Cloudflared vs CGNAT Part 4 Using Cloudflare

Published on April 21, 2023 at 11:01 am by LEW

Introduction

This is what it all comes down to: using Cloudflare tunneling to gain access from the Internet to your private LAN when you are behind CGNAT.

I am going to take a slightly different tack than many of the posts I have seen on this subject. I will try to explain what is happening, as I understand it, before discussing the setup, because frankly the setup does not make much sense unless you know what is happening.

While not strictly necessary, you will probably want to review the previous posts in this series, as the process we are discussing follows on from them.

Cloudflared Tunnel Diagram

The Tunnel

In the above diagram, the tunnel is represented by the green line, running from a computer on our LAN, through our NAT router and our ISP's CGNAT router, to a Cloudflare edge server on the Internet. The tunnel itself is identified by a tunnel ID in your Cloudflare account; public hostnames on your domain are pointed at it with DNS records (a CNAME to the tunnel's cfargotunnel.com address), so your home IP address never appears in public DNS. (The cloudflareaccess.com domain is used for Cloudflare Access login pages, not for the tunnel itself.)

The cloudflared application running on a local computer opens an outbound connection to Cloudflare's edge (on port 7844, over QUIC or HTTP/2) and keeps it open. Because the connection was initiated from inside, both NAT routers record it in their state tables, so any packets Cloudflare sends back on it are treated as related or established traffic and pass through. No inbound port forwarding is needed, which is exactly what makes this work behind CGNAT.

Our Cloudflare account allows us to add a domain to the Cloudflare network, and we can create subdomains of it. Within the Zero Trust dashboard, under Tunnels, we can attach local IP addresses and ports on our LAN to these subdomains (Cloudflare calls these public hostnames).

Now if we access the subdomain from the Internet, for example by typing it in a browser, DNS resolves it to Cloudflare's edge and the request is terminated there (the public side is always HTTPS). Cloudflare looks up which tunnel and which local service that hostname is mapped to and forwards the request down the connection cloudflared is already holding open. Because that connection is established state in both NAT tables, the request passes through CGNAT and local NAT to our LAN. The cloudflared application then delivers it to the configured IP address and port on our LAN.

Our application/server sees the request coming from the computer running the cloudflared client, so that is where it sends its response; cloudflared forwards the response back up the tunnel to Cloudflare, and Cloudflare returns it to the Internet device that started the transaction. One consequence worth noting: from the local service's point of view, every visitor has the cloudflared host's IP address. If the service needs the real client address, for logging or rate limiting, it has to read it from the CF-Connecting-IP (or X-Forwarded-For) header that Cloudflare adds. And because the hostname is reachable by anyone on the Internet, put a Cloudflare Access policy in front of it unless the service is genuinely meant to be public.

Prerequisites

Domain Name: There are a few things you will need to get started. The first is a valid domain name. These can be had for a variety of prices, and how you get one will depend on your needs. Older, standard extensions like .com, .org, or .net tend to be more expensive; newer extensions like .us or .me can be cheaper. There are a lot of registrars out there, though, and prices vary widely for the same domain name. Some sites also offer free domain names in a variety of ways.

Two things to remember: domain names have to be renewed, and that will generally cost you something, even if the original was free; and there might be other requirements attached (people rarely do something for nothing, and businesses never do). You can also find additional services offered related to domain names, all costing money. Best advice: do your research. My rule of thumb is that no matter what the domain costs initially, it will on average end up costing you around one US dollar a month to maintain over the years. As for extra services, again, do your research and know your needs.

Cloudflare Account: You will need a Cloudflare account. It is fairly easy to sign up for one at https://www.cloudflare.com/. If you have signed up for any other online accounts, you know the routine and what sort of information will be asked for.

At some point you will be asked to choose a plan. Scroll to the bottom of the page to find the Free plan; it is all you need for this.

Setup Cloudflare Zero Trust Tunnel

Name-Servers: You need to point your domain at Cloudflare's name-servers. How you do this varies by registrar, but in every case you change the domain's name-servers to the pair Cloudflare assigns to your zone when you add it (they are shown in the Cloudflare dashboard; do not copy the ones below unless they are the ones you were assigned). The pair assigned to mine was:

adam.ns.cloudflare.com
mira.ns.cloudflare.com

Note that this change usually takes an hour or two, but can take up to 24 hours to propagate, and Cloudflare will not show the zone as active until it sees the new name-servers.

Once done, go into your Cloudflare account and your domain should show up on the first page. Click on it to configure it.

Once on the configuration page, on the left select DNS -> Records. Cloudflare imports your existing records when you add the zone; make sure the list has been populated with the DNS records for your domain, and remove anything you did not intend to publish.

Setup Cloudflared on Local Computer

You will want to set up the cloudflared application on your local computer (the machine that will carry the tunnel; it needs to be able to reach the LAN services you want to expose). How this is done depends on your operating system and package manager; see the Cloudflare documentation for details.

After proper setup you should have a certificate (cert.pem) and, if you are managing the tunnel from the command line rather than from the dashboard, a configuration file (config.yml), both in the cloudflared directory under your home directory. Treat cert.pem and the tunnel's credentials file as secrets: anyone holding them can run a tunnel into your LAN under your account.

Setup Sub Domains

The final piece of the puzzle is to go to the Cloudflare Zero Trust dashboard (Access -> Launch Zero Trust). From here you can set up subdomains (public hostnames) and tie each one to a specific IP address and port on your LAN.

Remember that the cloudflared client, which is where these addresses will be accessed from, is on your LAN, so write the addresses as you would from any other computer on your LAN. This can be a bit confusing because the public side of the tunnel is always https. If the service on your LAN speaks plain http, for example, you use http when defining the service, not https. Traffic is encrypted between the visitor and Cloudflare and again inside the tunnel; only the last hop, from cloudflared to the service, is whatever the service itself speaks.
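Here is the whole procedure above (name-servers, local cloudflared, public hostnames) as one added script. It is not code from the original post or from Cloudflare; it uses the command-line (locally managed) style, where the hostname-to-service mapping lives in config.yml instead of in the Zero Trust dashboard, which stores the same mapping. The domain example.com, the tunnel name homelab and the LAN addresses 192.168.1.20 and 192.168.1.21 are made-up values to replace. The deploy and verify steps need a working cloudflared and network access; the default dry run only renders the config and checks it offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a locally managed Cloudflare Tunnel
# driven from the command line. Hypothetical values: domain example.com, tunnel
# name "homelab", a plain-http app on 192.168.1.20:8080 and an SSH host at
# 192.168.1.21. Replace them with your own.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-homelab}"
CF_DIR="${CF_DIR:-$HOME/.cloudflared}"

# Render config.yml. Ingress rules are matched top to bottom and the last rule
# must be a catch-all with no hostname, otherwise cloudflared refuses to start.
# Services are written as cloudflared sees them from inside the LAN, so a plain
# http app is http://..., even though the public side of the tunnel is always https.
write_tunnel_config() {
  uuid="$1"; creds="$2"; out="$3"
  cat > "$out" <<EOF
tunnel: ${uuid}
credentials-file: ${creds}
ingress:
  - hostname: app.example.com
    service: http://192.168.1.20:8080
  - hostname: ssh.example.com
    service: ssh://192.168.1.21:22
  - service: http_status:404
EOF
}

# Offline checks on a rendered config (no cloudflared needed).
config_has_catch_all() {
  awk '/^  - / { last = $0 }
       END { if (last ~ /^  - service: http_status:/) exit 0; exit 1 }' "$1"
}

count_hostnames() {
  grep -c '^  - hostname:' "$1" || true
}

# The online steps, run on the LAN host that will carry the tunnel.
deploy_tunnel() {
  cloudflared tunnel login                   # browser login; writes $CF_DIR/cert.pem
  cloudflared tunnel create "$TUNNEL_NAME"   # writes $CF_DIR/<UUID>.json (keep it secret)
  # The newest credentials file belongs to the tunnel just created.
  creds="$(ls -t "$CF_DIR"/*.json | head -n 1)"
  uuid="$(basename "$creds" .json)"
  write_tunnel_config "$uuid" "$creds" "$CF_DIR/config.yml"
  cloudflared tunnel ingress validate                        # syntax and catch-all check
  cloudflared tunnel ingress rule https://app.example.com    # shows which rule would match
  # Public DNS: CNAME records to <UUID>.cfargotunnel.com; your home IP never appears.
  cloudflared tunnel route dns "$TUNNEL_NAME" app.example.com
  cloudflared tunnel route dns "$TUNNEL_NAME" ssh.example.com
  cloudflared tunnel run "$TUNNEL_NAME"
}

# Confirm the delegation and the public hostname from any Internet host. Because the
# record is proxied, the answer is Cloudflare edge addresses, never your home IP.
verify_dns() {
  dig +short NS example.com        # expect the two *.ns.cloudflare.com names
  dig +short A app.example.com     # expect Cloudflare addresses, not your ISP's
}

case "${1:-dryrun}" in
  deploy) deploy_tunnel ;;
  verify) verify_dns ;;
  *)
    tmp="$(mktemp)"
    write_tunnel_config 00000000-0000-0000-0000-000000000000 "$CF_DIR/creds.json" "$tmp"
    config_has_catch_all "$tmp" && echo "config ok: $(count_hostnames "$tmp") public hostnames"
    rm -f "$tmp"
    ;;
esac
```

Run it with `deploy` once on the tunnel host, then install cloudflared as a service (`cloudflared service install`) so the tunnel survives reboots; run it with `verify` from outside your network after DNS has propagated. The ssh hostname is only usable from a client that runs `cloudflared access ssh` as its ProxyCommand, since browsers cannot speak SSH. Both hostnames are reachable by anyone on the Internet until you attach a Cloudflare Access policy to them in the Zero Trust dashboard.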

Conclusion

This has been a high-level view of establishing a tunnel from your LAN to the Internet to reach applications and services. Some areas may seem a little vague because of the number of options and configurations available.

I do plan on revisiting this subject in the future with a much more detailed explanation for specific configurations.

Cloudflared vs CGNAT Part 1 Packets

Cloudflared vs CGNAT Part 2 NAT Router

Cloudflared vs CGNAT Part 3 CGNAT Greed
