[Guide] Push the jail to the internet without public IP with Cloudflare tunnel (TrueNAS core / No VM)

pureexe

Cadet
Joined
Nov 27, 2022
Messages
7
I just switched from the cloud to the NAS, especially TrueNAS Core, and really love it.

However, I tried to google the method to push a file to the public using Cloudflare Tunnel on FreeBSD (especially TrueNAS), and I found that a lot of people struggle with the same problem as me, such as [This], [This] and [This]

One simple solution is to use a Linux VM instead (recommended by [This comment]). But for a person with a small RAM capacity like me, a VM is not a good choice.

Cloudflare also doesn't provide any documentation for FreeBSD even though its library supports FreeBSD. Here, I write a how-to for cloudflared in a TrueNAS jail for those who might have the same problem in the future.

TLDR;

pkg install cloudflared
cloudflared tunnel run --token <your token>

If you are new to FreeBSD (like me), here I also provide a step-by-step picture guide.

Step-by-Step guide

Step 0: Set up your TrueNAS Core and Cloudflare account

I assume that you already have TrueNAS set up. Here is my machine for demonstration.

Also, I assume that your Cloudflare is already pointing to the domain. Here, I use ph.in.th for demonstration.

Step 1: Setup a jail

You can use any jail you want. But for this guide, I will use FAMP. To keep things less messy, I prefer to use DHCP (so the jail has a different IP from the host).

Step 1.1: Mount the dataset to the jail

I will create this jail for sharing my files with the public. You may skip this step if you use other plugins / jails. But if you use FAMP to share files like me, mount the dataset to /usr/local/www/apache24/data to share it across the internet. I prefer to check read-only. It will prevent the jail that is exposed to the internet from writing something back to my dataset.

Also, if you cannot mount because the folder isn't empty, you have to delete index.html first by opening the jail's shell and using the command "rm /usr/local/www/apache24/data/index.html".

Step 2: Install cloudflared to the jail

On the jail page, you will find the shell button.

Then, type: pkg install cloudflared

It will ask you to confirm your request; press "y".

Step 3: Set up on the Cloudflare website

Under the Traffic tab, there will be a Cloudflare Tunnel button; click on Launch Zero Trust Dashboard.

In the Zero Trust dashboard, go to Access > Tunnels, then click "Create a tunnel".

Then, it will ask you to name the tunnel. I will set it to "share", but you can use whatever you prefer.

Then it will give you a "<token>". However, there is no instruction for FreeBSD here. So, just keep the token to use in the next step.

At the bottom, there will be a "Next" button, which you can click without waiting for the connectors to be connected.

Now, I will set my domain name to "share.ph.in.th". Set it to the domain that you already have. For the service block, use "HTTP://localhost" for FAMP. You may have to change this option if you have a different kind of jail. For example, the "Qbittorrent" jail will use "HTTP://localhost:8080" instead.

Step 4: Set up the jail with the token

The cloudflared service install that is shown in Cloudflare's documentation does not work at all on FreeBSD. Here we will make cloudflared run every time the jail starts instead.

Type the command:
Code:
echo "/usr/local/bin/cloudflared tunnel run --token YOUR-TOKEN >/dev/null 2>/dev/null &" > /etc/rc.local

Don't forget to replace YOUR-TOKEN with the token from the previous step.

Now, restart the jail! (Go to the jail page and click restart.)

Step 5: Done!

If everything works as expected, our tunnel "Share" will show as ACTIVE.

Now you can access your jail from anywhere on the internet. I will show accessing share.ph.in.th from mobile 5G. It will show the files inside the dataset shared with the public.

DmSm

Cadet
Joined
Dec 3, 2022
Messages
3
Hi there,

Thanks for the detailed guide. If I get it right, I will need to install cloudflared in each jail I want to have access from outside. Is that right?
 

pureexe

Cadet
Joined
Nov 27, 2022
Messages
7
Hi there,

Thanks for the detailed guide. If I get it right, I will need to install cloudflared in each jail I want to have access from outside. Is that right?

It seems like you have to set up cloudflared for each jail.

I'm not sure if there is an approach that can share the cloudflared binary between jails.
 

CapnBio

Cadet
Joined
Dec 14, 2022
Messages
1
This works with TrueNAS SCALE, but I approached it a different way: instead of having a jail, I used "cloudflared" from TrueCharts, input my private key, and voilà, it worked great after a couple of days of troubleshooting and figuring it out.

Just do not use a "path" after the domain, make as many domains as you need and use the proper port number that your app is hosted on. Instead of having "localhost", use your internal IP address (i.e. http :// 192.168.1.101:80) to reach your server directly.

Thank you for writing this guide pureexe.
 

saspus

Dabbler
Joined
Mar 1, 2022
Messages
10
I've done something very similar recently—setup for exposing the service running in the FreeBSD jail on TrueNAS Core—but without Cloudflare (due to limitations of the free account on what ports can be forwarded), using an always-free instance on Oracle VPS, WireGuard, and a few iptables rules. I've described it here:

This is not unlike what Cloudflare Tunnel does, except DIY with sticks and sap, and you control the entire infrastructure. It works well nevertheless, and is not limited by ports, protocols, and applications that you can expose. You can still put it behind Cloudflare for e.g. web caching, but it's up to you.
 

pureexe

Cadet
Joined
Nov 27, 2022
Messages
7
Does the tunnel auto restart if it fails?

I’ve had a few times where the tunnel went down and I had to restart to get it back up.
I didn't experience the failed tunnel.

However, it doesn't have any auto-restart feature.

If you are familiar with coding, you may make it auto-restart by:
- Every X minutes, check if your URL returns code 200 or not.
- If not code 200, kill the cloudflared process and start another one.
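
The check-and-restart loop suggested in the post above, as an added example that is not part of the original thread: a cron-driven sh script for the jail that restarts cloudflared only after several consecutive non-200 probes. The hostname, file paths and threshold are assumptions, and the token is handed over through cloudflared's TUNNEL_TOKEN environment variable from a root-only file rather than on the command line.

```shell
#!/bin/sh
# Added example: cloudflared watchdog, meant to run from root's crontab in the jail, e.g.
#   */5 * * * * /root/cloudflared-watch.sh run      (script path is hypothetical)
# Assumptions: curl is installed (pkg install curl); the tunnel token is stored
# alone in TOKEN_FILE, owned by root with mode 600.

URL="${WATCH_URL:-https://share.example.com/}"          # placeholder hostname
TOKEN_FILE="${TOKEN_FILE:-/usr/local/etc/cloudflared/token}"
STATE_FILE="${STATE_FILE:-/var/run/cloudflared-watch.fails}"
MAX_FAILS="${MAX_FAILS:-3}"                              # consecutive bad probes before restart

# probe URL -> prints the HTTP status; curl prints 000 when no response arrives
probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$1" 2>/dev/null || true
}

# next_fails STATUS PREV -> prints the new consecutive-failure count
next_fails() {
    case "$2" in ''|*[!0-9]*) set -- "$1" 0 ;; esac     # corrupt state counts as 0
    if [ "$1" = "200" ]; then echo 0; else echo $(( $2 + 1 )); fi
}

# should_restart COUNT MAX -> succeeds once the threshold is reached
should_restart() { [ "$1" -ge "$2" ]; }

restart_tunnel() {
    pkill -x cloudflared 2>/dev/null || true
    sleep 2
    # cloudflared reads the token from TUNNEL_TOKEN, so it is not passed as
    # --token on the command line, where it would show up in ps(1) output.
    TUNNEL_TOKEN="$(cat "$TOKEN_FILE")" \
        /usr/sbin/daemon -f /usr/local/bin/cloudflared tunnel run
}

watch_once() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    fails=$(next_fails "$(probe "$URL")" "$prev")
    if should_restart "$fails" "$MAX_FAILS"; then
        logger -t cloudflared-watch "no HTTP 200 from $URL for $fails probes, restarting"
        restart_tunnel
        fails=0
    fi
    echo "$fails" > "$STATE_FILE"
}

if [ "${1:-}" = "run" ]; then watch_once; fi
```

Requiring several failed probes in a row keeps one slow response from bouncing a tunnel that is otherwise healthy.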
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
It might have been because I attempted an update on the cloudflared package…

No option in jails for “restart-unless stopped” like in docker?
I am now monitoring with Uptime Kuma. Works excellent.

SCALE app of Uptime Kuma is very straightforward to install and configure.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I've been monitoring using Uptime Kuma, which works great, but my tunnel keeps going down. It switched to degraded after about 2 days, then within 2 more days, it goes down and I have to restart the jail.

Cloudflare doesn't seem to have much in the way of docs describing why a tunnel would go into a degraded state.
 

nilso.2

Cadet
Joined
May 14, 2023
Messages
1
Hi, I tried to use it with the Nextcloud plugin. I installed the tunnel in the jail. On Cloudflare my tunnel is only showing "healthy", not "active". If I try to reach it, it just shows the error ERR_TOO_MANY_REDIRECTS in the browser.
Do you know how to fix this issue? Thanks!
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Hi, I tried to use it with the Nextcloud plugin. I installed the tunnel in the jail. On Cloudflare my tunnel is only showing "healthy", not "active". If I try to reach it, it just shows the error ERR_TOO_MANY_REDIRECTS in the browser.
Do you know how to fix this issue? Thanks!
1. What is the port Nextcloud is running on? And did you use that port in Cloudflare?
Also, is your Nextcloud using a self signed cert, or no cert?

2. Did you do HTTP or HTTPS in Cloudflare?

3. Did you specify localhost or your IP in Cloudflare?

Last of all, and according to iXsystems themselves, you should not be using plugins.
If you don’t have a ton of data, I would highly recommend switching to this

 

victort

Guru
Joined
Dec 31, 2021
Messages
973
This rc.d file can do everything it needs to. Just be sure to enter your token where it says YOURTOKENHERE

This is just the regular rc.d file that gets installed with the cloudflared pkg with two changes.
- I have changed the cloudflared mode from tunnel to tunnel run
- I have added the token as a variable and appended it to the end of the command args, and removed the --config and replaced it with --token


Code:
#!/bin/sh

# PROVIDE: cloudflared
# REQUIRE: cleanvar SERVERS
#
# Options to configure cloudflared via /etc/rc.conf:
#
# cloudflared_enable (bool)     Enable service on boot
#                               Default: NO
#
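# cloudflared_conf (str)        Config file to use (not passed to cloudflared in
#                               this variant; --token replaces --config)
#                               Default: /usr/local/etc/cloudflared/config.yml
#
# cloudflared_mode (str)        Mode to run cloudflared as (e.g. 'tunnel', 'tunnel run'
#                               or 'proxy-dns').
#                               Default: "tunnel run"
#
# cloudflared_token (str)       Tunnel token from the Zero Trust dashboard
#                               Default: "YOURTOKENHERE" (placeholder, must be replaced)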

. /etc/rc.subr

name="cloudflared"
rcvar="cloudflared_enable"
logfile="/var/log/cloudflared.log"
pidfile="/var/run/cloudflared.pid"
procname="/usr/local/bin/cloudflared"

load_rc_config $name

: ${cloudflared_enable:="NO"}
: ${cloudflared_conf:="/usr/local/etc/cloudflared/config.yml"}
: ${cloudflared_mode:="tunnel run"}
: ${cloudflared_token:="YOURTOKENHERE"}

command="/usr/sbin/daemon"
command_args="-o ${logfile} -p ${pidfile} -f ${procname} ${cloudflared_mode} --token ${cloudflared_token}"

run_rc_command "$1"
 