Hi - is it possible to connect to either Synology or Asustor local file shares through Cloudflare Access? We’re a small office and with people working from home, this seems like a better and more secure option than a VPN. Everyone is using Windows 10. Ideally, I’d like to have the remote drive mounted.
If your NAS lets you execute commands inside terminal (and gives you the ability to install Docker Engine and run Docker containers), then you may try that.
Otherwise, set up another server (or virtual machine) and run cloudflared on it - either install cloudflared directly on your machine or use a Docker container.
I’m having moderate success and I feel I’m close. I was able to run Debian 10 on my NAS, started cloudflared and opened a tunnel.
However, when I try to connect from my client machine running cloudflared.exe access tcp --hostname MYSITE.site.com --url localhost:8445, nothing happens and I see the terminal on Linux prints “Cannot connect to remote: dial tcp [::1]:445 connect: connection refused”.
I double-checked that port 445 on the client (Win 10) is open. What am I doing wrong?
What’s your cloudflared configuration? Do you run cloudflared in the same system as your NAS? If not, do you point cloudflared to the correct NAS IP address?
Yes, cloudflared is run in the same system as the NAS. Asustor’s ADM OS allows you to install different apps so I installed Debian 10 and tried it.
Also, I installed Docker and just tried the configuration and was able to successfully run the hello-world container (docker run cloudflare/cloudflared:2020.7.0 tunnel --no-autoupdate --hello-world) from Docker.
Next, I tried running docker run -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate --hostname example.com --url tcp://localhost:445 and now the issue is the following error:
“You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable.”
I’m not sure why I get this as I have the cert.pem file in ~/.cloudflared of the host.
Basically after this error, the container doesn’t start at all.
So to sum up, I tried opening the tunnel through both the Debian 10 desktop (without docker) and separately through docker with no luck so far.
Most probably the Docker container is running as a user (UUID) different from the host, or the cert.pem file is owned by a different user, thus it can’t detect/access the cert.pem in /etc/cloudflared.
One thing to note when using a Docker container: by default, the networking inside the container is isolated from the host networking. So when you are trying to access port 445 from inside the container, you will get Connection refused - since port 445 is not opened inside the container. I think this explains your previous question. Thus, you need to specify another parameter: --network="host" so that the container can directly talk to the host networking stack.
Also, are you running this command as root? If yes, try adding the --user root parameter.
Here’s the final command you need to execute: docker run -v ~/.cloudflared:/etc/cloudflared --user root --network="host" cloudflare/cloudflared:latest tunnel --no-autoupdate --hostname example.com --url tcp://localhost:445
If you still can’t solve the issue, then I guess you need to create a Dockerfile and write COPY commands so that cert.pem can be copied directly to the container itself.
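The two failure modes discussed above (cert.pem unreadable by the container's user, and "connection refused" on port 445) can be checked on the Docker host before starting the tunnel. This is an added example, not part of the original posts; the function names and the sample `ss -ltn` output are constructed, and GNU stat (as on Debian 10) is assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the cloudflared container discussed above.
# Assumes GNU stat; function names and the sample data below are constructed.

# cert_access FILE UID GID: can this UID/GID read the origin cert (cert.pem)?
# Prints ok, missing or denied. Only the mode bits on the file itself
# are checked, not ACLs or search permission on parent directories.
cert_access() {
    ca_file=$1; ca_uid=$2; ca_gid=$3
    [ -f "$ca_file" ] || { echo missing; return 0; }
    [ "$ca_uid" -eq 0 ] && { echo ok; return 0; }   # root ignores mode bits
    set -- $(stat -c '%u %g %a' "$ca_file")         # owner uid, group gid, octal mode
    ca_mode=$((0$3 & 0777))
    if [ "$ca_uid" -eq "$1" ]; then ca_bit=$((ca_mode & 0400))
    elif [ "$ca_gid" -eq "$2" ]; then ca_bit=$((ca_mode & 0040))
    else ca_bit=$((ca_mode & 0004)); fi
    [ "$ca_bit" -ne 0 ] && echo ok || echo denied
    return 0
}

# loopback_listener PORT: reads `ss -ltn` output on stdin and prints which
# loopback address families have a listener on PORT: ipv4, ipv6, both or none.
# "connection refused" on [::1]:445 means no listener for that family and port
# in the network namespace where cloudflared runs.
loopback_listener() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            a = $4
            if (a == ("0.0.0.0:" p) || a == ("127.0.0.1:" p) || a == ("*:" p)) v4 = 1
            if (a == ("[::]:" p) || a == ("[::1]:" p) || a == ("*:" p)) v6 = 1
        }
        END { print ((v4 && v6) ? "both" : (v4 ? "ipv4" : (v6 ? "ipv6" : "none"))) }'
}

# Constructed sample: SMB listening on IPv4 only, in `ss -ltn` layout.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
printf '%s\n' "$SAMPLE_SS" | loopback_listener 445   # prints ipv4
```

On a real host, pipe live output in with `ss -ltn | loopback_listener 445`, and pass `cert_access` the UID and GID the container process runs as.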
This was VERY helpful! Now the container is up running, thanks to you!
Now Part 2: it’s not very clear to me how to connect to the file share as a client. The box is Win 10 and per the documentation I ran: cloudflared.exe access tcp --hostname myhostname.com --url localhost:8445. The command appears to be running, but nothing is printed in the command window. In my browser I opened the host name and I got a “Success” page by Cloudflare (I previously had to give permissions in Access and authenticate).
What do I do now? Do I need a special application to access the drive? I thought it’s mounted to 127.0.0.1, but running that in Windows Explorer opens a browser window with the generic error “this site can’t be reached”.
My end goal is to allow a couple of non-tech people to easily connect to the NAS, working from anywhere, without using a VPN (some are using Windows and some are using Mac OS). I still hope that this is the right solution.
And then, every user should run this command instead: cloudflared.exe access tcp --hostname myhostname.com --url localhost:445. You can wrap this command in a batch file (.bat or .cmd file) and send it to your users, so they can just execute it without typing a long command.
Lastly, your SMB file share will be accessible via localhost in File Explorer. At this point, the Cloudflare Access browser window should pop up and prompt the user to log in.
This finally worked
So I guess I should still create user profiles in the NAS OS for all users who will be connecting, right?
I was actually wondering about permissions and all that and if it should be done from within the docker container or the NAS OS (as if we’re all working from the LAN).