cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

🐛 Unable to establish tunnel connection with an OVH VPS if Edge Network Firewall is enabled #1223

Closed fastily closed 5 months ago

fastily commented 5 months ago

Describe the bug
I'm unable to set up or use cloudflared on an OVH VPS if I have also enabled the OVH Edge Network Firewall.

To Reproduce
Steps to reproduce the behavior:

  1. Setup a new ubuntu VPS from OVH
  2. Enable the Edge Network Firewall (instructions) and create the Authorize ICMP, Refuse IPv4, and Authorize TCP rules in the example.
  3. Create a new Cloudflare tunnel using the Zero Trust dashboard
  4. Install cloudflared (either with the deb or with the apt repo) on the VPS
  5. Run the sudo cloudflared service install <YOUR_TOKEN> command generated by the dashboard when you created your Cloudflare tunnel.
  6. Observe that the aforementioned command hangs indefinitely.

If it's an issue with Cloudflare Tunnel:

  1. Tunnel ID : n/a
  2. cloudflared config: n/a

Expected behavior
cloudflared service install should successfully configure the tunnel and exit

Environment and versions

Logs and errors
None, because the above command hangs

Additional context
Workaround is to disable the OVH Edge Network Firewall when setting up the Cloudflare tunnel service for the first time. Once the command exits, edit /etc/systemd/system/cloudflared.service so that the ExecStart line includes the --protocol http2 argument when starting cloudflared. Example line with the changes:

ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel --protocol http2 run --token <YOUR_TOKEN>

Be sure to reload the daemon (sudo systemctl daemon-reload) and restart the systemd cloudflared service after making this change.
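The workaround above, applied as a systemd drop-in rather than by editing the packaged unit file, so the pinned protocol survives package upgrades. This is an added example, not code from the issue or the cloudflared project; the unit path is the one named above, and the drop-in directory name (cloudflared.service.d) is an assumption following systemd's convention.

```shell
#!/bin/sh
# Added example (not from the issue or the cloudflared project): pin cloudflared
# to --protocol http2 through a systemd drop-in. The unit path is the one the
# workaround names; the drop-in directory is assumed (systemd convention).

# Insert "--protocol http2" after the "tunnel" subcommand of an ExecStart line.
# A line that already carries a --protocol flag is returned unchanged.
pin_http2() {
    line=$1
    case "$line" in
        *--protocol*) printf '%s\n' "$line" ;;
        *) printf '%s\n' "$line" | sed 's/ tunnel / tunnel --protocol http2 /' ;;
    esac
}

# Build the drop-in body. The empty ExecStart= clears the packaged command
# (systemd requires this for Type=simple units before a new ExecStart is set).
dropin_body() {
    printf '[Service]\nExecStart=\n%s\n' "$(pin_http2 "$1")"
}

# Read the first ExecStart line from the unit file and write $2/override.conf.
write_dropin() {
    unit=$1
    dir=$2
    exec_line=$(grep '^ExecStart=' "$unit" | head -n 1)
    [ -n "$exec_line" ] || { echo "no ExecStart in $unit" >&2; return 1; }
    mkdir -p "$dir"
    dropin_body "$exec_line" > "$dir/override.conf"
}

# On the VPS, once "cloudflared service install" has completed with the edge
# firewall temporarily disabled, as described above:
#   write_dropin /etc/systemd/system/cloudflared.service \
#                /etc/systemd/system/cloudflared.service.d
#   systemctl daemon-reload && systemctl restart cloudflared
```

Check the effective command afterwards with `systemctl cat cloudflared`, which prints the unit together with its drop-ins.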

jcsf commented 5 months ago

Hi. The issue you are describing seems to be related to the OVH Edge Firewall blocking the requests of cloudflared to Cloudflare APIs. There is probably some rule that you need to add to the firewall to allow the traffic to pass through. Most of the discussions you linked are reaching the same conclusion. Since this isn't a bug with cloudflared I will close the issue. If you discover the solution, feel free to share it with the community.

fastily commented 5 months ago

> If you discover the solution

@jcsf I guess I should clarify. The solution is already known: run cloudflare tunnel with --protocol http2. I'm not interested in opening up more ports on my firewall; that's not great for security, increases my maintenance overhead, and isn't necessary to get a working tunnel anyways.

Based on the docs, it seems like cloudflared defaults to QUIC, but falls back to http2 if QUIC isn't working. This automatic fallback behavior doesn't seem to be working on OVH hosts and I was hoping you could investigate. Thanks

l0ukai commented 2 weeks ago

Hello! If you're using OVH's Edge Network Firewall, you may want to add or allow Cloudflare's IPv4 address list. You can find the list of Cloudflare IP addresses here: https://www.cloudflare.com/ips/ Hope this helps!