Collection of operational skills for VaultMesh infrastructure including:

- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
# Cloudflare Tunnel Setup Guide

## Overview

Cloudflare Tunnels (formerly Argo Tunnels) provide secure, outbound-only connections from your infrastructure to Cloudflare's edge. Because the tunnel is initiated from inside, the host needs no public IP address and no inbound firewall ports.

## Prerequisites

### Required

- Cloudflare account (free tier works)
- Domain added to Cloudflare DNS
- `cloudflared` CLI installed
### Installation (Linux)

```bash
# Debian/Ubuntu
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

# Or via package manager (if available)
sudo apt install cloudflared
```

### Installation (Termux/Android)

```bash
pkg install cloudflared
```
## Authentication

Before creating tunnels, authenticate with Cloudflare:

```bash
cloudflared tunnel login
```

This opens a browser for authentication and stores a certificate at `~/.cloudflared/cert.pem`.
## Tunnel Lifecycle

### Create Tunnel

```bash
cloudflared tunnel create my-tunnel
```

Creates credentials at `~/.cloudflared/<tunnel-id>.json`.

### Configure Tunnel

Create `~/.cloudflared/config.yml`. The `credentials-file` is the `<tunnel-id>.json` file created in the previous step, and the final `http_status:404` rule is the catch-all that every ingress list must end with:

```yaml
tunnel: my-tunnel
credentials-file: /path/to/credentials.json
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: web.example.com
    service: http://localhost:8080
  - service: http_status:404
```

### Route DNS

```bash
cloudflared tunnel route dns my-tunnel ssh.example.com
```

### Run Tunnel

```bash
cloudflared tunnel run my-tunnel
```

Or with explicit config:

```bash
cloudflared tunnel --config ~/.cloudflared/config.yml run
```
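The configure step above, carried through as a script. This is an added example and not part of the VaultMesh repository: it writes the same `config.yml` shape as the guide for a tunnel name, a credentials path and a list of `hostname=service` pairs, always appending the catch-all `http_status:404` rule last and restricting the file to the owner, then checks the ingress ordering so a missing or misplaced catch-all is caught before `cloudflared tunnel run` is invoked. The function names `write_tunnel_config` and `check_ingress`, the temporary directory and the hostnames are assumptions; the demo input is constructed.

```shell
#!/bin/sh
# Added example (not from the VaultMesh repo): generate and sanity-check a
# cloudflared config.yml. Runs offline; cloudflared itself is not required.
set -eu

# write_tunnel_config NAME CREDENTIALS_FILE OUTFILE HOSTNAME=SERVICE...
# Emits one ingress rule per HOSTNAME=SERVICE pair ("=" is the separator
# because service URLs contain ":"), then the mandatory catch-all rule.
# The file is chmod 0600 because it names the credentials file location.
write_tunnel_config() {
    name=$1; creds=$2; out=$3; shift 3
    {
        printf 'tunnel: %s\n' "$name"
        printf 'credentials-file: %s\n' "$creds"
        printf 'ingress:\n'
        for rule in "$@"; do
            host=${rule%%=*}
            svc=${rule#*=}
            printf '  - hostname: %s\n    service: %s\n' "$host" "$svc"
        done
        printf '  - service: http_status:404\n'
    } > "$out"
    chmod 0600 "$out"
}

# check_ingress CONFIG
# Returns 0 when every hostname rule is followed by a service line and the
# final ingress rule is a catch-all (a rule with no hostname). cloudflared
# refuses to start on a list that does not end in a catch-all, so this is
# the check to run before restarting a tunnel that is already serving traffic.
check_ingress() {
    awk '
        /^ingress:/       { in_ingress = 1; next }
        !in_ingress       { next }
        /^  - hostname:/  { pending = 1; last_catchall = 0; next }
        /^    service:/   { if (!pending) bad = 1; pending = 0; next }
        /^  - service:/   { if (pending) bad = 1; last_catchall = 1; next }
        END { exit ((bad || !last_catchall || pending) ? 1 : 0) }
    ' "$1"
}

# Demo on a constructed temporary directory with an empty stand-in
# credentials file (no real tunnel credentials are involved).
demo_dir=$(mktemp -d)
: > "$demo_dir/creds.json"
write_tunnel_config my-tunnel "$demo_dir/creds.json" "$demo_dir/config.yml" \
    ssh.example.com=ssh://localhost:22 web.example.com=http://localhost:8080
check_ingress "$demo_dir/config.yml" && echo "ingress OK: $demo_dir/config.yml"
```

After generating the file, `cloudflared tunnel ingress validate` performs the tool's own full validation of the ingress rules; the awk check here only guards the ordering mistake that is easiest to make by hand.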
## SSH Access via Tunnel

### Server Side

Tunnel config includes the SSH service:

```yaml
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
```

### Client Side

Option 1: Using `ProxyCommand` in `~/.ssh/config`:

```
Host my-server
    HostName ssh.example.com
    ProxyCommand cloudflared access ssh --hostname %h
```

Option 2: Using `cloudflared access` directly:

```bash
cloudflared access ssh --hostname ssh.example.com
```
### Cloudflare Access (Optional)

For additional authentication:

- Go to the Cloudflare Zero Trust dashboard
- Create an Access Application
- Define authentication policies (email, SSO, etc.)
- Apply it to the SSH hostname
## systemd Service

### User Service

Save as `~/.config/systemd/user/cloudflared-tunnel.service`:

```ini
[Unit]
Description=Cloudflare Tunnel
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/cloudflared tunnel --config /path/to/config.yml run
Restart=on-failure
RestartSec=5

[Install]
WantedBy=default.target
```

Enable:

```bash
systemctl --user enable cloudflared-tunnel
systemctl --user start cloudflared-tunnel
```
### System Service

```bash
sudo cloudflared service install
```
## Troubleshooting

### Check Tunnel Status

```bash
cloudflared tunnel info my-tunnel
```

### View Logs

```bash
journalctl --user -u cloudflared-tunnel -f
```

### Test Connectivity

```bash
curl -v https://ssh.example.com
```
### Common Issues

- Certificate expired: re-run `cloudflared tunnel login`
- DNS not resolving: check Cloudflare DNS for the CNAME record
- Connection refused: verify the local service is running
## Security Considerations

- Tunnel credentials (`*.json`) are sensitive; protect them like SSH keys
- Use Cloudflare Access for authentication on sensitive services
- Regularly rotate tunnel credentials
- Monitor tunnel connections in the Cloudflare dashboard
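The first consideration above, treating tunnel credentials like SSH keys, as a check that can run from cron or a hardening playbook. This is an added example, not code from the VaultMesh repository: it audits a `~/.cloudflared`-style directory for credential and certificate files that are readable by group or others, and for a `config.yml` whose `credentials-file` entry is missing or points at a file that does not exist (the usual symptom after a rotation that was not followed through). The function name `audit_cloudflared_dir`, the directory argument and the demo tree are assumptions; the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the VaultMesh repo): credential hygiene audit for
# a cloudflared directory. Takes the directory as an argument so it can be
# pointed at ~/.cloudflared on a host or at a test tree.
set -eu

# audit_cloudflared_dir DIR
# Prints one FINDING line per problem and returns 1 if anything was found,
# 0 when the directory is clean.
audit_cloudflared_dir() {
    dir=$1
    findings=0

    # Tunnel credentials (<tunnel-id>.json) and the login certificate
    # (cert.pem) must be owner-only, like a private SSH key.
    for f in "$dir"/*.json "$dir"/cert.pem; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            600|400) ;;
            *)
                echo "FINDING: $f has mode $mode (expected 600)"
                findings=$((findings + 1))
                ;;
        esac
    done

    # A config that names a credentials file which is absent will fail at
    # the next restart, typically long after the credentials were rotated.
    cfg="$dir/config.yml"
    if [ -e "$cfg" ]; then
        creds=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg")
        if [ -z "$creds" ]; then
            echo "FINDING: $cfg has no credentials-file entry"
            findings=$((findings + 1))
        elif [ ! -f "$creds" ]; then
            echo "FINDING: $cfg references missing credentials file $creds"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Demo on a constructed tree: one correctly protected stand-in credentials
# file and a config that points at it, so the audit reports clean.
demo_dir=$(mktemp -d)
: > "$demo_dir/00000000-0000-0000-0000-000000000000.json"
chmod 0600 "$demo_dir/00000000-0000-0000-0000-000000000000.json"
printf 'tunnel: my-tunnel\ncredentials-file: %s\n' \
    "$demo_dir/00000000-0000-0000-0000-000000000000.json" > "$demo_dir/config.yml"
audit_cloudflared_dir "$demo_dir" && echo "clean: $demo_dir"
```

On a live host, run it as `audit_cloudflared_dir ~/.cloudflared` (or against `/etc/cloudflared` for the system service) and alert on a non-zero exit; the mode check deliberately accepts `400` as well as `600` so a read-only deployment of the credentials file is not flagged.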