dotfiles/.agents/skills/cloudflare-deploy/references/tunnel/networking.md
2026-03-17 16:53:22 -07:00


# Tunnel Networking

## Connectivity Requirements

### Outbound Ports

Cloudflared requires outbound access on:

| Port | Protocol | Purpose | Required |
|------|----------|---------|----------|
| 7844 | TCP/UDP | Primary tunnel protocol (QUIC) | Yes |
| 443 | TCP | Fallback (HTTP/2) | Yes |

Network path:

```text
cloudflared → edge.argotunnel.com:7844 (preferred)
cloudflared → region.argotunnel.com:443 (fallback)
```

### Firewall Rules

#### Minimal (Production)

```text
# Tunnel connectivity (outbound only)
ALLOW tcp/udp 7844 to *.argotunnel.com
ALLOW tcp 443 to *.argotunnel.com

# API access (for token-based tunnels)
ALLOW tcp 443 to api.cloudflare.com

# Updates (optional)
ALLOW tcp 443 to github.com
ALLOW tcp 443 to objects.githubusercontent.com
```

### IP Ranges

Cloudflare Anycast IPs (tunnel endpoints):

```text
# IPv4
198.41.192.0/24
198.41.200.0/24

# IPv6
2606:4700::/32
```

Note: Allow `*.argotunnel.com` by DNS name rather than hardcoding these IPs. Cloudflare may add edge locations, and a hardcoded list silently breaks when it does.

### Pre-Flight Check

Test connectivity before deploying:

```bash
# Test DNS resolution
dig edge.argotunnel.com +short

# Test port 7844 (QUIC/UDP)
# nc reports a UDP "success" unless an ICMP port-unreachable comes back,
# so this only proves the packet was not rejected locally, not that QUIC works
nc -zvu edge.argotunnel.com 7844

# Test port 443 (HTTP/2 fallback)
nc -zv edge.argotunnel.com 443

# Test with cloudflared (the only conclusive check)
cloudflared tunnel --loglevel debug run my-tunnel
# Look for "Registered tunnel connection"
```

### Common Connectivity Errors

| Error | Cause | Solution |
|-------|-------|----------|
| "no such host" | DNS blocked | Allow port 53 UDP/TCP |
| "context deadline exceeded" | Port 7844 blocked | Allow UDP/TCP 7844 |
| "TLS handshake timeout" | Port 443 blocked | Allow TCP 443, disable SSL inspection |
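The pre-flight check and the error table above can be combined into one script. The following is an added example, not part of this reference: it resolves `edge.argotunnel.com`, probes both transport ports over TCP, predicts which protocol cloudflared will settle on, and emits the matching hint. The `resolve` and `probe` parameters are injectable so the decision logic can be exercised without network access; a TCP probe cannot confirm UDP/QUIC, so "quic" here means "port not blocked", with cloudflared's own log line remaining the conclusive check.

```python
import socket
from dataclasses import dataclass, field
from typing import Optional

EDGE_HOST = "edge.argotunnel.com"
QUIC_PORT = 7844      # QUIC uses UDP 7844; the TCP probe below checks the port, not QUIC itself
FALLBACK_PORT = 443   # HTTP/2 fallback

# Hint text mirrors the "Common Connectivity Errors" table.
HINTS = {
    "dns": "DNS blocked: allow UDP/TCP 53 so *.argotunnel.com resolves",
    "7844": "Port 7844 blocked: allow UDP/TCP 7844 to *.argotunnel.com (expect HTTP/2 fallback)",
    "443": "Port 443 blocked: allow TCP 443 to *.argotunnel.com and exclude it from SSL inspection",
}

@dataclass
class PreflightResult:
    resolved: bool
    open_ports: set = field(default_factory=set)
    expected_protocol: Optional[str] = None  # "quic", "http2", or None when nothing is reachable
    hints: list = field(default_factory=list)

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect probe; cannot prove UDP/QUIC works (only cloudflared's log line does)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(resolve=socket.gethostbyname, probe=tcp_reachable, host=EDGE_HOST) -> PreflightResult:
    """Resolve the edge hostname, probe both transport ports and predict which
    protocol cloudflared will use. resolve/probe are injectable for offline tests."""
    result = PreflightResult(resolved=False)
    try:
        resolve(host)
    except OSError:  # socket.gaierror is an OSError subclass
        result.hints.append(HINTS["dns"])
        return result
    result.resolved = True
    result.open_ports = {p for p in (QUIC_PORT, FALLBACK_PORT) if probe(host, p)}
    if QUIC_PORT in result.open_ports:
        result.expected_protocol = "quic"
    else:
        result.hints.append(HINTS["7844"])
        if FALLBACK_PORT in result.open_ports:
            result.expected_protocol = "http2"
    if FALLBACK_PORT not in result.open_ports:
        result.hints.append(HINTS["443"])
    return result
```

Run `preflight()` with no arguments on the host that will run cloudflared; `expected_protocol` of `"http2"` means QUIC is blocked and the tunnel will run on the fallback path.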

## Protocol Selection

Cloudflared selects the transport protocol automatically:

| Protocol | Port | Priority | Use Case |
|----------|------|----------|----------|
| QUIC | 7844 UDP | 1st (preferred) | Low latency, best performance |
| HTTP/2 | 443 TCP | 2nd (fallback) | QUIC blocked by firewall |

Force HTTP/2 fallback:

```bash
cloudflared tunnel --protocol http2 run my-tunnel
```

Verify active protocol:

```bash
cloudflared tunnel info my-tunnel
# Shows "connections" with protocol type
```

## Private Network Routing

### WARP Client Requirements

Users accessing private IPs via WARP need:

```text
# Outbound (WARP client)
ALLOW udp 500,4500 to 162.159.*.* (IPsec)
ALLOW udp 2408 to 162.159.*.* (WireGuard)
ALLOW tcp 443 to *.cloudflareclient.com
```

### Split Tunnel Configuration

Route only the private networks through the tunnel:

```yaml
# warp-routing config (cloudflared config.yml)
warp-routing:
  enabled: true
```

```bash
# Add specific routes; keep these to the RFC 1918 ranges actually needed
cloudflared tunnel route ip add 10.0.0.0/8 my-tunnel
cloudflared tunnel route ip add 172.16.0.0/12 my-tunnel
cloudflared tunnel route ip add 192.168.0.0/16 my-tunnel
```

WARP users can then reach these ranges without a separate VPN.

## Network Diagnostics

### Connection Diagnostics

```bash
# Check edge selection and connection health
cloudflared tunnel info my-tunnel --output json | jq '.connections[]'

# Enable metrics endpoint (bind to localhost; do not expose it on a routable interface)
cloudflared tunnel --metrics localhost:9090 run my-tunnel
curl localhost:9090/metrics | grep cloudflared_tunnel

# Test latency
curl -w "time_total: %{time_total}\n" -o /dev/null https://myapp.example.com
```

### Corporate Network Considerations

Cloudflared honors the proxy environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`).

If a corporate proxy intercepts TLS, add the corporate root CA to the system trust store; otherwise cloudflared will fail its handshake to the edge.

### Bandwidth and Rate Limits

| Limit | Value | Notes |
|-------|-------|-------|
| Request size | 100 MB | Single HTTP request |
| Upload speed | No hard limit | Governed by network/plan |
| Concurrent connections | 1000 per tunnel | Across all replicas |
| Requests per second | No limit | Subject to DDoS detection |

Large file transfers: use R2 or Workers with chunked uploads instead of streaming them through the tunnel.