Getting Started

Argo Tunnel offers an easy way to expose web servers securely to the internet without opening firewall ports or configuring ACLs. Argo Tunnel also ensures requests route through Cloudflare before reaching the web server, so attack traffic is stopped by Cloudflare’s WAF and Unmetered DDoS mitigation, and requests are authenticated with Access, if you’ve enabled those features for your account.

To use Argo Tunnel, you install and run a daemon on the web server that creates a persistent connection out to Cloudflare. Once the tunnel is configured, people often lock the web server down to external requests and allow only connections from Cloudflare, over that persistent connection, to reach the server.

How much does Argo Tunnel cost?

Argo Tunnel is free with the purchase of Argo Smart Routing. Argo Smart Routing can be purchased in the Cloudflare dashboard and costs $5/month plus 10 cents per GB.

Setup

Requirements

Step 1: Enable Argo

Argo Tunnel uses Argo Smart Routing technology to route traffic over the fastest path within the Cloudflare network between the user and the data centers closest to your origin.

If it’s your first time using Argo, navigate to the Traffic tab of the Cloudflare dashboard, click the ‘Enable’ button, and follow the steps on the screen for setting up usage-based billing.

Enterprise customers who have enabled Argo will need to contact their Cloudflare representative to have Smart Routing enabled for their account as it is necessary for Argo Tunnel to work.

Step 2: Install cloudflared

cloudflared is the software that runs Argo Tunnel.

Follow these instructions to install cloudflared.

Once installed, verify cloudflared has installed properly by checking the version.

$ cloudflared --version
cloudflared version 2018.6.0 (built 2018-06-05-2106 UTC)

Not working? If you installed a .deb or .rpm package (Linux) or used Homebrew (macOS) it should be in your PATH; otherwise, change to the directory where you extracted cloudflared.

Step 3: Log in to your Cloudflare account

The first thing you will need to do is log in to your Cloudflare account from cloudflared.

Run the following command and a login page should open in your browser:

$ cloudflared login
A browser window should have opened at the following URL:

https://www.cloudflare.com/a/warp?callback=https%3A%2F%2Flogin.cloudflarewarp.com%2FA5XXPKA6S5N5YWMTOXRKVWPRPE7BHG3MFRCDZES7UBZU7SWQFF4KA4PWMGL5GXJ

If the browser fails to open automatically, copy and paste the URL into your browser’s address bar and press enter.

Once you log in, you will see a list of domains associated with your account. Locate the domain you wish to connect a tunnel to and click its name in the table row. Once you select the domain, Cloudflare will issue a certificate, which your browser will download automatically. This certificate will be used to authenticate your machine to the Cloudflare edge. Using a certificate is more secure than using your username and password since you can revoke it at any time.

Copy and paste the following command to move the certificate to the .cloudflared directory on your system.

$ mv cert.pem ~/.cloudflared/cert.pem

Step 4: (Optional) Hello Tunnel

Argo Tunnel runs a virtual, encrypted tunnel from a locally running web server to the Cloudflare edge. If you do not have a web server running locally and want to try out Tunnel, you can try out the hello world installation with the built-in web server. Just pass the flag --hello-world and replace [hostname] with a hostname in your Cloudflare account. Because Tunnel automatically creates DNS records for you, you can choose a subdomain that doesn’t yet have anything running or configured.

$ cloudflared --hostname [hostname] --hello-world
INFO[0000] Proxying tunnel requests to https://127.0.0.1:62633
INFO[0000] Starting Hello World server at 127.0.0.1:62633
INFO[0000] Starting metrics server                       addr="127.0.0.1:62634"
INFO[0001] Connected to LAX                             
INFO[0019] Connected to SFO                         
INFO[0020] Connected to LAX                             
INFO[0021] Connected to SFO  

Above, you can see Tunnel establishes four long-lived connections between the two closest data centers, which in this case happened to be SFO and SJC. You know the tunnel is ready when you see the message Connected to ….

Argo Tunnel has just created a connection out from your machine to the Cloudflare edge!

If you go visit the domain name at which you created the tunnel (e.g. tunnel.example.com) you will see the request logs directly in the cloudflared output. We call this Tunnel Vision.

INFO[0615] GET https://127.0.0.1:62627/ HTTP/1.1         CF-RAY=4067701b598e8184-LAX
INFO[0615] 200 OK                                        CF-RAY=4067701b598e8184-LAX

If you’re ready to spin up a real tunnel, read on.

Step 5: Establishing the tunnel

With your credentials saved to disk, you can now start Argo Tunnel. Replace [hostname] with the hostname you want associated with your server; this must be the domain or subdomain of a zone added to your Cloudflare account.

The localhost address should point to a locally running web server.

$ cloudflared --hostname [hostname] http://localhost:8000
INFO[0000] Proxying tunnel requests to https://127.0.0.1:8000
INFO[0000] Starting metrics server                       addr="127.0.0.1:62634"
INFO[0001] Connected to LAX                             
INFO[0020] Connected to LAX                             
INFO[0019] Connected to SFO                         
INFO[0021] Connected to SFO

A successful connection gives you the last line Connected to…

If you get the error ‘Server error: Fail to update CNAME’, it is because a DNS A/AAAA record already exists at that hostname. Either delete the existing A/AAAA records first or create the tunnel on a brand new hostname.
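Two checks worth running once the tunnel is up, written here as an added example (not part of the original guide or of cloudflared): that the certificate from Step 3 is readable only by its owner, and that the origin from Step 5 is not also listening on a non-loopback address, which would let requests reach it without passing through Cloudflare. The function names are hypothetical, port 8000 is taken from the Step 5 command, and the listener table is a constructed sample in the format printed by `ss -ltn` on Linux.

```shell
#!/bin/sh
# Added example: two post-setup checks for a host running cloudflared.

# Succeeds only if FILE exists and grants nothing to group or other,
# i.e. the mode string printed by ls looks like "-rw-------".
cert_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Reads `ss -ltn` output on stdin and prints every local address that is
# listening on PORT and is not loopback (127.0.0.0/8 or [::1]).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # the port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Constructed sample of `ss -ltn` output: the origin server bound to all
# interfaces, the cloudflared metrics server bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    [::]:8000          [::]:*
LISTEN 0      128    127.0.0.1:62634    0.0.0.0:*'

CERT="${HOME}/.cloudflared/cert.pem"
if cert_mode_ok "$CERT"; then
    echo "ok: $CERT is private to its owner"
else
    echo "check: $CERT is missing or readable by group/other (chmod 600)"
fi

# On a live host, replace the sample with: ss -ltn | exposed_listeners 8000
exposed=$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8000)
if [ -n "$exposed" ]; then
    echo "origin port 8000 also listens on:" $exposed
    echo "bind it to 127.0.0.1 so only the tunnel can reach it"
fi
```

An empty result from `exposed_listeners` means the port is reachable only over loopback, which is all cloudflared needs when it proxies to localhost.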

Step 6: Try it out!

Open a web browser and type in your hostname. Access to the tunnel is permitted over both HTTP and HTTPS, though you can easily redirect all HTTP traffic to HTTPS with Cloudflare.

If the connection succeeds, you should see content served from your local web server, or, if you used the built-in Hello World server, a message like this:

[Screenshot: Hello World server output]

Next steps

If you just want to expose your local development environment to share with other people, this is probably all you need to know. For a production environment you probably want to learn more:

Community

If you have any ideas, run into odd behaviors, or want to share what you’re building with Argo Tunnel, the dev team is following the feedback forum here.