Multiple tunnels #59

Closed
mnaser opened this issue Nov 19, 2018 · 11 comments
@mnaser
Contributor

mnaser commented Nov 19, 2018

Hi there,

So, we're slowly becoming heavy users of Argo Tunnel, especially with the SSH features that are coming up and we're slowly realizing there are use cases where we need to run multiple tunnels.

The current configuration assumes that 1 config file contains 1 tunnel only, which can be problematic because at times we want to expose both the service (HTTP) and SSH via CloudFlare.

There are two ways that we can really do this right now:

systemd templates
This is the way that we're currently working with, it would involve a change here:

```go
{
	Path: "/etc/systemd/system/cloudflared.service",
	Content: `[Unit]
Description=Argo Tunnel
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
`,
},
```

Once that section is updated, we can use templated systemd files: https://fedoramagazine.org/systemd-template-unit-files/

This means that you can do something like systemctl start cloudflared@ssh and it will start it up by using the config file in /etc/cloudflared/ssh.yml -- this means that all you need to do is drop a file in /etc/cloudflared and then start up that unit.

config file change
This one is a bit more complex and it might be not backwards compatible but simply having the same executable create multiple tunnels might be super productive and useful. It would obviously imply a lot more work (but I don't know the internal architecture and how easy that might be).

Use-case
I know this is really important especially with pushing Argo as a VPN replacement. In our case, we want a "host" that pretty much does tunnelling for a lot of devices that can't run cloudflared. For example, iDRAC for servers, SSH for switches, etc.

The second solution is obviously way better in terms of scale and memory footprint, especially if you're in an environment where possibly you can be doing this for 200-300 hosts, 200-300 services might be really difficult to manage and a single configuration file might be much easier.

@sssilver sssilver added the Type: Enhancement Minor update(s) to existing features label Nov 27, 2018
@tanner-bruce

> especially with the SSH features that are coming up

I've been searching around for this and can't find any info. Do you have a link where I could read about this? If it is private I can ask my account rep. Thanks

@mnaser
Contributor Author

mnaser commented Dec 4, 2018

@mnaser
Contributor Author

mnaser commented Dec 4, 2018

Also, we've worked around it with the following template, which has been working great for us (named cloudflared@.service)

```ini
[Unit]
Description=Argo Tunnel (%I)
After=network.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/%i.yml --no-autoupdate
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target
```
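
Added example, not part of the thread or of cloudflared: with the template unit above, `cloudflared@<name>` runs as root (the unit sets no `User=`) and publishes whatever `/etc/cloudflared/<name>.yml` describes, so those files deserve a permission check. The Python below lists the instances the template can start and flags configs that are not regular files, have an unexpected owner, or are writable by group or others; `audit_instances` and `build_sample` are hypothetical names and the sample files are constructed.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and others

def audit_instances(config_dir, owner_uid=0):
    """Map each <instance>.yml in config_dir to a list of problems.

    The instance name is what follows '@' in cloudflared@<instance>,
    i.e. the %i in the template's --config path.
    """
    dir_loose = bool(os.stat(config_dir).st_mode & LOOSE)
    report = {}
    for name in sorted(os.listdir(config_dir)):
        if not name.endswith(".yml"):
            continue
        problems = []
        st = os.lstat(os.path.join(config_dir, name))  # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if st.st_uid != owner_uid:
            problems.append("unexpected owner uid %d" % st.st_uid)
        if st.st_mode & LOOSE:
            problems.append("writable by group or others")
        if dir_loose:
            problems.append("directory writable by group or others")
        report[name[:-len(".yml")]] = problems
    return report

def build_sample(root):
    """Constructed sample: two tunnel configs, one with loose permissions."""
    for name, mode in (("ssh.yml", 0o600), ("web.yml", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample config\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        # The sample files belong to the current user, so pass that uid here;
        # on a real host keep the default of 0 (root).
        for inst, problems in audit_instances(tmp, os.getuid()).items():
            print("cloudflared@%s: %s" % (inst, ", ".join(problems) or "ok"))
```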

@djeraseit

SSH is only for enterprise customers

@zackbloom

That's not the case. Access SSH is available to anyone who uses both Access and Argo.

@c0deright

c0deright commented May 9, 2019

Cool idea with %i, just merged multiple systemd service files into one :)

@Rick-McClatchie

Is there any news on this? Is this something Cloudflare considers implementing?
We would be very interested in the "ssh and http on the same server" use-case without having to mess with systemd template unit files. 🙂

@TownLake
Contributor

Thanks for the feedback and sorry for the delay here. We recently launched support for this feature; you can read more about how it works here and a tutorial is available for the original use case here. Let us know if you have any questions.

@serkodev

serkodev commented Oct 25, 2021

@TownLake What if I want to install multiple cloudflared services with multiple accounts? Can it be done with the cloudflared service install command?

I tested that ingress supports different zones in the same account, and I can serve tunnels with different accounts with the --origincert option.

Is creating a new service manually (e.g. by adding a *.service file in systemd) the only way to solve this?
Something like

```ini
ExecStart=/usr/local/bin/cloudflared --origincert custom_cert.pem --config custom_config.yml --no-autoupdate
```

@nmldiegues
Contributor

> Is create a new service manually (e.g. by adding a *.service file in systemd) the only way to solve?

Correct. Our service install is doing 1 cloudflared for the unit file. So a trivial way to have replicas with the service is to copy the unit file and set up N services for N cloudflared replicas.

@UBISOFT-1

Maybe try visiting the following blog post if you're reading this.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress

```yaml
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

ingress:
  - hostname: gitlab.widgetcorp.tech
    service: http://localhost:80
  - hostname: gitlab-ssh.widgetcorp.tech
    service: ssh://localhost:22
  - service: http_status:404
```
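
Added example, not from the thread or from cloudflared's code: cloudflared evaluates ingress rules top to bottom and uses the first match, and expects the final rule to be a catch-all, so rule order decides which local service a hostname reaches. The Python below parses the `ingress:` shape from the comment above, lints the ordering and resolves a hostname; `parse_ingress`, `lint` and `route` are hypothetical names, and only exact and `*.` wildcard hostnames are modelled.

```python
# Ingress section copied from the comment above.
SAMPLE = """\
ingress:
  - hostname: gitlab.widgetcorp.tech
    service: http://localhost:80
  - hostname: gitlab-ssh.widgetcorp.tech
    service: ssh://localhost:22
  - service: http_status:404
"""

def parse_ingress(text):
    """Read the indented 'ingress:' list shape shown above (not general YAML)."""
    rules, inside = [], False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line:
            continue
        if not line.startswith(" "):      # a top-level key starts or ends the section
            inside = line == "ingress:"
            continue
        if inside:
            item = line.strip()
            if item.startswith("- "):     # "- " opens a new rule
                rules.append({})
                item = item[2:]
            key, _, value = item.partition(":")
            rules[-1][key.strip()] = value.strip()
    return rules

def lint(rules):
    """Flag orderings that change which origin a hostname reaches."""
    problems = []
    if not rules or rules[-1].get("hostname"):
        problems.append("last rule is not a catch-all")
    for i, rule in enumerate(rules[:-1]):
        if not rule.get("hostname"):
            problems.append("rule %d is a catch-all and shadows later rules" % i)
    return problems

def route(rules, host):
    """Return the service of the first matching rule, or None (path filters not modelled)."""
    for rule in rules:
        pattern = rule.get("hostname", "")
        if not pattern or pattern == host or (
                pattern.startswith("*.") and host.endswith(pattern[1:])):
            return rule["service"]

if __name__ == "__main__":
    print(lint(parse_ingress(SAMPLE)), route(parse_ingress(SAMPLE), "x.widgetcorp.tech"))
```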
