Establish Argo Tunnel and combine with Chisel

The free Argo Tunnel, when used with IPv4, can only carry HTTP(S) traffic and not raw TCP, since that would require too many unique IPs for each port. Argo Tunnel gets around this restriction by using hostnames as part of the HTTP protocol.

I've only tested setting this up on Linux (Ubuntu), but both Cloudflared and Chisel should work on Windows as well.

Long story short: we can still tunnel TCP, but over HTTP. We do this by combining Argo Tunnel with Chisel.

Regular web servers do not require Chisel, as Cloudflare can forward requests directly to their origins.

Set up Argo tunnel

Make sure you point the DNS of a domain to be used with Cloudflare. In my case, I needed to configure it at the nameserver at the registry. Later I can set up subdomains etc. directly in the Cloudflare interface.

Installing cloudflared

Read how to install cloudflared (can be used standalone and to install service later)

Configure tunnels and set up a service daemon

The official guide for setting up a tunnel can be found by clicking here

The official guide for setting up a service can be found by clicking here

cloudflared service install

cloudflared login

cd ~/.cloudflared

sudo cp * /etc/cloudflared/

cd /etc/cloudflared/

sudo touch config.yml

sudo nano config.yml

---
tunnel: myubuntumachine
credentials-file: /etc/cloudflared/232323232-1111-1111-2222-d2232323232.json
logfile: /var/log/cloudflared.log
transport-loglevel: error

ingress:
  - hostname: www.mydomain.dk
    service: http://localhost:8080
  - hostname: ssh.mydomain.dk
    service: ssh://localhost:22
  - service: http_status:404
---
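
Added example (not from the original post and not cloudflared's own code): a Python model of how the ingress rules above are matched, top to bottom with the first match winning, plus a check for a missing catch-all and for rules that an earlier wildcard makes unreachable. The rule list is transcribed from the config above; path filters are not modelled, and the function names are this example's own.

```python
# Ingress section of the config above, transcribed as Python data.
INGRESS = [
    {"hostname": "www.mydomain.dk", "service": "http://localhost:8080"},
    {"hostname": "ssh.mydomain.dk", "service": "ssh://localhost:22"},
    {"service": "http_status:404"},
]


def matches(rule, hostname):
    """No hostname means catch-all; a leading '*.' matches any subdomain."""
    pattern = rule.get("hostname", "")
    if not pattern or pattern == "*":
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern


def route(ingress, hostname):
    """Return the service of the first rule that matches, or None."""
    for rule in ingress:
        if matches(rule, hostname):
            return rule["service"]
    return None


def lint(ingress):
    """Report a missing catch-all and rules that can never be reached."""
    problems = []
    if not ingress or "hostname" in ingress[-1]:
        problems.append("last rule must be a catch-all (no hostname)")
    for i, rule in enumerate(ingress):
        host = rule.get("hostname")
        # Probe with a representative hostname for this rule (heuristic).
        probe = host.replace("*", "x") if host else "unmatched.invalid"
        if any(matches(earlier, probe) for earlier in ingress[:i]):
            problems.append(f"rule {i} ({host or 'catch-all'}) is shadowed")
    return problems


if __name__ == "__main__":
    for name in ("www.mydomain.dk", "ssh.mydomain.dk", "other.mydomain.dk"):
        print(name, "->", route(INGRESS, name))
    print("problems:", lint(INGRESS))
```
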






Install Cloudflare on the server and setup tunnels



Testing it out with Chisel

Launch a "test server" on port 8090 (this could be any sort of TCP or HTTP server):

sudo busybox httpd -p 8090


sudo -i

curl https://i.jpillora.com/chisel! | bash

sudo chisel client http://www.mydomain.com 8090



Useful commands that may come in handy

cloudflared tunnel list

cloudflared tunnel info myubuntumachine

sudo service cloudflared start

sudo cloudflared tunnel --config config.yml run

cloudflared tunnel route dns myubuntumachine www.mydomain.dk

cloudflared tunnel --hostname test.mydomain.dk --url http://localhost:8080 

tail -f /var/log/cloudflared.log


Access restrictions through web portal (not necessary at all)

If you wish to restrict access, you can do so this way:

https://developers.cloudflare.com/access/videos/configuring-access


Windows Chisel

It seems to work, but at the moment Windows detects the file as unsafe, so I only ran it in a sandbox.




Alternatives?

I would recommend Zerotier or Tailscale for most use cases of connecting devices and networks. They both rely on some central components, but so does Cloudflare.

Nebula:

https://github.com/slackhq/nebula

https://theorangeone.net/posts/nebula-intro/

