
Tunnel via Cloudflare to any TCP service | Hacker News https://news.ycombinator.com/item?id=36007310


Tunnel via Cloudflare to any TCP service (thc.org)


185 points by sharjeelsayed 1 day ago | hide | past | favorite | 58 comments


nirui 22 hours ago | next [–]


OK... if you want to know the REAL benefit of doing this...
With this method, you effectively turn Cloudflare into a transport, which enables you to get around the limitations of Cloudflare. Say you want to transport UDP packets now (for your WireGuard, for example)? Cloudflare doesn't really support that currently, but now it's achievable (albeit not the best way).
The software used, both websocat and gost, is there to convert/proxy (non-Cloudflare-specific) WebSocket connections to arbitrary TCP/UDP (supported by gost). You need to install them on both ends of your endpoint though, to enable full conversion (App TCP client -> websocat/gost client -> [Cloudflare via WebSocket] -> websocat/gost server -> App TCP server).
Also, you can use the Tor network to do similar things, just with a .onion service. Tor only supports TCP proxying (if I remember correctly); now you can do UDP too.
reply
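The relay chain described in the comment above carries each TCP chunk as one WebSocket binary frame, and the intermediary (Cloudflare here) sees only opaque frames, which is also why the payload itself should be separately encrypted (SSH, WireGuard, TLS) if the intermediary is not meant to read it. The following is an added example, not code from the thread, from websocat or from gost: the RFC 6455 handshake check and binary-frame codec that such a relay needs, including the partial-frame case that a TCP reader must handle.

```python
import base64
import hashlib
import os
import struct

# Fixed GUID from RFC 6455; relay tools like websocat and gost implement this same handshake.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(sec_websocket_key: str) -> str:
    """Server side of the upgrade handshake: Sec-WebSocket-Accept for a client key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_binary_frame(payload: bytes, mask: bool) -> bytes:
    """Wrap one chunk of raw TCP bytes in an unfragmented binary frame (FIN=1, opcode 0x2).
    The client half of the relay must mask; the server half must not (RFC 6455 s5.1)."""
    header = bytearray([0x82])
    n, mask_bit = len(payload), (0x80 if mask else 0)
    if n < 126:
        header.append(mask_bit | n)
    elif n < 1 << 16:
        header.append(mask_bit | 126)
        header += struct.pack("!H", n)
    else:
        header.append(mask_bit | 127)
        header += struct.pack("!Q", n)
    if not mask:
        return bytes(header) + payload
    key = os.urandom(4)
    return bytes(header) + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def decode_frame(buf: bytes):
    """Parse one frame from the front of buf: returns (opcode, payload, rest), or None when
    buf does not yet hold a complete frame. TCP delivers arbitrary chunk boundaries, so a
    relay must buffer and retry rather than assume one read equals one frame."""
    if len(buf) < 2:
        return None
    opcode, masked, n, pos = buf[0] & 0x0F, bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if n == 126:
        if len(buf) < 4:
            return None
        n, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif n == 127:
        if len(buf) < 10:
            return None
        n, pos = struct.unpack("!Q", buf[2:10])[0], 10
    key = b""
    if masked:
        if len(buf) < pos + 4:
            return None
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + n:
        return None
    payload = buf[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, buf[pos + n:]
```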

rabuse 1 day ago | prev | next [–]


Cloudflare tunnels have been a blessing for me, as someone locked behind an apartment's router trying to host services
without the ability to forward ports. The fact that it's free is the cherry on top.
reply

pnpnp 1 day ago | parent | next [–]


FWIW you can do the same thing with a cloud server & a couple bucks a month. I use AWS/t4g.nano reserved instance
& WireGuard, and I think it runs me less than half a beer a month.
reply


depingus 1 day ago | root | parent | next [–]


If you're going to pay for AWS, might as well use Oracle's free tier. It is extremely generous. And you have to
specifically change a setting to leave the free tier, so it's not that easy to get accidentally billed for a
misconfig.
Yes, yes... I know... "ORACLE"!? choking sounds But at this point, they're no worse a company than Amazon. I've
been very happy with their free tier for my home use. There's a bit of a learning curve... just like AWS, but they
give you a ton of free stuff, including training.
reply

nulbyte 1 day ago | root | parent | next [–]


+1 for Oracle. Their free tier for compute is better than Google's: Up to four free ARM VMs and up to two
AMD VMs.
reply

matthewaveryusa 1 day ago | root | parent | next [–]


And the 10TB of free egress. Their proprietary stuff is very generous as well. Also 3000 emails/day
-- really great offering tbh
reply

metadat 1 day ago | root | parent | prev | next [–]


Oracle OCI will randomly shut your instances down, which is super annoying. I stopped bothering to boot
them back up again.
Used to be a huge proponent, it was a good 4 years of freebies. But this too shall pass.
reply

mappu 1 day ago | root | parent | next [–]


Do you know what causes this to happen? Mine's been doing alright with uptime

05:20:09 up 631 days, 23:10, 1 user, load average: 0.01, 0.02, 0.00

on my "Always Free" instance.


reply

Deathmax 20 hours ago | root | parent | next [–]


You might not be on an "Always Free" account then. AFAIK, you're not subject to reclamation
if you add a payment method to the account.
Here's the link to their documentation on reclamation of idle resources:
https://docs.oracle.com/en-us/iaas/Content/FreeTier/freetier...
> Idle Always Free compute instances may be reclaimed by Oracle. Oracle will deem virtual
machine and bare metal compute instances as idle if, during a 7-day period, the following are
true:
> * CPU utilization for the 95th percentile is less than 15%
> * Network utilization is less than 15%
> * Memory utilization is less than 15% (applies to A1 shapes only)
And here's the email that I get whenever they reclaim an instance:
> Oracle Cloud Infrastructure (OCI) has reclaimed idle Always Free compute resources from
Always Free customers by stopping the compute instance(s). Reclaiming idle resources allows
OCI to efficiently provide services to Always Free customers. Your account had one or more
idle compute instances that have been stopped. You can restart your compute instance as
long as the associated compute shape is available in your region. Your Boot and Block
Volumes remain unchanged and available to you. In the future, you can keep idle compute
instances from being stopped by converting your account to Pay As You Go (PAYG). With
PAYG, you will not be charged as long as your usage for all OCI resources remains within the
Always Free limits.
reply

mappu 7 hours ago | root | parent | next [–]


Yes - so I'm not sure why it doesn't seem to actually happen to me, my instance
definitely sits idle like that a lot. All free Oracle accounts must have a payment
method, it was mandatory when creating the account.
Screenshot of my "Always Free" banner in the Oracle web interface: https://imgur.com/a/hTZfkek
reply

gempir 22 hours ago | root | parent | prev | next [–]


It's not super random. They email you beforehand at least. Mine has been shut down once in 3 months,
which I think is fair enough considering I run 2 machines with 8GB RAM each and 2 ARM cores each.
Insane value.
reply

Eldt 1 day ago | root | parent | prev | next [–]


And you won't be able to start up again if they don't have enough capacity for your free instance
reply

ralphc 6 hours ago | root | parent | prev | next [–]


Last I looked they demanded a credit card, even for the free tier, and choked on a gift card credit card,
they wanted a "real" one. Has this changed?
reply

nunez 6 hours ago | root | parent | next [–]


Isn't AWS the same?
reply

asmor 23 hours ago | root | parent | prev | next [–]


There have been a few reports of Oracle randomly terminating services for people who only use the free
tier. I'd rather pay a meager fee than get unpredictably evicted.
reply

dizhn 20 hours ago | root | parent | next [–]


I am not sure this is 100 percent but the Internet says you can upgrade to the paid tier and they
won't evict you. You can use the same always free resources. In terms of unexpected fees, if you
open a free tier account, let the free trial expire, basically whatever you can then do will also be
free when you upgrade.
reply

geraldhh 22 hours ago | root | parent | prev | next [–]


TBH, running a free service on the internet requires unilateral termination of service for "bad
citizens". Totally different story whether it was justified in specific cases.
reply

lmz 16 hours ago | root | parent | prev | next [–]


They sent sales people to call me after I signed up for their cloud. Only once for me though since they
determined I was just a nobody.
reply

asperous 1 day ago | root | parent | prev | next [–]


I have done this before, which is pretty simple because ssh is basically always available:

ssh -R \*:8080:localhost:80 -N root@example.com

reply

moonchrome 23 hours ago | root | parent | prev | next [–]


Same thing with hetzner and I don't have to worry about an AWS account with my payment info on it.
I've seen too many cloud provider horror stories.
reply

entangledqubit 1 day ago | root | parent | prev | next [–]


I started doing this a year ago and it's been super solid and low maintenance.
reply

rfoo 17 hours ago | root | parent | prev | next [–]


Post it here and I'm sure some random guy is going to make you pay $100 next month.
reply

re-thc 19 hours ago | root | parent | prev | next [–]


> FWIW you can do the same thing with a cloud server & a couple bucks a month.
Until you get hacked or attacked and the bandwidth bill skyrockets. I wouldn't risk it.
Cloudflare is bandwidth "included".


reply

datenyan 1 day ago | parent | prev | next [–]


How have you found it for hosting services? I found it struggled with something as simple as an Apache webserver,
though perhaps that's just something to do with my internet itself.
reply

InvaderFizz 1 day ago | root | parent | next [–]


I've had my Plex server behind Cloudflare Tunnels for years, never had any performance or reliability issues.
Another great use case is SSH to a server quite some distance away. I find that the latency when using a
Cloudflare tunnel to SSH is on average better than whatever route my ISP would normally take.
reply

Grimburger 16 hours ago | root | parent | next [–]


> Plex server behind Cloudflare Tunnels for years
Unless I'm missing something here, there's no way Cloudflare is allowing that much traffic through tunnels
for free. Is this just setting up the initial plex connection through the tunnel and then going p2p?
reply

InvaderFizz 16 hours ago | root | parent | next [–]


Nope, 100% of my external users go through CF tunnels. The downside is that the caching results
in the entire file being cached immediately if the user is not using transcoding, but most of my
users are utilizing transcoding. I put a bandwidth limiter on my Cloudflare tunnel to limit it to
100Mbps.
I don't have any actual stats, but there appear to be about 10-20 hours a day of remote streaming,
mostly at 3Mbps. So we're only looking at 400-800GB on average per month.
Also, you can use Cloudflare unregistered free tunnels just like the article, but using registered
tunnels makes it so you don't have to update the Plex url every time you reconnect. I used
unregistered tunnels until Cloudflare made tunnels available on free tier accounts with no
bandwidth charges.
reply

_a9 15 hours ago | root | parent | prev | next [–]


I've been using a tunnel to share my Jellyfin server with friends for about a year. It's pretty much a
proxy for it (add jellyfin:port to the config, start cloudflared, access on jellyfin.my.domain on
Cloudflare).
I haven't had any issues with bandwidth, but it depends on how much you push through it. I've seen
stories throughout the years of people pushing 30-50TB before getting a temp ban from using
Cloudflare services. Of course DNS still works, but you just can't use their proxy/CDN/tunnels/etc.
reply


detaro 16 hours ago | root | parent | prev | next [–]


> there's no way Cloudflare is allowing that much traffic through tunnels for free
What's the limit?
reply

piperswe 1 day ago | root | parent | prev | next [–]


I've pushed quite a lot of traffic over Tunnels with no issues - IME it performs just as well as sending the traffic
over Cloudflare without the Tunnel.
reply

justsomehnguy 1 day ago | root | parent | prev | next [–]


My $5 is on the MTU mismatch.
reply

geraldhh 22 hours ago | root | parent | next [–]


The internet is not going to accept bigger packets just because someone wants to add VPN encapsulation
(additional data). You either account for the overhead (mssfix) or your payload gets fragmented and
performance goes to shit, deal with it 8)
reply

SadTrombone 1 day ago | prev | next [–]


I see options in my Cloudflare control panel to tunnel things besides HTTP(S) services (including TCP and SSH) via Cloudflare
Tunnel. Am I misunderstanding the blog post?
reply

rattt 1 day ago | parent | next [–]


Yeah, it supports generic TCP forwarding. I only tried it once when it was released, but it worked without issues. It needs
cloudflared on the client as well, but so does the method in the blog post, so it should be about the same:
https://developers.cloudflare.com/cloudflare-one/application...
reply

jchw 1 day ago | parent | prev | next [–]


I think you're right. I'm using Cloudflare Tunnels with SSH just fine, though I haven't tried anything else yet. They
definitely have a direct integration for SSH.
reply

amluto 1 day ago | root | parent | next [–]


They have an SSH authentication solution, but IMO it’s rather half-baked. Definitely not a top-tier Cloudflare
product.
reply

jchw 13 hours ago | root | parent | next [–]


I am not using their solution for SSH authentication, but I am using Cloudflare Tunnels to access SSH
normally. I'm actually surprised it can be used this way, but it seems it can.
reply

adamch 1 day ago | prev | next [–]


You don't need a websocket proxy. CF tunnel supports TCP and UDP just fine.
reply

moontear 1 day ago | parent | next [–]


This is what I was wondering when reading the article.
I do SSH forwarding just fine with a CF tunnel. No extra services needed.
reply

ztgasdf 10 hours ago | parent | prev | next [–]


> Error validating origin URL: Currently Cloudflare Tunnel does not support udp protocol.
You sure?
reply

thegeekpirate 21 hours ago | parent | prev | next [–]


Just wanted to inform you that your HN profile as well as your blog's "About me" need to be updated. Cheers!
reply

geraldhh 22 hours ago | parent | prev | next [–]


Good find!
The audience probably feels more comfortable working with technologies that have a "web" prefix and/or can be
deployed to a shared web hosting account, aka cloud.
reply

jftuga 1 day ago | prev | next [–]


I wrote something tangentially related, but for a single user.
"gofwd" is a cross-platform TCP port forwarder with Duo 2FA and Geographic IP integration. Its use case is to help protect
services when using a VPN is not possible. Before a connection is forwarded, the remote IP address is geographically checked
against city, region (state), and/or country. Distance (in miles) can also be used. If this condition is satisfied, a Duo 2FA
request can then be sent to a mobile device. The connection is only forwarded after Duo has verified the user.
https://github.com/jftuga/gofwd
reply

boringuser2 22 hours ago | prev | next [–]


Nobody has yet mentioned that they get full unencrypted access to all of your traffic if you do this, so I shall.
reply

dave4420 22 hours ago | parent | next [–]


Just like any VPN.


reply

mrAssHat 17 hours ago | root | parent | next [–]


That's why you shouldn't buy VPN services. Buy a hosting instead and host your VPN yourself.
This is bonkers that people so actively discuss this. That's like using 3rd party service to access your bank
account.
reply

Grimburger 16 hours ago | root | parent | next [–]


> Buy a hosting instead and host your VPN yourself.
So the ISP gets access instead of the VPN? All this does is shift trust, not remove it.
reply

zamnos 17 hours ago | root | parent | prev | next [–]


Which millions of people do. So many of them that Intuit bought mint.com.
reply

usr1106 21 hours ago | parent | prev | next [–]


The submitted blog post says it.
reply

alexellisuk 17 hours ago | prev | next [–]


Hi, I'm the author of Inlets. We've seen a recent rise in users looking to tunnel TCP traffic w/o these kinds of hacks and
additional tools.
I wrote up a quick guide back in early May - seems relevant to this article as one of the newest users couldn't get Cloudflare
to work with TCP how he wanted.
https://inlets.dev/blog/2023/05/04/expose-local-tcp-ports.ht...
reply

lapinot 19 hours ago | prev | next [–]


I'm quite surprised to read what feels like a Cloudflare ad from THC...
reply

anderspitman 17 hours ago | prev | next [–]


Cloudflare Tunnel is a great service, but if you're looking for selfhosted alternatives I maintain a list here:
https://github.com/anderspitman/awesome-tunneling
reply

hotpotamus 16 hours ago | parent | next [–]


I don't know if Corkscrew is still relevant, but if you're maintaining a list, it might have a place there. I forget exactly
why, but I used it some years ago.
https://github.com/bryanpkc/corkscrew
reply

efrecon 22 hours ago | prev | next [–]


I wrote something similar to be able to run vscode against any remote machine. This was before vscode's own tunnels.
https://github.com/efrecon/sshd-cloudflared
It automatically runs a dockerised sshd to access your directory. The sshd is configured using your GitHub keys to protect
access.
reply

accrual 1 day ago | prev | next [–]


I've been thinking about using a tunnel like this to host a retro computing website. My idea was to run OpenBSD i386 on an
AMD K6-III (1999) host, then use the built-in webserver httpd(8) to render and serve a static site. The machine would be
tunneled via Wireguard to a VPS, and the VPS could optionally terminate the TLS (and transmit plain HTTP over WG) to free
up some CPU cycles. :)
reply

glenngillen 1 day ago | parent | next [–]


We've been working on something (https://github.com/build-trust/ockam) that enables exactly this, among a whole
host of other use cases. If you check out some of the code examples in the docs, you'll see how to set up a tunnel using
the CLI.
For other use cases there’s also the programming libraries (only Rust atm, though I was spiking a TypeScript/Node PoC
this week) which might provide more flexibility. Personally I’m excited by the idea of being able to move this kind of
secure by design connectivity all the way into the application layer though.
reply

m3kw9 1 day ago | prev [–]


Why would I want to do that? Would certain firewalls setup cause issues?
reply

Toutouxc 1 day ago | parent [–]


Cloudflare tunnel does support SSH on top of the main HTTP offering, but if it didn’t, it would be the kind of use case
for this. And generally anything that talks something-over-TCP but not HTTP, so XMPP maybe? Databases, cameras and
other IoT stuff?
And if you’re asking why anyone would even do that, like why use Tunnel at all, then well, many people are behind all
kinds of NAT or, like me, on a public IP with my ISP’s stateful firewall preventing anyone from talking to me. CF Tunnel
allows you to hide all that in a nice outgoing TCP connection and if your firewall allows that (which it probably does),
you’re golden.
reply
