MikroTips: Cloudflare Zero Trust Tunnel
- Published 20 Oct 2024
- Normunds from MikroTik explains how to set up a cloudflared tunnel on a MikroTik router using the container feature. Protect your server with the excellent Cloudflare Zero Trust family of services, using your MikroTik router.
Tip: make sure your VETH interface does not fall into the "WAN" interface list; if it does, the firewall might block it.
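A minimal RouterOS configuration for the setup described above, as an added example rather than the video's own commands. The veth addresses, the storage name usb1, the interface list names WAN and LAN, the comment used to find the container, and the <TUNNEL_TOKEN> placeholder are all assumptions; the container package itself must already be enabled (which requires physical access), and the token comes from the Cloudflare Zero Trust dashboard.

```routeros
# Added example, not from the video or the MikroTik docs. Assumptions: container
# feature already enabled, storage mounted as usb1, interface lists named WAN and
# LAN, and a Cloudflare tunnel token pasted in place of <TUNNEL_TOKEN>.

# 1. Virtual ethernet interface for the container. Put it in the LAN list, never
#    WAN, so the default input/forward drop rules do not block it.
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/ip/address/add address=172.17.0.1/24 interface=veth1
/interface/list/member/add list=LAN interface=veth1

# 2. Let the container reach Cloudflare. This is outbound only; nothing is
#    exposed on the WAN address.
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24 \
  out-interface-list=WAN comment="cloudflared container"

# 3. Registry to pull from and scratch space for the image layers.
/container/config/set registry-url=https://registry-1.docker.io tmpdir=usb1/pull

# 4. Tunnel token as an environment variable, so it does not appear on the
#    command line in /container/print.
/container/envs/add name=cf_envs key=TUNNEL_TOKEN value="<TUNNEL_TOKEN>"

# 5. The container. The image entrypoint is "cloudflared --no-autoupdate", so
#    only the subcommand is passed as cmd.
/container/add remote-image=cloudflare/cloudflared:latest interface=veth1 \
  envlist=cf_envs root-dir=usb1/cloudflared cmd="tunnel run" \
  logging=yes start-on-boot=yes comment="cloudflared"

# 6. Start it, confirm it stays running, confirm veth1 is NOT a WAN member
#    (the print below should return nothing), and read the container log.
/container/start [find comment="cloudflared"]
/container/print
/interface/list/member/print where interface=veth1 and list=WAN
/log/print where topics~"container"
```

If the container starts and stops within seconds, the log output from the last command is where cloudflared reports why (an invalid token or no route to Cloudflare are the usual causes); the image is ARM64 and x86-64 only, so a "no manifest found for this architecture" error on a 32-bit ARM board is not a configuration problem.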
now THIS is pod-racing!!!
This channel keeps getting better and better! Don't slow down, guys!!!
Can I ask again for a possible future video about bridge VLANs? Something like "the definitive ROS v7 bridge VLAN tutorial"?
Something that stops all forum discussions about the proper way of doing it?
As Cloudflare is one of the top CDNs and widely used, I can see the benefit of two feature requests, maybe as an extra package called Cloudflare, to have DDNS and the tunnel, something like the ZeroTier package, which was a game changer. Normunds, counting on you.
ZeroTier is a game changer. No more open ports on the router, and you can run services in a CGNAT environment.
Agreed, it would be used as much as or more than WireGuard, which is in ROS! Put it in ROS or in a package for all devices!!!
@Anavllama I am unable to tunnel to the router itself with this. I tried 127.0.0.1:8290 to access WinBox, but it's not working..
ZeroTier is good; I've been using it for almost a year to join my local network from abroad, but there is a big difference from Cloudflare Zero Trust tunnels: they offer DDoS protection and SSL out of the box without any additional configuration... also, it works well to attach a domain to a non-static IP on a homelab server...
Considering the security cautions MT provides on using containers, it makes another strong case for the Zero Trust tunnel to be in ROS or in a package and NOT in containers. Thus the functionality can be available to all MT devices. Users could access the Zero Trust tunnel without the added complexity as well. It's a logical and sane approach.
Quote:
- you need physical access to the router to enable support for the container feature; it is disabled by default;
- once the container feature is enabled, containers can be added/configured/started/stopped/removed remotely;
- if the router is compromised, containers can be used to easily install malicious software on your router and over the network;
- your router is as secure as anything you run in a container;
- if you run a container, there is no security guarantee of any kind;
- running a 3rd-party container image on your router could open a security hole/attack vector/attack surface;
- an expert with knowledge of how to build exploits will be able to jailbreak/elevate to root.
As long as you stick to trusted containers, there is no more risk than integrating the cloudflared daemon directly into RouterOS.
The warnings are there because people can also install containers from unknown sources.
We can't integrate every useful tool into RouterOS. At some point we have to decide what is core RouterOS that most people will use, and what should be optionally available through containers.
@mikrotik Understood. I just strongly disagree with your decision, and until you have better logic than mine I will keep insisting on what is best for users! Users that have non-ARM devices and that should not be forced into learning containers. Add Zero Trust as a package, not in the core OS.
After installing the cloudflared container it's not running. It runs for 2-3 sec, then stops.
Any suggestions?
Board: RB5009, ROS ver. 7.15
That's a great video. It's exactly what I was searching for.
Nice. Unfortunately, it does not work with the RB3011 - no manifest found for this architecture.....
Hmm, my AC3 also got the "no manifest for the architecture" error :( Looks like arm32 is not supported - hopefully only for a while.
Superb. Was looking for months for a way to deal with CG-NAT situations, until I hit on CF tunnels.
I hope it will remain a free service.
Many many thanks.
You added WireGuard to the core OS; please add Cloudflare Zero Trust AT LEAST as an optional package!! That is a reasonable compromise. What do I need to do, send you cases of Canadian beer or visit Latvia and cook you pancakes with Canadian maple syrup and back bacon???
Question: I have a very restrictive "drop all" rule in my IPv4 firewall. How should I configure the firewall rules to work well with this Zero Trust tunneling? Thanks @Mikrotik
There is no need, since the router itself is making an outbound connection to the Cloudflare server. Nothing is connecting to your router in this case.
Hi, thanks for the great video. I followed the above and I have containers running on my MikroTik; when I go to create the container for this one I get a status error on the container. Any advice?
Same here, hAP ac3 > error response getting manifests: 404 / was unable to import, container b117621d-34a9-47ee-9be6-010a630b0d22. Tried to pull Pi-hole, same error. What happened? It used to work on 7.6
Is it possible to use this to remotely access the winbox itself?
I mean, yeah, why not
Does this work on MikroTik's 4G LTE routers? Wasn't able to set up Cloudflare.
@Normunds The solution will work fine while I'm using an LTE mobile connection, so I get a dynamic IP and my ISP NATs my connection?
No NAT; the ZeroTier servers do some magic called UDP hole punching
The video that I was looking for! 😮
It is so nice that you're using a hAP ax² at home. I want one too. But just don't tell me I shall buy it if I want to.
It's available from many distributors, but you probably need to place a reservation.
@mikrotik I was told by my distributor that delivery to him is only at the beginning of April, which does not really fit your info here.
When will support for Docker containers on CHR devices come? It would be very handy.
I'm getting "no manifest found for this architecture".
I'm running an RB3011 - ARM64. It should have one. Am I missing a step?
The RB3011 is arm32, not 64; no arm32 image is available from CF officially.
I'm running a Cloudflare tunnel in a Proxmox LXC container.
How do I set local DNS entries for services on the same server but on different ports?
I have hairpin NAT on the MikroTik, but how can I see that all traffic goes through the tunnel? Client PC in LAN -> WAN -> Tunnel -> LAN server
Hello MikroTik. RIP seems not to be working in OS version 7. Please show me how. I know other routing protocols in OS 7, but RIP seems not to be working. Why?
Can we do the same for Twingate connectors?
Hello, great news, but I have a question: is it possible to access the MikroTik admin GUI (WebFig) via Cloudflare tunnels?
Yes, you should use almost the same instructions as in the video.
This Docker image is available only for the newest MikroTik routers with ARM64.
What is the speed limit? For example, uploading files to a NAS
We tested 500 Mbit/s. Cloudflare is fast and has servers in many countries
How do I use a TCP-type tunnel to access SVN services?
Turned on noTLSVerify; it shows a Bad Gateway error, code 502
The Cloudflare Zero Trust tunnel won't forward the visitor IP address; your website logs only show localhost or the 127.0.0.1 IP
We need a tutorial about setting up WARP+ on MikroTik
NetworkChuck also did a good video on that in general :)
Thanks for the MikroTik-specific video though! Cheers guys
Thanks! Another awesome video..
Does not work on the RB1100 with 32-bit ARM
Hey, I have one issue though: I have 2 containers which are working fine, but after a reboot only one is starting, even though both are set to start on boot. What is the reason for this behavior? How can I ensure both are actually starting?
Send your supout .rif file to support; there could be a bug somewhere
If you put your containers in the router's default storage, it could be that one got partially saved to a RAM drive and after a reboot it's missing files.
@RB01-lite Nope, I am using a USB stick for storage
Thanks! I will try it.
Why is this functionality hidden in Docker/containers? Can it be brought up to the normal router level (like WireGuard etc.)?
All features can't be included; the OS would become too large. For less popular features you can use a container
It's a pretty niche feature and would give the MikroTik team a lot more to maintain, rather than spending those resources on something else.
Cloudflare maintains this Docker image, so it doesn't cost MikroTik any resources to maintain.
If we included every small feature some users may want in ROS, it'd become a pain to maintain.
@mikrotik Why not design ROS7 like ROS6 and let us uninstall things we don't need? I have tons of stuff in my ROS7 devices that I will NEVER use and have disabled on ROS6. I don't like this "all installed and enabled" approach in ROS7. Plus it gives way more attack surface.
@Normunds & Aroop I think it should NOT be considered niche and should be mainstream on the router. Since the router is really not capable of protecting against attacks on the WAN IP (it is not an edge device), it makes sense to push all users toward being able to use Cloudflare for the port forwarding of any server in a safe, non-public WAN IP setup. It makes infinite sense to me, as that is a huge use of many of the devices. I can see this easily being much more widely used than WireGuard, for example. This is one piece of functionality that MT should make mainstream or available as a separate package. Many home users have NAS servers or other servers, and using the MT right now makes their WAN IP a target. For instance, my CCR1009 is not capable of running Docker....... So unless MT plans on adding Docker to all architectures, containers are not a panacea and cannot take advantage of the Zero Trust tunnel, which makes MT implementations more secure for many server users; that is just plain wrong! Do the right thing! All MT users, many of them home users who may not be ARM- or Docker-savvy, will appreciate it.
Why do you insist RouterOS is unable to protect? There are plenty of existing features that can do that
Another wicked video.
Awesome content as always!
Does anyone run Traefik on RouterOS? Can we have a video about that?
When I activate Cloudflare on MikroTik it stops, why?
Check what is written in "Log"
@mikrotik No error comes out
@mikrotik The error was: unable to import, container 1212803f-9581-4a61-bfea-d12f7944774d
Do you have enough space on your device?
@mikrotik I have a 128 GB USB
If you need to make room for the Zero Trust tunnel as an optional package or part of ROS, just remove the OVPN code. :-)
great, thanks
Yggdrasil Network next 😃
Important note!: only works with ARM64.
There are Docker images of cloudflared compatible with arm32
Amazing!
awesome