Unable To Use DERP On Cloudflare Tunnel
Recently I have setup my home server to use a cloudflare tunnel allowing me to access coder via a zero trust verification process on the public internet or immediately when connecting to the respective cloudflare private network. This is highly convenient for me, however I noticed in the health tab that my performance may be degraded since the "Upgrade: DERP" header may be blocked on the load balancer, this is clearly due to the cloudflare tunnel however I couldn't see a solution when in the cloudflare dashboard. I wondered if anybody knew how to allow specific headers on the cloudflare network.
Thank You
Solution:Jump to solution
Indeed, I am primarily using public hostnames, the private network is only used in one special case. So it sounds as if the UDP protocol isn’t supported when using public hostnames on cloudflare tunnels, hence Coder cannot use DERP and defaults to using web sockets. Is that essentially what you are saying?
16 Replies
<#1233704395804250122>
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Does it look related?
https://github.com/coder/coder/issues/9337#issuecomment-1703100467
GitHub
SSH to workspace not working anymore with Cloudflare proxying enabl...
From one day to the other I cannot connect to my workspace via SSH anymore. I can SSH into other containers but my main workspace is not connecting. I downgraded, rebooted the whole instance, resta...
Yea, it seems like the same issue with Cloudflare stripping data required to switch to the DERP protocol however the solutions listed appeared to just involve disabling cloudflare proxying (impossible when using tunnels for obvious reasons) or sending DERP packets outside from the proxy which wouldn't work with my use case since if I were to bypass the tunnel there next to no benefit to having the tunnel.
Can you open a new issue?
I can do, but I feel as if this is a cloudflare issue or even maybe a configuration issue, not a bug with coder. But if you think it’s helpful for the development of coder I can
I am not sure if it's a bug. Just to clear things, I assume you followed this process.
1. Running Coder locally on a home server
2. Exposing it to cloudflare zero trust network with a
cloudflared tunnel --url localhost:PORT
3. This creates a try.cloudflare URL
4. You link a domain to your tunnel to access it over public internet
Please clear if I am missing anything. It's good if you can share all the reproduction stepsNot quite, I have setup a docker container running 'cloudflared' using a tunnel token generated from Cloudflares zero trust dashboard connected to my domain. This docker container is connected to a virtual docker network named 'backend' on my home server, which has all other containers which need access to the tunnel added to it including Coder. Inside the Zero Trust dashboard I have configured the necessary DNS records for these services, with coder this is *.mydomain.com -> http://Coder:7080, which is the name of the Coder container on the 'backend' network. The public hostnames are ordered so that the wildcard is the last record which catches all requests to subdomains which aren't configured, as a result this lets me use workspace port forwarding while also not having to purchase the advanced SSL certificate from cloudflare which is required for 3rd level domains on the cloudflare network e.g. WorkspacePort.coder.mydomain.com. I hope that all makes sense, if you need any clarification about anything just let me know (:
@Steven @Cian could you help debug this? Thank you 🙂
I do not believe cloudflare tunnleing supports UDP, which is required for DERP to work.
The Cloudflare Blog
Extending Cloudflare’s Zero Trust platform to support UDP and Inter...
Last year, we launched a new feature which empowered users to begin building a private network on Cloudflare. Today, we’re excited to announce even more features which make your Zero Trust migration easier than ever.
I also found
https://github.com/cloudflare/cloudflared/issues/990
GitHub
💡General
Upgrade header support · Issue #990 · cloudflare/cloudfl...Describe the feature you'd like I attempted to serve my Headscale and Tailscale DERP Servers behind Cloudflare Tunnels, but unfortunately, they are not functioning as expected. The main issue s...
looks like they strip any
Upgrade headers@Atif I did see that UDP post, however it is only for private networks. I have some tunnels setup on public hostnames and for that, UDP is not supported.
@Stephen, reading your first post again, you are trying to make this work from the public internet, and from a private network on cloudflare?
Solution
Indeed, I am primarily using public hostnames, the private network is only used in one special case. So it sounds as if the UDP protocol isn’t supported when using public hostnames on cloudflare tunnels, hence Coder cannot use DERP and defaults to using web sockets. Is that essentially what you are saying?
@Stephen that is correct.
ok, thank you everyone for your help (: