Use Cloudflare Argo Tunnel to Expose Internal Web Application to Internet - NETSEC

Wednesday, May 5, 2021

Use Cloudflare Argo Tunnel to Expose Internal Web Application to Internet

It is a great tool if you need to expose an internal web application to the Internet. It is fast, easy, and, most importantly, free.

Here is the announcement from the Cloudflare Blog on April 15, 2021:

"In the past, Argo Tunnel has been priced based on bandwidth consumption as part of Argo Smart Routing, Cloudflare’s traffic acceleration feature. Starting today, we’re excited to announce that any organization can use the secure, outbound-only connection feature of the product at no cost."

Basically, even on the free subscription plan, you can use Argo Tunnel to provide secure access to internal applications from anywhere. Here is the topology diagram for the Argo Tunnel traffic flow.



More explanation of how Argo Tunnel works, from the Cloudflare Docs:

"Argo Tunnel runs a lightweight daemon (cloudflared) in your infrastructure that establishes outbound connections (Tunnels) between your service and the Cloudflare edge. When Cloudflare receives a request for your chosen hostname, it proxies the request through those connections to cloudflared. In turn, cloudflared proxies the request to your applications.

This forces any requests to access your applications to go through Cloudflare. This way, you can be sure attack traffic is stopped with Cloudflare’s WAF and Unmetered DDoS mitigation, and authenticated with Access if you’ve enabled those features for your account.

Argo Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols. Additionally, a single connector, the cloudflared daemon, can connect multiple applications of different types."


Step 1. Download and Install Cloudflared

Releases can be found on GitHub. Downloads are available as standalone binaries or packages like Debian and RPM.

Linux

.deb install (Ubuntu, Linux Mint)

Use the deb package manager to install cloudflared on compatible machines. The amd64 / x86-64 package is used in this example.


wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
dpkg -i cloudflared-stable-linux-amd64.deb

.rpm install  (CentOS, Fedora, RHEL)

Use the rpm package manager to install cloudflared on compatible machines. The amd64 / x86-64 package is used in this example.


wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.rpm
rpm -ivh cloudflared-stable-linux-amd64.rpm

Docker

A Docker image of cloudflared is available on DockerHub.

macOS

You can install cloudflared on macOS systems via Homebrew:


$ brew install cloudflare/cloudflare/cloudflared

Alternatively, you can download the latest Darwin amd64 release directly.

Windows

Type    32-bit      64-bit
ZIP     Download    Download


Updating cloudflared

You can update cloudflared by running the following command.


cloudflared update

The update will cause cloudflared to restart, which would impact traffic currently being served. You can perform zero-downtime upgrades by using Cloudflare's Load Balancer product or by using multiple cloudflared instances.


Step 2. Create Tunnel for your Internal Web Application

This assumes your local web application is running on port 9000, such as my Portainer web page.


cloudflared tunnel --url localhost:9000

Here is an output example using local port 8000:



Step 3. Test the public URL from the Internet
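
Once the public URL works, it is worth confirming that the origin port cannot be reached without going through the tunnel, since requests are only forced through Cloudflare when there is no other path to the application. The check below is an added example, not part of the original post or of Cloudflare's tooling: it parses `ss -ltn` output and reports whether a port is bound to loopback only. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify listeners on one TCP port from `ss -ltn` output (stdin).

classify_listeners() {          # usage: ss -ltn | classify_listeners PORT
    awk -v port="$1" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            addr = substr($4, 1, RSTART - 1)          # Local Address without ":port"
            if (substr($4, RSTART + 1) != port) next  # different port
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^\[::ffff:127\./)
                print "loopback", addr
            else
                print "exposed", addr                 # 0.0.0.0, [::], *, or a NIC address
        }'
}

# Exit status: 0 = loopback only, 1 = also bound to a non-loopback address,
# 2 = nothing is listening on the port.
origin_is_private() {
    result=$(classify_listeners "$1")
    [ -n "$result" ] || return 2
    case "$result" in
        *exposed*) return 1 ;;
    esac
    return 0
}

sample_ss() {                   # constructed listing, not captured from a real host
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096       127.0.0.1:9000      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8000      0.0.0.0:*
LISTEN 0      4096            [::]:8000         [::]:*
LISTEN 0      128            [::1]:9000         [::]:*
EOF
}

# Demo on the constructed listing. On a real host: ss -ltn | origin_is_private 9000
for p in 9000 8000; do
    rc=0
    sample_ss | origin_is_private "$p" || rc=$?
    case $rc in
        0) echo "port $p: loopback only" ;;
        1) echo "port $p: also bound to a non-loopback address" ;;
        *) echo "port $p: nothing listening" ;;
    esac
done
```

Docker publishes `-p 9000:9000` on all interfaces by default, so a containerized origin such as Portainer typically shows up as exposed; publishing with `-p 127.0.0.1:9000:9000` binds it to loopback.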





Windows installation

  1. Download https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi.

  2. Run the installer.

  3. Open Command Prompt as Administrator.

  4. Run the following command:




cloudflared.exe service install eyJhI1111111111111111111111mYy11111111111111112ItOTUzNC00O111111111111111111111111dFl6TTNNQzAwT11111111111111J9


After the connector is installed successfully, you should be able to see this connector listed on your Cloudflare page:

Next step:


Save the tunnel. On the Tunnels page, you should now see a healthy tunnel:


Connect as a user

  1. Install cloudflared on the client machine.

  2. Run this command to open an RDP listening port:

    $ cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389

    This process will need to be configured to stay alive and autostart. If the process is killed, users will not be able to connect.

  3. While cloudflared access is running, connect from an RDP client such as Microsoft Remote Desktop:
    1. Open Microsoft Remote Desktop and select Add a PC.
    2. For PC name, enter localhost:3389.
    3. For User account, enter your RDP server username and password.
    4. Double-click the newly added PC.
    5. When asked if you want to continue, select Continue.

When the client launches, a browser window will open and prompt the user to authenticate themselves.


Note: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/use-cases/rdp/



Uninstall


PS C:\Users\jo> cloudflared.exe service uninstall
2023-06-06T21:35:48Z INF Uninstalling cloudflared agent service windowsServiceName=Cloudflared
2023-06-06T21:35:48Z INF Stopping cloudflared agent service windowsServiceName=Cloudflared
2023-06-06T21:35:48Z INF Agent service for cloudflared was uninstalled successfully windowsServiceName=Cloudflared
PS C:\Users\jo>



YouTube

Please check this YouTube video for all steps:

