cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

Add option for udp protocol in argo tunnel #215

Closed gerardo-junior closed 2 years ago

gerardo-junior commented 4 years ago

Hello, I'm looking for products similar to the argo tunnel, but I haven't found one that supports udp. I would like to use mosh on argo, but mosh runs on the udp protocol. I think it would be very useful for various types of applications and games.

gerardo-junior commented 3 years ago

is there a plan to implement this? maybe QUIC (http/3) or tcp2udp?

bjornfro commented 2 years ago

quic/udp is supported in cloudflared now. Not sure how/if it works when using SSH and cloudflared?

nmldiegues commented 2 years ago

@gerardo-junior 's request is for proxying UDP packets.

What was announced today is that cloudflared connects to Cloudflare edge using QUIC (and hence relying on UDP).

I.e., it is now possible to establish the Tunnel using QUIC, but what we proxy through that Tunnel is still TCP only. However, proxying UDP through the Tunnel is on our radar. @abelinkinbio can tell you more about it.

bjornfro commented 2 years ago

Yes, and no. Mosh was mentioned which is why I mentioned SSH. Right now SSH is quite unreliable via cloudflared. Multiple disconnects per day. Not sure if carrying SSH(TCP) via Quic and cloudflared is even possible or if it would make SSH more reliable with cloudflared. One potential benefit, of course, is to support IP-roaming, which is the main feature of mosh.

ChronoBrake commented 2 years ago

UDP will be awesome for TeamSpeak or other software

Spunkie commented 2 years ago

Similarly I've been keenly waiting to use tunnels for game servers.

Any updates on this @abelinkinbio? :eyes:

abelinkinbio commented 2 years ago

We're excited as well! We don't have anything to report back at the moment, but will be sure to update this thread as soon as we do 🚀

ZaxLofful commented 2 years ago

Does this apply to TCP connections outside of 80/443?

What about using cloudflare as host/client local host proxy, can I do UDP in that scenario?

neo-neo1 commented 2 years ago

I have a dream. One day we will be able to send UDP through Cloudflared tunnels. Here’s hoping.

nmldiegues commented 2 years ago

For zero trust private networking, that dream is coming true: https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/

navhits commented 2 years ago

The first thing I wanted to try was to run wireguard or openvpn, because I had those docker images to quickly launch one. But I can't get this working as expected.

abelinkinbio commented 2 years ago

@navhits what issues are you running into?

aofei commented 2 years ago

I actually thought the OP wanted something like this:

$ # server side
$ cloudflared tunnel --hostname udp.example.com --url udp://localhost:7870
$ # client side
$ cloudflared access udp --hostname udp.example.com --url localhost:9210

Diving into the zero trust private networking you mentioned is too much for this tiny need.

Should I open a new issue to file this FR since this issue has been closed?

smashah commented 2 years ago

I think the issue with implementing this with wireguard is the wireguard client requires a port - so udp.example.com by itself isn't going to work

navhits commented 2 years ago

Yes @smashah you're right. Plus I didn't add split tunnel rule since I run into connection problems. @aofei I used warp instead of cloudflared access on CLI. It's very specific to devices supporting the CLI tool. On android the problem is that you cannot have concurrently multiple VPN connections active. I would also like to connect without warp too. @abelinkinbio this is what's happening. Btw it works when I'm on the same network. But that's not what's needed here

ReinisV commented 2 years ago

So what is the current state of things? Is it possible to tunnel UDP and other types of connections? If not, then why? If yes, is there any documentation for that somewhere I could check out?

I've got a tunnel running with the following content: [image] [image] [image]

and it seems to tunnel the www/http/80 subdomain correctly, but the wireguard/udp/51820 and ssh/ssh/22 are not reachable.

navhits commented 2 years ago

@ReinisV forwarding an internal service requires us to route IP through cloudflared. Once that's done and it's part of warp encryption, we could possibly access it externally. I first did this before realising this, since tunnels still route traffic via TCP afaik. Not sure what happens with quic

ReinisV commented 2 years ago

I don't really get it.

Why do I need WARP? Why can't I tunnel SSH and Wireguard traffic the same way I tunnel HTTP traffic?

TownLake commented 2 years ago

Hi @ReinisV - can you tell us a bit more about what you're trying to do? To your question, on the HTTP side your Tunnel has a public DNS record and your browser can send HTTP requests to the Tunnel after resolving the hostname.

Non-HTTP use cases vary a bit based on what you're trying to do and the client you want to use. How do you want to connect to the two non-HTTP resources you've added?

ReinisV commented 2 years ago

> Hi @ReinisV - can you tell us a bit more about what you're trying to do?

My use case is (I think) relatively simple. I've got a RaspberryPi running on my local network. What I want to achieve is being able to VPN into my local network to access other devices, use DNS adblocking on the network, etc..

My provider provides a private NAT IP address, so DDNS is not going to work.

I have Wireguard installed and running via PiVpn on the RaspberryPi.

I want to tunnel the Wireguard packets to the public address the same way I am currently tunneling http packets.

With the configuration I showed in the previous comment, http tunnelling works, but wireguard, which is udp, and ssh tunneling don't work.

To connect to wireguard, I am using this config:

To connect to SSH, I am trying to use this config:

Both SSH and wireguard seem to be reaching the host, but do not get responses:

my question is -- is it possible to tunnel these kinds of packets and if yes, could you point me towards some documentation regarding setting it up?

navhits commented 2 years ago

I do not have problems with SSH and VNC. I have SSH on all my machines via cloudflare. What I couldn't achieve is routing internal network and routing wireguard

Spunkie commented 2 years ago

Requiring zero trust or warp is a complete nonstarter for ANY of my use cases as well.

Offering ddos protected game server hosting for example, no one is going to want their players to need to download "some random vpn client", make a cloudflare account, or even verify an email just to join a game. As for pricing, paying per user is obviously not even remotely possible for public game servers.

navhits commented 2 years ago

I'm looking at some alternate options without warp routing. I'll keep this space updated

A7610605 commented 2 years ago

> Requiring zero trust or warp is a complete nonstarter for ANY of my use cases as well.
>
> Offering ddos protected game server hosting for example, no one is going to want their players to need to download "some random vpn client", make a cloudflare account, or even verify an email just to join a game. As for pricing, paying per user is obviously not even remotely possible for public game servers.

Reverse tunnelling raw TCP/UDP is impossible, even for tcp you need cloudflared as client. If such a product did exist. Who will buy the expensive Cloudflare Spectrum?

Spunkie commented 2 years ago

> Reverse tunnelling raw TCP/UDP is impossible, even for tcp you need cloudflared as client.

?

> If such a product did exist. Who will buy the expensive Cloudflare Spectrum?

Cloudflare Spectrum is a joke of a product, priced into absolute obscenity, and restricted to only ssh/minecraft. It should sunset in favor of cf tunnels.

timothystewart6 commented 2 years ago

I'd love raw TCP/UDP support.

yalopov commented 2 years ago

are there any alternatives to use udp with cloudflare tunnel? i'd like to expose wireguard too

navhits commented 2 years ago

What I understood is that UDP support is yet to come out. Initially this was being tested I assume. Because earlier when I ran cloudflared tunnel run udp://localhost:1234 some-tunnel, the tunnel started but failed to connect on UDP. Later after I updated the CLI I tried this and got an error like UDP is not a supported protocol. I didn't try after that.

Dima-Kal commented 1 year ago

Why is this closed? there is still no UDP support AFAIK

sudarshan-reddy commented 1 year ago

You can use UDP with warp routing to tunnel.

https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/

Dima-Kal commented 1 year ago

> You can use UDP with warp routing to tunnel.
>
> https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/

Does it require running WARP client + Wireguard client? if so, then what's the point? i don't want WARP client installed, it's just an extra overhead

aofei commented 1 year ago

> i don't want WARP client installed, it's just an extra overhead

Cloudflare WARP is pretty broken right now. Many problems are waiting to be solved. It's a smart choice to not use it for now.

If you do need to exchange UDP packets through Cloudflare Tunnel, then I recommend you use it with UDPTunnel (old but usable). Or open a new issue for your FR, although it will most likely be marked as a duplicate.
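
Added example, not part of the original comment and not UDPTunnel's or cloudflared's code: since the Tunnel proxies TCP only, a UDP-over-TCP relay has to preserve datagram boundaries inside a byte stream. The 2-byte length prefix and the names `frame`, `Deframer` and `roundtrip` are assumptions chosen for illustration; the deframer handles TCP reads that split or merge frames and rejects impossible lengths.

```python
import struct

MAX_DATAGRAM = 65507  # largest UDP payload over IPv4 (65535 - 20 IP - 8 UDP)
_HDR = struct.Struct("!H")  # assumed framing: 2-byte big-endian length prefix


def frame(payload: bytes) -> bytes:
    """Wrap one UDP payload so its boundary survives a TCP byte stream."""
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("payload larger than a UDP datagram can carry")
    return _HDR.pack(len(payload)) + payload


class Deframer:
    """Rebuilds datagrams from TCP reads, which may split or merge frames."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        out = []
        while len(self._buf) >= _HDR.size:
            (length,) = _HDR.unpack_from(self._buf)
            if length > MAX_DATAGRAM:
                # Never trust the peer's length field: drop the connection.
                raise ValueError("corrupt or hostile length prefix")
            end = _HDR.size + length
            if len(self._buf) < end:
                break  # wait for the rest of this frame
            out.append(bytes(self._buf[_HDR.size:end]))
            del self._buf[:end]
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def roundtrip(datagrams, chunk_size):
    """Simulate a TCP stream delivering the framed bytes in chunk_size reads."""
    stream = b"".join(frame(d) for d in datagrams)
    rx, got = Deframer(), []
    for i in range(0, len(stream), chunk_size):
        got.extend(rx.feed(stream[i:i + chunk_size]))
    return got, rx.pending()


# Constructed sample payloads, including an empty datagram (valid in UDP).
SAMPLE = [b"\x01handshake-init", b"", b"x" * 1400]
```

Because TCP retransmits and orders everything, a lost segment delays every datagram queued behind it, so loss on such a relay shows up as latency rather than as dropped packets.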

navhits commented 1 year ago

You can possibly use Cloudflare tunnels to serve UDP. But to get it working you need to treat the UDP service as internal. This is why you need warp or cloudflared access. The problem solved here is correct. However the use case most of us are trying is different. We are trying to have a publicly exposed private network which is basically a UDP service. For this Cloudflare tunnel won't help. You still need a public IP. Maybe if CF tunnels support this feature someday you can use it. My experiment of setting up a Wireguard server won't work out with the current CF tunnels.

eximius313 commented 1 year ago

I need to do exactly the same thing as @ReinisV described here

HTTP/HTTPS works fine via Tunnel, SSH and TCP work fine as well, but in order for Wireguard to work, I also need UDP support. I'd rather not play with WARP, private networks or tunneling UDP via TCP - this is overkill for such a simple use case.

Is adding "UDP" protocol in this dropdown: [image] really impossible?

n3me5is-git commented 1 year ago

Maybe also TCP+UDP would be useful. I have to make a tunnel that uses both TCP and UDP on the same port to access/program some IoT devices. I would like to manage everything from the dashboard and then connect with cloudflared access.

peixotorms commented 1 year ago

why is this closed?

ZaxLofful commented 1 year ago

https://github.com/cloudflare/cloudflared/issues/964

They want us to submit it a different way, since this is technically not a bug... It's an unimplemented feature (intentionally). They say they are going to put it on the roadmap, but we should all go submit a new ticket on their website.

feedback channel of community.cloudflare.com.

teohhanhui commented 5 months ago

With WebTransport it will definitely be possible to encapsulate UDP datagrams over HTTP/3 (over QUIC):

https://www.ietf.org/archive/id/draft-ietf-webtrans-http3-09.html

It seems like Cloudflare has not enabled support for that though:

https://community.cloudflare.com/t/unable-to-forward-webtransport-request-via-loadbalancer-to-origin/335218/5

(Unless something has changed in the meantime, but I can't find any indication of that...)

niceEli commented 1 month ago

there is no udp dropdown for selecting the types, there should be so i can run wireguard