Connecting to NAS (SMB file share)

Hi - is it possible to connect to either Synology or Asustor local file shares through Cloudflare Access? We’re a small office and with people working from home, this seems like a better and more secure option than a VPN. Everyone is using Windows 10. Ideally, I’d like to have the remote drive mounted.

Thank you

You may refer to this documentation:

You might need a small server that actually tunnels the SMB traffic from your NAS to Cloudflare via Argo Tunnel.

How about running the Argo Tunnel in a docker container on the NAS?
I found this: https://hub.docker.com/r/cloudflare/cloudflared
I don’t have much experience with docker, though.

If your NAS lets you execute commands inside a terminal (and gives you the ability to install Docker Engine and run Docker containers), then you may try that.

Otherwise, set up another server (or virtual machine) and run cloudflared on it - either install cloudflared directly on your machine or use a Docker container.

I’m having moderate success and I feel I’m close. I was able to run Debian 10 on my NAS, started cloudflared and opened a tunnel.
However, when I try to connect from my client machine running cloudflared.exe access tcp --hostname MYSITE.site.com --url localhost:8445, nothing happens and I see the terminal on linux prints “Cannot connect to remote: dial tcp [::1]:445 connect: connection refused”

I double-checked that port 445 on the client (Win 10) is open. What am I doing wrong?

What’s your cloudflared configuration? Do you run cloudflared in the same system as your NAS? If not, do you point cloudflared to the correct NAS IP address?

Also, check your firewall and see whether port 445 is allowed in your server/NAS.

Yes, cloudflared is run in the same system as the NAS. Asustor’s ADM OS allows you to install different apps so I installed Debian 10 and tried it.
Also I installed Docker and just tried the configuration and was able to successfully run the hello-world container (docker run cloudflare/cloudflared:2020.7.0 tunnel --no-autoupdate --hello-world) from https://hub.docker.com/r/cloudflare/cloudflared

Next, I tried running docker run -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate --hostname example.com --url tcp://localhost:445 and now the issue is the following error:
“You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable.”

I’m not sure why I get this as I have the cert.pem file in ~/.cloudflared of the host.

Basically after this error, the container doesn’t start at all.

So to sum up, I tried opening the tunnel through both the Debian 10 desktop (without docker) and separately through docker with no luck so far.

Most probably the docker container is running as a user (UUID) different than the host, or the cert.pem file is owned by a different user, thus it can’t detect/access the cert.pem in /etc/cloudflared.

One thing to note when using Docker container: by default, the networking inside the container is isolated from the host networking. So when you are trying to access port 445 from inside the container, you will get Connection refused - since port 445 is not opened inside the container. I think this explains your previous question. Thus, you need to specify another parameter: --network="host" so that the container can directly talk to the host networking stack.

Also, are you running this command as root? If yes, try adding the --user root parameter.
Here’s the final command you need to execute:
docker run -v ~/.cloudflared:/etc/cloudflared --user root --network="host" cloudflare/cloudflared:latest tunnel --no-autoupdate --hostname example.com --url tcp://localhost:445
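
An added example, not part of the thread and not Cloudflare's own tooling: a shell check for the cert.pem problem described in this reply, showing that both the bind-mounted directory and the file must be accessible to the UID the container runs as. It assumes GNU stat (as on Debian); the function names are hypothetical and the demo uses a constructed temporary directory in place of ~/.cloudflared.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU stat (Debian has it).
# Checks classic mode bits only: no ACLs, no supplementary groups.

# allowed PATH UID GID BIT: succeeds if BIT (4=read, 1=search) is granted.
allowed() {
    path=$1; uid=$2; gid=$3; bit=$4
    [ "$uid" -eq 0 ] && return 0                   # root bypasses mode bits
    info=$(stat -c '%u %g %a' "$path") || return 2 # owner, group, octal mode
    set -- $info
    mode=$((0$3))                                  # leading 0 parses as octal
    if   [ "$uid" -eq "$1" ]; then shift_by=6      # owner class applies alone
    elif [ "$gid" -eq "$2" ]; then shift_by=3      # otherwise group class
    else shift_by=0                                # otherwise "other"
    fi
    [ $(( (mode >> shift_by) & bit )) -ne 0 ]
}

# cert_readable CERT UID GID: the mounted directory must be searchable
# and the file itself readable by that UID/GID.
cert_readable() {
    allowed "$(dirname "$1")" "$2" "$3" 1 && allowed "$1" "$2" "$3" 4
}

# Constructed demo: a throwaway directory standing in for ~/.cloudflared.
demo() {
    d=$(mktemp -d) && : > "$d/cert.pem"
    other=$(( $(stat -c '%u' "$d") + 1 ))          # any UID that is not the owner
    for pair in "700 644" "755 644" "755 600"; do
        set -- $pair
        chmod "$1" "$d"; chmod "$2" "$d/cert.pem"
        if cert_readable "$d/cert.pem" "$other" "$other"; then r=readable
        else r="not readable"; fi
        echo "dir $1, cert $2, uid $other: $r"
    done
    rm -rf "$d"
}
demo
```

Changing the owner of cert.pem to the container's UID lets the file stay at mode 600, whereas loosening it to 644 exposes the tunnel credential to every local account on the NAS.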

If you still can’t solve the issue, then I guess you need to create a Dockerfile and write COPY commands so that cert.pem can be copied directly to the container itself.

This was VERY helpful! Now the container is up running, thanks to you!

Now Part 2: it’s not very clear to me how to connect to the file share as a client. The box is Win 10 and per the documentation I ran: cloudflare.exe access tcp --hostname myhostname.com --url localhost:8445. The command appears to be running, but nothing is printed in the command window. In my browser I opened the host name and I got a “Success” page by Cloudflare (I previously had to give permissions in Access and authenticate).
What do I do now? Do I need a special application to access the drive? I thought it’s mounted to 127.0.0.1, but running that in Windows Explorer opens a browser window with the generic error “this site can’t be reached”.

My end goal is to allow a couple of non-tech people to easily connect to the NAS, working from anywhere, without using a VPN (some are using Windows and some are using Mac OS). I still hope that this is the right solution.

Great to see that. You’re welcome.

You might need to refer to this documentation:

Basically, every user who needs to access the SMB file share should disable this service on their computer:

Restart Windows after disabling the service.

And then, every user should run this command instead: cloudflared.exe access tcp --hostname myhostname.com --url localhost:445. You can wrap this command in a batch file (.bat or .cmd file) and send it to your users, so they can just execute it without typing a long command.

Lastly, your SMB file share will be accessible via localhost in File Explorer. At this point, the Cloudflare Access browser window should pop up and prompt the user to log in.

For me yeah, it’s kinda weird to specify “localhost” in File Explorer in order to access the remote SMB file share. But yeah, this is how it works.

Hmm - I did all that and I’m still getting an error in my browser when I hit localhost in File Explorer:

I tried running cloudflared.exe with both localhost:445 and localhost:8445.

The Server process is disabled (I restarted after that):

I also peeked into the docker logs (using Portainer) and there aren’t any errors. This is the last line:

Navigating to the hostname brings this:

I just tried “\\localhost” (with two backslashes) and I got this:

I guess you only type “localhost” in File Explorer?

Put two backslashes in front of “localhost” instead, like this: \\localhost

Nice. Just type the username and password of your SMB file share.

This finally worked 🤩
So I guess I should still create user profiles in the NAS OS for all users who will be connecting, right?
I was actually wondering about permissions and all that and if it should be done from within the docker container or the NAS OS (as if we’re all working from the LAN).

Yes. You should configure user profiles with appropriate permissions for each user in the NAS.