Why Tunnel?

Although Cloudflare's proxied DNS is good, we still need to punch holes (notably ports 80 and 443) in our firewall or router.

With a tunnel, our “agent” reaches out to Cloudflare, instead of HTTP requests coming in through our firewall.

Cloudflare Tunnel Preparation

Cloudflare Team

Before we can set up the tunnel, we need to set up a Cloudflare team.

Follow the instructions given by Cloudflare in “Get started · Cloudflare Zero Trust docs”.

By default, OTP configuration is already enabled, so just follow the guide.

Cloudflare Tunnel

To start setting up the tunnel, follow “Via the dashboard · Cloudflare Zero Trust docs” to create the tunnel at the Cloudflare end.

Token

Before proceeding to the next step, copy the token to a notepad. We’ll need it for the next steps. Treat it like a password: anyone who has the token can run a connector for this tunnel.

Running cloudflared on docker

Image selection

Since I’ll be running this container on an RPi, we’ll pick the image available from erisamoe/cloudflared. Otherwise, we can build our own image.

Docker Internal Network

Create a network in Docker. In my case, I picked the name “cf” to indicate that this network is connected via Cloudflare.

docker-compose.yaml

We’ll use the following YAML in Portainer.

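version: '3.8'

services:
  tunnel:
    image: erisamoe/cloudflared
    # Run the tunnel; cloudflared reads the token from TUNNEL_TOKEN
    command: 'tunnel run'
    deploy:
      # Two connectors for redundancy
      replicas: 2
    environment:
      - TZ=Asia/Singapore
      # Supplied from the environment variables section, not stored in this file
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    restart: unless-stopped
    networks:
      - cf

networks:
  # The internal network created earlier; it must already exist
  cf:
    external: true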

We’ll then put the token into the environment variables section under the name TUNNEL_TOKEN. I’m using 2 replicas in case one of the RPis goes down.

Network
Make sure the tunnel is connected to the internal network we created earlier. Other services that we want to reach from the internet must also be attached to this network.

Service URL (Cloudflare Dashboard)

  • To add a new subdomain to the “reverse proxy” configuration, go to Configure on your connected tunnel
  • From the Public Hostname tab, click Add
  • Enter your subdomain; this creates a new entry in our main DNS
  • Choose your service type (HTTP vs HTTPS)
  • Use [stack_name]_[service_name]:[internal_port] for the URL
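An added example (not part of the original page): a small Python check over a compose file loaded into a dict. It flags services on the cf network that still publish host ports or hard-code TUNNEL_TOKEN, and builds the Service URL to enter in the dashboard. The stack name "home", the service names, and the use of expose to declare the internal port are assumptions for illustration.

```python
import json

TUNNEL_NET = "cf"  # internal network name used on this page

# Constructed sample: a compose file loaded into a dict. Service names are hypothetical.
SAMPLE = json.loads("""
{"services": {
  "tunnel":  {"networks": ["cf"],
              "environment": ["TZ=Asia/Singapore", "TUNNEL_TOKEN=${TUNNEL_TOKEN}"]},
  "tunnel2": {"networks": ["cf"],
              "environment": {"TUNNEL_TOKEN": "constructed-not-a-real-token"}},
  "wiki":    {"networks": {"cf": {}}, "expose": ["8080"]},
  "grafana": {"networks": ["cf"], "expose": ["3000"], "ports": ["3000:3000"]},
  "db":      {"networks": ["backend"], "ports": ["5432:5432"]}
}}
""")

def env_map(env):
    """Compose accepts environment as a list of KEY=VALUE or as a mapping."""
    if isinstance(env, dict):
        return {k: "" if v is None else str(v) for k, v in env.items()}
    return dict(item.partition("=")[::2] for item in (env or []))

def audit(stack, compose):
    """Return (findings, origins) for services attached to the tunnel network."""
    findings, origins = [], []
    for name, svc in compose.get("services", {}).items():
        token = env_map(svc.get("environment")).get("TUNNEL_TOKEN", "")
        if token and not token.startswith("${"):
            findings.append(f"{name}: TUNNEL_TOKEN is hard-coded in the compose file")
        # networks may be a list of names or a mapping; "in" checks names either way
        if TUNNEL_NET not in (svc.get("networks") or []):
            continue
        if svc.get("ports"):
            findings.append(f"{name}: publishes host ports {svc['ports']}, "
                            "reachable without going through the tunnel")
        # Service URL format from this page: [stack_name]_[service_name]:[internal_port]
        origins += [f"{stack}_{name}:{port}" for port in svc.get("expose", [])]
    return findings, origins

if __name__ == "__main__":
    findings, origins = audit("home", SAMPLE)
    print("\n".join(findings + origins))
```

Services that are only reached through the tunnel need no ports entry at all; attaching them to cf is enough for cloudflared to reach them by name.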

Proxy type
For a SOCKS proxy, the configuration can be found under Additional settings > Connection > Proxy Type.

Last modified: 9 October 2022