Using TCP tunnels with Cloudflare Tunnel is an efficient and secure way to manage remote connections to non-HTTP(S) services such as SSH, RDP, and databases like Postgres. It lets system administrators and developers reach their infrastructure from anywhere in the world over an encrypted, protected channel, without exposing the services directly to the internet.
Why use TCP tunnels with Cloudflare?
Traditionally, exposing services like databases to the internet poses significant security risks. Conventional methods such as VPNs or using static IPs can lead to complex configurations and potential vulnerabilities. With Cloudflare Tunnel, connections are managed through Cloudflare’s network, providing several key advantages:
- Increased security: There is no need to open ports or expose services directly on the public network.
- Flexible access: Allows connection from any location without the need for a VPN.
- Integration with Cloudflare Access: The ability to control and restrict access with multi-factor authentication.
- Simplicity in configuration: Use of simple commands to establish and maintain the connection.
Setting up a TCP tunnel with Cloudflare
Setting up a TCP tunnel with Cloudflare requires installing and authenticating cloudflared on both the server and the clients that will access the service.
1. Installing cloudflared
The first step is to update the system and install cloudflared:
sudo apt-get update
sudo apt-get -y install cloudflared
2. Authentication and creating the tunnel
For the server to initiate the connection with Cloudflare, cloudflared must first be authenticated:
cloudflared tunnel login
When this command is executed, a link will open in the browser where you must log in to Cloudflare and authorize access.
Then, the tunnel is created with a unique identifier:
cloudflared tunnel create postgres
This command will generate a UUID that will identify the tunnel in the Cloudflare configuration.
3. Configuring the DNS
To ensure that traffic is routed correctly, a DNS record must be configured in Cloudflare:
cloudflared tunnel route dns database..com
This creates a CNAME record that points database. at the Cloudflare tunnel.
4. Configuring the tunnel on the server
cloudflared must be configured in the YAML configuration file at ~/.cloudflared/config.yaml:
tunnel: 
credentials-file: .json
ingress:
  - hostname: database..com
    service: tcp://:
  - service: http_status:404
This file defines the tunnel and how traffic will be routed to the database or service that needs to be protected.
5. Starting the tunnel as a service
To ensure that the tunnel starts automatically when the system boots, the service is installed on Linux:
sudo cloudflared --config ~/.cloudflared/config.yaml service install
If adjustments are necessary, the service configuration file can be edited at /etc/systemd/system/cloudflared.service. Finally, to check that the service is active, run:
systemctl status cloudflared
6. Connecting from the client
The client must also have cloudflared installed and authenticated. To establish the connection to the database, run:
cloudflared access tcp --hostname database..com --url 127.0.0.1:
This command forwards traffic from the local port (e.g., 5432 for Postgres) to the remote server through the Cloudflare tunnel.
From there, the connection to the database is made as if it were hosted locally:
psql -h 127.0.0.1 -p 5432 -U user -d database
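The script below is an added example, not code from the original post or from Cloudflare. It lints a config.yaml of the shape shown in step 4 before the service from step 5 is installed, checking for a tunnel UUID, a credentials file, well-formed tcp://host:port targets, and the catch-all http_status:404 rule in last position; the UUID, paths and hostname in the embedded sample files are constructed.

```shell
#!/bin/sh
# Added example: lint a cloudflared config.yaml before 'service install'.
# Checks for a tunnel UUID, a credentials file, well-formed tcp://host:port
# targets, and the catch-all http_status:404 rule in last position.
lint_tunnel_config() {
  file="$1"; status=0
  [ -r "$file" ] || { echo "$file: not readable"; return 1; }
  grep -Eq '^tunnel:[[:space:]]*[0-9a-f-]{36}[[:space:]]*$' "$file" ||
    { echo "$file: 'tunnel:' must carry the tunnel UUID"; status=1; }
  grep -Eq '^credentials-file:[[:space:]]*[^[:space:]]+\.json[[:space:]]*$' "$file" ||
    { echo "$file: 'credentials-file:' must name the <UUID>.json file"; status=1; }
  # An empty host or port in tcp://host:port is the usual copy-paste slip.
  for target in $(grep -Eo 'tcp://[^[:space:]]*' "$file"); do
    printf '%s\n' "$target" | grep -Eq '^tcp://[^:/[:space:]]+:[0-9]{1,5}$' ||
      { echo "$file: ingress target '$target' is not tcp://host:port"; status=1; }
  done
  # Without the catch-all last, hostnames matching no rule are not rejected cleanly.
  last=$(grep -E '^[[:space:]]*-?[[:space:]]*service:' "$file" | tail -n 1 |
    sed -E 's/.*service:[[:space:]]*//')
  [ "$last" = "http_status:404" ] ||
    { echo "$file: last ingress rule must be 'service: http_status:404'"; status=1; }
  return "$status"
}

# Constructed sample configs (placeholder UUID, paths and hostname):
# one correct, one carrying the slips the lint is meant to catch.
write_samples() {
  dir="$1"
  cat > "$dir/good.yml" <<'EOF'
tunnel: 00000000-0000-4000-8000-000000000000
credentials-file: /root/.cloudflared/00000000-0000-4000-8000-000000000000.json
ingress:
  - hostname: database.example.com
    service: tcp://127.0.0.1:5432
  - service: http_status:404
EOF
  cat > "$dir/bad.yml" <<'EOF'
tunnel:
credentials-file: .json
ingress:
  - hostname: database.example.com
    service: tcp://:
EOF
}

# Returns 0 only if the good sample passes and the bad sample is rejected.
demo() {
  dir=$(mktemp -d) || return 1
  write_samples "$dir"
  lint_tunnel_config "$dir/good.yml" && ! lint_tunnel_config "$dir/bad.yml"
  rc=$?; rm -rf "$dir"; return "$rc"
}

demo && echo "lint demo: good.yml accepted, bad.yml rejected"
```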
Conclusion
Implementing TCP tunnels with Cloudflare Tunnel provides an efficient and secure alternative for managing remote connections to sensitive services. By eliminating the need to expose ports and reducing reliance on traditional VPNs, this solution simplifies management and enhances the security of IT infrastructure.
Additionally, its integration with Cloudflare Access allows advanced access rules to be defined, improving control over who accesses internal resources and how. For organizations and system administrators looking to strengthen their security without compromising accessibility, this technology is a highly recommended option.
via: Ryan Schachte and CloudFlare