date 2022-03-25
Ports and IPs
Users can implement a positive security model with Cloudflare Tunnel by restricting traffic originating from
cloudflared. The parameters below can be configured for egress traffic inside of a firewall.
- TCP/UDP port 7844 (for h2mux/http2 and quic)
  - IPs are those behind region1.argotunnel.com and region2.argotunnel.com*
- TCP port 443 (HTTPS)
  - IPs are those behind api.cloudflare.com and update.cloudflare.com*
Below is the output of dig commands for the above hostnames:
$ dig region1.argotunnel.com
...
;; ANSWER SECTION:
region1.argotunnel.com. 86400 IN A 198.41.192.7
region1.argotunnel.com. 86400 IN A 198.41.192.47
region1.argotunnel.com. 86400 IN A 198.41.192.107
region1.argotunnel.com. 86400 IN A 198.41.192.167
region1.argotunnel.com. 86400 IN A 198.41.192.227
...

$ dig region2.argotunnel.com
...
;; ANSWER SECTION:
region2.argotunnel.com. 300 IN A 198.41.200.193
region2.argotunnel.com. 300 IN A 198.41.200.233
region2.argotunnel.com. 300 IN A 198.41.200.13
region2.argotunnel.com. 300 IN A 198.41.200.53
region2.argotunnel.com. 300 IN A 198.41.200.113
...

$ dig api.cloudflare.com
...
;; ANSWER SECTION:
api.cloudflare.com. 41 IN A 104.19.193.29
api.cloudflare.com. 41 IN A 104.19.192.29
...
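
The Python below turns dig answer lines into nftables egress allow rules for the ports listed above; it is an added example, not code from this page or from Cloudflare. The table and chain names (inet filter, output) are assumptions. Because the dig output shown here is truncated and has no records for update.cloudflare.com, generate real rules from complete output.

```python
import ipaddress
from collections import defaultdict

# Hostname -> (protocol, port) pairs, from the list on this page.
EGRESS_POLICY = {
    "region1.argotunnel.com": [("tcp", 7844), ("udp", 7844)],
    "region2.argotunnel.com": [("tcp", 7844), ("udp", 7844)],
    "api.cloudflare.com": [("tcp", 443)],
    "update.cloudflare.com": [("tcp", 443)],
}

# Records copied from the dig output on this page, which elides the rest with "...".
SAMPLE_DIG = """\
;; ANSWER SECTION:
region1.argotunnel.com. 86400 IN A 198.41.192.7
region1.argotunnel.com. 86400 IN A 198.41.192.47
region1.argotunnel.com. 86400 IN A 198.41.192.107
region1.argotunnel.com. 86400 IN A 198.41.192.167
region1.argotunnel.com. 86400 IN A 198.41.192.227
region2.argotunnel.com. 300 IN A 198.41.200.193
region2.argotunnel.com. 300 IN A 198.41.200.233
region2.argotunnel.com. 300 IN A 198.41.200.13
region2.argotunnel.com. 300 IN A 198.41.200.53
region2.argotunnel.com. 300 IN A 198.41.200.113
api.cloudflare.com. 41 IN A 104.19.193.29
api.cloudflare.com. 41 IN A 104.19.192.29
"""

def parse_a_records(dig_text):
    """Return {hostname: set of IPv4Address} from dig answer lines."""
    records = defaultdict(set)
    for line in dig_text.splitlines():
        f = line.split()  # name, TTL, class, type, rdata
        if len(f) == 5 and f[2] == "IN" and f[3] == "A":
            try:
                addr = ipaddress.IPv4Address(f[4])
            except ValueError:
                continue  # malformed address: never allow-list it
            records[f[0].rstrip(".").lower()].add(addr)
    return dict(records)

def build_rules(records):
    """Return nft commands (assumed table inet filter, chain output), one per port."""
    allowed = defaultdict(set)  # (proto, port) -> destination addresses
    for host, addrs in records.items():
        for key in EGRESS_POLICY.get(host, []):  # hosts outside the policy are ignored
            allowed[key] |= addrs
    fmt = "add rule inet filter output ip daddr {{ {} }} {} dport {} accept"
    return [fmt.format(", ".join(map(str, sorted(a))), proto, port)
            for (proto, port), a in sorted(allowed.items())]
```

The rules only take effect as an allow-list when the chain's default policy drops everything else, and they need regenerating if the addresses behind these hostnames change.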
On Windows, you can use PowerShell commands if dig is not available.
To test DNS:
PS C:\Windows\system32> Resolve-DnsName -Name _origintunneld._tcp.argotunnel.com SRV
Name Type TTL Section NameTarget Priority Weight Port
---- ---- --- ------- ---------- -------- ------ ----
_origintunneld._tcp.argotunnel.com SRV 112 Answer region2.argotunnel.com 2 1 7844
_origintunneld._tcp.argotunnel.com SRV 112 Answer region1.argotunnel.com 1 1 7844
To test ports:
PS C:\Cloudflared\bin> tnc region1.argotunnel.com -port 443
ComputerName : region1.argotunnel.com
RemoteAddress : 198.41.192.227
RemotePort : 443
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True
PS C:\Cloudflared\bin> tnc region1.argotunnel.com -port 7844
ComputerName : region1.argotunnel.com
RemoteAddress : 198.41.192.227
RemotePort : 7844
InterfaceAlias : Ethernet
SourceAddress : 10.0.2.15
TcpTestSucceeded : True
* These IP addresses are unlikely to change but in the event that they do, Cloudflare will update the information here.