This is possible with Cloudflare Gateway. If you run the WARP client on the connecting devices, you can route private IP ranges through Cloudflare towards your tunnel connector. If you’re talking about devices that you can’t run WARP on and you’re trying a regular orange cloud/proxied configuration within Cloudflare, that won’t work. You can reverse proxy HTTP(S) in this way, but that’s not the same with arbitrary protocols like MQTT.
The only option I’m aware of for this (but haven’t personally used) would be Cloudflare Spectrum - you’ll need the Enterprise tier for TCP/UDP protocols:
HTTP(S) services exposed through Cloudflare Tunnel don’t require client software because Cloudflare can use a single IP for multiple customers. This is possible because HTTP requests include a Host header telling which site the request is intended for.
Most other protocols don’t have a feature like that, so Cloudflare would have to assign separate IP addresses for each application. IPv4 addresses aren’t cheap which is why this isn’t offered.
For arbitrary TCP applications such as MQTT, you have to use the client software, as it can act essentially like a VPN.
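The point made in the post above (HTTP carries a Host header a shared front end can route on; an MQTT connection carries nothing comparable) can be seen by parsing both kinds of opening bytes. The following is an added example, not code from the thread or from Cloudflare: it extracts the Host header from a constructed HTTP request and parses a constructed MQTT 3.1.1 CONNECT packet, showing that the CONNECT packet names the client, credentials and keepalive but never the broker the client wants to reach. All sample inputs, hostnames and credentials are made up for the example.

```python
"""Added example (not from the thread): why an HTTP request can be routed to
the right customer on a shared IP while an MQTT connection cannot. The HTTP
request and the MQTT CONNECT packet are constructed for this example; the MQTT
layout follows the MQTT 3.1.1 CONNECT packet format."""
from typing import Optional


def http_host(first_bytes: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, or None if absent.

    A front-end proxy learns which site the client wants from the first few
    hundred bytes of the stream, which lets many hostnames share one edge IP.
    """
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length 'remaining length' field (7 bits per byte)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80                          # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: str, password: str,
                  keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (constructed test input)."""
    def mqtt_str(s: str) -> bytes:
        b = s.encode("utf-8")
        return len(b).to_bytes(2, "big") + b

    flags = 0x80 | 0x40 | 0x02                    # username, password, clean session
    body = (mqtt_str("MQTT") + bytes([4, flags]) + keepalive.to_bytes(2, "big")
            + mqtt_str(client_id) + mqtt_str(username) + mqtt_str(password))
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def mqtt_connect_fields(pkt: bytes) -> dict:
    """Parse everything an MQTT 3.1.1 CONNECT packet carries.

    Note what is missing from the result: neither the fixed header, the
    variable header nor the payload names the broker the client is trying to
    reach, so a shared edge IP has nothing to pick the right tunnel with.
    """
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos, mult, remaining = 1, 1, 0
    while True:                                   # decode remaining length
        b = pkt[pos]
        pos += 1
        remaining += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
    body = pkt[pos:pos + remaining]

    def read_bytes(p: int):
        n = int.from_bytes(body[p:p + 2], "big")
        return body[p + 2:p + 2 + n], p + 2 + n

    proto, p = read_bytes(0)
    level, flags = body[p], body[p + 1]
    keepalive = int.from_bytes(body[p + 2:p + 4], "big")
    client_id, p = read_bytes(p + 4)
    fields = {"protocol": proto.decode(), "level": level,
              "keepalive": keepalive, "client_id": client_id.decode()}
    if flags & 0x04:                              # Will flag set
        topic, p = read_bytes(p)
        fields["will_topic"] = topic.decode()
        fields["will_message"], p = read_bytes(p)
    if flags & 0x80:                              # User Name flag
        user, p = read_bytes(p)
        fields["username"] = user.decode()
    if flags & 0x40:                              # Password flag (binary data)
        fields["password"], p = read_bytes(p)
    return fields


def routing_key(first_bytes: bytes) -> Optional[str]:
    """What a shared-IP front end can learn about the destination from the
    first bytes of a new TCP connection: a hostname for HTTP, nothing for MQTT."""
    if first_bytes[:1] == b"\x10":                # MQTT CONNECT packet type
        mqtt_connect_fields(first_bytes)          # parses fine, but yields no host
        return None
    return http_host(first_bytes)


# Constructed sample inputs (hostname and credentials are made up).
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nHost: mqtt.example.org\r\n"
                b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
MQTT_CONNECT = build_connect("node-red", "user", "pass")

if __name__ == "__main__":
    print("HTTP ->", routing_key(HTTP_REQUEST))   # mqtt.example.org
    print("MQTT ->", routing_key(MQTT_CONNECT))   # None
    print(mqtt_connect_fields(MQTT_CONNECT))
```

The MQTT CONNECT parse is complete (client ID, will, username, password are all there), and that is the point: the only way a raw TCP front end could tell two MQTT customers apart is by giving each its own IP or port, which is exactly what the post says does not come cheap.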
Took a while to wrap my head around, but I think I got it.
The device looks up the IP through DNS and then connects to that IP on a port.
The only way this could be achieved is if Cloudflare could give away ports on an IP. I could then use a custom port for my routing.
Since that is the only information it can get on how to route the traffic after the DNS lookup (when not using HTTP).
My ISP has started to give out non-public IP addresses to customers.
I now have to pay extra for a public IPv4 address.
For now it is OK, but I would like to have alternatives ready for the future.
Have you tried using WebSockets instead of standard MQTT? Some (many? most?) MQTT brokers let you configure a WebSocket connection; Mosquitto does, for example. And I know there's an option to enable WebSockets in the tunnel config, so maybe you can get that going.
Hey, I'm trying to achieve the same, so what are you doing with the separate RPi? Some MQTT forwarder to your Cloudflare tunnel? How did you configure your access in the Cloudflare GUI?
Thanks in advance!
In Cloudflare -> Zero Trust > Access > Tunnels > tunnel name > Public Hostname
- I added an entry of type HTTP with URL http://192.168.xxx.xxx:9001, where 9001 is the WebSocket (wss) port of Mosquitto.
In mosquitto.conf add:
listener 9001
protocol websockets
To forward topics I use Node-RED's MQTT client nodes.
I connect to the remote Pi using wss://sub_dom.domain_name/ with user and password.
In Node-RED I forward only some selected topics from the remote MQTT server to my local one,
and some selected topics from my local MQTT server to the remote one.
Be careful not to publish the same topics both ways. You will end up in an infinite loop.
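The loop the post warns about is easy to create by accident once wildcards are involved: a local->remote rule such as sensors/+/temperature and a remote->local rule such as sensors/# overlap, so every relayed message comes straight back and is relayed again. The following is an added example, not the poster's Node-RED flow or any Mosquitto code: it implements MQTT 3.1.1 topic-filter matching and checks a two-way forwarding plan for overlapping filters before it is deployed. The topic filters and plan are constructed for the example.

```python
"""Added example (not code from the thread): validate a two-way MQTT topic
forwarding plan of the kind described above (Node-RED relaying selected topics
between a local broker and a remote broker reached over wss://) and detect
the feedback loop the post warns about. Topic filters are constructed for
illustration; matching follows the MQTT 3.1.1 rules for '+' and '#'."""
from typing import List, Tuple


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic filter matching: '+' matches exactly one level, '#' matches
    the remainder (zero or more levels) and is only valid as the last level;
    topics whose first level starts with '$' are never matched by a leading
    wildcard."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f_parts, t_parts = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def filters_overlap(a: str, b: str) -> bool:
    """True if some topic name can match both filters."""
    if (a.startswith("$") and b[:1] in ("+", "#")) or \
       (b.startswith("$") and a[:1] in ("+", "#")):
        return False
    a_parts, b_parts = a.split("/"), b.split("/")
    for x, y in zip(a_parts, b_parts):
        if x == "#" or y == "#":
            return True                           # '#' swallows the rest
        if x != "+" and y != "+" and x != y:
            return False                          # literal levels disagree
    # One filter is a prefix of the other: only a trailing '#' still overlaps.
    rest = a_parts[len(b_parts):] or b_parts[len(a_parts):]
    return rest in ([], ["#"])


def should_forward(topic: str, filters: List[str]) -> bool:
    """Decision a relay makes per message: does any rule select this topic?"""
    return any(topic_matches(f, topic) for f in filters)


def find_loops(local_to_remote: List[str],
               remote_to_local: List[str]) -> List[Tuple[str, str]]:
    """Outbound/inbound filter pairs that overlap. Each pair is a feedback
    loop: a message relayed to the remote broker under the first filter is
    received back under the second, relayed again, and so on without end."""
    return [(o, i) for o in local_to_remote for i in remote_to_local
            if filters_overlap(o, i)]


def check_plan(local_to_remote: List[str], remote_to_local: List[str]) -> None:
    """Raise before deploying a plan that would loop."""
    loops = find_loops(local_to_remote, remote_to_local)
    if loops:
        raise ValueError("forwarding loop between filters: %r" % loops)


# Constructed sample plan: sensor readings go out, commands come in.
LOCAL_TO_REMOTE = ["sensors/+/temperature", "sensors/+/humidity"]
REMOTE_TO_LOCAL = ["commands/#", "status/remote"]
# Constructed bad plan: 'sensors/#' would echo every relayed reading back.
LOOPING_REMOTE_TO_LOCAL = ["commands/#", "sensors/#"]

if __name__ == "__main__":
    check_plan(LOCAL_TO_REMOTE, REMOTE_TO_LOCAL)          # fine
    print(should_forward("sensors/kitchen/temperature", LOCAL_TO_REMOTE))
    print(find_loops(LOCAL_TO_REMOTE, LOOPING_REMOTE_TO_LOCAL))
```

To run the relay itself with paho-mqtt rather than Node-RED, the assumed settings for the tunnelled side would be a client created with transport="websockets", tls_set() enabled, ws_set_options(path="/") and a connect to the tunnel hostname on port 443 with the same username and password; the rule lists above then drive should_forward on each received message.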