makes more sense when I remember that Cloudflare is specifically for websites
They just weren't built for it, yea originally tunnels were part of the Argo Smart Routing offering designed to speed up websites
plus CF would have to protect their network/give you free DDoS protection (which you would otherwise need Enterprise Spectrum to get), and the cost of IPv4s is expensive
I don't feel like either of those should be necessary
even cloudflared access works just by tunneling TCP over a websocket lol
wydm? They have to protect their network, otherwise it would impact other services on it. If they didn't give you a unique IP, they'd have no idea where to send traffic to.
How else does the tunnel know where to send traffic to?
What's preventing them from re-using that?
(Genuine question, I'm curious)
HTTP proxies work without unique IPs because they support it at the application level; as part of connecting, the hostname is exposed (with HTTPS it's using SNI, part of TLS; with HTTP it's just the Host header)
Basically Cloudflare's proxy understands the HTTP protocol, and as part of it, it exposes the hostname it's trying to reach. So it can serve the right certificate and content
Oh, I see
They could in theory support more applications like that. But that would be a lot of work, and some don't expose an identifier like that
So cloudflare doesn't need to manage specifically website traffic because the underlying firmware/hardware supports specifically that
That makes sense
ehh it's more like they specifically have a part of their proxy just for handling http that understands the protocol, and the protocol supports that
yeah
Either way it's outside of the 'jurisdiction' of the rest of the services
all you get out of a normal connection is src ip, src port, dst ip, dst port.
iirc some services do stuff where they randomly allocate ports, using that to identify, but it's kind of a poor experience and would still require CF to give L3/L4 DDoS protection, which is otherwise Enterprise only
(CF Spectrum, CF's tcp/udp reverse proxy, offers a few select protocols for non-enterprise but it's crazy expensive, more of a trial lol, $1/gb)
alright then
Having cloudflared installed on every client isn't ideal but also not impossible; are there free alternatives you know of that I can use for bypassing CG-NAT?
Is this for minecraft or something more generic?
Yes, I'm self-hosting multiple servers on the same device and I want to be able to expose them all simultaneously
Maybe https://playit.gg/ ? I haven't tried it myself but other people have recommended it/talked about it, I think that would do what you're looking for and includes 4 servers for free/unlimited if you use bungeecord
I'll check it out
While it's not ideal, it is immediately working, thank you.
It sucks that I need to pay them 30€ a year for the privilege of routing the traffic through my own hostname