This post describes the steps to set up Cloudflare Tunnel with Proxmox. Bobcares, as a part of our Proxmox Support Services, offers solutions to every query that comes our way.

Set up Cloudflare Tunnel with Proxmox

The steps to set up Cloudflare Tunnel using Proxmox are as follows:

• Cloudflared installation
• Config.yml file creation
• CNAME request creation
• Tunnel execution
• Cloudflare access config
• Spice config

Let’s look into the details of each step.

Cloudflared installation

1. First, we must connect to the Proxmox server via SSH and download the Cloudflared deb package.

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared-linux-amd64.deb

2. Then we will log in using the account.

cloudflared tunnel login

3. When we run this command, we will be given a link that we must copy and paste into the web browser. Now we must create a tunnel.

cloudflared tunnel create <NAME>

4. Then we must also save the generated UUID as we need it later. We can also select the name of our choice for the tunnel.

Config.yml file creation

1. In order to create a config.yml file, we can use the below code:

nano ~/.cloudflared/config.yml

2. This file will most likely be blank, so we need to set it up manually. Then we must add the blow and replace the sections in <> without the brackets.

tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json

ingress:
- hostname: <domain>
service: https://localhost:8006
originRequest:
disableChunkedEncoding: true
noTLSVerify: true
- service: http_status:404

CNAME request creation

Now we’ve to create a CNAME request for the tunnel using the below code:

cloudflared tunnel route dns <UUID> <hostname>

Tunnel execution

In order to run the Tunnel, use the below code:

cloudflared tunnel run <UUID>

Cloudflare access config

Cloudflare access is great for creating an identity control process to allow access, but what prevents someone from simply finding the public IP address and entering it directly into the browser? To address this, we can create firewall rules that restrict access to only the Cloudflare IP ranges.

The best way to do this is to use the blocks in the router firewall. However, this needs a more advanced router than a standard SOHO router. We should block all inbound traffic from everything and then allow only Cloudflare IPs.

Spice config

This is a completely optional step. Everything should be fine up to this point. We should be able to use the admin page, start/stop/create VMs, and load a VM via noVNC. However, we will not be able to use SPICE over the internet. Connecting to the internal IP address will still work, but connecting to SPICE via the internet will fail.

We can fix this by changing the SPICE port in the Proxmox config files to something Cloudflare will proxy, such as port 8880. We must also modify the TLS auth-port so that SPICE can create a secure connection. If we want to do this, we must change the following files and lines:

/usr/share/perl5/PVE/HTTPServer.pm: my $remport = $remip ? 3128 : $spiceport;
/usr/share/perl5/PVE/AccessControl.pm: proxy => "http://$proxy:3128",
/usr/share/perl5/PVE/Service/spiceproxy.pm: my $socket = $self->create_reusable_socket(3128, undef, $family);
/usr/share/perl5/PVE/Service/spiceproxy.pm:SPICE proxy server for Proxmox VE. Listens on port 3128.
/usr/share/perl5/PVE/API2Tools.pm: my $port = $uri->port || 3128;

Although the SPICE connection is encrypted, the initial connection attempt is not.

[Looking for a solution to another query? We are just a click away.]

Conclusion

The article provides the steps to set up Cloudflare Tunnel with Proxmox, along with the SPICE configuration.