{"id":4825,"date":"2022-04-11T15:17:26","date_gmt":"2022-04-11T07:17:26","guid":{"rendered":"https:\/\/www.jameseduard.com\/?p=4825"},"modified":"2022-04-11T15:17:26","modified_gmt":"2022-04-11T07:17:26","slug":"how-to-create-free-cloudflare-tunnel","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=4825","title":{"rendered":"How to Create Free Cloudflare Tunnel"},"content":{"rendered":"\n\n\n

Tutorial Scenario:<\/h3>\n\n\n\n
  1. Signup for a free Cloudflare for Teams.<\/li>
  2. Install and authenticate cloudflared on a Raspberry Pi 4.<\/li>
  3. Create a Cloudflare Tunnel.<\/li>
  4. Configure the Tunnel details.<\/li>
  5. Create DNS records to route traffic to the Tunnel.<\/li>
  6. Run and manage the Tunnel.<\/li>
  7. Add a Zero Trust policy.<\/li>
  8. Run Tunnel as a service.<\/li><\/ol>\n\n\n\n

    Step 1: Signup for a free Cloudflare for Teams:<\/h2>\n\n\n\n

    Navigate to Cloudflare for Teams<\/a> and signup for a free account. Cloudflare has a well documented Get started<\/a> site to walk you through the setup process. For this step, you don\u2019t need to go beyond signing up.<\/p>\n\n\n\n

    Step 2: Install and authenticate Cloudflared on a Raspberry Pi 4:<\/h2>\n\n\n\n
    1. First of all, if you\u2019d like to check your device\u2019s architecture, run the following command:<\/li><\/ol>\n\n\n\n
      uname -a\n<\/pre>\n\n\n\n
      1. Navigate to Install Cloudflared<\/a> site to download the proper package for your architecture. In my case, I will install the Cloudflared daemon on my RPI-4, which is an arm64<\/strong> architecture.<\/li><\/ol>\n\n\n\n
        arm64 architecture (64-bit Raspberry Pi 4):<\/h5>\n\n\n\n
        sudo wget -O cloudflared https:\/\/github.com\/cloudflare\/cloudflared\/releases\/latest\/download\/cloudflared-linux-arm64\nsudo mv cloudflared \/usr\/local\/bin\nsudo chmod +x \/usr\/local\/bin\/cloudflared\ncloudflared -v\n<\/pre>\n\n\n\n
        AMD64 architecture (Debian\/Ubuntu):<\/h5>\n\n\n\n
        sudo wget https:\/\/bin.equinox.io\/c\/VdrWdbjqyF\/cloudflared-stable-linux-amd64.deb\nsudo apt-get install .\/cloudflared-stable-linux-amd64.deb\ncloudflared -v\n<\/pre>\n\n\n\n
        armhf architecture (32-bit Raspberry Pi):<\/h5>\n\n\n\n
        sudo wget https:\/\/bin.equinox.io\/c\/VdrWdbjqyF\/cloudflared-stable-linux-arm.tgz\ntar -xvzf cloudflared-stable-linux-arm.tgz\nsudo cp .\/cloudflared \/usr\/local\/bin\nsudo chmod +x \/usr\/local\/bin\/cloudflared\ncloudflared -v\n<\/pre>\n\n\n\n
        1. Once we have installed Cloudflared successfully, we will run the following command to authenticate the cloudflared to our Cloudflare account.<\/li><\/ol>\n\n\n\n
          cloudflared login\n<\/pre>\n\n\n\n
          Running the above command will launch the default browser window and prompt you to login to your Cloudflare account. Then, you will be prompted to select a hostname site, which we have create previously in Part 1: Step 2<\/a>.<\/p>\n\n\n\n
          As soon as you have chosen your hostname, Cloudflare will download a certificate file to authenticate Cloudflared<\/strong> with Cloudflare\u2019s network.<\/p>\n\n\n\n
          The cert.pem gives Cloudflared the capabilities to create tunnels and modify DNS records in the account. Once you have created a named Tunnel, you no longer need the cert.pem file to run that Tunnel and connect it to Cloudflare\u2019s network. However, hte cert.pem file is still required to create additional Tunnels, list existing tunnels, manage DNS records, or delete Tunnels.<\/p>\n\n\n\n
          \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
          \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
          \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
          \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
          Once authorization is completed successfully, your cert.pem will be download to the default directory as shown below.<\/p>\n\n\n\n
          \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
          If you\u2019re running a headless server (no monitor or keyboard), you could copy the authentication URL and paste it in a browser manually.<\/p>\n\n\n\n
          The credentials file contains a secret scoped to the specific Tunnel UUID which establishes a connection from cloudflared to Cloudflare\u2019s network. cloudflared operates like a client and establishes a TLS connection from your infrastructure to Cloudflare\u2019s edge.<\/p>\n\n\n\n
          Step 3: Create a Cloudflare Tunnel:<\/h2>\n\n\n\n
          1. Now, we are ready to create a Cloudflare Tunnel<\/strong> that will connect Cloudflared<\/strong> to Cloudflare\u2019s edge. Utilizing the following command will create a Tunnel with tht name and generate an ID credentials file for it.<\/li><\/ol>\n\n\n\n
            Prior to creating the Tunnel, you may need to exit the Command Line (CL). Next, let create the Tunnel.<\/p>\n\n\n\n
            Note: replace <NAME> with any name of your choosing for the Tunnel.<\/em><\/p>\n\n\n\n
            cloudflared tunnel create <NAME>\n<\/pre>\n\n\n\n
            Once the Tunnel is created, a credential file is generated. It\u2019s a JSON file that has the Universally Unique Identifier (UUID) assigned for the Tunnel.<\/p>\n\n\n\n
            Note: although the Tunnel is created, the connection is not established yet.<\/em><\/p>\n\n\n\n
            \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
            Step 4: Configure the Tunnel details:<\/h2>\n\n\n\n
            Although we can configure the Tunnel run in an add hoc mode, we will go over creating a configuring the Tunnel to automatically run it as a service.<\/p>\n\n\n\n
            Cloudflare utilizes a configuration file<\/strong> to determine how to route traffic. The configuration file contains keys and values, which is written in YAML<\/strong> syntax. You may need to modify the following keys and values to meet your configuration file requirements:<\/p>\n\n\n\n
            Keys<\/th>Values<\/th><\/tr><\/thead>
            tunnel<\/td>Tunnel name or Tunnel UUID<\/td><\/tr>
            credentials-file<\/td>location of credentials file (JSON)<\/td><\/tr>
            hostname<\/td>subdomain.hostname.xxx (example, test.example.com)<\/td><\/tr>
            service<\/td>url to local application – http:\/\/localhost:8000<\/td><\/tr>
            service<\/td>http_status:404<\/td><\/tr>
            port of your app<\/td>80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
            By default, on Linux systems, Tunnel expects to find the configuration file in ~\/.cloudflared<\/em>, \/etc\/cloudflared<\/em> and \/usr\/local\/etc\/cloudflared<\/em> in that order. Let\u2019s create our config file and save in the default expected directory for this tutorial.<\/p>\n\n\n\n
            sudo nano ~\/.cloudflared\/config.yml\n<\/pre>\n\n\n\n
            Or,<\/p>\n\n\n\n
            sudo nano home\/<username>\/.cloudflared\/config.yml\n<\/pre>\n\n\n\n
            \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
            Then, we will paste our keys and values as shown below:<\/p>\n\n\n\n
            tunnel: 1082b601-bce9-45e4-b6ae-f19020e7d071\ncredentials-file: \/root\/.cloudflared\/1082b601-bce9-45e4-b6ae-f19020e7d071.json\n\ningress:\n  - hostname: test.mytunnel.ml\n    service: http:\/\/localhost:80\n  - service: http_status:404\n<\/pre>\n\n\n\n
            \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
            If you don\u2019t have any application ready to test the Tunnel, I\u2019d suggest installing NGINX web server and port mapping it to port 80 as I\u2019ve done in the configuration file. Expand me…<\/p>\n\n\n\n
            Let\u2019s make sure that we have all files in this directory:<\/p>\n\n\n\n
            ls -al\n<\/pre>\n\n\n\n
            Now, we have configured all required files to run the Tunnel in the default directory.<\/p>\n\n\n\n
            \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
             Expand me…<\/p>\n\n\n\n
            Step 5: Create DNS records to route traffic to the Tunnel:<\/h2>\n\n\n\n
            Cloudflare can route traffic to our Tunnel connection using a DNS record or a loud balancer. We will configure a DNS CNAME record to point to our Tunnel subdomain. There are two ways to acheive this mission:<\/p>\n\n\n\n
            A. Manually:<\/strong> navigate to the DNS tab on Cloudflare Dashboard, create a new CNAME record and add your subdomain of your Tunnel as follows:<\/p>\n\n\n\n
            1. Type: CNAME<\/li>
            2. Name: any subdomain name of your choosing.<\/li>
            3. Target: consists of two parts: <UUID<\/em>> and <cfargotunnel.com<\/em>> such as, <UUID.cfargotunnel.com<\/em>><\/strong><\/li><\/ol>\n\n\n\n
              B. Programmatically:<\/strong> run the following command from the command line. This command will generate a CNAME record that points to the subdomain of a specific Tunnel. The result is the same as creating a CNAME record from the dashboard as shown in step A.<\/p>\n\n\n\n
              cloudflared tunnel route dns <UUID or NAME> test.example.com\n<\/pre>\n\n\n\n
              \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
              Note: unlike the previous Argo Tunnel architecture, this DNS record will not be deleted if the Tunnel disconnects.<\/em><\/p>\n\n\n\n
              Step 6: Run and manage the Tunnel:<\/h2>\n\n\n\n
              The run<\/strong> command will connect cloudflared to Cloudflare\u2019s edge network using the configuration created in step 4. We will not specify a configuration file location so Cloudflared retrieves it from the default location, which is ~\/.cloudflared\/config.yml<\/em><\/p>\n\n\n\n
              cloudflared tunnel run <UUID> or <Tunnel Name>\n<\/pre>\n\n\n\n
              \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
              If the config.yml file is not placed in the default directory, we need to pinpoint to its location to run the Tunnel:<\/p>\n\n\n\n
              cloudflared tunnel --config path\/config.yml run <NAME> or <UUID>\n<\/pre>\n\n\n\n
              We can review the list of Tunnels we have created by running the following command:<\/p>\n\n\n\n
              Cloudflared Commands:<\/h4>\n\n\n\n
              Functions<\/th>Commands<\/th><\/tr><\/thead>
              Create a Tunnel<\/td>cloudflared tunnel run <NAME<\/em>><\/td><\/tr>
              List Tunnels<\/td>cloudflared tunnel list<\/td><\/tr>
              Stop Tunnel<\/td>cloudflared tunnel stop <NAME<\/em>><\/td><\/tr>
              Restart Tunnel<\/td>cloudflared tunnel restart <NAME<\/em>><\/td><\/tr>
              Delete Tunnel<\/td>cloudflared tunnel delete <NAME<\/em>><\/td><\/tr>
              Force Delete Tunnel<\/td>cloudflared tunnel delete -f <NAME<\/em>><\/td><\/tr>
              Show each Cloudflared info<\/td>cloudflared tunnel info <NAME<\/em>><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              Stopping Cloudflared will not delete the Tunnel or the DNS record created. Although Tunnel deletes DNS records after 24-48 hours of a Tunnel being unregistered, it does not delete TLS certificates on your behalf once the Tunnel is shut down. If you want to clean up a Tunnel you\u2019ve shut down, you can delete DNS records in the DNS editor and revoke TLS certificates in the Origin Certificates section of the SSL\/TLS tab of the Cloudflare dashboard.<\/p>\n\n\n\n
              To update Cloudflared<\/em>:<\/p>\n\n\n\n
              sudo cloudflared update\n<\/pre>\n\n\n\n
              To uninstall Cloudflared<\/em><\/p>\n\n\n\n
              sudo cloudflared service uninstall \n<\/pre>\n\n\n\n
              Step 7: Add a Zero Trust policy:<\/h2>\n\n\n\n
              Now, we are ready to head back to Teams dashboard to configure our application and create a Zero Trust Policy.<\/p>\n\n\n\n
              1. On Teams dashboard, navigate to the Application tab and click on Add an application.<\/li><\/ol>\n\n\n\n
                \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                1. Select Self-hosted.<\/li><\/ol>\n\n\n\n
                  \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                  1. Choose an application name, Session Duration, subdomain and Application domain. Then, click on Next.<\/li><\/ol>\n\n\n\n
                    Notice that the Tunnel duration ranges from 15 mins to 1 month.<\/em><\/p>\n\n\n\n
                    \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                    1. Add a name to the rule and select Bypass<\/strong> as a Rule action. On Configure a rule, include Everyone. This rule allows everyone to view our NGINX site at test.mytunnel.ml<\/strong><\/li><\/ol>\n\n\n\n
                      \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                      1. In the Advanced settings, enable automatic cloudflared authentication and browser rendering.<\/li><\/ol>\n\n\n\n
                        \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                        \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                        Finally, our application is now available in Cloudflare Access and is part of our Application list. We can navigate to a browser and type in our url test.MyTunnel.ml<\/strong> and if our Tunnel is established correctly, we shall see our NGINX web server running as shown below.<\/p>\n\n\n\n
                        \"cloudflare\"\/<\/a><\/figure>\n\n\n\n
                        Step 8: Run Tunnel as a service:<\/h2>\n\n\n\n
                        By running the following command, the Tunnel can be installed as a system service which allows the Tunnel to run at boot automatically as launch daemon. By default, the Tunnel expects to find the configuration file in the default directory, ~\/.cloudflared\/config.yml<\/em> but to run Tunnel as a service, we might need to move the config.yml file in ~\/etc\/cloudflared\/<\/em>.<\/p>\n\n\n\n
                        We can employ the move mv<\/strong> command to do the job: mv <path\/config.yml> to <\/etc\/cloudflared\/<\/em>><\/p>\n\n\n\n
                        The below command is in my case with my RPI-4 and how I moved the config file to \/etc\/cloudflared\/<\/p>\n\n\n\n
                        sudo mv \/home\/p2\/.cloudflared\/config.yml \/etc\/cloudflared\/\n<\/pre>\n\n\n\n
                        Now, we are ready to run Tunnel as a service utilizing the command below:<\/p>\n\n\n\n
                        sudo cloudflared service install \n<\/pre>\n\n\n\n
                        Conclusion:<\/h2>\n\n\n\n
                        We have successfully established a secure Cloudflare Tunnel that links our locally hosted NGINX web server to Cloudflare\u2019s network without requiring any public IP address, port-forwarding or punching through a firewall. We have also configured the Tunnel as a service to start at boot, and now we have our NGINX web server associated and accessible via our domain name, test.MyTunnel.ml<\/p>\n","protected":false},"excerpt":{"rendered":"
                        Tutorial Scenario: Signup for a free Cloudflare for Teams. Install and authenticate cloudflared on a Raspberry Pi 4. Create a Cloudflare Tunnel. Configure the Tunnel details. Create DNS records to route traffic to the Tunnel. Run and manage the Tunnel. Add a Zero Trust policy. Run Tunnel as a service. Step 1: Signup for a<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[825,52,47],"tags":[881,747,774],"class_list":["post-4825","post","type-post","status-publish","format-standard","hentry","category-cloudflare","category-devops","category-how-tos","tag-argo","tag-cloudflare","tag-tunnel"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/4825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4825"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/4825\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}