I’ve created the vpc tunnel and application with security policy, etc. I was able to make SSH work from my browser perfectly. How should I configure wayvnc to work correctly with cloudflared?
I’ve created a cloudflare tunnel and manage it remotely (via Dashboard) as follows:
Furthermore, I have my RPi 4 with Debian 12 running a cloudflared tunnel and then I’ve got an App with public hostname for both SSH and VNC with Browser Rendering working.
My public hostname is bound to the tcp://localhost:5900 under the tunnel settings:
While under the Access, my app is set to Browser rendering VNC as follows:
Wayvnc is running on default port 5900 to IPv6 (somehow by the config file ::).
Truth is, it is not the best or most secure way to do it, but since it’s running locally and behind Zero Trust, it works fine in a Web browser using the above config file.
Thanks @fritex for your help! Once I changed enable_auth to false in /etc/wayvnc/config, I was able to access the raspberry pi using vnc on my browser via Cloudflare Zero Trust.
I notice that you can now VNC onto the pi on the local network without any authentication. Is there no way to change that?
Yea, that does the trick. Not quite sure exactly, as I don’t remember what the issue was here. It’s already a year ago that I was dealing with that.
I guess it’s the “pop-up” which cannot be shown in the Web browser or something cannot authenticate over TLS connection with the tunnel such as encrypted authentication handshake.
Or we cannot get “login” authentication in Browser based VNC yet, therefore we can only get the screen to login with a user, and that’s different.
Maybe it’s the certificate. If we’d have a valid one for a device, it might work and won’t be asking for trusting/confirming?
Maybe we need to re-configure something on the tunnel side, such as TLS termination, or use the Cloudflare certificate on the device itself.
Similar issues occur with TigerVNC; we also have to disable this authentication in the wayvnc config.
I am not quite sure.
Or this is a VNC issue rather, and we should use X11 instead.
Some helpful information which we could try and test:
Unfortunately yes, that’s the other side of the coin changing that setting.
I’d have to play a bit and troubleshoot this further to see.
Or you could put it, if possible, on a different VLAN?
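A check for the exposure discussed above (authentication disabled while wayvnc listens on `::`), written as an added example that is not part of the original thread. Both config samples are constructed, and the default-address fallback is an assumption about wayvnc's behaviour; a listener bound to loopback stays reachable by the tunnel service at `tcp://localhost:5900` but not by other LAN hosts.

```python
import ipaddress

# Constructed sample mirroring the setup described in the thread.
THREAD_CONFIG = """\
# /etc/wayvnc/config (constructed sample)
address=::
port=5900
enable_auth=false
"""

# Constructed sample: same auth setting, listener restricted to loopback.
LOOPBACK_CONFIG = """\
address=127.0.0.1
port=5900
enable_auth=false
"""

def parse_config(text):
    """Parse wayvnc's flat key=value config; '#' starts a comment line."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def is_loopback(address):
    """True only for localhost / 127.0.0.0/8 / ::1; wildcards are not loopback."""
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as network-reachable

def audit(text):
    """Return findings for an unauthenticated listener reachable off-host."""
    cfg = parse_config(text)
    # Assumption: with no address key, wayvnc listens on localhost only.
    address = cfg.get("address", "localhost")
    auth_on = cfg.get("enable_auth", "false").lower() == "true"
    if not auth_on and not is_loopback(address):
        port = cfg.get("port", "5900")
        return [f"enable_auth is off and address={address} accepts LAN clients on port {port}"]
    return []

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("loopback", LOOPBACK_CONFIG)):
        print(name, audit(text) or "ok")
```

After changing the address and restarting wayvnc, `ss -ltn` on the Pi should show port 5900 bound to a loopback address rather than a wildcard.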