Cloudflare Tunnel was previously named Warp during its beta phase. When Warp was added to the Argo product family, Cloudflare renamed it Argo Tunnel to match. Once Cloudflare decided that users were no longer required to purchase Argo to create tunnels, Argo Tunnel was renamed Cloudflare Tunnel.

In this post, I will show how you can use Cloudflare Tunnel (free) to reach your home lab's internal network in a couple of simple steps, and how to make that access secure.

Diagram

Steps to Install Cloudflared in Windows

You will need a free Cloudflare account to log in, and your own domain's DNS records must be managed by Cloudflare.

  • Free Cloudflare account
  • Free Domain (https://nic.eu.org/)

1 Add a tunnel

2 Create a new tunnel

3 Install and run a connector

  1. Download https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
  2. Double-click cloudflared-windows-amd64.msi to run the installer. The files are installed under C:\Program Files (x86)\cloudflared. The installer does not show a message confirming that the Cloudflared service has been installed; as long as you can see the files in C:\Program Files (x86)\cloudflared, you are ready for the next step.
  3. Open Command Prompt or Powershell as Administrator.
  4. Run the following command:

cloudflared.exe service install <TUNNEL_TOKEN>

Replace <TUNNEL_TOKEN> with the token from the connector command shown in the Cloudflare dashboard. The token is a credential for your tunnel (anyone holding it can run a connector for it), so keep it out of notes and repositories.

PS C:\Users\WDAGUtilityAccount> cloudflared.exe service install <TUNNEL_TOKEN>
2023-09-17T13:11:49Z INF Installing cloudflared Windows service
2023-09-17T13:11:49Z INF cloudflared agent service is installed windowsServiceName=Cloudflared
2023-09-17T13:11:49Z INF Agent service for cloudflared installed successfully windowsServiceName=Cloudflared
PS C:\Users\WDAGUtilityAccount>

4 Route traffic to your applications

Add a public hostname for the tunnel, point it at the internal service it should expose (for example http://192.168.2.8:3000), and save the configuration.

Steps to Install Cloudflared in Docker

1. Install Docker

  • apt update
  • apt install docker.io
  • apt install --only-upgrade docker.io (upgrades docker.io if it is already installed; `apt update` does not accept package names)

2. Install Portainer (optional)

  • docker volume create portainer_data
  • docker run -d -p 9000:9000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

3. Install and run the cloudflared Docker container

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>

<TUNNEL_TOKEN> is the token from the connector command shown in the Cloudflare dashboard.

4. Console output

You might want to add -d to your docker command so the container runs detached in the background.

docker run -d cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>

netsec@hpthin:~$ sudo -i
[sudo] password for netsec:
root@hpthin:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:3 https://download.newrelic.com/infrastructure_agent/linux/apt focal InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2,852 kB]
Fetched 3,188 kB in 4s (805 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
102 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@hpthin:~#
root@hpthin:~# apt install docker.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  aufs-tools cgroupfs-mount | cgroup-lite debootstrap docker-doc rinse zfs-fuse | zfsutils
The following packages will be upgraded:
  docker.io
1 upgraded, 0 newly installed, 0 to remove and 101 not upgraded.
Need to get 26.4 MB of archives.
After this operation, 27.0 MB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 docker.io amd64 24.0.5-0ubuntu1~20.04.1 [26.4 MB]
Fetched 26.4 MB in 3s (8,473 kB/s)
Preconfiguring packages ...
(Reading database ... 145184 files and directories currently installed.)
Preparing to unpack .../docker.io_24.0.5-0ubuntu1~20.04.1_amd64.deb ...
Unpacking docker.io (24.0.5-0ubuntu1~20.04.1) over (20.10.21-0ubuntu1~20.04.2) ...
Setting up docker.io (24.0.5-0ubuntu1~20.04.1) ...
Processing triggers for man-db (2.9.1-1) ...
root@hpthin:~# docker version
Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.3
 Git commit:        24.0.5-0ubuntu1~20.04.1
 Built:             Mon Aug 21 19:50:14 2023
 OS/Arch:           linux/amd64
 Context:           default
Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       24.0.5-0ubuntu1~20.04.1
  Built:            Mon Aug 21 19:50:14 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.12-0ubuntu1~20.04.3
  GitCommit:
 runc:
  Version:          1.1.4-0ubuntu1~20.04.3
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:
root@hpthin:~# docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>
Unable to find image 'cloudflare/cloudflared:latest' locally
latest: Pulling from cloudflare/cloudflared
dd5ad9c9c29f: Pull complete
960043b8858c: Pull complete
b4ca4c215f48: Pull complete
eebb06941f3e: Pull complete
02cd68c0cbf6: Pull complete
d3c894b5b2b0: Pull complete
b40161cd83fc: Pull complete
46ba3f23f1d3: Pull complete
4fa131a1b726: Pull complete
01f38fc88b34: Pull complete
6e24d515f042: Pull complete
0460cb7a0f85: Pull complete
b39375cac515: Pull complete
Digest: sha256:93561dfa0032006354be56476f09e3d8743d53d202368672c2847c1631f7be50
Status: Downloaded newer image for cloudflare/cloudflared:latest
2023-09-23T17:29:02Z INF Starting tunnel tunnelID=162a9c5b-8b27-40bb-bb37-987a87533750
2023-09-23T17:29:02Z INF Version 2023.8.2
2023-09-23T17:29:02Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64
2023-09-23T17:29:02Z INF Settings: map[no-autoupdate:true token:<redacted>]
2023-09-23T17:29:02Z INF Generated Connector ID: 33cee496-81df-4d32-a8a7-56cd4310ef93
2023-09-23T17:29:02Z INF Initial protocol quic
2023-09-23T17:29:02Z INF ICMP proxy will use 172.17.0.5 as source for IPv4
2023-09-23T17:29:02Z INF ICMP proxy will use :: as source for IPv6
2023-09-23T17:29:02Z INF Starting metrics server on 127.0.0.1:42961/metrics
2023/09/23 17:29:03 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023-09-23T17:29:03Z INF Registered tunnel connection connIndex=0 connection=8959d98a-e305-4f86-8c16-ed2616281795 event=0 ip=198.41.192.167 location=yyz01 protocol=quic
2023-09-23T17:29:03Z INF Registered tunnel connection connIndex=1 connection=31892503-d646-4c1b-a4ac-0b6a10ab175a event=0 ip=198.41.200.73 location=ord02 protocol=quic
2023-09-23T17:29:03Z INF Updated to new configuration config=null version=0
2023-09-23T17:29:04Z INF Registered tunnel connection connIndex=2 connection=45771c08-0818-4d92-91fa-bb501c908f7e event=0 ip=198.41.200.23 location=ord11 protocol=quic
2023-09-23T17:29:05Z INF Registered tunnel connection connIndex=3 connection=30b37439-8e18-424b-bb36-6187fa658584 event=0 ip=198.41.192.27 location=yyz01 protocol=quic
2023-09-23T17:34:58Z INF Updated to new configuration config="{\"ingress\":[{\"service\":\"http://192.168.2.8:3000\",\"hostname\":\"speedtest.51sec.eu.org\",\"originRequest\":{}},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=1
2023-09-23T17:40:58Z ERR  error="stream 105 canceled by remote with error code 0" cfRay=80b4931c9926a228-YYZ event=1 ingressRule=0 originService=http://192.168.2.8:3000
2023-09-23T17:40:58Z ERR Request failed error="stream 105 canceled by remote with error code 0" connIndex=3 dest=https://speedtest.51sec.eu.org/downloading?n=0.17752728579938704 event=0 ip=198.41.192.27 type=http
2023-09-23T17:40:58Z ERR  error="stream 97 canceled by remote with error code 0" cfRay=80b4931adeeca228-YYZ event=1 ingressRule=0 originService=http://192.168.2.8:3000
2023-09-23T17:40:58Z ERR Request failed error="stream 97 canceled by remote with error code 0" connIndex=3 dest=https://speedtest.51sec.eu.org/downloading?n=0.2870544567397595 event=0 ip=198.41.192.27 type=http
2023-09-23T17:40:58Z ERR  error="stream 109 canceled by remote with error code 0" cfRay=80b4931d19a9a228-YYZ event=1 ingressRule=0 originService=http://192.168.2.8:3000
2023-09-23T17:40:58Z ERR Request failed error="stream 109 canceled by remote with error code 0" connIndex=3 dest=https://speedtest.51sec.eu.org/downloading?n=0.7172544233950537 event=0 ip=198.41.192.27 type=http
2023-09-23T17:40:58Z ERR  error="stream 101 canceled by remote with error code 0" cfRay=80b4931b8fdfa228-YYZ event=1 ingressRule=0 originService=http://192.168.2.8:3000
2023-09-23T17:40:58Z ERR Request failed error="stream 101 canceled by remote with error code 0" connIndex=3 dest=https://speedtest.51sec.eu.org/downloading?n=0.6693955675928318 event=0 ip=198.41.192.27 type=http
^C2023-09-23T17:41:52Z INF Initiating graceful shutdown due to signal interrupt ...
2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=0 event=0 ip=198.41.192.167
2023-09-23T17:41:52Z ERR Failed to serve quic connection error="context canceled" connIndex=0 event=0 ip=198.41.192.167
2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=0 event=0 ip=198.41.192.167
2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=1 event=0 ip=198.41.200.73
2023-09-23T17:41:52Z ERR Failed to serve quic connection error="context canceled" connIndex=1 event=0 ip=198.41.200.73
2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=1 event=0 ip=198.41.200.73
2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=2 event=0 ip=198.41.200.23
2023-09-23T17:41:52Z ERR Failed to serve quic connection error="context canceled" connIndex=2 event=0 ip=198.41.200.23
2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=2 event=0 ip=198.41.200.23
2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=3 event=0 ip=198.41.192.27
2023-09-23T17:41:52Z ERR Failed to serve quic connection error="context canceled" connIndex=3 event=0 ip=198.41.192.27
2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=3 event=0 ip=198.41.192.27
2023-09-23T17:41:52Z ERR no more connections active and exiting
2023-09-23T17:41:52Z INF Tunnel server stopped
2023-09-23T17:41:52Z ERR icmp router terminated error="context canceled"
2023-09-23T17:41:52Z INF Metrics server stopped
root@hpthin:~# docker run -d cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>
6faf071af6dd1e145ed4ea03c93471fe8aa83dc4c6c0b232cdea4ff91d181c65
root@hpthin:~#
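As an added example (not from the post), the POSIX shell script below starts the connector with the tunnel token read from a root-only file and handed over through the TUNNEL_TOKEN environment variable, which cloudflared accepts in place of --token, so the secret never lands in shell history or the process list; it also includes a helper that summarises connector log lines of the kind shown above (connections still registered, and failed requests). The token file path, the container name cloudflared, and the DOCKER override used for testing are assumptions.

```shell
#!/bin/sh
# Added example: hardened connector launch plus a log summary (not the post's code).
# Assumptions: token stored in a file passed as $1; DOCKER may be overridden.

# Refuse to start when the token file is missing or readable by group/others.
check_token_file() {
    [ -f "$1" ] || { echo "token file $1 missing" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "token file $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Run the connector detached, restarting after reboot. The token is exported only
# into the docker client's environment and forwarded with a bare `-e TUNNEL_TOKEN`,
# so it does not appear on the command line.
start_tunnel() {
    check_token_file "$1" || return 1
    TUNNEL_TOKEN="$(cat "$1")" "${DOCKER:-docker}" run -d --name cloudflared \
        --restart unless-stopped -e TUNNEL_TOKEN \
        cloudflare/cloudflared:latest tunnel --no-autoupdate run
}

# Summarise a saved connector log (e.g. `docker logs cloudflared > tunnel.log`).
# Prints "active=<n> failed_requests=<n>": connIndex values that were registered
# and not since unregistered, and the count of "ERR Request failed" lines.
tunnel_summary() {
    awk '
        /INF Registered tunnel connection/   { for (i = 1; i <= NF; i++) if ($i ~ /^connIndex=/) reg[$i] = 1 }
        /INF Unregistered tunnel connection/ { for (i = 1; i <= NF; i++) if ($i ~ /^connIndex=/) delete reg[$i] }
        /ERR Request failed/                 { failed++ }
        END {
            n = 0; for (k in reg) n++
            printf "active=%d failed_requests=%d\n", n, failed + 0
        }' "$1"
}
```

A burst of "Request failed ... canceled by remote" lines for one origin, as in the output above, usually means the client closed the stream (a speed test aborting downloads) rather than a tunnel fault; a drop in the active count is the signal worth alerting on.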

Access Policy – One-Time Password

One Time PIN

By default, One Time Password is added as your authentication method.

1 Add an application

Accept all available identity providers:

2 Add policies

3 Setup

4 Access to route.51sec.eu.org

Set Up Google as an IdP (Identity Provider)

You can add other authentication methods, such as Google or GitHub, as an identity provider.

Set up Google as an identity provider

  1. Visit the Google Cloud Platform console. Create a new project, name the project, and select Create.
  2. On the project home page, go to APIs & Services on the sidebar and select Dashboard.
  3. On the sidebar, go to Credentials and select Configure Consent Screen at the top of the page.
  4. Choose External as the User Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can log in.
  5. Name the application, add a support email, and fill in the contact fields. Google Cloud Platform requires an email in your account. In the Scopes section, we recommend adding the userinfo.email scope. This is not required for the integration, but it shows authenticating users what information is being gathered. You do not need to add test users.
  6. Return to the APIs & Services page, select Create Credentials > OAuth client ID, and name the application.
  7. Under Authorized JavaScript origins, in the URIs field, enter your team domain.
  8. Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:
     https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  9. Google will present the OAuth Client ID and Secret values. The secret functions like a password and should not be shared. Copy both values.
  10. In Zero Trust, go to Settings > Authentication.
  11. Under Login methods, select Add new. Choose Google on the next page.
  12. Enter the Client ID and Client Secret values generated previously.
  13. (Optional) Enable Proof Key for Code Exchange (PKCE). PKCE will be performed on all login attempts.
  14. Select Save.

By Jonny