Building Cloudflare (Argo) Tunnels to Self-Host Web Services

For many reasons I’m not a fan of port forwarding on my gateway. When I came across this blog: Secure home server with Unraid and Cloudflare // Chris’ Blog (nadeau.tv) shortly after Cloudflare had added a free service level to Teams and Tunnels, I decided to give it a try. Note: Cloudflare has updated the process since and Teams is integrated into your account, through Access. However, a Cloudflare Teams aka Cloudflare Zero Trust account has its advantages and I recommend both and both are free, though for the latter you do have to sign up with a credit card but there is a free tier.

The below is centered around how I did this on Unraid and I am NOT a guru, just a father of two who wanted a secure, relatively simple way to self-host pictures for myself and family and some other limited services, YMMV.

Process:

  1. Get a Domain, if you don’t have one (up to you how, which registrar etc.)

  2. Get a Cloudflare Account & Login

  3. Recommended (and may still be required): access Zero Trust from the Cloudflare cPanel and sign up with CC. Free Plan allows you to provide access to your services to 50 users.
    Zero Trust aka Teams provides analytics of what is being accessed by whom, one pane view of applications, active tunnels, logs, groups etc. I have two domains using tunnels so this is very helpful, for instance setting up Cloudflare's gateway policies that can automatically block malware.

  4. From Cloudflare home cPanel add your site.

Extra documentation here: About Cloudflare – Cloudflare Help Center

  5. Go to Domain registrar and change your nameservers to the ones given by Cloudflare

  6. For Unraid, from Community Apps download Cloudflared – aeleos’ Repository (there is at least one other on CA and many on docker including the official one from Cloudflare – this is the one that works for me because the author wrote good instructions on git).
    Aeleos’ Instructions: GitHub - aeleos/cloudflared

• The one issue I have with this template and docker is it doesn’t update. The template is set to an outdated tunnel version. Setting to latest does not work. I follow the official Cloudflare git page and update the version when needed manually.

• Unraid Docker Support Thread: [Support] aeleos - cloudflared tunnels - Page 3 - Docker Containers - Unraid

  7. If you have any issues running Aeleos’ instructions the most common problem I found was no response for authenticating the tunnel. This was solved by making sure I was currently logged into my Cloudflare account.

  8. Once you follow the tunnel setup and have the yaml file you will note you have options to route traffic three ways. I will gladly accept I am wrong in some way here but I am routing my tunnels over plain http, using the last option in the yaml file. So my end of yaml looks like this:
    Screenshot 2022-02-01 112825

  • To edit the yaml file you have to have a way to access it in appdata. Either share appdata and open the yaml in a text editor or use an app or plugin that allows direct access to appdata files for editing on unraid. My preferred option is filebrowser, I like its GUI, but there are many.

• All of my inbound traffic over the internet is https secured via Cloudflare full end to end encryption setting.

  9. The tunnel should be up and running and routing to your service. Now go back to Cloudflare, select access from the cPanel. Create an access policy for your subdomain/domain URL that you want to use for the tunnel.

  10. Select DNS from Cloudflare cPanel and update a CNAME record for the above URL that is tunnelUUID.cfargotunnel.com

  11. Optional: you can add Single Sign On, I really like this integration and found setting up the google integration for family easy. I followed Cloudflare's instructions here: SSO integration · Cloudflare Zero Trust docs

If everything works your URL should give you a secure portal that then redirects correctly

  12. If you host multiple services download another Cloudflared tunnel and repeat. I have two tunnels running 24/7 with a couple others I turn on/off as needed.

• And because I tried, but hope someone may figure it out. I was not able to get Nextcloud to work over a tunnel. I did get Filerun to work over a tunnel and have switched. Didn’t need all the features of Nextcloud. Found at least one or two comments online with the same issue.

Additional Resources: Cloudflare: How to Set up Cloudflare (Argo) Tunnel FREE on Unraid (ibracorp.io)

**If I missed anything let me know and I will update. The community can make this better so help everyone else out with any comments or corrections you might have.**

2 Likes
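
A `config.yml` of the kind steps 8 and 10 in the post above describe, as an added example that is not the poster's file or aeleos' template. The hostname, LAN address, ports and the `<TUNNEL-UUID>` placeholder are assumptions; the credentials path assumes appdata is mounted at `/home/nonroot/.cloudflared/` inside the container.

```yaml
# Added example: cloudflared config.yml for a locally managed tunnel.
# <TUNNEL-UUID>, photos.example.com and 192.168.1.10 are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /home/nonroot/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Plain HTTP from cloudflared to the origin service.
  # Visitor-to-Cloudflare traffic is HTTPS and the tunnel connection itself
  # is encrypted; only this last hop on the host/LAN is cleartext.
  - hostname: photos.example.com
    service: http://192.168.1.10:8080

  # Alternative for an origin that serves HTTPS itself, so the last hop is
  # encrypted too. originServerName is the name expected on the origin's
  # certificate.
  # - hostname: photos.example.com
  #   service: https://192.168.1.10:8443
  #   originRequest:
  #     originServerName: photos.example.com
  #     # noTLSVerify: true   # self-signed origin only; turns off cert checks

  # Catch-all rule, must be last: any request that matches no hostname above
  # is answered with a 404 instead of being forwarded anywhere.
  - service: http_status:404
```

The same UUID is the one used in the `tunnelUUID.cfargotunnel.com` CNAME target. `cloudflared tunnel ingress validate` checks the rules before the container is restarted.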

Couple updates (no edit on the OP, bummer):

Step 9a: Make sure to go to your tunnel docker template, advanced view. Add the tunnel string you created in the preceding steps to tunnel run UUID post argument

Adding Extra Security to the Tunnel EndPoint - This is in reference to the OP of wanting it secure. I prefer cloudflare taking the first hit via their sign on page, their firewall rules etc versus my gateway or my server software.

  • First cloudflare firewall
    You get limited firewall rules for free, more if you pay. Simple bot net protection to turn on in both an automatic rule.

And then deployable rules. 5 rules free. Simple geoblocking, not undefeatable but a start, and another bot blocker rule (I think it's a leftover as they have evolved, I run both for now). Working on more rules myself.

Firewall rules are done per domain. There are also DDoS tools available

  • Other Features Available - Scrape Shield, Traffic Analyzer, Login Attempts, Page Rules (3 Free), Limited Analytics

Main Cloudflare Account Security Offers a Security Overview - Must be Triggered by User, not immediately available, and a Zero Trust Panel, ZeroTrust is the rebranding of Cloudflare Teams

  • Teams and Zero Trust has features similar to Firewall except it's Gateway Policies and can be applied to more than one domain

Cloudflare just launched a GUI to create tunnels. You can deploy tunnels in Unraid with a single terminal command. No yaml file building, no downloading the app, updating settings etc as above, just one command to deploy and three quick gui steps and you are up and running.

  1. Log into Cloudflare ZeroTrust, select Tunnels from access, it's beta now.

  2. Click new tunnel and select docker. Copy the command and paste into notepad.

Add the extra info for Unraid for the install location. I’m not an expert here but this worked for me as a command:

docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.3.4 tunnel [PLUStunnelTOKENCloudflareCreated]

  3. Return to cloudflare and complete the gui which includes what URL settings and where to point the service. Once finished the tunnel is up and running.

  4. Don’t forget to go to Cloudflare Access of your Domain if you want to secure the endpoint with security features such as login, SSO etc.

Ridiculously easy to use Tunnels (cloudflare.com)

2 Likes

Can’t currently recommend the Cloudflare GUI process with Unraid 6.9.2. It does work, but the tunnels are unstable. I’m not proficient enough to figure out the issue and well the older process in the OP creates stable tunnels.

1 Like