Argo Tunnel certificate causing strange "not signed" issue

Before Argo Tunnels I had the following setup for a particular service running on my local network:

  • DNS entry added to point to my home IP address (test.domain.xyz » 1.2.3.4)
  • Port 443 opened in my router (limited to Cloudflare IPs) and pointing to a Traefik reverse proxy running locally (also on port 443)
  • Traefik configured with Let’s Encrypt for a valid test.domain.xyz certificate
  • Traefik routes test.domain.xyz to a service running on 192.168.0.100:8080
  • Cloudflare SSL/TLS encryption mode is set to Full (strict)
  • DNS override in my router (with dnsmasq) to point test.domain.xyz to the local network IP running the Traefik reverse proxy

Connecting to test.domain.xyz inside my LAN:

Router DNS resolves test.domain.xyz to the IP where Traefik is running, Traefik will redirect to the service running on 192.168.0.100:8080. It doesn’t go through Cloudflare at all, everything is working as expected with end-to-end TLS. Great!

Connecting to test.domain.xyz outside my LAN:

Device DNS resolves test.domain.xyz (:orange: cloud) to my home IP, the router will forward requests to Traefik if they come from Cloudflare (otherwise it will drop them), Traefik will redirect to the service running on 192.168.0.100:8080. This goes through the Cloudflare network, everything is working as expected with end-to-end TLS. Great!


But now I’m trying to replace this setup with Argo Tunnels, so I don’t have to deal with open ports on my router, albeit limited to Cloudflare IPs (this requires a script that runs periodically and updates firewall rules for Cloudflare IPs).

The only differences from the setup above to get Argo Tunnels running are:

  • DNS entry which pointed to my home IP address was removed
  • Port 443 no longer opened (not even for Cloudflare IPs)
  • Everything else stayed exactly the same

What’s the problem then?

Well, I’m trying to access this test.domain.xyz service through a specific Android application, and when I do so while outside my LAN, everything is working as expected (just like before). But when I’m inside my LAN and try to access the test.domain.xyz service through the same Android application I get a message saying the certificate of the origin is not trusted and/or is a self-signed certificate (and it doesn’t allow me to connect to the service). Neither is true, the origin certificate comes from Let’s Encrypt.

What’s interesting about this is that if I clear all data and cache from the Android application, configure the app to connect to test.domain.xyz for the first time while inside my LAN, everything works as expected, I don’t get the message saying the origin certificate is not trusted. But as soon as I connect at least one time outside my LAN and then again inside my LAN, I get the message again and I can’t connect. It feels like the previous connection’s certificate persisted between connections and there’s a conflict there.

How have I been testing this inside/outside LAN thing?

As I said, this is an Android application and I’ve been switching between Wi-Fi (inside my LAN) and mobile data (outside my LAN). I’ve also been force-closing the app between each connection, to be sure that when I switch from/to Wi-Fi/mobile data, the app is starting without a dangling connection in the background or something.

Is this an isolated case? Does it happen with other services/apps?

I have a couple of tunnels, for different services, which can be accessed by different Android applications, and I’ve tested all of them inside and outside my LAN. One app (the one I’ve been talking about so far) completely blocks access saying the origin certificate is invalid. Another app shows a similar message with additional information about the origin certificate (and it’s telling me the Let’s Encrypt certificate is invalid/self-signed), however, it allows me to bypass and connect anyway (the first app doesn’t). A third app, for a third service/tunnel, doesn’t care, doesn’t give me a message, doesn’t block access, it just works.

Conclusion, what now?

The obvious solution is to remove test.domain.xyz from my local DNS resolver, forcing the upstream DNS servers (Cloudflare’s in my case, of course) to resolve that for me. In other words, access these services always (inside and outside my LAN) through Cloudflare. I wish I didn’t have to though… If I’m on my local LAN, I think it makes much more sense to access the services directly. But right now that’s not possible, for one service/application in particular.

It also feels like this is an issue with the specific Android applications and there’s nothing that I can do on the Argo Tunnel configuration or reverse proxy configuration to mitigate the problem. Is there? I couldn’t find anything in the cloudflared options that could help me. In fact, while running the tunnel in debug mode, and when I tried to connect to the tunnel inside my LAN and got the message saying the certificate is not trusted, the cloudflared logs didn’t register a connection at all. In other words, it’s failing before reaching the Argo Tunnel, the error message comes from a validation on the app itself and has nothing to do with Cloudflare. Right?

Still, I have to ask, can anybody think of a possible workaround for this?
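An added diagnostic (not part of the original post, and not a cloudflared or Traefik tool) for the symptom described above: the same name resolves to a LAN address on one path and to the Cloudflare edge on the other, so the two paths present two different leaf certificates, and a client that pins the first leaf it saw will reject the other path. It classifies each resolved address, fetches the leaf fingerprint actually presented on each path for a given SNI, and reports whether they match; the hostname and IPs are assumed to be passed on the command line, and the no-argument demo uses constructed fingerprints.

```python
import hashlib
import ipaddress
import socket
import ssl
import sys


def path_kind(ip: str) -> str:
    """Classify where a name resolved to: 'lan-direct' for private/loopback
    addresses (the dnsmasq override path) or 'public' (normally the Cloudflare edge)."""
    return "lan-direct" if ipaddress.ip_address(ip).is_private else "public"


def fetch_leaf_fingerprint(connect_ip: str, sni: str, port: int = 443) -> str:
    """Connect to connect_ip, send `sni` as the TLS server name, and return the
    SHA-256 fingerprint of the leaf certificate actually presented on that path.
    Verification is turned off on purpose: this is a viewer, not a client, and
    we want to see the chain even when a client would refuse it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def diagnose(fingerprints: dict) -> str:
    """fingerprints maps a path label to the leaf fingerprint seen on that path.
    One distinct value means every path shows the same leaf; more than one means
    a client that pinned the first leaf it saw will reject the other path(s)."""
    if len(set(fingerprints.values())) == 1:
        return "consistent: one leaf certificate on every path"
    detail = ", ".join(f"{k}={v[:16]}" for k, v in sorted(fingerprints.items()))
    return f"mismatch: a pinning client will reject the path it did not see first ({detail})"


if __name__ == "__main__":
    # usage: python3 this.py test.domain.xyz 192.168.0.50 <cloudflare-edge-ip>
    # Without arguments, constructed fingerprints reproduce the post's symptom offline.
    if len(sys.argv) >= 3:
        sni, ips = sys.argv[1], sys.argv[2:]
        seen = {f"{path_kind(ip)}:{ip}": fetch_leaf_fingerprint(ip, sni) for ip in ips}
    else:
        seen = {"lan-direct:192.168.0.50": "a" * 64,      # constructed sample value
                "public:<cloudflare-edge-ip>": "b" * 64}  # constructed sample value
    for label, fp in seen.items():
        print(f"{label:<30} {fp}")
    print(diagnose(seen))
```

Resolve the name once against the router's dnsmasq and once against a public resolver, pass both addresses, and the mismatch verdict confirms the failure is client-side certificate memory rather than anything in the tunnel.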