Cloudflare UDP tunnel setup error


Recently I tried to set up a UDP tunnel through the CLI. Everything works fine for my SSH access, but when it comes to connecting to UDP applications (such as TeamSpeak) it seems it always refuses my connection.
I want my applications running on my server protected by Gateway to be accessible only from users who have WARP enrolled correctly in my team (to be precise, my gaming network).
I followed this link to set up the tunnel: Via the command line · Cloudflare Zero Trust docs (I can’t paste it, but it’s the Cloudflare docs); SSH is accessible only by using WARP + cloudflared on my local PC to establish the tunnel between my client and server.
For my TeamSpeak server, I started configuring a private network over my existing tunnel with these configs:

[Screenshot: private network configuration, 2022-10-10 (image not available)]

Even though it is not listed as a default ingress rule, the UDP session is reported as correct by cloudflared.
In the end, I created as suggested a local fallback domain that would point the tunnel CNAME to my public IP address.
Of course, I also routed traffic from my tunnel to the public IP of my server using “cloudflared tunnel route ip add <IP/CIDR>” and created a CNAME record to connect every connection from the TeamSpeak CNAME to my tunnel.
When the tunnel starts, it works fine, but when I try to connect over the TeamSpeak service, it starts to show me multiple errors like this: “ERR Failed to send session payload from destination to transport error='read udp server_ip:58476->server_ip:53: read: connection refused' connIndex=2”.
I tried to add the standard UDP port that Cloudflare uses to my FirewallD config but it doesn’t work; I even tried to disable FirewallD and set SELinux in Permissive mode but it doesn’t work at all.
Does any of you have any clue what I’m missing?
Thanks anyway

PS: If you need a cloudflared debug log, tell me and I’ll find a way to share it with you without exposing too much of my personal data

So I’ve never played with udp over cloudflared (didn’t know it was even out of beta…), but this error seems to indicate there’s some redirect to UDP53 (DNS) in play before the connection is refused. That’s obviously not right for TeamSpeak but I’m not sure it’s a cloudflared config thing either.

Does that help your troubleshooting at all? Got any captive DNS stuff going on etc?

Well, the only DNS settings I have are the ones on Cloudflare. My VPS does not have any DNS server installed. I can only think about the local domain fallback on Cloudflare, but that should not interfere with it.
I even tried to test whether cloudflared would have the ability to establish a UDP connection, to use the tunnel as I do for SSH (of course, it doesn’t). The rest is up to FirewallD and SELinux, which seem to have nothing to do with my config…
I tried multiple solutions but at this point, I don’t know if it’s a possible thing to do. Everything should work fine and I don’t see what the problem is.

Oh, Gateway does not have any DNS, Network or HTTP rules at the moment, so it cannot be that.
The only strange thing that I’ve observed is that when I use WARP over Zero Trust on my PC it almost blocks any other software from running correctly (TeamSpeak always says in the log that the auth servers are not reachable). Still, I think that it has nothing to do with it (also because after changing from “exclude” to “include” mode WARP is now not blocking other apps).

@cloonan no UDP?

Hey there @ryan81

Could I please double check regarding this, that you’ve put the quic protocol within your config file for this? You can have a look at this here: Private hostnames and IPs · Cloudflare Zero Trust docs

Please let us know if you have any further questions
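For reference, here is what a cloudflared config.yml with the QUIC transport and WARP routing enabled looks like. This is an added illustration, not the original poster's file or Cloudflare's own sample; the tunnel UUID, credentials path and hostname are placeholders.

```yaml
# Added example cloudflared config.yml (not the poster's actual file).
# <TUNNEL-UUID> and the credentials path are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json

# QUIC is the transport that carries UDP sessions (e.g. TeamSpeak)
# between the edge and cloudflared; this is the setting asked about above.
protocol: quic

# Let WARP clients enrolled in the Zero Trust organisation reach the
# private IP ranges that were routed to this tunnel with
# "cloudflared tunnel route ip add <IP/CIDR>".
warp-routing:
  enabled: true

# Public-hostname ingress rules are separate from the private-network
# (WARP) path; the final catch-all rule is required.
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - service: http_status:404
```

With this file in place, a restart of the cloudflared service is needed for the protocol change to take effect; the startup log should then report the tunnel connections as using quic rather than http2.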

Hello @Joeito Thanks so much for your attention!!!
Yes quic protocol definitely confirmed!

Any other thoughts?

Just posting here because I have the same problem. Did you ever find a solution?