Cloudflare Tunnel was previously named Warp during its beta phase. When Warp was added to the Argo product family, Cloudflare renamed it Argo Tunnel to match. Once Cloudflare decided that users no longer need to purchase Argo to create Tunnels, Argo Tunnel was renamed Cloudflare Tunnel.
In this post, I will show how you can use Cloudflare Tunnel (free tier) to access your home lab's internal network in a couple of simple steps, and how to make that access secure.
Double-click to run the installer cloudflared-windows-amd64.msi. The files are installed under the folder C:\Program Files (x86)\cloudflared. You will not get a prompt such as "The Cloudflared service has been installed successfully". As long as you have confirmed the files exist in the C:\Program Files (x86)\cloudflared folder, you are good to go to the next step.
Open Command Prompt or Powershell as Administrator.
Run the following command:
Outputs:
PS C:\Users\WDAGUtilityAccount> cloudflared.exe service install eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiOTkwMmE0ZTQtZWVjZS00ZTdmLWIyODctODgwMzQwMGY1wicyI6Ik9XSXlNR0poTVRFdE1qUTNNUzAwTkRka0xXSmh0T0dNMU9EQTJPR0UwWXpKbCJ9
2023-09-17T13:11:49Z INF Installing cloudflared Windows service
2023-09-17T13:11:49Z INF cloudflared agent service is installed windowsServiceName=Cloudflared
2023-09-17T13:11:49Z INF Agent service for cloudflared installed successfully windowsServiceName=Cloudflared
PS C:\Users\WDAGUtilityAccount>
Enable Authentication on Access to Internal Service (e.g. RDP)
With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user’s device.
Users log in to the application by running a cloudflared access command in their terminal. cloudflared will launch a browser window and prompt the user to authenticate with your identity provider.
Here is how to configure it:
1. Create a new application from Access menu:
2. Create a policy rule that allows certain email addresses to receive a one-time code to access this service:
C:\Tools>cloudflared-windows-amd64.exe access rdp --hostname z600.51sec.org --url rdp://localhost:3390
2024-10-20T02:05:42Z INF Start Websocket listener host=localhost:3390
A browser window should have opened at the following URL:
https://z600.51sec.org/cdn-cgi/access/cli?aud=4f3b1843c2425bea184952686df7438990b739bc5a0c46bdb13b88f68dcf2a51&edge_token_transfer=true&redirect_url=https%3A%2F%2Fz600.51sec.org%3Faud%3D4f3b1843c2425bea184952686df7438990b75a0c46bdb13b88f68dcf2a51%26token%3DWl1NvF6JVy2Ixyz_Oizvdm_myhqfCsLuQl_xXKbZcUk%253D&send_org_token=true&token=Wl1NvF6JVy2Ixyz_Oizvdm_myhqfCsLuQl_xXKbZcUk%3D
If the browser failed to open, please visit the URL above directly in your browser.
2024-10-20T02:06:42Z INF Waiting for login...
2024-10-20T18:44:21Z ERR Error on Websocket listener error="failed to start forwarding server: listen tcp 127.0.0.1:3391: bind: An attempt was made to access a socket in a way forbidden by its access permissions."
failed to start forwarding server: listen tcp 127.0.0.1:3391: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
C:\Tools>net stop hns
The following services are dependent on the Host Network Service service.
Stopping the Host Network Service service will also stop these services.
Container Manager Service
Do you want to continue this operation? (Y/N) [N]: y
The Container Manager Service service is stopping.
The Container Manager Service service was stopped successfully.
The Host Network Service service is stopping.
The Host Network Service service was stopped successfully.
C:\Tools>net start hns
The Host Network Service service is starting.
The Host Network Service service was started successfully.
C:\Tools>
ERR failed to connect to origin error="websocket: bad handshake"
Found some solutions online:
Try cloudflared update and try the connection again.
Can you check if you have "WebSockets" enabled on your Network tab of your dash.cloudflare.com?
Finally I’ve been able to make it work. Thanks for your tip about the websockets disabled in Cloudflare. This is missing from the documentation/tutorial on RDP.
The other thing missing is that the config.yml file should be located at the C:\Users\%USERNAME%\.cloudflared\ folder, not in C:\Windows\System32\config\systemprofile\.cloudflared\ as it is indicated in the docs.
With these two changes, everything worked as expected, finally!
Note: for me, I just needed to wait a bit and reconnect, and it works again.
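The bind error above ("An attempt was made to access a socket in a way forbidden by its access permissions") is what Windows reports when the chosen local port falls inside a Hyper-V/WinNAT excluded port range. The following PowerShell script is an added example, not from the original post: before starting the cloudflared access listener, it parses the excluded ranges with netsh, skips ports that are excluded or already listening, and only then launches the command from this post. It assumes cloudflared is on PATH; the hostname and port default to the values used above.

```powershell
# Added example (not from the original post). Pick a local port for
# "cloudflared access rdp --url rdp://localhost:<port>" that is neither inside
# a Windows excluded port range nor already in use, then start the listener.
param(
    [string]$Hostname = "z600.51sec.org",   # Access-protected hostname from the post
    [int]$PreferredPort = 3390              # local port used in the post
)

function Get-ExcludedTcpPortRanges {
    # Each data line of "netsh ... show excludedportrange" is "<start> <end>",
    # optionally followed by "*" for administered exclusions.
    $ranges = @()
    foreach ($line in (netsh interface ipv4 show excludedportrange protocol=tcp)) {
        if ($line -match '^\s*(\d+)\s+(\d+)') {
            $ranges += [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[2] }
        }
    }
    return $ranges
}

function Test-PortExcluded([int]$Port, $Ranges) {
    foreach ($r in $Ranges) {
        if ($Port -ge $r.Start -and $Port -le $r.End) { return $true }
    }
    return $false
}

$ranges    = Get-ExcludedTcpPortRanges
$listening = (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue).LocalPort

$port = $PreferredPort
while ((Test-PortExcluded $port $ranges) -or ($listening -contains $port)) {
    Write-Warning "Port $port is excluded or already in use; trying $($port + 1)"
    $port++
}

# If this machine also hosts the tunnel, confirm the service is running first.
$svc = Get-Service -Name Cloudflared -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    Write-Warning "Cloudflared service status is $($svc.Status); the origin may be unreachable"
}

Write-Host "Starting Access RDP listener on localhost:$port for $Hostname"
cloudflared access rdp --hostname $Hostname --url "rdp://localhost:$port"
```

Connect your RDP client to localhost and the port the script reports, rather than the port you originally planned on.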
Set Up Google as an IdP (Identity Provider)
You can add other authentication methods, such as Google or GitHub, as an identity provider.
Visit the Google Cloud Platform console. Create a new project, name the project, and select Create.
On the project home page, go to APIs & Services on the sidebar and select Dashboard.
On the sidebar, go to Credentials and select Configure Consent Screen at the top of the page.
Choose External as the User Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can log in.
Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account.
Return to the APIs & Services page, select Create Credentials > OAuth client ID, and name the application.
Under Authorized JavaScript origins, in the URIs field, enter your team domain.
Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should not be shared. Copy both values.
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine. Windows Sandbox does not include WinGet, nor the Microsoft Store app, so you will need to download the latest WinGet package from the WinGet releases page on GitHub.
To install the stable release of WinGet on Windows Sandbox, follow these steps from a Windows PowerShell command prompt:
If you would like a preview or different version of the Package Manager, go to https://github.com/microsoft/winget-cli/releases. Copy the URL of the version you would prefer and update the above Uri.