For many reasons I’m not a fan of port forwarding on my gateway. When I came across this blog: Secure home server with Unraid and Cloudflare // Chris’ Blog (nadeau.tv) shortly after Cloudflare had added a free service level to Teams and Tunnels, I decided to give it a try. Note: Cloudflare has updated the process since, and Teams is integrated into your account, through Access. However, a Cloudflare Teams aka Cloudflare Zero Trust account has its advantages, and I recommend both. Both are free, though for the latter you do have to sign up with a credit card, but there is a free tier.
The below is centered around how I did this on Unraid and I am NOT a guru, just a father of two who wanted a secure, relatively simple way to self-host pictures for myself and family and some other limited services, YMMV.
Process:
- Get a domain, if you don’t have one (up to you how, which registrar, etc.).
- Get a Cloudflare account and log in.
- Recommended (and may still be required): access Zero Trust from the Cloudflare cPanel and sign up with a CC. The Free Plan allows you to provide access to your services to 50 users.
  Zero Trust aka Teams provides analytics of what is being accessed by whom, a one-pane view of applications, active tunnels, logs, groups, etc. I have two domains using tunnels, so this is very helpful, for instance for setting up Cloudflare’s gateway policies that can automatically block malware.
- From the Cloudflare home cPanel, add your site.
  Extra documentation here: About Cloudflare – Cloudflare Help Center
- Go to your domain registrar and change your nameservers to the ones given by Cloudflare.
- For Unraid, from Community Apps download Cloudflared – aeleos’ Repository (there is at least one other on CA and many on docker, including the official one from Cloudflare; this is the one that works for me because the author wrote good instructions on git).
  Aeleos’ Instructions: GitHub - aeleos/cloudflared
  • The one issue I have with this template and docker is that it doesn’t update. The template is set to an outdated tunnel version. Setting it to latest does not work. I follow the official Cloudflare git page and manually update the version when needed.
  • Unraid Docker Support Thread: [Support] aeleos - cloudflared tunnels - Page 3 - Docker Containers - Unraid
- If you have any issues running Aeleos’ instructions, the most common problem I found was no response when authenticating the tunnel. This was solved by making sure I was currently logged into my Cloudflare account.
- Once you follow the tunnel setup and have the yaml file, you will note you have options to route traffic three ways. I will gladly accept I am wrong in some way here, but I am routing my tunnels over plain http, using the last option in the yaml file. So my end of yaml looks like this:
  • To edit the yaml file you have to have a way to access it in appdata. Either share appdata and open the yaml in a text editor, or use an app or plugin that allows direct access to appdata files for editing on Unraid. My preferred option is filebrowser; I like its GUI, but there are many.
  • All of my inbound traffic over the internet is https, secured via Cloudflare’s full end-to-end encryption setting.
- The tunnel should be up and running and routing to your service. Now go back to Cloudflare and select Access from the cPanel. Create an access policy for the subdomain/domain URL that you want to use for the tunnel.
- Select DNS from the Cloudflare cPanel and update a CNAME record for the above URL whose target is tunnelUUID.cfargotunnel.com
- Optionally, you can add Single Sign On. I really like this integration and found setting up the Google integration for family easy. I followed Cloudflare’s instructions here: SSO integration · Cloudflare Zero Trust docs
  If everything works, your URL should give you a secure portal that then redirects correctly.
- If you host multiple services, download another Cloudflared tunnel and repeat. I have two tunnels running 24/7, with a couple of others I turn on/off as needed.
• And because I tried, but hope someone may figure it out. I was not able to get Nextcloud to work over a tunnel. I did get Filerun to work over a tunnel and have switched. Didn’t need all the features of Nextcloud. Found at least one or two comments online with the same issue.
Additional Resources: Cloudflare: How to Set up Cloudflare (Argo) Tunnel FREE on Unraid (ibracorp.io)
**If I missed anything let me know and I will update. The community can make this better so help everyone else out with any comments or corrections you might have.**
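
For the routing step above (choosing how the tunnel reaches the local service), here is an added example that is not from the original post or from the aeleos template: a cloudflared `config.yml` showing a plain-HTTP origin next to an HTTPS origin with certificate verification left on. The tunnel UUID placeholder, hostnames, IP addresses, ports and file paths are assumptions.

```yaml
# Added example; not the post author's file or the aeleos template.
# <TUNNEL-UUID>, hostnames, addresses, ports and paths are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Plain HTTP origin: the hop from cloudflared to the service is
  # unencrypted. Visitors still reach Cloudflare over HTTPS and the tunnel
  # itself is encrypted, so the cleartext is limited to the host/LAN
  # segment between the cloudflared container and the service.
  - hostname: photos.example.com
    service: http://192.168.1.10:8080

  # HTTPS origin with verification kept on: cloudflared validates the
  # origin certificate against the given CA and the expected server name.
  - hostname: files.example.com
    service: https://192.168.1.10:8443
    originRequest:
      originServerName: files.example.com
      caPool: /etc/cloudflared/origin-ca.pem
      # noTLSVerify: true would accept any certificate (common with
      # self-signed certs): still encrypted, but the origin is no
      # longer authenticated.

  # Required catch-all: requests for any other hostname get a 404
  # instead of being forwarded to an internal service.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the rules in the file, and `cloudflared tunnel ingress rule https://photos.example.com` shows which rule a given URL would match.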