I have written before about how I have used Tailscale, a magical tool to set up Wireguard tunnels to create an overlay network called Tailnets. I have also written about how I host all of my services to be publically accessible using Cloudflare Tunnels (fka Argo Tunnels). But I recently discovered that the ~20MiB binary of cloudflared can do a lot more than just run tunnels. Here is how I used most of the newly discovered features.
Configuration
Once you install cloudflared following their documentation
, the next step would be to run it as a service. Here is the base configuration file /etc/cloudflared/config.yml sample:
| |
And the service would look something like this:
| |
Tunnels
Goes without saying, I use this feature to expose all the services from my local network to the internet. Hands down, the best and main feature of this tool. Here is how the configuration sample would look like:
| |
You can see how this allows us to proxy both HTTP/S and TCP/UDP traffic from the local network to the internet. Beautiful!
VPN
Recently, I discovered that you could tunnel whole network segments through Cloudflare. How brilliant is that! That would be what I needed to replace or have an alternative for Tailscale. There is some initial setup involved, which is well worth the effort, in my opinion. Here is the complete documentation and configuration needed for this to work:
| |
That’s it! Two lines of configuration can now tunnel anything that you would like. But where do you specify what you want to allow? Two places. One, you need to configure the tunnel to route the subnets. Two, you need to make WARP accept the traffic to those ranges as out of the box, Cloudflare WARP blocks all private IP subnets/CIDRs from traveling through the tunnel.
For the first one, it is as simple as running the below command:
| |
For the second, in the Cloudflare for Teams dashboard , make sure the Proxy is enabled for TCP under Settings > Network > Firewall. Then, under Split Tunnels, you want to make sure that the network you want to tunnel does not get excluded. If the mode is Exclude IPs, delete the IP range if it is present. If the mode is Include IPs, make sure the network is a part of that list.
Now, installing and enabling Cloudflare WARP client on the client devices and logging into the Teams section, you get access to the network you published to your tunnel. Access resources at your home from anywhere with this free VPN!
DNS over HTTPS (DoH)
The same cloudflared binary can also act as a DoH client to provide secure DNS capability for all devices. As I have outlined before, I use a highly available Pi-hole setup for DNS services on my network. I had set the upstream for Pi-hole to 1.1.1.1 before, which sends DNS queries in cleartext on port 53 for everyone in the routing path to see. Now, with the below configuration, I can point Pi-hole to 127.0.0.1#5053 to use cloudflared, which in turn, uses DNS over HTTPS and securely makes DNS queries and returns the response.
| |
With that, the one binary is performing an impressively good task of three different services put together. With the service command set as shown, it auto upgrades without any disconnections too. A mighty little binary, one might say!