Setting Up Cloudflare Argo and Access on a Raspberry Pi

Setting Up Cloudflare Argo and Access on a Raspberry Pi(erdaltoprak.com)

76 points by erdaltoprak 4 years ago | 19 comments

stavros 4 years ago |

(This post should read "Argo tunnel" instead of just "Argo")

I did the same to enable secure access to services via SSO at work. I used Harbormaster[1] to deploy Compose files, but it's otherwise the same setup.

One of the big advantages this has is that the services can't be accessed any other way (not even from the same host, as they only listen inside the Docker network). That makes it hard to forget some port exposed because you listened to 0.0.0.0 instead of localhost.

Cloudflare access is very easy to set up SSO with, as well. I'd recommend this setup if you need it, though for home usage I usually just set up Caddy as a reverse proxy with basic auth, as I'll be the only person using this and I don't want Cloudflare MITMing my personal stuff.

[1]: https://gitlab.com/stavros/harbormaster

graton 4 years ago | |

Actually I think it should just say "Cloudflare Tunnel"

From: https://blog.cloudflare.com/tunnel-for-everyone/

As part of that change (and to reduce confusion), we’re also renaming the product to Cloudflare Tunnel.

anderspitman 4 years ago |

Cloudflare Tunnel (the service used here) is my current recommendation for most people when it comes to tunneling. Nobody wants to pay for tunnels, and it's the best loss-leader product offered by a reputable company that I'm aware of. The DNS integration is particularly nice.

My only concern is if it gets popular enough that a lot of self-hosters start using it for things like Plex and Jellyfin, which I believe is against Cloudflare's TOS, they might crack down on that.

If you prefer a self-hosted tunneling system, I maintain a list here:

https://github.com/anderspitman/awesome-tunneling

jgrahamc 4 years ago |

A related cool thing you can do with Cloudflare and a Raspberry Pi: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-... (browser-based SSH to a machine connected using Argo Tunnel).

ericcholis 4 years ago |

Another nice alternative is Tailscale

easton 4 years ago | |

I use ZeroTier for this too, although Tailscale would work just as well. To avoid port forwarding out of my local network (irrational fears), I have a $5 droplet running Pomerium (a SSO proxy, similar to self-hosted Cloudflare Access) and it sits on my ZeroTier network along with the boxes at my house, proxying requests (once they are authenticated) through ZeroTier to the boxes on the private network.

It works very well. Pomerium is easy-ish to configure (especially because it takes care of certs for you), and I can log into stuff on my LAN without having to boot up the ZeroTier client which takes a minute to connect on iOS (or from devices that don't have ZeroTier installed). I would've used Cloudflare Access + Argo Tunnel, but at the time they were still charging for tunneled bandwidth (like $10/GB or something outrageous), so this ended up cheaper.

CKMo 4 years ago | | |

Hi there! Pomerium team member here. We are very glad to hear Pomerium is working well for you and that it was easy-ish to setup.

Could you share more with the team and community so we can improve the setup experience for other users going into the future?

Our Slack here! https://slack.pomerium.io/

Or join Discuss and document your thoughts for other users here! https://discuss.pomerium.com/

cyounkins 4 years ago | |

A major difference is that with Tailscale every visitor must install a client. The article's solution should be fully browser-based.

cyounkins 4 years ago |

Cool! I currently do a self-hosted version using nginx, certbot, and vouch-proxy [1]. Nginx checks with vouch for every HTTP request and redirects to Google for SSO if unauthenticated. It works well for humans in browsers, but not so much for robots. I'm sure I could configure nginx to do token-based auth, just haven't had the need.

[1] https://github.com/vouch/vouch-proxy

systemvoltage 4 years ago |

I wonder if this would work to self-host on a crusty old T480 with a broken screen? Can Argo tunnel be used sort of like a dyndns? Although my Google Fiber connection at home has had the same IP, but in order to get a static IP, I need to get a Google Fiber Business connection which is 2.5x times more expensive.

anderspitman 4 years ago | |

Yep it should work great. If you have the expertise and inclination to set up port forwarding and dyndns, you'll get better performance with that, but IMO tunneling is the best solution for self-hosting for most people until IPv6 takes over.

systemvoltage 4 years ago | | |

I do have a firewall at home and I can open up a port and forward that to the laptop. Just that I don't want to spend money on DynDNS services and was trying to find a free solution. Thanks for confirming!

Self-hosting is so so cool. Nothing more satisfying that hosting your own website from scrappy ol equipment :-)

mobilio 4 years ago | |

Yes, will works.

erulabs 4 years ago |

So good to see so many home-hosting posts on HN lately! If you're using Kubernetes at home, we bundle all of this up (remote access, web-forwarding) as part of our service at https://kubesail.com

V41frQo1SccpfHI 4 years ago |

Whats the function of "gluetun" in this setup? Would the VPN-Tunnel then also run via Cloudflare Tunnel?

erdaltoprak 4 years ago | |

Hi,

Gluetun has no link to the actual tunnel setup, but since many people seemed to struggle with a vpn container I just used that as a bonus example!