Looking to do it via GUI? Check out our latest video here: ua-cam.com/video/RUJy9fjoiy4/v-deo.html Hope you guys enjoy today's video. It took a lot of work from fellow community members and I've been super excited about it. I'm sure you have many questions - we're all working together on Discord, feel free to join us! discord.gg/VWAG7rZ 🙂 Let us know your thoughts below!🙂
Getting a 502 error? Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel. This is in reference to the config.yaml
Thanks heaps IBRA/Sycotix. As a fellow Aussie, I appreciate all you're doing for the community. I was searching all day for how to help secure up my router/NPM and couldn't find a way to not have 80 and 443 open. Now they're closed, thanks to you!
Hello, everything is ok but showing it as http on access to my website. Whereas I can get as https from 443 ports with rope routing. Where should I adjust or where I made mistakes.
Hi, changing the CNAME-content of the nginx works, but existing npm-apps does not work any more. When I open one, the browser opens nginx again with the subdomainname of my app?!? Where is the misakate?!? Thanks a lot.
@@IBRACORP Getting the Host error when loading my site. Doing my SSL like your video where you make your own. But trying manually also works. Where should I be looking? Was previously working with the open ports.
Its important to note that for anyone who wants to do this for raw TCP connections (like hosting a game server), the client who is connecting to the server also must have cloudflared installed and run the access command
Dang that is such a huge drawback for me. Set this all up and it was great, then I realized it wouldn't work for game hosting. At least it wouldn't be practical I should say.
Thank You IBRACORP, easy to follow. Ran into a few errors and worked thru them. syntax etc. The last one that was perplexing was a 502 gateway error from the origin server. I ended up changing my config.yml ingress to SSL without TLS, restarted the connector and everything worked great. Bitwarden, Nextcloud etc thru the NGINX Proxy Manager. My Home environment was my test bed as I need to port this configuration over to my police dept where we have a Sonicwall router. With the Sonicwall, opening and managing open ports can be a drag. So this is going to be great. Thanx again..
Hello, I'm having the same issue. Is there any suggestions you have? I have tried with the without TLS and no luck as also getting origin service error in the cloudflare logs
When updating to the latest version (around 17:13 minutes) after clouflared/cloudflared you should be adding a colon NOT a semi-colon THEN the version number. Makes all the difference.
Awesome. Best timing ever 😁 I'll implement it on my server first, when it works I'll do my friend's server/domain. Hope his error 522/526 will be end of life this way. Thanks a million 😘
Just installed the tunnel on my own server/domain. All went well up until trying to access my subdomains. Do I still need the A record by cloudflare-ddns or should it be working withoud the A record? one of the error lines: 2021-06-17T19:54:33Z ERR error="x509: certificate is not valid for any names, but wanted to match domain.ext" cfRay=-AMS originService=: another error line: 2021-06-17T19:56:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match domain.ext" cfRay=-AMS originService=:
Another awesome video! First few times of running this on my openmediavault using the docker compose script in portainer did not work. I had to do a couple of mods to the compose file such as changing the version number from 3.8 down to 3.3. Also had to remove the word "data" from the volume path. Lastly, I was looking at both your instructions and the instructions from aeleos and named config.yml in the compose file but had actually created a config.yaml instead. renaming the file to config.yml solved that. Last thing I had to do was use one of the valid subdomains in the ingress section and voila! Again, thank you for putting so much time into these videos!!! HUGE THANKS IBRACORP!!!!!! P.S. -- The latest tag now seems to work just fine
am getting stuck at the tunnel creation step. the command runs but the UUID is never given! and when i try to run the list tunnels command it gives "Error listing tunnels: failed to decode response: json: cannot unmarshal object into Go value of type []tunnelstore.Tunnel" when i try to recreate the tunnel it says tunnel exists.... EDIT: I had to download cloudflared in windows then via powershell run the tunnel list command, got the uuid from there then completed the steps. the json file was created as ".json" so with no filename just the extension, i renamed it manually and set the filename part to the UUID and it worked! but i had to add noTLSVerify: true line to the originRequest: section of the YAML file, now it all works! i hope you add those 2 issues to the tutorial (also the github). Thanks!
Fantastic stuff...... and done..... This and the CF/NPM stuff is the best thing I've done for my server..... The foundation on which everything else is built.....
In the video you mention to build this over Nginx. However, the way I understand it, which correct me if I'm wrong, once that's setup, Nginx becomes redondant and useless, no? Personally, Nginx is giving me issues. Even by adding the custom CF Cert, Nginx still pushes a letsencrypt cert. And then CF don't wanna give me my server on my domain, because it's not a recognized and valid cert (error 526). I been looking for a way to hide my network, without going the reverse proxy route and to cut down on processes along the route. If I understand it correctly, NextCloud, CF Tunnel, CF cert on my NextCloud and I'm good and protected all around with that? Thanks
This has been working great for the past year or so, all of a sudden I am getting a bad gateway error from cloudlfare now. Any ideas what could have caused it?
error parsing YAML in config file at /home/nonroot/.cloudflared/config.yml: yaml: line 3: could not find expected ':' I was very careful copying it over. The file name IS config.yml. I pasted all the correct info. I changed the version to cloudflare/cloudflared:latest and the problem is still happening. IDK what is causing this.
Im not sure if you check this but I just followed many of your tutorials and I arrived at using cloudflare tunnel. The tunnel is healthy but I get a Bad gateway error when trying to load overseer. Did I miss something simple that broke this? My config worked when I just had cloudflare pointing to my network IP directly.
This is so helpful. Wondering how you have you internal DNS setup for your self hosted services? Assume on your LAN you have DNS resolving to Nginx Proxy Manager so your not having to go out to the Internet and back in via the tunnel to reach these applications? Also, are you still doing letsencrypt certs on NPM in addition to the cloudflare certs?
I just did this today, and my proxy was working previously, but now I get this when I try to go to the proxy.... Not sure what to do. status":"OK","version":{"major":2,"minor":10,"revision":2
It worked fine for about a year, since today i get "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF"" anyone else?
Any thoughts on this?At 11:30 in the video you are writing to a JSON file, and it returns a JSON with an ID. When I do so, I don't get an error, but the ID is blank and the json file that is written is blank. Any thoughts? INFO[2021-07-26T15:13:00Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found. INFO[2021-07-26T15:13:00Z] Keep this file secret. To revoke these credentials, delete the tunnel. INFO[2021-07-26T15:13:00Z] Created tunnel with id
same and i get this when i try to list and delete them docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel list Error listing tunnels: failed to decode response: json: cannot unmarshal object into Go value of type []tunnelstore.Tunnel
Good video but nowadays many ISPs are giving IPv6 and you can use it to host services as IPv6 has no NAT im using all my services this way (as my ipv4 address is NATed) only difference you need to do is instead of a AA record in cloudflare you add AAAA record of the ipv6 address of the homeserver. Best part is that your IP wont change unless you reboot your router manually. Making a video on IPv6 would be really helpful for those behind CG-NAT as IPv6 is a new technology and there are no youtube videos about it.
ive just started with this, followed everything to the letter, cloudflare says the tunnel is active, however i get 502 error when trying to access the page. any ideas?
Sorry to ask again, but what about using Plex? As far as I understand Plex still "need" to have a port forward. Adding this to a Dynamic IP, how you manage it with this tunnel? As far as my network voodoo let me understand, the tunnel will only manage the communication for an ingress trough the subdomain.domain.tld configured in CF and communicating to the NPM docker. Any direct use of any of this dockers trough local IP:port won't use this tunnel, neither any communication of the server. Example if I have deluge.domain.tld pointing to the deluge docker, using that URL I can access from outside my server LAN to the Web UI and that will be done trough the tunnel, but the deluge itself (also with a VPN) won't download or upload anything trough that tunnel. As you explain, the config in the CF have @ -> UUID, and deluge -> @, but if I have plex also, I have make the config like that? That won't try to communicate trough the tunnel? I won't be need for plex to maintain the right IP with CF DDNS and a port forward? Sorry too long of an explanation.
Thanks for this great guide. Just one question, since we're tagging the versions, does that mean we have to manually update each time new versions release? Is it not possible to have updating automated?
Yeah, he even mentions "dont forget to come back and change it". If i remember correctly there is a dockername:latest tag (latest instead of version) but i have no idea if it is the same as having it untagged.
Wonderful video! I got it all complete, but when I try to test it I get an Error 1014 from Cloudflare. I noticed that you use a CNAME for the tunnel instead of an A record. The error seems to point to the fact that I'm also using a CNAME instead of the expected A. How did you get around this?
@@IBRACORP Hey mate! Given this, does this mean that with the new free option, this gives no routing benefit as shown in your diagram? At that point, the difference between using the free tunnel vs simply having orange subdomains would be just the portability, no port forwarding, and ISP port block bypass factors? I don't have ISP issues nor do I need portability and I'm pretty ok having some ports open, so would this mean there'd be no real benefit for me if everything is already currently orange? I'm mainly thinking from a user standpoint so I was really after the routing stuff!
Hi Great work! But I didn‘t Getränke the Plex Thing. Actually I have a Setup in unraid and nginx Reverse Proxy Manager an Plex connected via subdomain in cloudflare With the opened Plex Port on my router . Is This against Their rules or just the tunneling oft Plex streams?
Tunnel working flawlessly, but I experience an issue regarding Nextcloud. When my android phones are connected to local network (same as unraid/nextcloud), they can't connect to nextcloud using nextcloud app (for auto upload for example), just switching to mobile data and it works. Working on outside networks too. Don't know what to do or configure ?...
Thanks for the video!! I am getting the 502 error, you've said in some comments, to update the config.yaml to use a valid subdomain...I have used a subdomain that points to my main domain (I am behind a CGNAT) should that still work or should I point the CNAME for the subdomain to something else? I still can't get it to work. Damn CGNATs...
after setting this sup does one still need to port forward NPM or wireguard ports on the router? What about the previous Cloudflare DDNS setup. Is that still needed or can that be deleted? Amazing videos btw. i completely revamped my server using your guides. Thank you!
Nope the beauty of this setup is that those ports can now be closed as they are now via the tunnel. Same goes for DDNS since the CloudFlare DNS entry points to the tunnel and not an IP address :)
@@IBRACORP Sorry to ask again, but what about using Plex? As far as I understand Plex still "need" to have a port forward. Adding this to a Dynamic IP, how you manage it with this tunnel? As far as my network voodoo let me understand, the tunnel will only manage the communication for an ingress trough the subdomain.domain.tld configured in CF and communicating to the NPM docker. Any direct use of any of this dockers trough local IP:port won't use this tunnel, neither any communication of the server. Example if I have deluge.domain.tld pointing to the deluge docker, using that URL I can access from outside my server LAN to the Web UI and that will be done trough the tunnel, but the deluge itself (also with a VPN) won't download or upload anything trough that tunnel. As you explain, the config in the CF have @ -> UUID, and deluge -> @, but if I have plex also, I have make the config like that? That won't try to communicate trough the tunnel? I won't be need for plex to maintain the right IP with CF DDNS and a port forward? Sorry too long of an explanation.
Question: Is there anyway to get a NAT reflection like function to work with this when you are local with the Tunneled site? I have terribly slow internet and this makes even my local connections slow as well. Possible workaround maybe? I use PFSense with HA Proxy but soon I won't have a public IP anymore. Can this also be used to get a VPN through a Double NAT?
Good question Aaron. I haven't tested this myself but off the top of my head I can probably assume yes, I use both Tailscale and the tunnel together. Both we covered in videos
Not sure if you're still replying to comments here but just in case. I am running into an error at the very beginning where after I type the initial docker run in and I authorize my domain all I get is "waiting for login" in my unraid terminal. Any idea what is going on?
So once you have got the tunnel up and running can you close the all ports that you have open on your router or do they have to remain open? i have 80, 443, 1880 and 4431 open for NPM and Heimdall.. can i delete the port forwarding info on my router for them once this tunnel up? Love this content, thank you.
With my limited understanding of networking, I have a question. Don't you achieve similar results when using one of those xyz-vpn docker containers and connect all the services through that network. Sure, the basics http and https ports need to be open if using exposed services via a reverse proxy, but other than that it is very similar?
Well, you could. But you usually need to pay for them. Further, not exposing or needing ports 80 and 443 is a huge seller to a lot of people who don't have access to use those ports by greedy ISPs. Further again, Cloudflare's CDN boasts great reach and performance, all for free. Plenty of other things, too. But I'm not saying everyone needs to go for it - I am saying they should.
I recently played with this on my Pi 4 but can't set it up as a service as I'm currently running Cloudflare DoH for Pi-hole. I can't find how to set them up side by side, not an easy thing to Google haha.
If I'm understanding correctly then if I leave port forwarding for plex then it will try to route plex traffic through the port first before trying to route through the tunnel?
This a great solution! Is their a way to take advantage of the SSL and not go out to the internet. For example, my laptop hitting my domain pointed at my local nginx proxy manager, which then forwards that to a server in homelab. Would the tunnel route all that traffic to internet?
A couple of ways you can do this. Either setup internal DNS and point the name resolution for your domains to the reverse proxy, or setup a NAT Loopbackrule on your firewall (if it supports it obviously) to redirect internal traffic back internally to the reverse proxy. The latter is the method I use with CF tunnel and traefik reverse proxy.
I really need help, i followed the tutorial but when i try to open for example sonarr trought nginx i get a error 502 bad gateway, when i look at the logs from cloudflared i get this error: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match my.domain" Already tried changing from my.domain to host.my.domain by adding a Cname host pointing to my.domain but its still not working. Im almost sure everything is OK but its been close to 5 hours smacking my head against the wall and i have to idea how to fix this. Thanks
@@ardenswirl7361 In the end i decided to setup nginx proxy manager and use the cloudflare ddns docker to update the ip on cloudflare. Had to open some ports but overall really secure. Just had the idea of using some pentesting tools and try to test the most common security issues on one of my websites.
bro it wont work i have the same issue so i cantacted isp they have blocked ports and they say to open ports u need to buy static ip and i said i will if you let me try first and they let me try for 15 mins everything was working in that 15 mins they jsut want to earn more money by looting customers port forwaring wont work for you change isp
Everything works exactly the same as before. The only difference is how you connect to Cloudflare from your server. I have mine working with my previous Authelia set up too so everything is protected just the same as before.
Allegedly, /home/nonroot/.cloudflared doesn't exist even though if I try to regenerate the login it says it will be overwritten because the .pem file already exists. But in terminal, the /home dir is completely empty (logged in as root). Any ideas?
Hey jacob, try running the following command first before the docker run command from your unraid terminal "mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 777 /mnt/user/appdata/cloudflared/"
Great video, thanks so much, I am having one problem. I keep getting 502 errors. The only way I can get through to my sites is to add "noTLSVerify: true" to the config. Any idea why this is happening? Also is it safe to have this setting enabled? Any help would be greatly appreciated.
Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel. This is in reference to the config.yaml
I’m assuming you can only make a tunnel for HTTP traffic correct? For example you couldn’t route in Minecraft service traffic via the tunnel since Cloudflare proxy only supports HTTP protocol.
"Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel." This refers to the config.yaml
Unraid only uses a template to read from Docker Hub. So the container is the same and can be found on Docker Hub by CloudFlare :) hub.docker.com/r/cloudflare/cloudflared
@@IBRACORP Im getting the same error as they describe : 'error writing cert to /home/nonroot/.cloudflared/cert.pem: open /home/nonroot/.cloudflared/cert.pem: permission denied'
Is it possible to set this up for multiple domains? I currently have two separate domains running through CF CDN > NPM > Unraid. I thought based on the docs I might be able to do it through the ingress section of the yml file, but the part at around 9:50 where you authorize to a specific domain threw me off.
We're currently still testing this Mike but I personally have multiple domains in CF but on separate servers (one live and one test). So I'll let you know, plenty of discussion in the Discord too
@@IBRACORP So I basically created a folder for each domain under /mnt/user/appdata/cloudflared and edited the docker commands to create the tunnels for each domain in their respective folders. I then created two yaml files and two argo containers, 1 for each domain. Not sure if this is the best way, but it's working.
@fimak I think your comment got deleted. I got a notification but can't see the comment. The notification cuts off right before the config. @IBRACORP are you able to approve the comment or see it and post the config?
So the issue with Cloudflare and Plex is the caching aspect that Cloudflare discourages right? So isn't the simple fix to just go to "Rules" and add your Plex subdomain and turn off Rocket Loader, and set Cache Level Bypass? Or is there more to it then what I have been told?
Look that might but I hope you understand the position I'm in means I cannot guarantee that. And I don't want to be responsible for any action taken on your account. So what you choose to do is up to you. Are you catching my drift?
@@IBRACORP Ok, I understand your point now, hopefully someone can eventually confirm if it is 100% safe. I been doing it this way for about 2 years now and if they do decide to take action hopefuly they atleast give out a warning.
Hi @ibracorp, when I do this, it's not printing out an ID (obviously this is critical) in the terminal for some reason, any ideas? it prints created tunnel with id nothing here
Great video. Almost everything worked flawlessly. The only problem that I ran into was Emby, which is set to DNS Only. It will not connect at all in this configuration. When I proxy that subdomain, it connects without a problem but I can't run Emby through CF like that per the rules... right?
Great Video. Finally a good solution for a year long problem. Despite the security benefits, how is the privacy? When the traffic gets encrypted who holds the keys cloudflare or my services? Is a End to end Encryption with the Tunnel possible? So can cloudflare see unencrypted traffic? Would be nice if someone has more experience with that then me and could help me.
Do you think this would help with my nextcloud? I set up the origin cert as you had in previous videos. But now I have issues uploading large files to Nextckoud. I think it has to do with cloudflare's limit on traffic/bandwidth?
@@teh_don The limit for a free user is 100MB, up to 200 for business+ and up to 500 for enterprise It's surprising they don't have an unlimited option. The setting is under 'Network'
I got it on the second try i think it may be related to the releases discrepancies, the commands reference 2021.6.0 but i swapped for the Aug. update but didn't change the commands there after, either way thanks a bunch new subscriber here loving your videos they are very helpful!
Hi, really awesome, but nginx does not work how you described. I can open nginx (with my root domain entry in config.yml), but when I add a new entry in nginx (and a new cname in Cloudflare dashboard, which points to my root-domain) it opens the nginx site again (with subdomain entry in the url)?!? I don´t know what´s wrong. Maybe you can explain it in some more details? That would be great.
do you have still the certificates in your npm-apps and do you still have the possibility to create and auto-update the certificates? I do not have this possibility and I don´t understand how you realise this with npm through cloudflared. It would be nice, if you could explain this a little bit deeper, so that it can easier be build. Thanks a lot.
I love cloudflared, because I don´t have a public IP (cgnat!). With cloudflared I have a fantastic solution for my cgnat-problem, but I need authelia, because most apps need 2fa. So the question is, how could this be configured? I already know how to work with npm and authelia and I am able to use cloudflared, but I don´t know how to combine both?!? If you know, please explain, thanks :-)
Something intestering, after running these commands that I copied from the GitHub page it didn't list a UUID in the terminal.. so I checked the appdata folder to cloudflared and it's not in the file name. I only have (.json). If I try to create a new tunnel with the same name it says it already exists and if I try to see what tunnels I have previously created it shows nothing there. What happened?
it's as if the tunnel is there but I can't get the UUID or delete/use it. I deleted the appdata folder, installed cloudflared, uninstalled remove appdata folders. started over from scratch and it says the tunnel still exists..
Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel. This is in reference to the config.yaml
@@IBRACORP Thanks. As of now, I still get many hits on my firewall, either from within my home country or from direct IP address. I have the GeoIP block from Cloudflare already, so if I understand correctly, setting up an Argo Tunnel will stop the hits from within my home country via my domain since they are the only thing allowed as of now?
Cheers Marvin! Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel. This is in reference to the config.yaml
@@IBRACORP I also get this error "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match host.al"
i am having this error when i fired up cloudflared "error parsing YAML in config file at /home/nonroot/.cloudflared/config.yaml: yaml: line 6: did not find expected '-' indicator". Hope that you will be able to advise what i did wrong. :)
Hi Rong, I believe you will have added an extra space or the formatting is incorrect. YAML is very particular. Suggest you copy our template and edit to suit
When I run the initial tunnel list command I get - Error locating origin cert: Client didn't specify origincert path when running from terminal - is there an initial setup step I missed?
It is not working for when I set the config.yaml to https it fails when it set to http it say this is not https traffic does npm need to running https as mine is http?
That's not possible. You should have two ports to NPM. One being HTTP and one being HTTPS. In this case we are only forwarding https traffic one whatever port you have configured to NPM (in my case 18443). We also need to set https in the url on the yaml
Wonderful video again! I think I followed every step carefully, tried again and again, but still receive “ Error 1033, Argo tunnel error”. What I am doing wrong?
The 1033 error means your tunnel wasn’t connected to our network at the time. You can run 'cloudflared tunnel' list to see the list of connections from your tunnel.
Any chance you could do a video on getting fail2ban set up with NPM? Seems like it'd add a nice extra level of security on top of authelia, and Argo tunnels.
How come you don't have an A record? I blindly followed and added my domain as a CNAME and deleted the A record thinking all would work fine (I also didn't note down my public IP to put back in) Now I can't open anything forwarded from NGINX
@@IBRACORP I keep getting a 502 error and the logs say it is unable to reach the origin service. Not sure where I can start to troubleshoot. Found my IP so I can always revert if I can't get this working..
@@IBRACORP Sorry, I completely missed those. Tried adding various subdomains, but now I get "error passing YAML in config file" referencing the line with the added subdomain. My browser then gives me a 1033 error
Looking to do it via GUI? Check out our latest video here: ua-cam.com/video/RUJy9fjoiy4/v-deo.html
Hope you guys enjoy today's video. It took a lot of work from fellow community members and I've been super excited about it.
I'm sure you have many questions - we're all working together on Discord, feel free to join us! discord.gg/VWAG7rZ 🙂
Let us know your thoughts below!🙂
Getting a 502 error? Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel.
This is in reference to the config.yaml
Thanks heaps IBRA/Sycotix. As a fellow Aussie, I appreciate all you're doing for the community. I was searching all day for how to help secure up my router/NPM and couldn't find a way to not have 80 and 443 open. Now they're closed, thanks to you!
Thank you mate absolute pleasure to have helped you, thanks for supporting your fellow Australians 🙂✌️
Hello, everything is ok but showing it as http on access to my website. Whereas I can get as https from 443 ports with rope routing. Where should I adjust or where I made mistakes.
Hi, changing the CNAME-content of the nginx works, but existing npm-apps does not work any more. When I open one, the browser opens nginx again with the subdomainname of my app?!? Where is the misakate?!? Thanks a lot.
5:35 - fort porwarding
Almost made it a day without anyone mentioning it! Haha
@@IBRACORP
Getting the Host error when loading my site. Doing my SSL like your video where you make your own. But trying manually also works. Where should I be looking? Was previously working with the open ports.
@@marshy.. same issue here
we should be able to delete all the port forwards in our router? Or was I preemptive
Its important to note that for anyone who wants to do this for raw TCP connections (like hosting a game server), the client who is connecting to the server also must have cloudflared installed and run the access command
Thank you for this.
I thought Argo tunnels only support outbound connections
Dang that is such a huge drawback for me. Set this all up and it was great, then I realized it wouldn't work for game hosting. At least it wouldn't be practical I should say.
Thank You IBRACORP, easy to follow. Ran into a few errors and worked thru them. syntax etc. The last one that was perplexing was a 502 gateway error from the origin server.
I ended up changing my config.yml ingress to SSL without TLS, restarted the connector and everything worked great. Bitwarden, Nextcloud etc thru the NGINX Proxy Manager.
My Home environment was my test bed as I need to port this configuration over to my police dept where we have a Sonicwall router. With the Sonicwall, opening and managing open ports can be a drag. So this is going to be great.
Thanx again..
Great to hear! Thanks for watching
Hello, I'm having the same issue. Is there any suggestions you have? I have tried with the without TLS and no luck as also getting origin service error in the cloudflare logs
Thanks!
Thank you!
Great video as usual. Much better than trying to track a dynamic IP address.
Agreed!
I was intimidated by the title of this video. But wow you made it so easy. Happy to be closing another port.
This is what I've been waiting for since being slammed by CGNAT...thanks for the dev and tutorial on this one!!!!
Glad I could help! Thanks for watching
When updating to the latest version (around 17:13 minutes) after clouflared/cloudflared you should be adding a colon NOT a semi-colon THEN the version number. Makes all the difference.
You are 100% correct, thanks for pointing it out. Lucky I'm not an English teacher
@@IBRACORP could you not just use the :latest tag to always be up to date on stable releases?
Hay mate,
Excellent video. I'm behind Double NAT and this solves my issue. You earned a sub.
Thanks.
Finally allows me to use Starlink with self hosting and bypass the ipv6 headache!
Awesome. Best timing ever 😁 I'll implement it on my server first, when it works I'll do my friend's server/domain. Hope his error 522/526 will be end of life this way.
Thanks a million 😘
Just installed the tunnel on my own server/domain. All went well up until trying to access my subdomains. Do I still need the A record by cloudflare-ddns or should it be working withoud the A record?
one of the error lines:
2021-06-17T19:54:33Z ERR error="x509: certificate is not valid for any names, but wanted to match domain.ext" cfRay=-AMS originService=:
another error line:
2021-06-17T19:56:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match domain.ext" cfRay=-AMS originService=:
Still need help!
Another awesome video! First few times of running this on my openmediavault using the docker compose script in portainer did not work. I had to do a couple of mods to the compose file such as changing the version number from 3.8 down to 3.3. Also had to remove the word "data" from the volume path. Lastly, I was looking at both your instructions and the instructions from aeleos and named config.yml in the compose file but had actually created a config.yaml instead. renaming the file to config.yml solved that. Last thing I had to do was use one of the valid subdomains in the ingress section and voila! Again, thank you for putting so much time into these videos!!! HUGE THANKS IBRACORP!!!!!!
P.S. -- The latest tag now seems to work just fine
Thank you so much for this video, it really helps me since I was behind cgnat. To access my local network, i was using Tailscale.
am getting stuck at the tunnel creation step. the command runs but the UUID is never given!
and when i try to run the list tunnels command it gives "Error listing tunnels: failed to decode response: json: cannot unmarshal object into Go value of type []tunnelstore.Tunnel"
when i try to recreate the tunnel it says tunnel exists....
EDIT: I had to download cloudflared in windows then via powershell run the tunnel list command, got the uuid from there then completed the steps.
the json file was created as ".json" so with no filename just the extension, i renamed it manually and set the filename part to the UUID and it worked!
but i had to add noTLSVerify: true line to the originRequest: section of the YAML file, now it all works!
i hope you add those 2 issues to the tutorial (also the github).
Thanks!
Fantastic stuff...... and done..... This and the CF/NPM stuff is the best thing I've done for my server..... The foundation on which everything else is built.....
Glad you enjoyed it Paul! It really is great stuff to set up
In the video you mention to build this over Nginx. However, the way I understand it, which correct me if I'm wrong, once that's setup, Nginx becomes redondant and useless, no? Personally, Nginx is giving me issues. Even by adding the custom CF Cert, Nginx still pushes a letsencrypt cert. And then CF don't wanna give me my server on my domain, because it's not a recognized and valid cert (error 526). I been looking for a way to hide my network, without going the reverse proxy route and to cut down on processes along the route. If I understand it correctly, NextCloud, CF Tunnel, CF cert on my NextCloud and I'm good and protected all around with that? Thanks
best content on YT
Cheers Floose, thanks for your great RL videos!
This has been working great for the past year or so, all of a sudden I am getting a bad gateway error from cloudlfare now. Any ideas what could have caused it?
error parsing YAML in config file at /home/nonroot/.cloudflared/config.yml: yaml: line 3: could not find expected ':'
I was very careful copying it over.
The file name IS config.yml.
I pasted all the correct info.
I changed the version to cloudflare/cloudflared:latest and the problem is still happening.
IDK what is causing this.
Just found your channel and it's a gem!
Thank you! Glad to have you
Tremendously great! excellent job, and super useful!
Cheers!
Finally done, thank you. I tried cloudflare zero trust network but i feell that authelia it’s much better, going to install it tomorrow
Hi Abderrahmane S, thank you for watching!
Im not sure if you check this but I just followed many of your tutorials and I arrived at using cloudflare tunnel. The tunnel is healthy but I get a Bad gateway error when trying to load overseer. Did I miss something simple that broke this? My config worked when I just had cloudflare pointing to my network IP directly.
This is so helpful. Wondering how you have you internal DNS setup for your self hosted services? Assume on your LAN you have DNS resolving to Nginx Proxy Manager so your not having to go out to the Internet and back in via the tunnel to reach these applications? Also, are you still doing letsencrypt certs on NPM in addition to the cloudflare certs?
There on your guide you say add privileges for the folder 755, but that does not allow store the ssl certs, I had to do chmod 777
thank youuu, since my isp blocking my 80/443 port. i just make a tunnel and solve all the problem. thank you sooo muchh!!
You're very welcome thanks for watching Zarif
I get a permission denied error after clicking the website?
I just did this today, and my proxy was working previously, but now I get this when I try to go to the proxy.... Not sure what to do.
status":"OK","version":{"major":2,"minor":10,"revision":2
It worked fine for about a year, since today i get "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF"" anyone else?
Any thoughts on this?At 11:30 in the video you are writing to a JSON file, and it returns a JSON with an ID. When I do so, I don't get an error, but the ID is blank and the json file that is written is blank. Any thoughts?
INFO[2021-07-26T15:13:00Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found.
INFO[2021-07-26T15:13:00Z] Keep this file secret. To revoke these credentials, delete the tunnel.
INFO[2021-07-26T15:13:00Z] Created tunnel with id
same
and i get this when i try to list and delete them
docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel list
Error listing tunnels: failed to decode response: json: cannot unmarshal object into Go value of type []tunnelstore.Tunnel
I have the same problem blank id and when I try to list the tunnel is says can't decode json files
It's a known issue on the latest version I believe mate. Check our docs
Good video but nowadays many ISPs are giving IPv6 and you can use it to host services as IPv6 has no NAT im using all my services this way (as my ipv4 address is NATed) only difference you need to do is instead of a AA record in cloudflare you add AAAA record of the ipv6 address of the homeserver. Best part is that your IP wont change unless you reboot your router manually. Making a video on IPv6 would be really helpful for those behind CG-NAT as IPv6 is a new technology and there are no youtube videos about it.
Great tips thanks Chandra! These are good points and hopefully IPv6 starts ramping up
amazing I didn't know this
Are yo from India? If yes, then which isp are you using for ipv6?
ive just started with this, followed everything to the letter, cloudflare says the tunnel is active, however i get 502 error when trying to access the page. any ideas?
Sorry to ask again, but what about using Plex? As far as I understand Plex still "need" to have a port forward. Adding this to a Dynamic IP, how you manage it with this tunnel?
As far as my network voodoo let me understand, the tunnel will only manage the communication for an ingress trough the subdomain.domain.tld configured in CF and communicating to the NPM docker. Any direct use of any of this dockers trough local IP:port won't use this tunnel, neither any communication of the server.
Example if I have deluge.domain.tld pointing to the deluge docker, using that URL I can access from outside my server LAN to the Web UI and that will be done trough the tunnel, but the deluge itself (also with a VPN) won't download or upload anything trough that tunnel.
As you explain, the config in the CF have @ -> UUID, and deluge -> @, but if I have plex also, I have make the config like that? That won't try to communicate trough the tunnel? I won't be need for plex to maintain the right IP with CF DDNS and a port forward?
Sorry too long of an explanation.
Thanks for this great guide. Just one question, since we're tagging the versions, does that mean we have to manually update each time new versions release? Is it not possible to have updating automated?
Yeah, he even mentions "dont forget to come back and change it".
If i remember correctly there is a dockername:latest tag (latest instead of version) but i have no idea if it is the same as having it untagged.
Latest tag won't work unfortunately still a manual process of picking the version
Hi!
If i wanted to delete my entire setup of Argo tunnel and then remove every single trace of it, and then start over… what exactly do I need to do?
thank you very much i am searching for this for so many months thank you very much
Wonderful video! I got it all complete, but when I try to test it I get an Error 1014 from Cloudflare. I noticed that you use a CNAME for the tunnel instead of an A record. The error seems to point to the fact that I'm also using a CNAME instead of the expected A. How did you get around this?
FYI Cloudflare now call the free service 'Zero Trust Tunnels' or just 'Tunnels'. 'Argo' is now their very pricey Smart Routing product! :D
Good tip!
@@IBRACORP Hey mate! Given this, does this mean that with the new free option, this gives no routing benefit as shown in your diagram? At that point, the difference between using the free tunnel vs simply having orange subdomains would be just the portability, no port forwarding, and ISP port block bypass factors?
I don't have ISP issues nor do I need portability and I'm pretty ok having some ports open, so would this mean there'd be no real benefit for me if everything is already currently orange? I'm mainly thinking from a user standpoint so I was really after the routing stuff!
You get all the above without opening any ports
@@IBRACORP Including the better routing too on the free tunnel? Or did they lock that behind the now paid Argo? Thanks dude. Also, go to bed 🤣
Hi Great work! But I didn‘t Getränke the Plex Thing. Actually I have a Setup in unraid and nginx Reverse Proxy Manager an Plex connected via subdomain in cloudflare With the opened Plex Port on my router . Is This against Their rules or just the tunneling oft Plex streams?
Tunnel working flawlessly, but I experience an issue regarding Nextcloud. When my android phones are connected to local network (same as unraid/nextcloud), they can't connect to nextcloud using nextcloud app (for auto upload for example), just switching to mobile data and it works. Working on outside networks too. Don't know what to do or configure ?...
Thanks for the video!! I am getting the 502 error, you've said in some comments, to update the config.yaml to use a valid subdomain...I have used a subdomain that points to my main domain (I am behind a CGNAT) should that still work or should I point the CNAME for the subdomain to something else? I still can't get it to work. Damn CGNATs...
How are you setting up NGinx Proxy Manager with CGNAT??
after setting this sup does one still need to port forward NPM or wireguard ports on the router? What about the previous Cloudflare DDNS setup. Is that still needed or can that be deleted? Amazing videos btw. i completely revamped my server using your guides. Thank you!
Nope the beauty of this setup is that those ports can now be closed as they are now via the tunnel.
Same goes for DDNS since the CloudFlare DNS entry points to the tunnel and not an IP address :)
@@IBRACORP awesome, thank you.
@@IBRACORP Sorry to ask again, but what about using Plex? As far as I understand Plex still "need" to have a port forward. Adding this to a Dynamic IP, how you manage it with this tunnel?
As far as my network voodoo let me understand, the tunnel will only manage the communication for an ingress trough the subdomain.domain.tld configured in CF and communicating to the NPM docker. Any direct use of any of this dockers trough local IP:port won't use this tunnel, neither any communication of the server.
Example if I have deluge.domain.tld pointing to the deluge docker, using that URL I can access from outside my server LAN to the Web UI and that will be done trough the tunnel, but the deluge itself (also with a VPN) won't download or upload anything trough that tunnel.
As you explain, the config in the CF have @ -> UUID, and deluge -> @, but if I have plex also, I have make the config like that? That won't try to communicate trough the tunnel? I won't be need for plex to maintain the right IP with CF DDNS and a port forward?
Sorry too long of an explanation.
what to do if it local zone is not part of your account or you do not have access to it
Question: Is there anyway to get a NAT reflection like function to work with this when you are local with the Tunneled site? I have terribly slow internet and this makes even my local connections slow as well. Possible workaround maybe? I use PFSense with HA Proxy but soon I won't have a public IP anymore. Can this also be used to get a VPN through a Double NAT?
Good question Aaron. I haven't tested this myself but off the top of my head I can probably assume yes, I use both Tailscale and the tunnel together. Both we covered in videos
@@IBRACORP Awesome, thanks. I'll take a look. Just found you today and like what I'm seeing. Great job!
Not sure if you're still replying to comments here but just in case. I am running into an error at the very beginning where after I type the initial docker run in and I authorize my domain all I get is "waiting for login" in my unraid terminal. Any idea what is going on?
So once you have got the tunnel up and running can you close the all ports that you have open on your router or do they have to remain open? i have 80, 443, 1880 and 4431 open for NPM and Heimdall.. can i delete the port forwarding info on my router for them once this tunnel up? Love this content, thank you.
Yes that's correct! Exceptions are anything that is not allowed via the tunnel. I.e Plex
@@IBRACORP how does one find out what is and isn’t allowed via the tunnel?
Thank you btw.
You can refer to CloudFlares official terms of service, specifically section 2.8 here:
www.cloudflare.com/en-gb/terms/
@@IBRACORP brilliant. Thank you 🙏
With my limited understanding of networking, I have a question. Don't you achieve similar results when using one of those xyz-vpn docker containers and connect all the services through that network. Sure, the basics http and https ports need to be open if using exposed services via a reverse proxy, but other than that it is very similar?
Well, you could. But you usually need to pay for them. Further, not exposing or needing ports 80 and 443 is a huge seller to a lot of people who don't have access to use those ports by greedy ISPs. Further again, Cloudflare's CDN boasts great reach and performance, all for free.
Plenty of other things, too. But I'm not saying everyone needs to go for it - I am saying they should.
when I set this up and point it at jellyfin, it works fine in browsers, but not in the app. Anyone know why?
I recently played with this on my Pi 4 but can't set it up as a service as I'm currently running Cloudflare DoH for Pi-hole. I can't find how to set them up side by side, not an easy thing to Google haha.
after the first command i already get an error, Unable to find image 'cloudflare/cloudflared:latest' locally
Can we created multiple site with just one cloudflared connection?
If I'm understanding correctly then if I leave port forwarding for plex then it will try to route plex traffic through the port first before trying to route through the tunnel?
That's correct
Do you have a video for reactive resume?
Also can this work with wireguard?
Still not 100% certain on Wireguard. We are currently testing an alternative that goes via Cloudlfare WARP but no luck yet
Fuck I can't wait for this one
This a great solution! Is their a way to take advantage of the SSL and not go out to the internet. For example, my laptop hitting my domain pointed at my local nginx proxy manager, which then forwards that to a server in homelab. Would the tunnel route all that traffic to internet?
I believe yes it will Cristian
A couple of ways you can do this. Either setup internal DNS and point the name resolution for your domains to the reverse proxy, or setup a NAT Loopbackrule on your firewall (if it supports it obviously) to redirect internal traffic back internally to the reverse proxy. The latter is the method I use with CF tunnel and traefik reverse proxy.
I really need help, i followed the tutorial but when i try to open for example sonarr trought nginx i get a error 502 bad gateway, when i look at the logs from cloudflared i get this error:
ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match my.domain"
Already tried changing from my.domain to host.my.domain by adding a Cname host pointing to my.domain but its still not working.
Im almost sure everything is OK but its been close to 5 hours smacking my head against the wall and i have to idea how to fix this.
Thanks
bro i found how to fix it
@@ardenswirl7361 In the end i decided to setup nginx proxy manager and use the cloudflare ddns docker to update the ip on cloudflare.
Had to open some ports but overall really secure.
Just had the idea of using some pentesting tools and try to test the most common security issues on one of my websites.
I am hitting the same thing. double checked and reimplemented several times. No luck.
@@dmichaelchuk yes bro same issue idk what the issue is even tried with subdomain dosent work wish some one would help over teamviver
bro it wont work i have the same issue so i cantacted isp they have blocked ports and they say to open ports u need to buy static ip and i said i will if you let me try first and they let me try for 15 mins everything was working in that 15 mins they jsut want to earn more money by looting customers port forwaring wont work for you change isp
Any issues with setting this up for the vault warden (previously bitwarden). Or nextcloud?
From our testing, no Bitwarden seems to be working OK
Was there anything specific you had to do for them ?
@@Aceriz I haven't set it up myself, but Hawks has. He's in our Discord if you'd like to know more
Everything works exactly the same as before. The only difference is how you connect to Cloudflare from your server. I have mine working with my previous Authelia set up too so everything is protected just the same as before.
How would i do this when i currently have my own website?
Went through this tutorial and I cant get it to work. Getting a 502 error. You mention other videos at the end...which ones?
Hi Brian, if you head into our discord you will find a very active community of people who may be able to help. Let us know how you get on!
Allegedly, /home/nonroot/.cloudflared doesn't exist even though if I try to regenerate the login it says it will be overwritten because the .pem file already exists. But in terminal, the /home dir is completely empty (logged in as root). Any ideas?
Hey jacob, try running the following command first before the docker run command from your unraid terminal "mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 777 /mnt/user/appdata/cloudflared/"
Great tutorial. Worked a treat for me. Thank you :)
Thanks for watching Malcolm 🙂
Great video, thanks so much, I am having one problem. I keep getting 502 errors. The only way I can get through to my sites is to add "noTLSVerify: true" to the config. Any idea why this is happening? Also is it safe to have this setting enabled? Any help would be greatly appreciated.
Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel.
This is in reference to the config.yaml
@@IBRACORP sorry I am really new to this. Would that be adding a cname and then updating the config with that as the subdomain?
I’m assuming you can only make a tunnel for HTTP traffic correct? For example you couldn’t route in Minecraft service traffic via the tunnel since Cloudflare proxy only supports HTTP protocol.
Correct, as far as I'm aware
Can't connect to nginx over SSL. "Unable to reach the origin service." Works over http. any idea what I might have wrong?
"Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel."
This refers to the config.yaml
Thank you Brandon
Wouldn't have found the answer if I didn't have the same problem myself
Yeah a few people did but it makes me happy to see everyone help with solutions
@@BrandonBillig thanks, also worked for me
Can you also post the docker container for people without unraid? I would like to implement this on Ubuntu Server.
Unraid only uses a template to read from Docker Hub. So the container is the same and can be found on Docker Hub by CloudFlare :)
hub.docker.com/r/cloudflare/cloudflared
@@IBRACORP Sorry I should have been more clear, I mend the template (variables) that you guys added.
Here you go: raw.githubusercontent.com/aeleos/cloudflared/main/cloudflared.xml
I keep getting error writing cert to /home/no root/.cloudflared/cert.pem
Same.
@@xPsIXx hope there's a fix for this. Seems like it might be a permission thing but I'm not sure.
What's the proper error log?
@@IBRACORP Im getting the same error as they describe : 'error writing cert to /home/nonroot/.cloudflared/cert.pem: open /home/nonroot/.cloudflared/cert.pem: permission denied'
@@IBRACORP same here. Error exactly as described by @Vatoe
Great one! Thanks for sharing!
I set this up and it’s running smoothly. Now how do I get my WireGuard running? Do I need to still port forward? Or change the settings in some way?
Still port forwarding at this stage mate
Is it possible to set this up for multiple domains? I currently have two separate domains running through CF CDN > NPM > Unraid. I thought based on the docs I might be able to do it through the ingress section of the yml file, but the part at around 9:50 where you authorize to a specific domain threw me off.
Actually I think you answered my question at 20:17. I must have missed it the first time through. Awesome guide vids, keep up the good work!
We're currently still testing this Mike but I personally have multiple domains in CF but on separate servers (one live and one test). So I'll let you know, plenty of discussion in the Discord too
@@IBRACORP So I basically created a folder for each domain under /mnt/user/appdata/cloudflared and edited the docker commands to create the tunnels for each domain in their respective folders. I then created two yaml files and two argo containers, 1 for each domain. Not sure if this is the best way, but it's working.
@fimak I think your comment got deleted. I got a notification but can't see the comment. The notification cuts off right before the config. @IBRACORP are you able to approve the comment or see it and post the config?
It's not me sorry mate, I think it's UA-cam antispam. Try drop it in pastebin and paste a division URL
There is a way to use with a wireguard?
Or do I need a dynamic ip for it?/example duckdns or wireguard dynamic
You mean for your public IP? Cloudflare can be used as a ddns I think, I'm assuming you would have to uncheck Proxied though.
Neat, now i can take my rpi WordPress server anywhere i want
once i run the login command and authenticate it seems to create a second origin cert (I created one following your previous cloudflare video)
It should just creates a cert for this tunnelled connection
So the issue with Cloudflare and Plex is the caching aspect that Cloudflare discourages right? So isn't the simple fix to just go to "Rules" and add your Plex subdomain and turn off Rocket Loader, and set Cache Level Bypass? Or is there more to it then what I have been told?
Look that might but I hope you understand the position I'm in means I cannot guarantee that. And I don't want to be responsible for any action taken on your account. So what you choose to do is up to you. Are you catching my drift?
@@IBRACORP Ok, I understand your point now, hopefully someone can eventually confirm if it is 100% safe. I been doing it this way for about 2 years now and if they do decide to take action hopefuly they atleast give out a warning.
hey, how it's been working for you so far?@@pcmv6832
Great video once again, would this work for using a vpn. I currently have a subdomain not proxied through cloudflare but it exposes my public ip
Still testing this scenario at the moment
Hi @ibracorp, when I do this, it's not printing out an ID (obviously this is critical) in the terminal for some reason, any ideas? it prints created tunnel with id nothing here
Hi mate join our Discord and supply some logs so we can try to help 🙂discord.gg/VWAG7rZ
@@IBRACORP very helpful your discord community, thank you!
i tried the first command but i get an error: permission denied. Perhaps it is because of the new unraid version idk.
Somebody got a fix for this?
The solution is replace 755 from folder to 777
mkdir -p /mnt/user/appdata/cloudflared/ && chmod -R 777 /mnt/user/appdata/cloudflared/
Great video. Almost everything worked flawlessly.
The only problem that I ran into was Emby, which is set to DNS Only. It will not connect at all in this configuration.
When I proxy that subdomain, it connects without a problem but I can't run Emby through CF like that per the rules... right?
Correct, you will be banned so best off just port forwarding for Emby as usual
Can/Should I set this up before I have implemented a reverse proxy?
You can do that yeah. Just keep in mind this points to a reverse proxy, so until you put one in it won't be doing much
Great Video. Finally a good solution for a year long problem. Despite the security benefits, how is the privacy?
When the traffic gets encrypted who holds the keys cloudflare or my services? Is a End to end Encryption with the Tunnel possible? So can cloudflare see unencrypted traffic?
Would be nice if someone has more experience with that then me and could help me.
Do you think this would help with my nextcloud? I set up the origin cert as you had in previous videos. But now I have issues uploading large files to Nextckoud. I think it has to do with cloudflare's limit on traffic/bandwidth?
Yeah that is a limitation of Cloudflare and sadly this won't really help with that
@@IBRACORP do you know what the limiation actually is? Does it have to do with caching or is it just related to bandwidth restrictions?
There's varying answer. I use it myself fine but don't store large files.
You might have to bypass cache and use DNS only from what I've seen
@@teh_don The limit for a free user is 100MB, up to 200 for business+ and up to 500 for enterprise
It's surprising they don't have an unlimited option. The setting is under 'Network'
Thanks for the update Rory
Great demonstration!
Works on Starlink :) Thank you.
You're welcome!
I cannot get the container to run the tunnel the log reports: use cloudflared tunnel run to start tunnel uuid any advice?
Please make sure you followed the video and our docs at docs.ibracorp.io
@@IBRACORP thanks for the response yes definitely did step by step. I’m going to start from the top again
I got it on the second try i think it may be related to the releases discrepancies, the commands reference 2021.6.0 but i swapped for the Aug. update but didn't change the commands there after, either way thanks a bunch new subscriber here loving your videos they are very helpful!
My pleasure mate glad it worked out thanks for sharing your solution
Hi, really awesome, but nginx does not work how you described. I can open nginx (with my root domain entry in config.yml), but when I add a new entry in nginx (and a new cname in Cloudflare dashboard, which points to my root-domain) it opens the nginx site again (with subdomain entry in the url)?!? I don´t know what´s wrong. Maybe you can explain it in some more details? That would be great.
do you have still the certificates in your npm-apps and do you still have the possibility to create and auto-update the certificates? I do not have this possibility and I don´t understand how you realise this with npm through cloudflared. It would be nice, if you could explain this a little bit deeper, so that it can easier be build. Thanks a lot.
I love cloudflared, because I don´t have a public IP (cgnat!). With cloudflared I have a fantastic solution for my cgnat-problem, but I need authelia, because most apps need 2fa. So the question is, how could this be configured? I already know how to work with npm and authelia and I am able to use cloudflared, but I don´t know how to combine both?!? If you know, please explain, thanks :-)
Ok, I got it working perfectly with Cloudflare Zero Trust Applications - no further need of nginx proxy manager 😎😁👍
Something intestering,
after running these commands that I copied from the GitHub page it didn't list a UUID in the terminal.. so I checked the appdata folder to cloudflared and it's not in the file name. I only have (.json). If I try to create a new tunnel with the same name it says it already exists and if I try to see what tunnels I have previously created it shows nothing there. What happened?
it's as if the tunnel is there but I can't get the UUID or delete/use it. I deleted the appdata folder, installed cloudflared, uninstalled remove appdata folders. started over from scratch and it says the tunnel still exists..
Hi mate are you using our docs at docs.ibrscorp.io?
They are most up to date
@@IBRACORP I was following this video and the GitHub page link provided in the description.
@@IBRACORP Do you how the tunnels are left behind after removing the appdata folder?
I followed the video to a "T", but i'm getting an error 502 bad gateway. Any ideas how to resolve?
Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel.
This is in reference to the config.yaml
@@IBRACORP Thank you so much. I just did it and it worked!!!
If using the Cloudflare Argo Tunnel, is there any point in setting up GeoIP blocking?
Two different things really. Do you want specific places around the world blocked from reaching your domain?
@@IBRACORP I really just want my own country to be allowed and everything else blocked.
Them I would suggest you still use geoip blocking on the CloudFlare level 🙂
@@IBRACORP Thanks. As of now, I still get many hits on my firewall, either from within my home country or from direct IP address. I have the GeoIP block from Cloudflare already, so if I understand correctly, setting up an Argo Tunnel will stop the hits from within my home country via my domain since they are the only thing allowed as of now?
As always your the man. I am however getting a 502 gateway error
Cheers Marvin!
Try changing yourdomain.com to host.yourdomain.com, where host is a valid subdomain that you have a DNS record for. Despite this being a specific hostname, cloudflared should be able this name to verify certificates for your other subdomains as they pass through the tunnel.
This is in reference to the config.yaml
@@IBRACORP I also get this error "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match host.al"
Did you try the above?
Figured it out. Again my friend you are an Angel from IT heaven I was getting over 500 alerts on unifi.
@@elcoyote189 How did you fix it?
i am having this error when i fired up cloudflared "error parsing YAML in config file at /home/nonroot/.cloudflared/config.yaml: yaml: line 6: did not find expected '-' indicator". Hope that you will be able to advise what i did wrong. :)
Hi Rong, I believe you will have added an extra space or the formatting is incorrect. YAML is very particular. Suggest you copy our template and edit to suit
When I run the initial tunnel list command I get - Error locating origin cert: Client didn't specify origincert path when running from terminal - is there an initial setup step I missed?
Have you followed our other CloudFlare video to set up an origin certificate?
I found the problem, perhaps you could add the login line to the commands list
@@mrunsuitable716 what was the problem, help some of us that haven't got it working
Please do share
@Mr Unsuitable can you please share what you mean by this. I am having the same problem.
It is not working for when I set the config.yaml to https it fails when it set to http it say this is not https traffic does npm need to running https as mine is http?
That's not possible. You should have two ports to NPM. One being HTTP and one being HTTPS. In this case we are only forwarding https traffic one whatever port you have configured to NPM (in my case 18443). We also need to set https in the url on the yaml
Wonderful video again! I think I followed every step carefully, tried again and again, but still receive “ Error 1033, Argo tunnel error”. What I am doing wrong?
The 1033 error means your tunnel wasn’t connected to our network at the time. You can run 'cloudflared tunnel' list to see the list of connections from your tunnel.
@@IBRACORP Thanks for the fast response at first! You mean to run it as command is the container console or in unraid terminal?
Correct mate in your unraid console you can check the tunnel. Here's the written stuff to help you: github.com/aeleos/cloudflared
how would all this work if you wanted to have a wireguard VPN?
Check out our latest video in Tailscale
Any chance you could do a video on getting fail2ban set up with NPM? Seems like it'd add a nice extra level of security on top of authelia, and Argo tunnels.
It's not really worth it with NPM tbh. But Authelia has this built in by default already 🙂
Can this work with Swag as well?
Yes
How come you don't have an A record?
I blindly followed and added my domain as a CNAME and deleted the A record thinking all would work fine (I also didn't note down my public IP to put back in)
Now I can't open anything forwarded from NGINX
Because you don't need an A record. That's kind of the point.
You can always Google What's my IP.
@@IBRACORP I keep getting a 502 error and the logs say it is unable to reach the origin service. Not sure where I can start to troubleshoot.
Found my IP so I can always revert if I can't get this working..
See my other replies mate it's the same issue. Just add a valid subdomain to your YAML file
@@IBRACORP Sorry, I completely missed those. Tried adding various subdomains, but now I get "error passing YAML in config file" referencing the line with the added subdomain.
My browser then gives me a 1033 error
It means you have a space or tab or the file is configured wrong.
YAML is very sensitive to formatting, double check it for extra spaces