r/CloudFlare: Help! Unable to expose my UNRAID server to the internet using Tunnel GUI

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/yjd2xw/help_unable_to_expose_my_unraid_server_to_the/

Question

Hello. I'm very new to running a server and I am stuck. I want to start by exposing Vaultwarden to the internet via the Cloudflare tunnel GUI. But I cannot get it to work. I always get a Bad Gateway error 502.

I have my domain name registered and linked to my cloudflare account. It is currently the only DNS record i have in my list "CNAME _domainconnect connect.domains.google.com"

I downloaded the Vaultwarden docker.

I created a new tunnel for vaultwarden, selected docker as my environment. Copied the command and pasted it into the command line in unraid and the connectors list populated in cloudflare tunnel GUI.

Then I created the public hostname. with my subdomain.mydomain.net. I selected https and the localhost url as 192.168.1.17:4743 and saved.

Now there is a new CNAME dns entry with the new subdomain populated

Now my tunnel list is populated and shows that it is "active." I'm not really sure where to go from here. Do I need to update DNS records? Do I even need a cloudflared docker? I'm not really sure. I'm really new to this and am trying to learn. But all the video and text tutorials have so much variance between them all. I'm just trying to find a fresh simple unraid method for this. I'm sure once i get this running, then getting other services running should be more straight forward.

Any help is greatly appreciated!

Answer

Multiple things to troubleshoot here:

  1. You configured the public hostname to point to 192.168.1.17:4743, and with https. Have you configured Vaultwarden to be able to use HTTPS? By default, as far as I know from my customers, Vaultwarden, without further config, is only able to use HTTP. So the missing certificate is the reason for the 502 error.
  2. You said you posted the command for the cloudflared Tunnel directly to the UnRaid command line, but that is not the place it should be run. You will notice the next time you reboot your UnRaid machine that your Tunnel will be down, since the service is not running anymore. The best way to tackle this is to either use the "official" cloudflared Tunnel from the UnRaid apps and configure that with your token or create a new KVM VM with Ubuntu and run the cloudflared Tunnel there. In the past, I have had a more stable experience running cloudflared within a dedicated VM.
  3. Generally, you should use public hostnames if you want to access the app you are publishing from any PC that has internet. In case of your password manager which is Vaultwarden, you would only want to use the app from your own trusted devices, so a public hostname is a bad idea. On top of that, public hostnames are only for web-based traffic, which Vaultwarden doesn't use. So even if you get the app to work and it displays a web page for you, the browser extensions will not be able to connect. So you have to switch to using the WARP for Teams client and connecting with that, completely ignoring the public hostname function.

Comment 1 on Answer

  1. Http definitely solved that.
  2. Interesting. The tutorials I see on YouTube seem to be all over the place. Maybe due to software and cloudflare changing a lot over the past year? I watched one of ibracorps gui videos and no mention of cloudflared docker, but they weren't using unraid as their example platform so maybe that threw me off. Trying to find the right tutorials to fit my scenarios and limited knowledge is proving difficult.
  3. Hmm interesting. When I was looking at older tutorials from ibracorp and spaceimvader one. They used ngm. Is using that reverse proxy a way that allowed them to reliably use a publichost? Cuz from what I get from it, they are using their public host to use it?

Looks like I still have a lot to learn. I appreciate your help!

My response to comment 1

The tutorials I see on YouTube seem to be all over the place. Maybe due to software and cloudflare changing a lot over the past year?

There can be multiple reasons as to why tutorials on the internet do not help. The most common one is the person doing the explaining had little chance to thoroughly learn what they are teaching and therefore are leaving out important information. Another thing is that some tutorial creators are not structured thinkers, so they do not go through the process of portraying how a guide should look so everyone can cohesively understand it.

Is using that reverse proxy a way that allowed them to reliably use a publichost? Cuz from what I get from it, they are using their public host to use it?

Cloudflare itself, if you are proxying your DNS records, is a reverse proxy. And you are doing that because you are using Cloudflare One (the platform the cloudflared Tunnel is based on). Maybe ngm is modifying the traffic from Vaultwarden to let it pass as web traffic and then the extensions are able to work with it?

But a whole other problem with public hostnames is, as it is right in the name, everyone calling it can access it (I could create an account on your instance and use it right now), so only your login in Vaultwarden is protecting your instance. That is bad if the app should not be used by everyone, more so for a critical piece of infrastructure like a password manager. You can create Access Application rules to protect the public hostnames with a login prompt, but then the extensions will definitely not work since they can't interactively sign in.

So overall, using the WARP client for the communication with the Vaultwarden instance is the best way forward since you don't expose anything to the WWW. WARP clients are only able to access your app if they are authenticated by you, therefore making them trusted.