OK... if you want to know the REAL benefit of doing this...
With this method, you effectively turn Cloudflare into a transport, which enables you to get around the limitations of Cloudflare. Say, what if you want to transport UDP packets now (for your WireGuard, for example)? Cloudflare doesn't really support that currently, but now it's achievable (albeit not the best way).
The software used, both websocat and gost, is there to convert/proxy (non-Cloudflare-specific) WebSocket connections to arbitrary TCP/UDP (supported by gost). You need to install them on both ends, though, to enable the full conversion (App TCP client -> websocat/gost client -> [Cloudflare via WebSocket] -> websocat/gost server -> App TCP server).
Also, you can use the Tor network to do similar things, just with a .onion service. Tor only supports TCP proxying (if I remember correctly); now you can do UDP too.
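The conversion step each websocat/gost end performs in the chain above (raw TCP bytes into binary WebSocket frames and back, plus the HTTP Upgrade handshake that lets Cloudflare proxy the connection), as an added stand-alone Python example that is not from this thread or from either project; WS_GUID is the RFC 6455 constant, every other name is mine.

```python
# Constructed example of the TCP<->WebSocket conversion each websocat/gost end does; not their code.
import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept the server end must return for a client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def handshake_request(host: str, path: str = "/") -> tuple:
    """HTTP Upgrade request the client end sends to the Cloudflare-fronted hostname; returns (bytes, key)."""
    key = base64.b64encode(os.urandom(16)).decode()
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
           f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    return req.encode(), key

def encode_frame(payload: bytes, mask: bool) -> bytes:
    """Wrap raw TCP bytes in one binary frame (FIN=1, opcode 2); clients must mask, servers must not."""
    n, flag = len(payload), (0x80 if mask else 0)
    if n < 126:
        header = bytes([0x82, flag | n])
    elif n < 65536:
        header = bytes([0x82, flag | 126]) + n.to_bytes(2, "big")
    else:
        header = bytes([0x82, flag | 127]) + n.to_bytes(8, "big")
    if not mask:
        return header + payload
    key = os.urandom(4)  # fresh masking key per frame, XORed cyclically over the payload
    return header + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def decode_frame(buf: bytes) -> tuple:
    """Parse one frame; return (opcode, payload, unconsumed bytes) or raise ValueError if incomplete."""
    if len(buf) < 2:
        raise ValueError("need more data")
    opcode, masked, n = buf[0] & 0x0F, buf[1] & 0x80, buf[1] & 0x7F
    ext = {126: 2, 127: 8}.get(n, 0)  # size of the extended payload-length field
    pos = 2 + ext + (4 if masked else 0)  # where the payload starts
    if ext and len(buf) >= 2 + ext:
        n = int.from_bytes(buf[2:2 + ext], "big")
    if len(buf) < pos + n:  # header or payload not fully received yet
        raise ValueError("need more data")
    body = buf[pos:pos + n]
    if masked:
        key = buf[2 + ext:pos]
        body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return opcode, body, buf[pos + n:]
```

A relay loop on the client end reads from the local TCP socket, calls encode_frame(data, True) and writes to the WebSocket; the server end buffers WebSocket bytes, calls decode_frame until it raises, and writes each payload to the real TCP service.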
Cloudflare tunnels have been a blessing for me, as someone locked behind an apartments router trying to host services without the ability to forward ports. The fact that it's free, is the cherry on top.
FWIW you can do the same thing with a cloud server & a couple bucks a month. I use AWS/t4g.nano reserved instance & WireGuard, and I think it runs me less than half a beer a month.
If you're going to pay for AWS, might as well use Oracle's free tier. It is extremely generous. And you have to specifically change a setting to leave the free tier, so it's not that easy to get accidentally billed for a misconfig.
Yes, yes... I know... "ORACLE"!? *choking sounds* But at this point, they're no worse a company than Amazon. I've been very happy with their free tier for my home use. There's a bit of a learning curve... just like AWS, but they give you a ton of free stuff, including training.
> Idle Always Free compute instances may be reclaimed by Oracle. Oracle will deem virtual machine and bare metal compute instances as idle if, during a 7-day period, the following are true:
> * CPU utilization for the 95th percentile is less than 15%
> * Network utilization is less than 15%
> * Memory utilization is less than 15% (applies to A1 shapes only)
And here's the email that I get whenever they reclaim an instance:
> Oracle Cloud Infrastructure (OCI) has reclaimed idle Always Free compute resources from Always Free customers by stopping the compute instance(s). Reclaiming idle resources allows OCI to efficiently provide services to Always Free customers. Your account had one or more idle compute instances that have been stopped. You can restart your compute instance as long as the associated compute shape is available in your region. Your Boot and Block Volumes remain unchanged and available to you. In the future, you can keep idle compute instances from being stopped by converting your account to Pay As You Go (PAYG). With PAYG, you will not be charged as long as your usage for all OCI resources remains within the Always Free limits.
Yes, so I'm not sure why it doesn't seem to actually happen to me; my instance definitely sits idle like that a lot. All free Oracle accounts must have a payment method; it was mandatory when creating the account.
It's not super random. They email you before, at least. Mine has been shut down once in 3 months, which I think is fair enough considering I run 2 machines with 8GB RAM each and 2 ARM cores each. Insane value.
There have been a few reports of Oracle randomly terminating services for people who only use the free tier; I'd rather pay a meager fee than get unpredictably evicted.
I am not sure this is 100 percent but the Internet says you can upgrade to the paid tier and they won't evict you. You can use the same always free resources. In terms of unexpected fees, if you open a free tier account, let the free trial expire, basically whatever you can then do will also be free when you upgrade.
TBH, running a free service on the internet requires unilateral termination of service for "bad citizens". Totally different story whether it was justified in specific cases.
I'm not sure. I have my "play" AWS account, for Alexa apps, connected to my Amazon account but I don't really have a single credit card on my Amazon account, it always asks which one to use, so I don't think so.
How have you found it for hosting services? I found it struggled with something as simple as an Apache webserver, though perhaps that's just something to do with my internet itself.
I've had my Plex server behind Cloudflare Tunnels for years, never had any performance or reliability issues.
Another great use case is for SSH to a server quite some distance away. I find that the latency when using a Cloudflare tunnel to SSH is on average better than whatever route my ISP would normally take.
Unless I'm missing something here, there's no way Cloudflare is allowing that much traffic through tunnels for free. Is this just setting up the initial plex connection through the tunnel and then going p2p?
Nope, 100% of my external users go through CF tunnels. The downside is that the caching results in the entire file being cached immediately if the user is not using transcoding, but most of my users are utilizing transcoding. I put a bandwidth limiter on my Cloudflare tunnel to limit it to 100Mbps.
I don't have any actual stats, but there appear to be about 10-20 hours a day of remote streaming, mostly at 3Mbps. So we're only looking at 400-800GB on average per month.
Also, you can use Cloudflare unregistered free tunnels just like the article, but using registered tunnels makes it so you don't have to update the Plex url every time you reconnect. I used unregistered tunnels until Cloudflare made tunnels available on free tier accounts with no bandwidth charges.
I've been using a tunnel to share my Jellyfin server with friends for about a year. It's pretty much a proxy for it (add jellyfin:port to the config, start cloudflared, access on jellyfin.my.domain on Cloudflare).
I haven't had any issues with bandwidth, but it depends on how much you push through it. I've seen stories throughout the years of people pushing 30-50TB before getting a temp ban from using Cloudflare services. Of course DNS still works, but you just can't use their proxy/CDN/tunnels/etc.
I've pushed quite a lot of traffic over Tunnels with no issues - IME it performs just as well as sending the traffic over Cloudflare without the Tunnel.
The internet is not going to accept bigger packets just because someone wants to add VPN encapsulation (additional data). You either account for the overhead (mssfix) or your payload gets fragmented and performance goes to shit; deal with it 8)
I see options in my Cloudflare control panel to tunnel things besides HTTP(S) services (including TCP and SSH) via Cloudflare Tunnel. Am I misunderstanding the blog post?
Yeah, it supports generic TCP forwarding. I only tried it once when it was released, but it worked without issues. It needs cloudflared on the client as well, but so does the method in the blog post, so it should be about the same:
I think you're right. I'm using Cloudflare Tunnels with SSH just fine, though I haven't tried anything else yet. They definitely have a direct integration for SSH.
I am not using their solution for SSH authentication, but I am using Cloudflare Tunnels to access SSH normally. I'm actually surprised it can be used this way, but it seems it can.
The audience probably feels more comfortable working with technologies that have a "web" prefix and/or can be deployed to a shared web hosting account, a.k.a. cloud.
I wrote something tangentially related, but for single user.
"gofwd" is a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect services when using a VPN is not possible. Before a connection is forwarded, the remote IP address is geographically checked against city, region (state), and/or country. Distance (in miles) can also be used. If this condition is satisfied, a Duo 2FA request can then be sent to a mobile device. The connection is only forwarded after Duo has verified the user.
How does the ISP get insecure traffic? Your connection to your VPN (and then from there to your bank) should be encrypted, and none of the in-between hosts should be able to decrypt it.
I don't know if Corkscrew is still relevant, but if you're maintaining a list, it might have a place there. I forget exactly why, but I used it some years ago.
Hi, I'm the author of Inlets. We've seen a recent rise in users looking to tunnel TCP traffic w/o these kinds of hacks and additional tools.
I wrote up a quick guide back in early May - seems relevant to this article as one of the newest users couldn't get Cloudflare to work with TCP how he wanted.
I've been thinking about using a tunnel like this to host a retro computing website. My idea was to run OpenBSD i386 on an AMD K6-III (1999) host, then use the built-in webserver httpd(8) to render and serve a static site. The machine would be tunneled via WireGuard to a VPS, and the VPS could optionally terminate the TLS (and transmit plain HTTP over WG) to free up some CPU cycles. :)
We've been working on something (https://github.com/build-trust/ockam) that enables exactly this, among a whole host of other use cases. If you check out some of the code examples in the docs you'll see how to set up a tunnel using the CLI.
For other use cases there’s also the programming libraries (only Rust atm, though I was spiking a TypeScript/Node PoC this week) which might provide more flexibility. Personally I’m excited by the idea of being able to move this kind of secure by design connectivity all the way into the application layer though.
Cloudflare tunnel does support SSH on top of the main HTTP offering, but if it didn’t, it would be the kind of use case for this. And generally anything that talks something-over-TCP but not HTTP, so XMPP maybe? Databases, cameras and other IoT stuff?
And if you’re asking why anyone would even do that, like why use Tunnel at all, then well, many people are behind all kinds of NAT or, like me, on a public IP with my ISP’s stateful firewall preventing anyone from talking to me. CF Tunnel allows you to hide all that in a nice outgoing TCP connection and if your firewall allows that (which it probably does), you’re golden.