Help Configuring Cloudflare Tunnel for FTP/SFTP Access to Synology NAS Behind CG-NAT

Hello Cloudflare Community,

I’ve recently encountered an issue with my new ISP that uses CG-NAT, which has disrupted some of my usual methods of connecting to my Synology NAS, specifically hosting a website on the NAS and enabling FTP backups for data from some cloud-hosted websites. Previously, I had a setup with port forwarding that allowed these use cases to work.

Since port forwarding is not possible (even though I’m using the same router), I’ve successfully deployed cloudflared on my NAS via Docker, guided by a detailed blog post. This setup allowed my NAS-hosted website to be accessible externally, which is great.

However, I’m currently facing challenges with external FTP/SFTP connectivity for backing up multiple websites hosted on Vultr and managed via Runcloud’s panel product. While local connections to the NAS work flawlessly, external connections for FTP/SFTP backup purposes are not successful.

I’ve come across discussions about installing cloudflared on client systems, but I’m unsure how this would work in my scenario, especially considering the environments of my Vultr/Runcloud-hosted websites.

I’m reaching out for advice or suggestions on how to configure Cloudflare Tunnel to facilitate FTP/SFTP access to my Synology NAS. Are there specific configurations or alternate solutions that could help bypass the limitations imposed by CG-NAT for FTP/SFTP access?

Any insights or guidance would be greatly appreciated.

Thank you in advance for your time and help!

There is a very detailed setup guide here:

The simple version:

  1. You install the tunnel on both client and server.

  2. In the Zero Trust dashboard, create a TCP application for your subdomain (or, for SFTP, an SSH application).

  3. Then, on your client, start the tunnel with cloudflared access tcp --hostname sub.example.com --url localhost:xxxx.

  4. On the client, connect your FTP application to localhost:xxxx, on which the tunnel listens. The tunnel will then direct the traffic to sub.example.com


Thanks so much for the reply. I’m very much a novice, especially with networking. After following the guidance, it’s still not quite working so I’ll describe what I’ve got so far and perhaps you could point me in the correct direction to look:

NAS FTP

  • When connecting to this locally via IP address as SFTP in FileZilla, I use port 222.

Runcloud/Vultr Web Server

  • I’ve SSHed into this server and installed cloudflared, though it’s possible I may not have set it up correctly.
  • I’m fairly new to SSH so I don’t know my way around as easily as many.
  • I ran cloudflared access tcp --hostname sub.domain.com --url 192.168.1.100:222 and get the following response:

Error on Websocket listener error="failed to start forwarding server: listen tcp 192.168.1.100:222: bind: cannot assign requested address"

failed to start forwarding server: listen tcp 192.168.1.100:222: bind: cannot assign requested address

  • Same message if I use “localhost” too which Ubuntu translates into 127.0.0.1.

Cloudflare Tunnel

  • I set up a subdomain and set it to SSH as the Service Type, my local IP address and port (196.68.1.100:222)
  • I haven’t changed any other settings under HTTP Settings, Connection, or Access.
  • Cloudflare is saying the tunnel is healthy. I am able to connect into my NAS-hosted website just fine on one subdomain, and the NAS admin screen via a different subdomain.

One Runcloud/Vultr Web Site

  • I’ve put in the Cloudflare-connected subdomain and domain with port 222 into the SFTP details but when I test connection, I still get “Failed: SSH 2 login failed” so no luck.

Any suggestion on where to look next? It’s entirely possible I missed a step but I feel like I’m almost there.

Ok, before we continue:

You want to use SFTP, not FTP? The guide I linked above is for FTP and would require some changes for SFTP.

When I run cloudflared tunnel info xyz against the Tunnel ID from my web server, it’s showing IP addresses for my local network and the web server so at least that’s something. However, obviously there’s something going on with the cloudflared instance on my web server where it can’t bind via the cloudflared access tcp command. I am not sure whether it has something to do with config.yml or the json credentials as that’s the only thing I can’t seem to figure out (aka how to regenerate or download them from Cloudflare’s UI).

When I run sudo systemctl status cloudflared, it gives me this:

Dec 24 06:13:19 vultr cloudflared[2853904]: 2023-12-24T06:13:19Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic f>

Dec 24 06:13:23 vultr cloudflared[2853904]: 2023-12-24T06:13:23Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"sub.domain.com\",\"originRequest\":{\"noTLSVerify\">

Dec 24 06:14:19 vultr cloudflared[2853904]: 2023-12-24T06:14:19Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflare>

Dec 24 06:14:19 vultr cloudflared[2853904]: 2023-12-24T06:14:19Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic f>

Though some of it is cutoff in my Mac’s Terminal viewer.

Ah, yes. I was wanting to use SFTP. However, it still seems like there’s issues with my web server’s cloudflare set up since it’s partially working.

Ok, in your first post, you described that your website was already running using a tunnel. That means you don’t do anything else on your server, all the remaining configuration is in the Zero Trust Dashboard and on your client.

You need to run this command on your client, not your server. Replace tcp with ssh and also use localhost, not your local ip.

cloudflared access ssh --hostname sub.domain.com --url localhost:222

Make sure you have created an SSH option in the tunnel and also an Access SSH application before you do this.

Tunnel config:

Application config:

Run this command on your client:

cloudflared access ssh --hostname tcp.site.com --url localhost:22

(Or 222 in your case).

And then you should be able to establish a connection to localhost:22(2) in your FTP client.

And then when I login:
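The tunnel and application screenshots from the reply above did not survive extraction. As an added example, not the poster's own screenshots, this is what the same "SSH" public-hostname entry looks like as a locally managed cloudflared config.yml, using the hostname and NAS address that appear in this thread; the tunnel UUID and the credentials path are placeholders.

```yaml
# Added example, not the poster's screenshot. Locally managed equivalent of the
# dashboard "SSH" service entry. <TUNNEL-UUID> and the credentials path are
# placeholders; sub.domain.com and 192.168.1.100:222 are the values in the thread.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public hostname -> the NAS SFTP daemon on the LAN. This rule only works in
  # the connector that runs on the NAS side (the Docker container), because the
  # origin address is resolved from wherever cloudflared is running.
  - hostname: sub.domain.com
    service: ssh://192.168.1.100:222
  # A catch-all rule is mandatory; cloudflared refuses to start without one.
  - service: http_status:404
```

One caveat that the earlier log lines point at: the `cloudflared tunnel info` output quoted above lists both the home ISP address and the Vultr server as connectors of the same tunnel, so the same tunnel credentials appear to be running in two places. Cloudflare spreads requests across all connectors of a tunnel, and the Vultr connector cannot reach 192.168.1.100, which would explain both the "Unable to reach the origin service" errors on the Vultr box and the intermittent access to the NAS-hosted site. The server-side tunnel belongs only on the NAS; the Vultr machine needs nothing more than the `cloudflared access` client command.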

Thanks so much for all the replies and help on this. I think perhaps I’m not thinking through this the correct way.

I’ve got a Vultr web server (and Runcloud control panel) that is hosting a few Wordpress sites that need to back up regularly to my Synology. I have cloudflared installed directly via SSH on my web server. However, when I try to run cloudflared access ssh --hostname sub.domain.com --url 192.168.1.100:222, it gives me error="failed to start forwarding server: listen tcp 192.168.1.100:222: bind: cannot assign requested address" as a response. When I run cloudflared access ssh --hostname sub.domain.com --url localhost:222, it responds with error="failed to start forwarding server: listen tcp 127.0.0.1:222: bind: permission denied" instead. I’m not sure if I can install cloudflared on each individual Wordpress website, but the Vultr web server and each individual Wordpress site are using the same IP address. When I run cloudflared tunnel info <tunnel ID>, it lists out the IP from my ISP as well as my Vultr server. I also tried setting up the Cloudflare application for the same domain, but I must have set it up wrong because I don’t think it’s helping.

On the other side of this challenge, I’ve connected my Synology NAS into cloudflared using the cloudflare/cloudflared image under Docker. I am able to view my Synology-hosted site using the subdomain defined in the tunnel. However, it appears to be intermittent AND may not work when not connected to my home ISP, so I think I have something wrong with the configurations within the Cloudflare Tunnel interface. Is there a setting within Cloudflare Tunnel that doesn’t restrict access to only the clients with cloudflared set up?

Maybe I’m thinking about this all wrong.

Yes. The product is called Spectrum and is very expensive at $1 per GB.

You really need to use localhost.

You’ll have to find out why you receive a permission denied error. Ports below 1024 are restricted to privileged users (root/sudo); are you trying to execute that as an unprivileged user?
Either use a higher port or run as root / with sudo.

Thanks
After two days of searching, this solution worked for me.

Steps: I created sub.domain.com with the TCP type
and used
cloudflared access tcp --hostname sub.domain.com --url localhost:22

and the FileZilla hostname is sub://localhost with username and password. It is working for me.