Cloudflare Tunnel with NAS - Need some help

I have a cloudflare tunnel set up on my NAS and i’m trying to use the ssh protocol to sftp into the shared folder via filezilla. i can’t seem to get any other protocol to work really, just http. besides that point, i’ll just focus on ssh.

when i try to log in via filezilla i get, ERR failed to connect to origin error=“websocket: bad handshake”

the debug log on the tunnel itself shows

{"level":"error","event":1,"connIndex":0,"originService":"ssh://localhost:22","ingressRule":0,"destAddr":"ssh://localhost:22","error":"dial tcp [::1]:22: connect: connection refused","time":"2024-02-27T09:08:24Z"}
{"level":"error","event":0,"ip":"xxx.xx.xxx.xx","connIndex":0,"error":"dial tcp [::1]:22: connect: connection refused","type":"ws","dest":"https://nas.pshomevault.net/","time":"2024-02-27T09:08:24Z","message":"Request failed"}

my tunnel is as follows:

i have :

SSL/TLS encryption to full
Bot Fight Mode turned off
WebSockets turned on
correct CNAME DNS entry for nas (subdomain) pointing to tunnel id on a proxied status
correct CNAME DNS entry for * pointing to my domain on a proxied status
no application created so bind http cookie is turned off

please don’t refer me to cloudflare’s docs nor other posts on here. i’ve been staring at them for two days now.

Does the SSH daemon on your NAS listen on localhost?

i’m not 100% sure what that is but i have all the protocols turned off except for quick connect. i had the impression those would only need to be turned on if i was using them the old fashion way by port forwarding

http:localhost:8080 seemed to work fine for me though.

i did try out ssh via terminal and used my user@local ip on port 22. seemed to work okay i turned that off after i was done using it.

In your screenshot, it looks like SFTP is disabled. If you want to use SFTP, you should probably enable it.

1 Like

true, thanks for telling me that.

what about SMB? which was my initial goal. i can’t seem to connect to it externally. any insight? i’ll continue researching i suppose

i know that some windows services are utilizing port 445 so i used 8445.

C:\cloudflared>cloudflared access smb --hostname nas.pshomevault.net --url localhost:8445 --loglevel debug
2024-02-27T11:16:25Z INF Start Websocket listener host=localhost:8445
ingress:
  - hostname: nas.pshomevault.net
    service: smb://localhost:8445
  - service: http_status:404

i tried \localhost\user , \local ip\user \the name of my nas\user

You can’t just make up a port for your ingress rule. The ingress Rule tells Cloudflared where to send packets that arrive on your NAS. If nothing is listening on port 8445, it won’t do anything.

Also, what you’re trying to do is problematic due to how cloudflared works.

If you read the part about Windows-specific requirements in the documentation, you’ll see that it probably is more trouble than it’s worth, as you’d have to disable some Windows Services that block port 445.

It’s probably a better idea to try this with Warp and Private Networks (also explained in the docs).

“If nothing is listening on port 8445, it won’t do anything.”

so how do i make the nas listen to 8445? this is the question i’m asking myself. i’m looking for a box to enter the port into. do i have to port forward in my router for this?

the cloudflaredocs say use port 445 for ingress but then use 8445 for the client then proceeds to say that 445 is blocked by windows services. so why not skip 445 altogether and use port 8445 on both the ingress and the client.

the cloudflare docs state using Warp and Private Networks is not a requirement. besides the point that warp and private networks are “more secure”, can we just run through this exercise and see that it actually works? then maybe i’ll try out the warp

i click on “open your SMB client” and it directs me to

You don’t. You use port 445 in the ingress Rule, because that’s what the NAS is using. There’s no reason to change this.

From your screenshot, I assume that you want to use Windows as your SMB client. Port 445 is hardcoded there, so you can’t change it. If you want to use Cloudflared to listen on port 445, you first need to disable the Windows service that is listening on that port, because Cloudflared needs to listen on localhost.

Warp is different in that you can use a different IP to connect to instead of using localhost.

i’ll keep rereading this and maybe my brain will understand.

i got smb with warp working but unfortunately might not be the best option here if i’m not running a business. i can see my exact location in the user logs when i log in. the strangers i work with probably don’t want that. thanks for the help.

Both Warp and Cloudflared are not meant to be used by strangers but by your own organization.

If you need something other than http to be publicly accessible via Cloudflare, you need Spectrum Enterprise.

As you’re not running a business, Spectrum Enterprise is probably a bit pricey. Cloudflare Tunnel might just not be a good fit for you if you want to expose an SMB interface to the public.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.