Knowledge Base

Tunnel via Cloudflare to any TCP Service

Tunnel via Cloudflare to any TCP Service

root's photo
root
·

3 min read

Cloudflare's cloudflared tunnels are commonly used to 'publish' a web server that runs behind a firewall (e.g. making the webserver accessible from the Internet). Cloudflare restricts the traffic to HTTP-style traffic: It won't allow the publishing of SSHD for example.

This article explains how to 'publish' any other service (like SSHD) and make it accessible via the cloudflared tunnel. It does so by adding a WebSocket Proxy on either side of the tunnel.

You need websocat, cloudflared and gost.

Example 1:

Configure a tunnel to access SSHD on a server that is behind the firewall (via Cloudflare's cloudflared tunnel).

On the server behind the firewall:

### Start a WS <-> TCP forwarder
websocat -E -b ws-l:127.0.0.1:40008 tcp:127.0.0.1:22 &
### Create a free CF Tunnel:
cloudflared tunnel --url http://localhost:40008 --no-autoupdate

The CF tunnel will show you an URL similar to this one:

On your workstation:

### Start a TCP <-> WS forwarder to above URL
websocat -E -b tcp-l:127.0.0.1:2222 ws://<YourUrlFromAbove>.trycloudflare.com &
### Connect using SSH:
ssh -p 2222 root@127.0.0.1

Example 2:

A more advanced method is to add a Socks5 Proxy to the chain of tunnels. This will allow us to access ANYTHING from our workstation: That's any host within the LAN and any host on the Internet.

The Gost tool supports WS and Socks5 and is used instead of websocat and microsocks.

On the server behind the firewall:

gost -L mws://:40009 &
cloudflared tunnel --url http://localhost:40009 --no-autoupdate

On your workstation:

gost -L :1080 -F 'mwss://<YourUrlFromAbove>.trycloudflare.com:443'

Use some tools via the Socks Tunnel (via Cloudflare/Websocket):

### Access ipinfo.io via this tunnel
curl -x socks5h://0 ipinfo.io

### Create a ProxyChains configuration
echo -e "[ProxyList]\nsocks5 127.0.0.1 1080" >pc.conf
### SSH to 192.168.1.1 via the tunnel
proxychains -f pc.conf -q ssh root@192.168.1.1
### Use NMAP via our tunnel
proxychains -f pc.conf -q nmap -nF -Pn -sT --open scanme.nmap.org

Notes:

  1. Cloudflare's Free Service limits the number of connections. Consider upgrading.

  2. We use mwss and mws to enable TCP multiplexing (channelling) via a single TCP connection in Gost. All TCP connections will go via a single CF tunnel (and a single Websocket-request).

  3. We use wss (with TLS) on the workstation but just ws (without TLS) on the server. This is because Cloudflare is the Edge-Server and the TLS connection stops there. Cloudflare then re-encrypts the data to send it via Cloudflared to our server. A Cloudflare tunnel is never (!) End-2-End encrypted: Use SSH or other encrypted tools if you do not trust CloudFlare (as they can read your data).

All examples from this article were tested on Segfault's Disposable Root Servers.

Thank you to EMX for proofreading.

Like to publish an article? Send us what you got. We will review and help you improve your article and then publish it here.

Join us on Telegram: https://t.me/thcorg

hackingnetworkingcloudflare