1016 errors w/ tunnel - ingress rules ignored

I’m unsure where to start since I’ve been working on this all week.

Goal

I aim to configure a tunnel for my domain and configure routes using the ingress rules. Sounds simple.

Sanity check

First I try to create a tunnel from the zero trust console. That works fine: I can connect a tunnel using the token and route traffic to an application. ✅

First attempt

Second, I want to create a tunnel from my server. I create a tunnel using a domain certificate downloaded by calling cloudflared login.

$ sudo cloudflared tunnel --origincert /etc/nixos/certs/interleaved.io.pem create --cred-file /etc/nixos/cloudflared/hyperion-interleaved.io.json hyperion-interleaved.io

I configure it…

{"credentials-file":"/nix/store/lgdgwck545vxvl3fq67gcpzlmk816xav-hyperion-interleaved.io.json","ingress":[{"hostname":"*.interleaved.io","service":"hello_world"},{"service":"http_status:404"}],"origincert":"/nix/store/w9nkzb6vdnddxvxggvln5a8bj1hgnajw-interleaved.io.pem","tunnel":"hyperion-interleaved.io","warp-routing":{"enabled":false}}

(Yes, it looks strange, but it is valid yaml. I tried “normal” yaml and got the same result. Those are the correct filenames.)

I configure a systemd service unit and run it. The tunnel connects.

Finally, I configure a CNAME entry and point to <tunnel-uuid>.interleaved.io and…

No dice. Error 1016.

Second attempt

It’s not clear from the documentation if I need warp installed, and if I need the configuration detailed in the private-hostnames-ips section of documentation*. No big deal.

I install warp, register, teams-enroll, and enable-always-on. This works, and I have a warp connection.

Two caveats. First, it wasn’t that simple (look at nixpkgs PR #168092).* Second, I tried this two ways: with

warp=plus
gateway=off

and

warp=on
gateway=on

Eventually, the warp tunnel works. The logfile is noisy, but it works.

I enable warp-routing in the tunnel config and things seem to be going well:

Aug 22 00:37:34 hyperion cloudflared[18674]: 2022-08-22T05:37:34Z INF Initial protocol quic
Aug 22 00:37:34 hyperion cloudflared[18674]: 2022-08-22T05:37:34Z INF Warp-routing is enabled
Aug 22 00:37:34 hyperion cloudflared[18674]: 2022-08-22T05:37:34Z INF Starting Hello World server at 127.0.0.1:42727

The tunnel doesn’t want to connect at first but eventually, it connects. I’m not sure what I changed, if anything. 🙁

So, with the tunnel connected and CNAME entry, I attempt to hit the hello_world application and…

1016 again.

Where I’m at now

I’m about to give up this approach since it’s kicked my butt for a week and I have nothing to show for it. But, please: If you think you know where I went wrong then please let me know.

  • I would link to relevant topics but the forum rules prevent me.

It would help if someone clarified a few things for me.

  • Is warp required for this kind of routing to work?
  • When I configure a tunnel this way, should the Routes column be populated in the Zero Trust Console, or remain empty? (Access → Tunnels)

I believe the CNAME needs to be pointed to <tunnel-uuid>-<cloudflare domain>

I pointed the CNAME entry for * to <tunnel-uuid>-interleaved.io and got a 1016 when hitting https://test.interleaved.io.

Dang. It works now. It was the tunnel route. It needs <tunnel-uuid>.cfargotunnel.com.
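The two things that bit this thread, an ingress list that has to end in a catch-all and a CNAME that has to point at <tunnel-uuid>.cfargotunnel.com rather than at a name under the customer's own zone, can both be checked before the first 1016 (Cloudflare's "Origin DNS error"). The following pre-flight checker is an added example written for this thread; it is not part of cloudflared and not the poster's code. The config it parses is a constructed copy of the thread's flow-style config, the tunnel UUID and CNAME targets are placeholders, and the hostname-matching helper is an approximation of cloudflared's first-match behaviour (assumption: a leading `*.` matches one or more labels, not the apex).

```python
# Pre-flight checks for a cloudflared config and the DNS record that points at it.
# Added example for this thread, not part of cloudflared. Values marked below are constructed.
import json
import re

CFARGOTUNNEL_SUFFIX = ".cfargotunnel.com"
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed config in the same flow-style form the thread uses (JSON is valid YAML).
# The tunnel is referenced by a placeholder UUID so the DNS check can run offline.
SAMPLE_CONFIG = json.loads('''
{"credentials-file": "/path/to/hyperion-interleaved.io.json",
 "ingress": [{"hostname": "*.interleaved.io", "service": "hello_world"},
             {"service": "http_status:404"}],
 "tunnel": "11111111-2222-3333-4444-555555555555",
 "warp-routing": {"enabled": false}}
''')


def check_ingress(rules):
    """Return a list of problems (empty means OK). cloudflared requires that every
    rule names a service and that the last rule, and only the last rule, is a
    catch-all with no hostname or path filter."""
    problems = []
    if not rules:
        return ["ingress is empty; cloudflared needs at least one catch-all rule"]
    for i, rule in enumerate(rules):
        is_last = i == len(rules) - 1
        filtered = "hostname" in rule or "path" in rule
        if "service" not in rule:
            problems.append(f"rule {i}: no service")
        if is_last and filtered:
            problems.append("last rule must be a catch-all with no hostname or path")
        if not is_last and not filtered:
            problems.append(f"rule {i}: catch-all before the last rule shadows every later rule")
    return problems


def hostname_matches(pattern, host):
    """Approximation of cloudflared hostname matching (assumption: a leading '*.'
    matches one or more labels and does not match the apex itself)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def route_for(rules, host):
    """First matching rule wins, as in cloudflared; returns its service or None."""
    for rule in rules:
        if "hostname" not in rule or hostname_matches(rule["hostname"], host):
            return rule.get("service")
    return None


def check_cname_target(target, tunnel_id):
    """Return a problem string, or None when the CNAME really points at the tunnel.
    The target must be <tunnel-uuid>.cfargotunnel.com; the thread's 1016 came from
    pointing it at <tunnel-uuid>-<own-domain> instead."""
    target = target.lower().rstrip(".")
    expected = f"{tunnel_id}{CFARGOTUNNEL_SUFFIX}"
    if target == expected:
        return None
    if not target.endswith(CFARGOTUNNEL_SUFFIX):
        return f"CNAME target {target!r} is not under cfargotunnel.com; expected {expected!r}"
    return f"CNAME target {target!r} names a different tunnel than {tunnel_id!r}"


def preflight(config, cname_target):
    """Combine both checks; returns the list of problems found."""
    problems = check_ingress(config.get("ingress", []))
    tunnel_id = config.get("tunnel", "")
    if not UUID_RE.match(tunnel_id):
        # A tunnel name is allowed in config.yml, but DNS needs the UUID.
        problems.append("tunnel is given by name; look up its UUID before checking DNS")
    else:
        problem = check_cname_target(cname_target, tunnel_id)
        if problem:
            problems.append(problem)
    return problems


if __name__ == "__main__":
    tunnel_id = SAMPLE_CONFIG["tunnel"]
    # Constructed CNAME targets: the wrong one from the thread, then the correct one.
    for target in (f"{tunnel_id}-interleaved.io", f"{tunnel_id}{CFARGOTUNNEL_SUFFIX}"):
        print(target, "->", preflight(SAMPLE_CONFIG, target) or "OK")
    print("test.interleaved.io routes to", route_for(SAMPLE_CONFIG["ingress"], "test.interleaved.io"))
```

The same two checks can be done with the real tool once the config is on the box: `cloudflared tunnel ingress validate` checks the ingress list against the same rules, `cloudflared tunnel ingress rule https://test.interleaved.io` shows which rule a hostname hits, and `cloudflared tunnel route dns <tunnel> <hostname>` creates the CNAME with the correct cfargotunnel.com target so it never has to be typed by hand.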
