Movatterモバイル変換

[0]ホーム
URL:

Expose Raspberry Pi to the Internet using Cloudflare Tunnel

August 15, 2021- 6 min read

I’ve been using Raspberry Pi from past 6 years as a file sharing and media server. This year I bought the latest version of Pi on an impulse and now I have no idea what to do with it.

Theofficial website describes Raspberry Pi as

a low cost, credit-card sized computer

Some websites like -This Blog Is Now Running on Solar Power gave me an inspiration to host a website on my Raspberry Pi. The content for the website can be added later when I’ll put my development skills to use, but at that moment I thought that it would be really cool to host a website straight our of my Raspberry Pi.

If I wish to host a server from my home network:

  1. I would require a Dynamic DNS since I do not have a static IP.
  2. A script to update the DDNS entry incase my IP changes.
  3. Port-forward to the Raspberry Pi’s local IP address.
  4. Set up certificates to support HTTPS.
  5. Hope that nobody hacks into your home network 🤞.

Hosting a server from your home network is a nightmare. The Internet is already a scary place with bad people all over the place. It’s risky to allow a vulnerable Raspberry Pi running inside your home which is accessible from the Internet. Once,a rouge Raspberry Pi resulted in NASA hack, beware!

The diagram below shows how port forwarding punches a hole into your router.

Port forwarding

What are Cloudflare Tunnels?

Recently, Cloudflare made aboringannouncement about offering Cloudflare tunnels (formally,Argo Tunnels) for free!

Cloudflare Tunnels create an encrypted tunnel between your server and the Cloudflare network using thecloudflared daemon. Because of this, users won’t directly connect to your server, instead they will connect via proxy through Cloudflare’s network.

This takes away a lot of steps involved in exposing your server from the home.

  1. There is no need to open any ports on your network. To the outside world and even your ISP, your server just looks like any other encrypted web traffic.
  2. There is no need to create, buy or mange TLS certificates ascloudflared handles all of this for you.
  3. Cloudflare utilizes smart routing to speed up traffic latency. They avoid congested network and high latency area which routing the traffic through their edge network.
  4. You get a WAF and DDOS protection built in.

Source

In the diagram below the user can only access theorigin(server) through the Cloudflare’s network but not directly. This will provide us an extra layer of security by hiding our origin source and as well as prevent bad actors from accessing the website directly.

cloudflared tunnel representation

Later, I might also take a look intofrp: Fast Reverse Proxy, but as on now I’ll stick to Cloudflare Tunnels.

How Tunnels work?

The HTTP tunnels are always initiated from the client side. Here, thecloudflared daemon will initiate the connection to the Cloudflare’s network. My university network would not allow port-forwarding or allow any outside traffic to connect directly. This client side initiation of the connection would help bypass such roadblocks. A single long lived connection is established where many logical sockets are created within one physical socket connection. This method is called Multiplexing.

Source: How ngrok works?
Source: Overview of how ngrok tunneling works

This is similar toTCP multiplexing, where a host with a single TCP connection can manage communication between multiple processes.

Source: http://www.tcpipguide.com/free/diagrams/portsmultiplexing.png

According to Cloudflare:

With Tunnel, users can create a private link from their origin server directly to Cloudflare without a publicly routable IP address. Instead, this private connection is established by running a lightweight daemon, cloudflared, on your origin, which creates a secure, outbound-only connection. This means that only traffic that routes through Cloudflare can reach your origin.

Tunnel secures your origin by making outbound-only connections to Cloudflare. This removes legacy model requirements of poking ingress rules into your machine often leaving your infrastructure vulnerable to attack.

Read More: The making of Cloudflare Warp
Read More: Traffic encryption between Cloudflare tunnel and HTTPS origin servers

Set up Cloudflared Tunnel

The following steps are required to set-up the tunnel:

  1. Create a Docker Image of cloudflared
  2. Login to Cloudflare
  3. Create a new tunnel
  4. Create a DNS entry for your tunnel
  5. Run the tunnel

We will create a new tunnel which will be accessible frompi.example.com.

This can also be done without Docker. Cloudflared can be installed as a service on the Raspberry Pi which do not support Docker.

The official guide is here:https://developers.cloudflare.com/cloudflare-one/tutorials/share-new-site

Build cloudflared Docker image

As of now, Docker hub doesn’t have anyarm64 image for cloudflared, let’s build one for ourselves.

# Clone cloudflared repository tunnelgit clone https://github.com/cloudflare/cloudflared.git--depth 1# Build Docker image on Raspberry Pidocker build-t"cloudflared:arm64v8"

Login to Cloudflare

Create cloudflared directory and give it 777 permission. This dangerously open permission is required because cloudflared container runs on a nonroot user and this user fails to write on the mounted folder if the folder doesn’t have this permission.

mkdir ~/.cloudflared&&chmod-R 777 ~/.cloudflared# Login to cloudflaredocker run--rm-v ~/.cloudflared:/home/nonroot/.cloudflared cloudflared:arm64v8 tunnel login

You’ll get a cloudflare link to login. Please select the domain you’d like to use. This will authorize cloudflared to create tunnel and new DNS entries.

Create a new Tunnel

# Create a new tunnel with name "pi"docker run--rm-v /home/ubuntu/.cloudflared:/home/nonroot/.cloudflared cloudflared:arm64v8 tunnel create pi

There will be no issue if the Raspberry Pi restarts or looses internet connection, thesenamed tunnels will help us to reconnect with cloudflare when it reconnects with the internet.

The newly created tunnel would return a UUID, please take a note of this.

Let’s create config file with all the details for the tunnel.

vim ~/.cloudflared/config.yml

In the below template replace the3aaabf8a-a834-2b7d-6ba8-3fb6b24306ff inconfig.yml with your tunnel ID.
The target in the config is192.168.1.111.

tunnel: 3aaabf8a-a834-2b7d-6ba8-3fb6b24306ffcredentials-file: /home/nonroot/.cloudflared/3aaabf8a-a834-2b7d-6ba8-3fb6b24306ff.json# The Nginx-Proxy-Manager is exposed on port 80, 81 and 443# I have also added cloudflare SSL certificates to NPM.- service: https://192.168.1.111  originRequest:    noTLSVerify:true

Source:https://github.com/aeleos/cloudflared

Create DNS entry for the tunnel

We can access the tunnel using Cloudflare’scfargotunnel.com domain as well.
Just add.cfargotunnel.com infront of the UUID. Like:3aaabf8a-a834-2b7d-6ba8-3fb6b24306ff.cfargotunnel.com

# Create DNS entry for "pi" subdomaindocker run--rm-v /home/ubuntu/.cloudflared:/home/nonroot/.cloudflared cloudflared:arm64v8 tunnel route dns pi pi.example.com

This will add a new DNS entry to your cloudflare account, the entry must be aCNAME. If it’s not CNAME then we have to create a manual entry for the tunnel.

Tunnel entry in cloudflare

More on Adding DNS Entry:https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns

Run the tunnel

# Run tunneldocker run--restart=always-d--network host-v /home/ubuntu/.cloudflared:/home/nonroot/.cloudflared cloudflared:arm64v8 tunnel run pi

For every new sub-domain, you can run thetunnel route dns command to add it on cloudflare.
More: Run a Tunnel - Cloudflare Documentation

Further read

Resources

Share:
[8]ページ先頭
©2009-2025 Movatter.jp