Reverse tunnelling raw TCP/UDP

The existing Argo tunnelling feature is great for security! We use it quite a lot and has worked flawlessly.

We’re now interested in doing a very similar thing, but for raw TCP/UDP sockets. Using any combination of Cloudflare products, is this possible?

Detailed scenario

An instance of a VPN server lives inside a Kubernetes cluster. The VPN server hosts OpenVPN on port 1337 (TCP/UDP… doesn’t matter). As part of the Deployment, there is a cloudflared service running as a side-car that creates a tunnel between Cloudflare and port 1337 on the VPN Pod.

cloudflared automatically creates a DNS entry like

Users point their VPN client to connect to and are seamlessly connected to the VPN (through Cloudflare).

The above scenario is possible with HTTPS, but is it possible with other protocols on other ports? I’m thinking if Spectrum and Argo can talk to each other, this may be possible?



It’s not as frictionless as you described but it does allow Cloudflare Tunnel to do raw TCP (UDP is not currently supported, which might mean a slower openvpn connection).

Thanks @Judge! That is actually my current closest solution.

Most of it is spot on for what I need, however is it possible to do that without the client running cloudflared access tcp? I don’t actually need Cloudflare to do any authentication in this scenario.


At the moment, no. A cloudflared TCP client doesn’t actually connect via TCP, it opens a port (eg. listening on localhost) on the computer that runs cloudflared access and forwards packets to Cloudflare over a websocket connection. I’m also interested in basically a “Cloudflare Tunnel but for Spectrum” product and I asked about that here.

Yep! Understand that.

I’ve commented in that thread also asking for this feature. :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.