Argo Tunnel, arbitrary TCP service, clients without cloudflared

From this comment in the discussion from Reverse tunnelling raw TCP/UDP it seems it’s not possible to use Argo to serve arbitrary TCP service from on-prem to standard Internet TCP clients.

Feedback to Argo Tunnel team: I’ve just spent 2 hours (and $5 for 1mo of Argo, which I then disabled) trying to do exactly that (plus trying to understand why I need to use Argo Teams when I don’t want to have any auth or “features” except Argo Tunnel serving as DNS to my on-prem TCP service). This could be better explained on the service/product page to save people some time. The docs for Argo Tunnel - perhaps because it can’t support generic TCP for open Internet - are intermixed with Argo and Teams, which is very confusing.

So while it’s unlikely that I’ll use Argo Tunnel, I still have a question: here it says:

Named Tunnels can be routed via DNS records, in which case we use CNAME records to point to the <UUID>.cfargotunnel.com

Does that “can” mean “may”, as in “you may route via DNS records from <uuid>.cfargotunnel.com, but you can also use a CNAME aliased to Tunnel UUID to get <cname>.yourdomain.com?”
Because I think I configured the latter just fine without cfargotunnel.com.

My second question would be: is there any other service that we can use for this?
CF free DNS and Reverse Proxy can’t be used for non-Web content, and that’s fine. But what is the commercial proxy for Reverse Proxy for generic TCP service with open client access?
I don’t need advanced features like auth, anti-scraping, anti-DoS, firewall, etc. - I just want to use the CF network to get better global latency and routing for my TCP service.

Too late, but Argo Tunnels is actually free of charge now. It’s the more efficient routing part that is still a paid service, but that isn’t only about speeding up the tunneling feature. So Argo Smart Routing (paid) used to be bundled with Tunnels, but they are now separated and the latter doesn’t require a subscription.

You don’t necessarily need Cloudflare for Teams. You can set up a tunnel without Teams and Cloudflare Access (part of Teams).

Tunnel information was recently added to the Teams dashboard though, which added to the confusion when I tested it out myself. But you don’t need Teams at all. In short, you just configure and run the cloudflared application on the server and add a DNS record pointing to the tunnel. The client does not need any special setup in the web application use case.

When you step into other use cases, there will however be a need to use cloudflared on the client side as well. In my case I’ve tested with SSH. It was not reachable without using cloudflared on the client. No extra authentication or subscription was required, though. But if installing cloudflared on all clients is an issue, it will be a problem for your use case.

More like “must”. The tunnel can only be accessed through DNS names in your Cloudflare account. So if you have the domain example.com and add a tunnel.example.com record CNAME’d to uuid.cfargotunnel.com, then anyone can talk to tunnel.example.com. But I can’t get directly to your uuid.cfargotunnel.com or CNAME to it successfully from my account.

There are alternatives though in the form of Cloudflare load balancing tunnel integration and some way to connect through Kubernetes, but I don’t think it changes anything in your case.

Potentially Cloudflare Spectrum on the Enterprise plan. Not sure if/how it integrates with Tunnels, though.

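The setup described in the reply above, as an added example that is not part of the original thread: a `cloudflared` server-side configuration for a named tunnel that exposes one web service and one SSH service, with the matching DNS and client-side steps shown as comments. The tunnel name `my-tunnel`, the hostnames, the local ports, the file paths and the `<TUNNEL-UUID>` placeholder are assumptions.

```yaml
# Server side: /etc/cloudflared/config.yml (path is an assumption)
#
# One-time setup on the server (tunnel name and hostnames are placeholders):
#   cloudflared tunnel create my-tunnel        # prints the tunnel UUID
#   cloudflared tunnel route dns my-tunnel www.example.com
#   cloudflared tunnel route dns my-tunnel ssh.example.com
# Each "route dns" call creates a CNAME in your own Cloudflare zone:
#   www.example.com -> <TUNNEL-UUID>.cfargotunnel.com
# Then start the connector with:
#   cloudflared tunnel run my-tunnel

tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Web application: ordinary browsers reach it, no client software needed.
  - hostname: www.example.com
    service: http://localhost:8080

  # Non-HTTP service: only clients that run cloudflared can connect.
  - hostname: ssh.example.com
    service: ssh://localhost:22

  # Catch-all rule; cloudflared requires the last rule to have no hostname.
  - service: http_status:404

# Client side for the SSH hostname, in ~/.ssh/config:
#   Host ssh.example.com
#     ProxyCommand cloudflared access ssh --hostname %h
#
# With no Cloudflare Access policy on ssh.example.com, nothing at the edge
# authenticates the client (as the reply observed), so sshd's own
# authentication settings are the only gate on that service.
```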