Unlocking Remote Access: My Journey with Cloudflare Tunnel and Proxmox

Project Goal

Establish secure remote access to the Proxmox VE web interface via a public subdomain (proxmox.olyhome.site) using Cloudflare Tunnel, eliminating the need to expose ports directly to the internet.

Why Cloudflare Tunnel?

Traditional Remote Access Problems

Port Forwarding Approach:
- ❌ Exposes services directly to the internet
- ❌ Requires a static IP or dynamic DNS
- ❌ Vulnerable to port scanning attacks
- ❌ Complex firewall management

Cloudflare Tunnel Advantages:
- ✅ No ports exposed on the firewall
- ✅ Built-in DDoS protection
- ✅ Free SSL certificates
- ✅ Works with dynamic IPs
- ✅ Access control via Cloudflare Zero Trust

Infrastructure Overview

Internet Users
    ↓
Cloudflare Edge Network
    ↓
Cloudflare Tunnel (cloudflared)
    ↓
Proxmox Host (192.168.11.254:8006)

Setup Process

Step 1: Prerequisites

Requirements:
- Domain name (e.g., olyhome.site)
- Cloudflare account (free tier is sufficient)
- Proxmox VE installed and accessible on the LAN
- Linux system for running cloudflared

Step 2: Configure Domain in Cloudflare

  1. Add Site to Cloudflare:
    • Login to Cloudflare dashboard
    • Click “Add a Site”
    • Enter domain: olyhome.site
    • Choose Free plan
  2. Update Nameservers:
    • Copy Cloudflare nameservers
    • Update at domain registrar (Hostinger, Namecheap, etc.)
    • Wait for propagation (up to 24 hours)

Step 3: Create Cloudflare Tunnel

Via Cloudflare Dashboard:

  1. Navigate to Zero Trust → Access → Tunnels
  2. Click “Create a tunnel”
  3. Select Cloudflared
  4. Tunnel name: proxmox-tunnel
  5. Click Save tunnel

Copy the tunnel token - needed for cloudflared installation.

Step 4: Install cloudflared on Proxmox Host

# Download cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

# Install
sudo dpkg -i cloudflared-linux-amd64.deb

# Verify installation
cloudflared --version

Step 5: Configure Tunnel

Create configuration file:

# Create config directory
sudo mkdir -p /etc/cloudflared

# Create config file
sudo nano /etc/cloudflared/config.yml

Configuration (config.yml):

tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json

ingress:
  - hostname: proxmox.olyhome.site
    service: https://localhost:8006
    originRequest:
      noTLSVerify: true  # Skips origin cert verification for the self-signed Proxmox cert; acceptable only because the origin is loopback on this host
  - service: http_status:404

Save tunnel credentials:

# Create credentials file from Cloudflare dashboard
sudo nano /etc/cloudflared/<TUNNEL_ID>.json

# Paste JSON credentials from Cloudflare
# Set proper permissions
sudo chmod 600 /etc/cloudflared/<TUNNEL_ID>.json

Step 6: Configure Public Hostname in Cloudflare

  1. In Cloudflare dashboard, go to tunnel configuration
  2. Click Public Hostnames tab
  3. Click Add a public hostname:
    • Subdomain: proxmox
    • Domain: olyhome.site
    • Service: https://localhost:8006
  4. Click Save

Step 7: Start Cloudflare Tunnel

# Test configuration
sudo cloudflared tunnel --config /etc/cloudflared/config.yml run

# If successful, install as service
sudo cloudflared service install

# Enable auto-start
sudo systemctl enable cloudflared

# Start service
sudo systemctl start cloudflared

# Check status
sudo systemctl status cloudflared

Step 8: Configure SSL for Proxmox (Optional)

For proper SSL without warnings, obtain Let’s Encrypt certificate:

  1. In Proxmox UI:
    • Navigate to Datacenter → ACME
    • Add Account: Let’s Encrypt
    • Add DNS Challenge plugin (Cloudflare)
  2. Add Cloudflare API Token:
    • Token needs Zone:DNS:Edit permission
    • Add to Proxmox ACME configuration
  3. Request Certificate:
    • Node → System → Certificates
    • Add: ACME
    • Domain: proxmox.olyhome.site
    • Challenge: DNS
    • Order certificate

Issues Encountered and Solutions

Issue 1: Tunnel Shows “DOWN” Status

Problem: Cloudflare dashboard shows tunnel status as DOWN with Error 1033.

Cause: Tunnel not properly connected to Cloudflare edge.

Solution:

# Check cloudflared service status
sudo systemctl status cloudflared

# View logs
sudo journalctl -u cloudflared -f

# Restart service
sudo systemctl restart cloudflared

# Verify tunnel ID matches config
cloudflared tunnel list

Issue 2: 502 Bad Gateway Error

Problem: Accessing https://proxmox.olyhome.site returns 502 error.

Causes:
  1. Proxmox service not running
  2. Wrong service URL in config
  3. TLS verification issues

Solutions:

# 1. Verify Proxmox is running
systemctl status pveproxy

# 2. Test local access
curl -k https://localhost:8006

# 3. Update config.yml with noTLSVerify
originRequest:
  noTLSVerify: true

# 4. Restart cloudflared
sudo systemctl restart cloudflared

Issue 3: Network Connectivity Lost After Reboot

Problem: Proxmox loses network connectivity after system reboot, ping fails.

Cause: Gateway not applied properly from /etc/network/interfaces.

Solution:

# Manually add default route
ip route add default via 192.168.11.1 dev vmbr0

# Verify connectivity
ping 8.8.8.8

# To make permanent, ensure /etc/network/interfaces contains:
auto vmbr0
iface vmbr0 inet static
    address 192.168.11.254/24
    gateway 192.168.11.1
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0

Issue 4: cloudflared Not Starting Automatically

Problem: Tunnel works when run manually but doesn’t start on boot.

Cause: Service was launched with --token instead of --config.

Solution:

# Uninstall existing service
sudo cloudflared service uninstall

# Reinstall with proper config
sudo cloudflared service install

# Ensure systemd service uses config file
sudo nano /etc/systemd/system/cloudflared.service

# Verify ExecStart line:
ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml tunnel run

# Reload systemd and restart
sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl restart cloudflared

Issue 5: TLS Strict Mode Blocking Access

Problem: Cloudflare SSL/TLS mode set to “Full (Strict)” blocks access due to self-signed certificate.

Solution:

Option A: Change Cloudflare SSL Mode (Quick Fix):
  1. Cloudflare Dashboard → SSL/TLS
  2. Change mode from Full (Strict) to Full
  3. This allows self-signed certificates

Option B: Install Valid Certificate (Proper Fix):
  1. Use Proxmox ACME with Cloudflare DNS challenge
  2. Obtain Let’s Encrypt certificate
  3. Keep Full (Strict) mode for better security

Verification and Testing

Test External Access

# From external network (mobile data, different ISP)
curl -I https://proxmox.olyhome.site

# Expected: 200 OK response

# Access in browser
https://proxmox.olyhome.site

# Should show Proxmox login page

Verify Tunnel Health

# Check tunnel status
cloudflared tunnel info <TUNNEL_ID>

# View real-time logs
sudo journalctl -u cloudflared -f

# Clear stale connection records left by an unclean cloudflared shutdown
cloudflared tunnel cleanup <TUNNEL_ID>

Monitor Cloudflare Dashboard

  1. Zero Trust → Access → Tunnels
  2. Verify tunnel shows “Healthy” status
  3. Check Metrics for traffic stats

Security Considerations

1. Enable Cloudflare Access Policies

Add authentication layer:

  1. Zero Trust → Access → Applications
  2. Create application: proxmox.olyhome.site
  3. Add policy:
    • Rule: Email
    • Value: your-email@domain.com
  4. Now requires login before accessing Proxmox

2. Restrict Access by Location

Policy Rules:
├── Include: Country is Morocco (or your country)
├── Exclude: Known VPN IP ranges
└── Require: Email verification

3. Enable Audit Logs

Track all access attempts:
- Zero Trust → Logs → Access
- Review login attempts
- Monitor for suspicious activity

4. Use Strong Proxmox Authentication

# Enable 2FA in Proxmox
# Datacenter → Permissions → Users
# Edit user → Add TFA

Performance Optimization

Reduce Latency

# In config.yml, add:
originRequest:
  noTLSVerify: true
  connectTimeout: 10s
  httpHostHeader: proxmox.olyhome.site
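As an added check (example code, not from the original post) that covers both the Step 5 config and the global originRequest block just above: the script flags noTLSVerify on any origin that is not loopback on the cloudflared host (or set globally, where it applies to every rule) and a credentials file that is not mode 600. The n8n hostname and the 192.168.11.20:5678 origin in the constructed sample are invented.

```shell
# Added example, not from the original post: audit a cloudflared config.yml for two
# risks raised in this guide: noTLSVerify on an origin that is not loopback on the
# same host, and a credentials-file that other users can read (Step 5 wants 600).
# Assumes the one "service:" line per ingress rule layout shown above.
# audit_config FILE: print one finding per line; return 1 if any finding exists.
audit_config() {
    findings=$(awk '
        /^[[:space:]]*-?[[:space:]]*service:/ {          # origin of current rule
            svc = $0; sub(/^[[:space:]]*-?[[:space:]]*service:[[:space:]]*/, "", svc)
            sub(/[[:space:]]*(#.*)?$/, "", svc)          # drop trailing comment
        }
        /^[[:space:]]*noTLSVerify:[[:space:]]*true/ {
            if (svc == "")
                print "noTLSVerify: true in global originRequest (applies to every rule)"
            else if (svc !~ /^https?:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?\/?$/)
                print "noTLSVerify: true on non-loopback origin " svc
        }' "$1")
    cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$1")
    if [ -n "$cred" ] && [ -f "$cred" ]; then
        mode=$(stat -c %a "$cred" 2>/dev/null || stat -f %Lp "$cred")
        case "$mode" in
            600|400) ;;
            *) findings="${findings:+$findings
}credentials file $cred is mode $mode, expected 600" ;;
        esac
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_demo DIR: constructed config.yml + dummy credentials so the audit runs
# offline. The n8n origin 192.168.11.20:5678 is an invented LAN host.
make_demo() {
    printf '{"TunnelID":"PLACEHOLDER"}\n' > "$1/PLACEHOLDER.json"
    chmod 644 "$1/PLACEHOLDER.json"   # deliberately too permissive
    cat > "$1/config.yml" <<EOF
tunnel: PLACEHOLDER
credentials-file: $1/PLACEHOLDER.json
ingress:
  - hostname: proxmox.olyhome.site
    service: https://localhost:8006
    originRequest:
      noTLSVerify: true  # loopback origin: acceptable
  - hostname: n8n.olyhome.site
    service: https://192.168.11.20:5678
    originRequest:
      noTLSVerify: true  # LAN origin: must be flagged
EOF
}
```

Run `audit_config /etc/cloudflared/config.yml` on the host after every config change; a non-zero exit means at least one finding was printed.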

Enable HTTP/2

Cloudflare automatically uses HTTP/2 between client and edge, improving performance.

Monitoring and Maintenance

Regular Health Checks

# Create monitoring script
#!/bin/bash
# check-tunnel.sh - restart cloudflared if systemd reports it inactive

if systemctl is-active --quiet cloudflared; then
    echo "✅ Tunnel is running"
else
    echo "❌ Tunnel is down, restarting..."
    logger -t check-tunnel "cloudflared inactive, restarting"   # leave a trace in the journal
    systemctl restart cloudflared
fi

# Make it executable and add to root's crontab (systemctl restart needs root)
chmod +x /root/check-tunnel.sh
crontab -e
# */5 * * * * /root/check-tunnel.sh

Backup Configuration

# Backup tunnel config
sudo tar czf cloudflared-backup-$(date +%Y%m%d).tar.gz \
    /etc/cloudflared/

# Store offsite (Dropbox, Google Drive, etc.)

Alternative: Twingate for Zero Trust Access

For even better security, consider Twingate:

Advantages over Cloudflare Tunnel:
├── True zero-trust architecture
├── Per-application access control
├── No public DNS records needed
├── Client-side encryption
└── Better for multiple services

Conclusion

Cloudflare Tunnel provides secure remote access to Proxmox without opening any inbound ports. The setup requires initial configuration but results in a robust, production-ready solution.

Final Results:
- ✅ Secure access to https://proxmox.olyhome.site
- ✅ No ports exposed on the firewall
- ✅ Free SSL certificates
- ✅ Automatic tunnel restart on boot
- ✅ DDoS protection included

Next Steps:
- Add more services to the tunnel (n8n, databases, etc.)
- Implement Cloudflare Access for authentication
- Set up monitoring and alerting
- Document disaster recovery procedures

Report generated: 2025-10-27 14:35