Hello to everyone.
I'd like to install Cloudflared on my Pi so that no matter which wifi connection I use I can access the dashboard via my domain.
I've managed to get a Cloudflared tunnel working briefly but I'm unsure how to make it permanent.
I managed to get a Cloudflared version that would install on the Pi, which was fine. I had to mess with the firewall to allow outgoing as default, then I started the cloudflared service using my token. I could access my page via my domain, which would now route automatically no matter which wifi network I connect to.
This is all great until I restart and lose all connectivity to the Pi; I have to start fresh by reflashing the microSD. If I had a micro HDMI I could probably diagnose further but I am stuck.
Does anyone know of a way to successfully get a Cloudflared tunnel working from the Pi that survives restarts and plays nice with the firewall?
Many thanks,
73s
Cloudflared tunnel running the Pi?
Re: Cloudflared tunnel running the Pi?
Hi! I'm new to pi-star and also wanted remote access through Cloudflare. There are several forum posts pointing to a non-existent(?) wiki for adding iptables rules, but context clues from a few related posts led me to the answer and I wanted to share it for future generations.
To get Cloudflared working on pi-star:
First, you need a rule in iptables (what Pi-Star / Raspbian is using for a firewall).
Make sure the filesystem is set to RW.
Code:
    sudo su
    nano /root/ipv4.fw
    # add this line to /root/ipv4.fw:
    iptables -A OUTPUT -p tcp --dport 7844 -j ACCEPT
Save that file and exit.
pistar-firewall | grep 7844 to verify the rule was processed correctly. If you don't get a line ending with "tcp dpt:7844" you typo'd something in the ipv4.fw file. Do it again, but less wrong.
Next, you need to allow larger cookies into the nginx buffer.
Make sure your file system is still RW.
As root:
Code:
    nano /etc/nginx/default.d/security.conf
Edit the following lines:
Code:
    client_header_buffer_size 16k; # I changed this from 1k to 16k. No idea how much is needed, but 16k has worked.
    large_client_header_buffers 2 16k; # same here. If you run into performance issues you may want to optimize this.
Next, do the normal Cloudflared tunnel install:
I'm assuming you've already got a cloudflare account set up and ready to go.
Code:
    curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm.deb
    sudo dpkg -i cloudflared.deb
    sudo cloudflared service install <your tunnel key goes here>
Give your Tunnel a Public Hostname in Cloudflare.
You should also create an Access Application in Cloudflare for your /admin page, if not the entire thing, to keep internet randos from doing security research on your pistar.
The iptables bit tripped me up because normally you'd just write the command to IPTables and be done with it. Pi-star requires that file (/root/ipv4.fw) to be manually populated with any iptables rules. If you add iptables rules the normal way they do not persist through a reboot.
Anyway, I hope that helps someone else have secure remote access to your Pi-Star!
73
NG5P
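A way to audit the two persistent edits from the reply above before rebooting, as an added example that is not part of NG5P's post or of Pi-Star itself. The function names are hypothetical, the 16 KiB default minimum is an assumption taken from the value the post reports as working, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the persistent firewall and nginx edits described above.
# On Pi-Star run as root: sh audit.sh /root/ipv4.fw /etc/nginx/default.d/security.conf

# True if the file holds an uncommented OUTPUT ACCEPT rule for tcp port 7844.
has_tunnel_rule() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*iptables[[:space:]]+-A[[:space:]]+OUTPUT[[:space:]].*-p[[:space:]]+tcp[[:space:]].*--dport[[:space:]]+7844[[:space:]].*-j[[:space:]]+ACCEPT([[:space:]]|$)'
}

# Prints the size argument of an nginx directive in KiB. Fails if the directive
# is absent, commented out, or not terminated by ';' (nginx rejects the latter).
directive_kib() {   # usage: directive_kib <directive> <conf-file>
    val=$(sed 's/#.*//' "$2" |
        sed -nE "s/^[[:space:]]*$1[[:space:]]+(.*[[:space:]])?([0-9]+[kKmM]?)[[:space:]]*;[[:space:]]*\$/\2/p" |
        tail -n 1)
    [ -n "$val" ] || return 1
    num=${val%[kKmM]}
    case "$val" in
        *[kK]) echo "$num" ;;
        *[mM]) echo $((num * 1024)) ;;
        *)     echo $((num / 1024)) ;;   # bare number means bytes
    esac
}

# Returns 0 only if the rule exists and both header buffers are >= min KiB.
audit_pistar_tunnel() {   # usage: audit_pistar_tunnel <ipv4.fw> <security.conf> [min]
    fw=$1 conf=$2 min=${3:-16} rc=0
    has_tunnel_rule "$fw" || { echo "FAIL: no tcp/7844 OUTPUT rule in $fw"; rc=1; }
    for d in client_header_buffer_size large_client_header_buffers; do
        if kib=$(directive_kib "$d" "$conf") && [ "$kib" -ge "$min" ]; then
            echo "ok:   $d = ${kib}k"
        else
            echo "FAIL: $d missing, unterminated, or below ${min}k in $conf"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the post's edits (not real Pi-Star files);
# they are used when no paths are given on the command line.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'iptables -A OUTPUT -p tcp --dport 7844 -j ACCEPT' > "$tmp/ipv4.fw"
printf '%s\n' 'client_header_buffer_size 16k; # was 1k' \
              'large_client_header_buffers 2 16k;' > "$tmp/security.conf"
audit_pistar_tunnel "${1:-$tmp/ipv4.fw}" "${2:-$tmp/security.conf}"
```

This only inspects the files on disk; running `pistar-firewall | grep 7844`, as the post says, is still what confirms the rule was actually loaded.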