Cloudron + Proxmox + Cloudflare tunnels
I struggled to find information on how to make Cloudron work behind Cloudflare tunnels, so I took a crack at it and figured I'd share my notes in the hope they can save someone else from banging their head on the desk quite as much.
Goal
Get Cloudron running with Nextcloud installed as an app, on Proxmox, behind a router that we have no admin control over, and available via a proper domain name. To do this we'll use a Cloudflare tunnel. (This requires your DNS to be managed at Cloudflare.)
Cloudflare tunnel setup
Once the Cloudflare tunnel is set up, the Proxmox host creates the tunnel out to the Cloudflare edge servers, so nothing on the router needs to change to allow inbound traffic. The tunnel configuration controls what is allowed into the tunnel, and also what the cloudflared daemon does with the traffic once it arrives on the Proxmox host. In this setup some traffic goes to localhost to reach the Proxmox GUI, and other traffic is sent to other IPs/ports on the local private network, specifically our Cloudron VM inside Proxmox.
- Start with a working Proxmox host that has access to the internet but sits on a private IP address behind a router we do not have admin access to (so no DMZ host, port forwarding, etc.).
- You'll also need a domain (e.g. example.com) that is already set up on Cloudflare, with Cloudflare running its DNS.
- On Cloudflare, set up "Zero Trust". You'll need to enter billing info, but you can select the free plan so the card will not be charged.
- In the "Zero Trust" section, go to "Tunnels" and choose "Create a tunnel".
- Give the tunnel a name (e.g. cloudron-pve), then select the Debian, 64-bit option for the connector installer details.
- On the Proxmox host, run the connector installer command shown in the dashboard (it embeds your tunnel token):
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && sudo dpkg -i cloudflared.deb && sudo cloudflared service install <your token details here>
- On the tunnel config, add a public hostname. This one is for the Proxmox GUI, so e.g. proxmox.example.com; set the type to "HTTPS" and the URL to https://localhost:8006. Under "Additional application settings" -> "TLS", enable "No TLS Verify" so that Cloudflare does not reject the self-signed certificate on Proxmox.
Cloudron setup
- On the Proxmox host, create a VM (not an LXC container) and install the current Ubuntu Server LTS. Ensure the CPU type is set to host so that AVX support is exposed to the VM (required since Cloudron 7.6 updated MongoDB to version 5.0).
- Set a static IP address for the VM, one in the router's network range that the router's DHCP will not hand out if possible, e.g. 192.168.0.201.
- Install Cloudron on the server (the last command needs sudo/root), using the commands from the Cloudron web page:
wget https://cloudron.io/cloudron-setup
chmod +x ./cloudron-setup
sudo ./cloudron-setup
- (If you have a local machine on the same network as the Cloudron VM, use that for the setup steps; if not, install another Linux VM with a GUI on the Proxmox box and use a browser in the Proxmox console for these steps.)
- On the Cloudron setup web page, add the domain (example.com), choose Cloudflare as the DNS provider and set the API token (I use the API token option).
- Under "Advanced settings" for the network setup, choose "Network Interface" as the provider and enter the interface name in the box below (e.g. eth0 or ens18).
- Finish the Cloudron setup steps for user details etc.
Configure tunnel to allow access to Cloudron GUI
- Go back to the Cloudflare DNS for the domain; there should be an A record that Cloudron created for my.example.com. Delete it.
- In Cloudflare Zero Trust -> Tunnels -> the cloudron-pve tunnel, add another public hostname, my.example.com; set the type to "HTTPS" and the URL to https://192.168.0.201, and again set the Advanced -> TLS -> No TLS Verify option.
- At this point you should be able to reach the Cloudron GUI in a web browser, locally or remotely, via https://my.example.com.
App installation/setup
Adding apps via the Cloudflare tunnel takes a couple of extra steps compared with a normal Cloudron app install.
- Install the app from the Cloudron App Store as usual and let it finish installing completely. For testing I installed Nextcloud and gave it the name nc on my domain.
- Once the app shows "running" as its status, go to the Cloudflare DNS settings for the example.com domain and find the newly added A record (nc), which should be pointing at the private IP of the interface you set Cloudron up on (192.168.0.201). Delete that A record.
- Go to Zero Trust -> Tunnels -> the cloudron-pve tunnel and add another public hostname, nc.example.com. Set the type to "HTTPS" and the URL to https://192.168.0.201, and set the Advanced -> TLS -> No TLS Verify option.
- You should now be able to access the Nextcloud GUI in a web browser, locally or remotely, via https://nc.example.com.
Repeat install -> delete A record -> add public hostname each time you add another app.
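The notes above configure the tunnel from the Zero Trust dashboard; the same three public hostnames expressed as a locally managed cloudflared config.yml look like this (an added example, not from the original notes). It assumes a tunnel created with "cloudflared tunnel create cloudron-pve" rather than the token-based connector install, and TUNNEL-UUID and the credentials path are placeholders.

```yaml
# /etc/cloudflared/config.yml (added example; TUNNEL-UUID is a placeholder)
tunnel: TUNNEL-UUID
credentials-file: /etc/cloudflared/TUNNEL-UUID.json

ingress:
  # Proxmox web GUI on the host itself; self-signed cert, so skip verification.
  - hostname: proxmox.example.com
    service: https://localhost:8006
    originRequest:
      noTLSVerify: true
  # Cloudron dashboard on the VM's static LAN address.
  - hostname: my.example.com
    service: https://192.168.0.201
    originRequest:
      noTLSVerify: true
  # One rule per Cloudron app, added after its A record has been deleted.
  - hostname: nc.example.com
    service: https://192.168.0.201
    originRequest:
      noTLSVerify: true
  # Required catch-all: any hostname not listed above is refused.
  - service: http_status:404
```

Run "cloudflared tunnel ingress validate" to check the file, and "cloudflared tunnel ingress rule https://nc.example.com" to see which rule a given URL would match.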
Caveats
If you re-publish the DNS records, Cloudflare will end up with both an A record pointing to the private IP and a CNAME record pointing to the tunnel. That's likely to cause problems. I'm uncertain if Cloudflare will prevent the A records being added, or if it'll break in new and interesting ways. Any issues can be resolved by deleting the A records again and ensuring the tunnel CNAME records are there (re-enter the public hostnames if needed).
If you want to use a subdomain (e.g. cloudron.example.com) as your base domain, and Cloudflare knows only the top-level example.com zone, then you'll need to pay Cloudflare for their advanced TLS option to generate certificates for the sub-subdomain names (e.g. my.cloudron.example.com).

These notes were brain dumped after I worked through this and finally got it all working. Their accuracy is not guaranteed...
General reminder - don't expose stuff to the internet unless you know roughly what you are doing. Are you really sure you want your Proxmox GUI out there on the internet? You can limit access to the things in the Cloudflare tunnel using the Cloudflare "Access" controls, but this is left as an exercise for the reader.