Unable To Use DERP On Cloudflare Tunnel

Recently I have set up my home server to use a Cloudflare tunnel, allowing me to access Coder via a zero trust verification process on the public internet, or immediately when connecting to the respective Cloudflare private network. This is highly convenient for me; however, I noticed in the health tab that my performance may be degraded since the "Upgrade: DERP" header may be blocked on the load balancer. This is clearly due to the Cloudflare tunnel, however I couldn't see a solution in the Cloudflare dashboard. I wondered if anybody knew how to allow specific headers on the Cloudflare network. Thank you
16 Replies
Codercord (7mo ago)
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Atif (7mo ago)
GitHub
SSH to workspace not working anymore with Cloudflare proxying enabl...
From one day to the other I cannot connect to my workspace via SSH anymore. I can SSH into other containers but my main workspace is not connecting. I downgraded, rebooted the whole instance, resta...
Stephen (OP, 7mo ago)
Yea, it seems like the same issue with Cloudflare stripping data required to switch to the DERP protocol; however, the solutions listed appeared to just involve disabling Cloudflare proxying (impossible when using tunnels, for obvious reasons) or sending DERP packets outside of the proxy, which wouldn't work with my use case, since if I were to bypass the tunnel there would be next to no benefit to having the tunnel.
Atif (7mo ago)
Can you open a new issue?
Stephen (OP, 7mo ago)
I can do, but I feel as if this is a Cloudflare issue, or even maybe a configuration issue, not a bug with Coder. But if you think it's helpful for the development of Coder, I can.
Atif (7mo ago)
I am not sure if it's a bug. Just to clear things up, I assume you followed this process:
1. Running Coder locally on a home server
2. Exposing it to the Cloudflare Zero Trust network with a cloudflared tunnel --url localhost:PORT
3. This creates a try.cloudflare URL
4. You link a domain to your tunnel to access it over the public internet
Please clarify if I am missing anything. It's good if you can share all the reproduction steps.
Stephen (OP, 7mo ago)
Not quite. I have set up a docker container running 'cloudflared' using a tunnel token generated from Cloudflare's Zero Trust dashboard, connected to my domain. This docker container is connected to a virtual docker network named 'backend' on my home server, which has all other containers which need access to the tunnel added to it, including Coder. Inside the Zero Trust dashboard I have configured the necessary DNS records for these services; with Coder this is *.mydomain.com -> http://Coder:7080, which is the name of the Coder container on the 'backend' network. The public hostnames are ordered so that the wildcard is the last record, which catches all requests to subdomains which aren't configured. As a result, this lets me use workspace port forwarding while also not having to purchase the advanced SSL certificate from Cloudflare, which is required for 3rd-level domains on the Cloudflare network, e.g. WorkspacePort.coder.mydomain.com. I hope that all makes sense; if you need any clarification about anything, just let me know (:
Atif (7mo ago)
@Steven @Cian could you help debug this? Thank you 🙂
Emyrk (7mo ago)
I do not believe Cloudflare tunneling supports UDP, which is required for DERP to work.
Atif (7mo ago)
The Cloudflare Blog
Extending Cloudflare’s Zero Trust platform to support UDP and Inter...
Last year, we launched a new feature which empowered users to begin building a private network on Cloudflare. Today, we’re excited to announce even more features which make your Zero Trust migration easier than ever.
Atif (7mo ago)
GitHub
💡General Upgrade header support · Issue #990 · cloudflare/cloudfl...
Describe the feature you'd like I attempted to serve my Headscale and Tailscale DERP Servers behind Cloudflare Tunnels, but unfortunately, they are not functioning as expected. The main issue s...
Atif (7mo ago)
Looks like they strip any Upgrade headers.
Emyrk (7mo ago)
@Atif I did see that UDP post; however, it is only for private networks. I have some tunnels set up on public hostnames, and for those, UDP is not supported. @Stephen, reading your first post again, you are trying to make this work from the public internet, and from a private network on Cloudflare?
Solution
Stephen (OP, 7mo ago)
Indeed, I am primarily using public hostnames; the private network is only used in one special case. So it sounds as if the UDP protocol isn't supported when using public hostnames on Cloudflare tunnels, hence Coder cannot use DERP and defaults to using WebSockets. Is that essentially what you are saying?
Emyrk (7mo ago)
@Stephen that is correct.
Stephen (OP, 7mo ago)
ok, thank you everyone for your help (:
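The topology described in this thread (cloudflared and Coder on a shared 'backend' docker network, the tunnel's public hostnames pointing *.mydomain.com at http://Coder:7080, and Coder falling back to WebSockets for DERP), written out as a docker-compose file. This is an added example, not configuration posted by anyone in the thread or shipped by Coder or Cloudflare. The domain mydomain.com, the container name Coder, the TUNNEL_TOKEN and POSTGRES_PASSWORD variables and the database service are assumptions for illustration. The public hostnames themselves (including the wildcard-last ordering) are configured in the Zero Trust dashboard when a tunnel token is used, so they do not appear here. One setting goes beyond what the thread discusses: CODER_DERP_FORCE_WEBSOCKETS tells Coder clients and agents to use the WebSocket DERP transport from the start instead of first attempting the "Upgrade: DERP" handshake that the proxy strips and then falling back.

```yaml
# Added example (not from the thread): cloudflared + Coder behind a Cloudflare
# Tunnel, reachable only through the tunnel. Assumed placeholders: mydomain.com,
# TUNNEL_TOKEN, POSTGRES_PASSWORD, and the container name "Coder".
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    # Token-based tunnel: ingress / public hostnames live in the Zero Trust
    # dashboard, ordered so "*.mydomain.com -> http://Coder:7080" is last.
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN:?set TUNNEL_TOKEN}
    restart: unless-stopped
    networks: [backend]

  database:
    image: postgres:16
    environment:
      POSTGRES_USER: coder
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}
      POSTGRES_DB: coder
    volumes:
      - coder_db:/var/lib/postgresql/data
    restart: unless-stopped
    networks: [backend]

  coder:
    image: ghcr.io/coder/coder:latest
    # Must match the hostname used as the dashboard's service target.
    container_name: Coder
    environment:
      CODER_PG_CONNECTION_URL: postgresql://coder:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@database/coder?sslmode=disable
      CODER_HTTP_ADDRESS: 0.0.0.0:7080
      CODER_ACCESS_URL: https://coder.mydomain.com
      # Second-level wildcard so workspace apps get <app>.mydomain.com and stay
      # within Cloudflare's default certificate coverage (no 3rd-level names).
      CODER_WILDCARD_ACCESS_URL: "*.mydomain.com"
      # The tunnel does not pass the "Upgrade: DERP" header and offers no UDP on
      # public hostnames, so skip the upgrade attempt and use WebSocket DERP.
      CODER_DERP_FORCE_WEBSOCKETS: "true"
    depends_on: [database]
    restart: unless-stopped
    # Deliberately no "ports:" entry: Coder is not exposed on the host; the
    # only path in is cloudflared on the shared network.
    networks: [backend]

networks:
  backend:

volumes:
  coder_db:
```

After bringing this up with `docker compose up -d`, the health tab's DERP check should report the WebSocket transport rather than a blocked Upgrade header; connections still relay through Coder's embedded DERP over the tunnel, so the no-UDP limitation on public hostnames means direct peer-to-peer paths are not available through this route.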