Cloudflare/Argo Tunnel: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
 
(42 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Argo Tunnel==
==Argo Tunnel==
{|
{|
| valign="top" |
<syntaxhighlight lang="bash">
sudo su
cd /root/.cloudflared/
cloudflared tunnel login
mv cert.pem ./certs/chorke.com.pem
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
sudo su
cd /root/.cloudflared/
cloudflared tunnel login
mv cert.pem ./certs/chorke.org.pem
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
sudo su
cd /root/.cloudflared/
cloudflared tunnel login
mv cert.pem ./certs/shahed.biz.pem
</syntaxhighlight>
|-
| colspan="3" |
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/chorke.com.pem \
mkdir -p /home/system/
tunnel create aa-chorke-com
SYS_USERS='chorke-com-argo chorke-org-argo shahed-biz-argo'
</syntaxhighlight>
for SYS_USER in \${SYS_USERS};do
  SYS_GROUP="\${SYS_USER}"
  if ! id -g \${SYS_USER} &>/dev/null;then addgroup --quiet --system \${SYS_GROUP};fi
  if ! id -u \${SYS_USER} &>/dev/null;then
    adduser --quiet --system  --ingroup \${SYS_GROUP} --home /home/system/\${SYS_USER} --shell /bin/bash --disabled-password \${SYS_USER}
    chage -m 99999 -M 99999 -E -1 -I -1 \${SYS_USER}


| valign="top" |
    mkdir /home/system/\${SYS_USER}/.ssh
<syntaxhighlight lang="bash">
    touch /home/system/\${SYS_USER}/.ssh/config
cloudflared --origincert=\
    touch /home/system/\${SYS_USER}/.ssh/authorized_keys
/root/.cloudflared/certs/chorke.org.pem \
tunnel create aa-chorke-org
</syntaxhighlight>


| valign="top" |
    chown -R \${SYS_USER}:\${SYS_GROUP} /home/system/\${SYS_USER}/
<syntaxhighlight lang="bash">
    chmod 600 /home/system/\${SYS_USER}/.ssh/authorized_keys
cloudflared --origincert=\
    chmod 600 /home/system/\${SYS_USER}/.ssh/config
/root/.cloudflared/certs/shahed.biz.pem \
    chmod 700 /home/system/\${SYS_USER}/.ssh
tunnel create aa-shahed-biz
  fi
</syntaxhighlight>
done


|-
echo && ls -alh /home/system/*/.ssh/*
| colspan="3" |
echo && cat /etc/passwd|awk -F : '\$3 >= 120 && \$3 < 900 {printf("%-6s » %s\n", \$3, \$1)}'|sort -h
----
echo && cat /etc/group |awk -F : '\$3 >= 120 && \$3 < 900 {printf("%-6s » %s\n", \$3, \$1)}'|sort -h && echo
|-
EXE
| valign="top" |
<syntaxhighlight lang="bash">
mv certs/ccc2684a-*.json \
./auths/chorke.com.json
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
mv certs/621edb67-*.json \
./auths/chorke.org.json
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
mv certs/249a5a7c-*.json \
./auths/shahed.biz.json
</syntaxhighlight>
</syntaxhighlight>


Line 78: Line 36:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/chorke.com.pem \
mkdir -p /var/log/cloudflared/chorke.com
tunnel list --output=json|jq -r '.[].name'
chown  chorke-com-argo:chorke-com-argo \
      -R /var/log/cloudflared/chorke.com
EXE
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/chorke.org.pem \
mkdir -p /var/log/cloudflared/chorke.org
tunnel list --output=json|jq -r '.[].name'
chown  chorke-org-argo:chorke-org-argo \
      -R /var/log/cloudflared/chorke.org
EXE
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/shahed.biz.pem \
mkdir -p /var/log/cloudflared/shahed.biz
tunnel list --output=json|jq -r '.[].name'
chown  shahed-biz-argo:shahed-biz-argo \
      -R /var/log/cloudflared/shahed.biz
EXE
</syntaxhighlight>
</syntaxhighlight>


Line 103: Line 67:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
sudo -i -u chorke-com-argo
/root/.cloudflared/certs/chorke.com.pem \
LOGGER_BASE=/var/log/cloudflared/chorke.com
tunnel route dns aa-chorke-com aa
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
sudo -i -u chorke-org-argo
/root/.cloudflared/certs/chorke.org.pem \
LOGGER_BASE=/var/log/cloudflared/chorke.org
tunnel route dns aa-chorke-org aa
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
sudo -i -u shahed-biz-argo
/root/.cloudflared/certs/shahed.biz.pem \
LOGGER_BASE=/var/log/cloudflared/shahed.biz
tunnel route dns aa-shahed-biz aa
</syntaxhighlight>
</syntaxhighlight>


Line 128: Line 89:
| colspan="3" |
| colspan="3" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
CONFIG_BASE=/etc/cloudflared
CONFIG_BASE=${HOME}/.cloudflared
LOGGER_BASE=/var/log/cloudflared
AUTHNZ_BASE=${HOME}/.cloudflared
AUTHNZ_BASE=/root/.cloudflared/auths
CONFIG_FILE=${CONFIG_BASE}/argo.yml
LOGGER_FILE=${LOGGER_BASE}/argo.log
AUTHNZ_FILE=${AUTHNZ_BASE}/argo.json


cat << EXE | sudo bash
cloudflared tunnel login
mkdir -p ${CONFIG_BASE}/
cd ~/.cloudflared/
mkdir -p ${LOGGER_BASE}/
 
mkdir -p /root/.cloudflared/{cert,auth}s/
cloudflared tunnel create shahed-aa-${USER}
EXE
cloudflared tunnel list --output=json|jq -r '.[].name'
ln -s ${CONFIG_BASE}/3d1105e6-e8f4-403e-9b2d-3367947e0a9e.json ${AUTHNZ_FILE}
cloudflared tunnel route dns shahed-aa-${USER} aa
</syntaxhighlight>
</syntaxhighlight>


Line 145: Line 110:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml">
LOGGER_FILE=${LOGGER_BASE}/chorke.com.log
cat << YML | tee ${CONFIG_FILE} >/dev/null
AUTHNZ_FILE=${AUTHNZ_BASE}/chorke.com.json
CONFIG_FILE=${CONFIG_BASE}/chorke.com-config.yml
 
cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
---
---
tunnel: aa-chorke-com
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}
credentials-file: ${AUTHNZ_FILE}


ingress:
ingress:
   - service: http://localhost
   - service: http://localhost
    hostname: aa.chorke.com
    path: /*
  - service: ssh://localhost:22
    hostname: aa.chorke.com
  - service: tcp://localhost:3306
    hostname: aa.chorke.com
  - service: tcp://localhost:5432
     hostname: aa.chorke.com
     hostname: aa.chorke.com
   - service: http_status:404
   - service: http_status:404


warp-routing:
warp-routing:
   enabled: true
   enabled: false
 
# icmpv4-src: 10.19.83.68


private_network:
private_network:
Line 189: Line 145:


| valign="top" |
| valign="top" |
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml" line>
LOGGER_FILE=${LOGGER_BASE}/chorke.org.log
cat << YML | tee ${CONFIG_FILE} >/dev/null
AUTHNZ_FILE=${AUTHNZ_BASE}/chorke.org.json
CONFIG_FILE=${CONFIG_BASE}/chorke.org-config.yml
 
cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
---
---
tunnel: aa-chorke-org
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}
credentials-file: ${AUTHNZ_FILE}


ingress:
ingress:
   - service: http://localhost
   - service: http://localhost
    hostname: aa.chorke.org
    path: /*
  - service: ssh://localhost:22
    hostname: aa.chorke.org
  - service: tcp://localhost:3306
    hostname: aa.chorke.org
  - service: tcp://localhost:5432
     hostname: aa.chorke.org
     hostname: aa.chorke.org
   - service: http_status:404
   - service: http_status:404


warp-routing:
warp-routing:
   enabled: true
   enabled: false
 
# icmpv4-src: 10.19.83.68


private_network:
private_network:
Line 235: Line 182:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml">
LOGGER_FILE=${LOGGER_BASE}/shahed-biz.log
cat << YML | tee ${CONFIG_FILE} >/dev/null
AUTHNZ_FILE=${AUTHNZ_BASE}/shahed.biz.json
CONFIG_FILE=${CONFIG_BASE}/shahed.biz-config.yml
 
cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
---
---
tunnel: aa-shahed-biz
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}
credentials-file: ${AUTHNZ_FILE}


ingress:
ingress:
   - service: http://localhost
   - service: http://localhost
    hostname: aa.shahed.biz
    path: /*
  - service: ssh://localhost:22
    hostname: aa.shahed.biz
  - service: tcp://localhost:3306
    hostname: aa.shahed.biz
  - service: tcp://localhost:5432
     hostname: aa.shahed.biz
     hostname: aa.shahed.biz
   - service: http_status:404
   - service: http_status:404
Line 258: Line 194:
warp-routing:
warp-routing:
   enabled: true
   enabled: true
# icmpv4-src: 10.19.83.68


private_network:
private_network:
Line 282: Line 220:
----
----
|-
|-
| valign="top" |
| colspan="3" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo cloudflared tunnel \
cat <<'ENV'|tee -a ${HOME}/.bashrc >/dev/null
--config /etc/cloudflared/chorke.com-config.yml \
# cloudflare tunnel config
run aa-chorke-com
export CLOUDFLARED_CONFIG=${HOME}/.cloudflared/argo.yml
</syntaxhighlight>
ENV


| valign="top" |
cat <<'ENV'|tee -a ${HOME}/.profile >/dev/null
<syntaxhighlight lang="bash">
if [ -f ${HOME}/.bashrc ]; then
sudo cloudflared tunnel \
    . ${HOME}/.bashrc
--config /etc/cloudflared/chorke.org-config.yml \
fi
run aa-chorke-org
ENV
</syntaxhighlight>


| valign="top" |
source ~/.profile
<syntaxhighlight lang="bash">
  cat ~/.cloudflared/argo.yml
sudo cloudflared tunnel \
cloudflared tunnel run shahed-aa-${USER}
--config /etc/cloudflared/shahed.biz-config.yml \
exit
run aa-shahed-biz
</syntaxhighlight>
</syntaxhighlight>


Line 319: Line 255:


[Service]
[Service]
Group=chorke-com-argo
User=chorke-com-argo
TimeoutStartSec=0
TimeoutStartSec=0
Type=notify
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /etc/cloudflared/chorke.com-config.yml \
--config /home/system/chorke-com-argo/\
tunnel run
.cloudflared/argo.yml tunnel run
Restart=on-failure
Restart=on-failure
RestartSec=5s
RestartSec=5s
Line 333: Line 271:


| valign="top" |
| valign="top" |
<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini" line>
SYSTEM_FILE=cloudflared@chorke.org.service
SYSTEM_FILE=cloudflared@chorke.org.service
SYSTEM_PATH=/etc/systemd/system/${SYSTEM_FILE}
SYSTEM_PATH=/etc/systemd/system/${SYSTEM_FILE}
Line 344: Line 282:


[Service]
[Service]
Group=chorke-org-argo
User=chorke-org-argo
TimeoutStartSec=0
TimeoutStartSec=0
Type=notify
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /etc/cloudflared/chorke.org-config.yml \
--config /home/system/chorke-org-argo/\
tunnel run
.cloudflared/argo.yml tunnel run
Restart=on-failure
Restart=on-failure
RestartSec=5s
RestartSec=5s
Line 369: Line 309:


[Service]
[Service]
Group=shahed-biz-argo
User=shahed-biz-argo
TimeoutStartSec=0
TimeoutStartSec=0
Type=notify
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /etc/cloudflared/shahed.biz-config.yml \
--config /home/system/shahed-biz-argo/\
tunnel run
.cloudflared/argo.yml tunnel run
Restart=on-failure
Restart=on-failure
RestartSec=5s
RestartSec=5s
Line 423: Line 365:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
tail -n100 \
tail -n100 \
-f /var/log/cloudflared/chorke.com.log
-f /var/log/cloudflared/chorke.com/argo.log
journalctl -xeu cloudflared@chorke.com.service
journalctl -xeu cloudflared@chorke.com.service
</syntaxhighlight>
</syntaxhighlight>
Line 430: Line 372:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
tail -n100 \
tail -n100 \
-f /var/log/cloudflared/chorke.org.log
-f /var/log/cloudflared/chorke.org/argo.log
journalctl -xeu cloudflared@chorke.org.service
journalctl -xeu cloudflared@chorke.org.service
</syntaxhighlight>
</syntaxhighlight>
Line 437: Line 379:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
tail -n100 \
tail -n100 \
-f /var/log/cloudflared/shahed-biz.log
-f /var/log/cloudflared/shahed.biz/argo.log
journalctl -xeu cloudflared@shahed.biz.service
journalctl -xeu cloudflared@shahed.biz.service
</syntaxhighlight>
</syntaxhighlight>
|}
==WARP Routing==
{|
| colspan="3" |
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👆]]


|-
|-
Line 454: Line 389:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/chorke.com.pem \
systemctl daemon-reload
tunnel create ab-chorke-com
systemctl disable cloudflared@chorke.com.service
systemctl stop    cloudflared@chorke.com.service
systemctl status  cloudflared@chorke.com.service
EXE
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/chorke.org.pem \
systemctl daemon-reload
tunnel create ab-chorke-org
systemctl disable cloudflared@chorke.org.service
systemctl stop    cloudflared@chorke.org.service
systemctl status  cloudflared@chorke.org.service
EXE
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cloudflared --origincert=\
cat << EXE | sudo bash
/root/.cloudflared/certs/shahed.biz.pem \
systemctl daemon-reload
tunnel create ab-shahed-biz
systemctl disable cloudflared@shahed.biz.service
systemctl stop    cloudflared@shahed.biz.service
systemctl status  cloudflared@shahed.biz.service
EXE
</syntaxhighlight>
</syntaxhighlight>


|-
|}
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
mv certs/56f034e2-*.json \
./auths/chorke.com.json
</syntaxhighlight>


| valign="top" |
==WARP Routing==
<syntaxhighlight lang="bash">
{|
mv certs/472fe18e-*.json \
./auths/chorke.org.json
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
mv certs/030320f3-*.json \
./auths/shahed.biz.json
</syntaxhighlight>
 
|-
| colspan="3" |
| colspan="3" |
----
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👆]]
|-
| valign="top" |
<syntaxhighlight lang="bash">
cloudflared --origincert=\
/root/.cloudflared/certs/chorke.com.pem \
tunnel list --output=json|jq -r '.[].name'
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
cloudflared --origincert=\
/root/.cloudflared/certs/chorke.org.pem \
tunnel list --output=json|jq -r '.[].name'
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
cloudflared --origincert=\
/root/.cloudflared/certs/shahed.biz.pem \
tunnel list --output=json|jq -r '.[].name'
</syntaxhighlight>


|-
|-
Line 526: Line 430:
| colspan="3" |
| colspan="3" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
CONFIG_BASE=/etc/cloudflared
cloudflared tunnel create shahed-aa-${USER}
LOGGER_BASE=/var/log/cloudflared
cloudflared tunnel list --output=json|jq -r '.[].name'
AUTHNZ_BASE=/root/.cloudflared/auths
ln -s ${CONFIG_BASE}/56f034e2-7fc7-4423-8db3-1e9db8a24ca3.json ${AUTHNZ_FILE}
 
cat << EXE | sudo bash
mkdir -p ${CONFIG_BASE}/
mkdir -p ${LOGGER_BASE}/
mkdir -p /root/.cloudflared/{cert,auth}s/
EXE
</syntaxhighlight>
</syntaxhighlight>


Line 541: Line 439:
----
----
|-
|-
| valign="top" |
| colspan="3" |
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml">
LOGGER_FILE=${LOGGER_BASE}/chorke.com.log
cat << YML | tee ${CONFIG_FILE} >/dev/null
AUTHNZ_FILE=${AUTHNZ_BASE}/chorke.com.json
CONFIG_FILE=${CONFIG_BASE}/chorke.com-config.yml
 
cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
---
---
tunnel: ab-chorke-com
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}
credentials-file: ${AUTHNZ_FILE}


Line 566: Line 460:
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
|-
<syntaxhighlight lang="yaml">
| colspan="3" |
LOGGER_FILE=${LOGGER_BASE}/chorke.org.log
----
AUTHNZ_FILE=${AUTHNZ_BASE}/chorke.org.json
|-
CONFIG_FILE=${CONFIG_BASE}/chorke.org-config.yml
| colspan="3" |
<syntaxhighlight lang="bash">
cat <<'ENV'|tee -a ${HOME}/.bashrc >/dev/null
# cloudflare tunnel config
export CLOUDFLARED_CONFIG=${HOME}/.cloudflared/argo.yml
ENV


cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
cat <<'ENV'|tee -a ${HOME}/.profile >/dev/null
---
if [ -f ${HOME}/.bashrc ]; then
tunnel: ab-chorke-org
    . ${HOME}/.bashrc
credentials-file: ${AUTHNZ_FILE}
fi
ENV


warp-routing:
source ~/.profile
  enabled: true
  cat ~/.cloudflared/argo.yml
cloudflared tunnel run shahed-aa-${USER}
exit
</syntaxhighlight>


loglevel: info
|-
logfile: ${LOGGER_FILE}
| colspan="3" |
----
|-
| colspan="3" |
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👆]]


heartbeat:
|}
  interval: 10s
  max_retries: 3


restart: true
==VIRT Routing==
YML
{|
</syntaxhighlight>
| colspan="3" |
[[Cloudflare/Argo_Tunnel#Argo Tunnel|Skipped » Find More » 👆]]


| valign="top" |
|-
<syntaxhighlight lang="yaml">
| colspan="3" |
LOGGER_FILE=${LOGGER_BASE}/shahed-biz.log
----
AUTHNZ_FILE=${AUTHNZ_BASE}/shahed.biz.json
|-
CONFIG_FILE=${CONFIG_BASE}/shahed.biz-config.yml
| colspan="3" |
<syntaxhighlight lang="ini">
cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target


cat << YML | sudo tee ${CONFIG_FILE} >/dev/null
[Service]
---
Type=oneshot
tunnel: ab-shahed-biz
ExecStart=/usr/sbin/ip link add warp0 type dummy
credentials-file: ${AUTHNZ_FILE}
ExecStartPost=/usr/sbin/ip addr add 10.20.40.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes


warp-routing:
[Install]
  enabled: true
WantedBy=multi-user.target


loglevel: info
INI
logfile: ${LOGGER_FILE}
</syntaxhighlight>


heartbeat:
|-
   interval: 10s
| colspan="3" |
  max_retries: 3
----
|-
| colspan="3" |
<syntaxhighlight lang="bash">
cat << EXE | sudo bash
systemctl enable  warp0.service
systemctl start   warp0.service
systemctl status  warp0.service
EXE


restart: true
sudo systemctl enable  --now warp0.service
YML
sudo systemctl disable --now warp0.service
</syntaxhighlight>
</syntaxhighlight>


|-
| colspan="3" |
----
|-
| valign="top" |
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
cloudflared tunnel route \
ip add 10.20.40.1/32 shahed-aa-shahed-biz-argo
</syntaxhighlight>
|-
|-
| colspan="3" |
| colspan="3" |
Line 622: Line 557:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo cloudflared tunnel \
# ping interval
--config /etc/cloudflared/chorke.com-config.yml \
ping 10.20.40.1 -i 10
run ab-chorke-com
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo cloudflared tunnel \
# ping interval & times
--config /etc/cloudflared/chorke.org-config.yml \
ping 10.20.40.1 -i 10 -c 6
run ab-chorke-org
</syntaxhighlight>
</syntaxhighlight>


| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo cloudflared tunnel \
# ssh through warp routing
--config /etc/cloudflared/shahed.biz-config.yml \
ssh -qt chorke@10.20.40.1 bash
run ab-shahed-biz
</syntaxhighlight>
</syntaxhighlight>


Line 696: Line 628:
/etc/cloudflared/config.yml
/etc/cloudflared/config.yml
ls -lah /etc/cloudflared/
ls -lah /etc/cloudflared/
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
cloudflared access \
ssh-config --hostname aa.chorke.com
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
ssh-keygen -t ed25519 -C "argo@chorke.org" \
-f ~/.ssh/argo.chorke.org_ed25519
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
echo 'id  -g'|sudo -i -u ${USER} bash
echo 'id -ng'|sudo -i -u ${USER} bash
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
cat /proc/sys/net/ipv4/ping_group_range
sysctl net.ipv4.ping_group_range
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
echo '0 10000'|\
sudo tee /proc/sys/net/ipv4/ping_group_range
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
cat /etc/sysctl.conf
sudo sysctl -p
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
warp-cli disconnect
warp-cli connect
warp-cli status
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
telnet 10.19.83.68 5432
telnet 10.19.83.68 3306
telnet 10.19.83.68 22
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
nmap 10.19.83.68 --reason -Pn -p22,3306,5432
nmap 10.19.83.68 --reason -Pn --top 20
tail -n100 -f /var/log/kern.log
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
hostname
hostnamectl
nmcli general hostname
sudo hostnamectl set-hostname chorke-aa
sudo systemctl restart systemd-hostnamed
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
# shahed-ab » avoid conflict own ip
sudo warp-cli add-exclude 10.20.40.2
# hetzner-aa » avoid conflict own ip
sudo warp-cli add-exclude 10.20.41.1
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
</syntaxhighlight>


Line 711: Line 739:
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/smb/ Cloudflare » Zero Trust » SMB]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/smb/ Cloudflare » Zero Trust » SMB]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ Cloudflare » Zero Trust » SSH]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ Cloudflare » Zero Trust » SSH]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/ Cloudflare » Tunnel]
* [https://www.cloudflare.com/learning/access-management/what-is-ssh/ Cloudflare » SSH]
|valign="top"|
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/ Cloudflare » Zero Trust » Connect private networks]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/ Cloudflare » Zero Trust » SSH » Access for Infra]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/ Cloudflare » Zero Trust » Devices » Agentless]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/ Cloudflare » Zero Trust » Devices » WARP]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/ Cloudflare » Zero Trust » SSH » Connect]
|valign="top"|
|-
|colspan="3"|
----
|-
|valign="top"|
* [https://dash.cloudflare.com/profile/api-tokens Cloudflare » Profile » API Tokens]
* [[Cloudflare/WARP Connector|Cloudflare » WARP Connector]]
* [[Cloudflare/WARP Connector|Cloudflare » WARP Connector]]
* [https://chorke.cloudflareaccess.com Cloudflare » Access » Chorke]
* [[Cloudflare/WARP Host|Cloudflare » WARP Host]]
* [[Cloudflare]]
* [[Cloudflare]]


|valign="top"|
|valign="top"|
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/ Cloudflare » Zero Trust » Devices » Agentless]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/ Cloudflare » Zero Trust » Devices » WARP]
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/ Cloudflare » Tunnel]
* [https://www.cloudflare.com/learning/access-management/what-is-ssh/ Cloudflare » SSH]


|valign="top"|
|valign="top"|
Line 752: Line 796:
|valign="top"|
|valign="top"|
* [https://serverfault.com/questions/901364/ CIDR » Restrict access to single IP]
* [https://serverfault.com/questions/901364/ CIDR » Restrict access to single IP]
* [[SSH/Public Key Authentication|SSH » Public Key Authentication]]
* [[SSH Port Forwarding|SSH » Port Forwarding]]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=32&cip=10.20.40.1&ctype=ipv4&x=Calculate CIDR » 10.20.40.1/32]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=32&cip=10.20.40.1&ctype=ipv4&x=Calculate CIDR » 10.20.40.1/32]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.20.40.1&ctype=ipv4&x=Calculate CIDR » 10.20.40.1/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.20.40.1&ctype=ipv4&x=Calculate CIDR » 10.20.40.1/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=32&cip=10.19.83.1&ctype=ipv4&x=Calculate CIDR » 10.19.83.1/32]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=32&cip=10.19.83.1&ctype=ipv4&x=Calculate CIDR » 10.19.83.1/32]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.19.83.1&ctype=ipv4&x=Calculate CIDR » 10.19.83.1/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.19.83.1&ctype=ipv4&x=Calculate CIDR » 10.19.83.1/24]
* [[Linux User Creation]]


|}
|}

Latest revision as of 03:22, 24 February 2025

Argo Tunnel

cat << EXE | sudo bash
mkdir -p /home/system/
SYS_USERS='chorke-com-argo chorke-org-argo shahed-biz-argo'
for SYS_USER in \${SYS_USERS};do
  SYS_GROUP="\${SYS_USER}"
  if ! id -g \${SYS_USER} &>/dev/null;then addgroup --quiet --system \${SYS_GROUP};fi
  if ! id -u \${SYS_USER} &>/dev/null;then
    adduser --quiet --system  --ingroup \${SYS_GROUP} --home /home/system/\${SYS_USER} --shell /bin/bash --disabled-password \${SYS_USER}
    chage -m 99999 -M 99999 -E -1 -I -1 \${SYS_USER}

    mkdir /home/system/\${SYS_USER}/.ssh
    touch /home/system/\${SYS_USER}/.ssh/config
    touch /home/system/\${SYS_USER}/.ssh/authorized_keys

    chown -R \${SYS_USER}:\${SYS_GROUP} /home/system/\${SYS_USER}/
    chmod 600 /home/system/\${SYS_USER}/.ssh/authorized_keys
    chmod 600 /home/system/\${SYS_USER}/.ssh/config
    chmod 700 /home/system/\${SYS_USER}/.ssh
  fi
done

echo && ls -alh /home/system/*/.ssh/*
echo && cat /etc/passwd|awk -F : '\$3 >= 120 && \$3 < 900 {printf("%-6s » %s\n", \$3, \$1)}'|sort -h
echo && cat /etc/group |awk -F : '\$3 >= 120 && \$3 < 900 {printf("%-6s » %s\n", \$3, \$1)}'|sort -h && echo
EXE

cat << EXE | sudo bash
mkdir -p /var/log/cloudflared/chorke.com
chown  chorke-com-argo:chorke-com-argo \
      -R /var/log/cloudflared/chorke.com
EXE

cat << EXE | sudo bash
mkdir -p /var/log/cloudflared/chorke.org
chown  chorke-org-argo:chorke-org-argo \
      -R /var/log/cloudflared/chorke.org
EXE

cat << EXE | sudo bash
mkdir -p /var/log/cloudflared/shahed.biz
chown  shahed-biz-argo:shahed-biz-argo \
      -R /var/log/cloudflared/shahed.biz
EXE

sudo -i -u chorke-com-argo
LOGGER_BASE=/var/log/cloudflared/chorke.com

sudo -i -u chorke-org-argo
LOGGER_BASE=/var/log/cloudflared/chorke.org

sudo -i -u shahed-biz-argo
LOGGER_BASE=/var/log/cloudflared/shahed.biz

CONFIG_BASE=${HOME}/.cloudflared
AUTHNZ_BASE=${HOME}/.cloudflared
CONFIG_FILE=${CONFIG_BASE}/argo.yml
LOGGER_FILE=${LOGGER_BASE}/argo.log
AUTHNZ_FILE=${AUTHNZ_BASE}/argo.json

cloudflared tunnel login
cd ~/.cloudflared/

cloudflared tunnel create shahed-aa-${USER}
cloudflared tunnel list --output=json|jq -r '.[].name'
ln -s ${CONFIG_BASE}/3d1105e6-e8f4-403e-9b2d-3367947e0a9e.json ${AUTHNZ_FILE}
cloudflared tunnel route dns shahed-aa-${USER} aa

cat << YML | tee ${CONFIG_FILE} >/dev/null
---
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}

ingress:
  - service: http://localhost
    hostname: aa.chorke.com
  - service: http_status:404

warp-routing:
  enabled: false

# icmpv4-src: 10.19.83.68

private_network:
  - 10.19.83.0/24

dns:
  - 1.1.1.1
  - 8.8.8.8
  - 10.19.83.100

loglevel: info
logfile: ${LOGGER_FILE}

heartbeat:
  interval: 10s
  max_retries: 3

restart: true
YML

cat << YML | tee ${CONFIG_FILE} >/dev/null
---
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}

ingress:
  - service: http://localhost
    hostname: aa.chorke.org
  - service: http_status:404

warp-routing:
  enabled: false

# icmpv4-src: 10.19.83.68

private_network:
  - 10.19.83.0/24

dns:
  - 1.1.1.1
  - 8.8.8.8
  - 10.19.83.100

loglevel: info
logfile: ${LOGGER_FILE}

heartbeat:
  interval: 10s
  max_retries: 3

restart: true
YML

cat << YML | tee ${CONFIG_FILE} >/dev/null
---
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}

ingress:
  - service: http://localhost
    hostname: aa.shahed.biz
  - service: http_status:404

warp-routing:
  enabled: true

# icmpv4-src: 10.19.83.68

private_network:
  - 10.19.83.0/24

dns:
  - 1.1.1.1
  - 8.8.8.8
  - 10.19.83.100

loglevel: info
logfile: ${LOGGER_FILE}

heartbeat:
  interval: 10s
  max_retries: 3

restart: true
YML

cat <<'ENV'|tee -a ${HOME}/.bashrc >/dev/null
# cloudflare tunnel config
export CLOUDFLARED_CONFIG=${HOME}/.cloudflared/argo.yml
ENV

cat <<'ENV'|tee -a ${HOME}/.profile >/dev/null
if [ -f ${HOME}/.bashrc ]; then
    . ${HOME}/.bashrc
fi
ENV

source ~/.profile
   cat ~/.cloudflared/argo.yml
cloudflared tunnel run shahed-aa-${USER}
exit

SYSTEM_FILE=cloudflared@chorke.com.service
SYSTEM_PATH=/etc/systemd/system/${SYSTEM_FILE}

cat << INI | sudo tee ${SYSTEM_PATH} >/dev/null
[Unit]
Description=cloudflared
After=network-online.target
Wants=network-online.target

[Service]
Group=chorke-com-argo
User=chorke-com-argo
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /home/system/chorke-com-argo/\
.cloudflared/argo.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
INI

SYSTEM_FILE=cloudflared@chorke.org.service
SYSTEM_PATH=/etc/systemd/system/${SYSTEM_FILE}

cat << INI | sudo tee ${SYSTEM_PATH} >/dev/null
[Unit]
Description=cloudflared
After=network-online.target
Wants=network-online.target

[Service]
Group=chorke-org-argo
User=chorke-org-argo
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /home/system/chorke-org-argo/\
.cloudflared/argo.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
INI

SYSTEM_FILE=cloudflared@shahed.biz.service
SYSTEM_PATH=/etc/systemd/system/${SYSTEM_FILE}

cat << INI | sudo tee ${SYSTEM_PATH} >/dev/null
[Unit]
Description=cloudflared
After=network-online.target
Wants=network-online.target

[Service]
Group=shahed-biz-argo
User=shahed-biz-argo
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate \
--config /home/system/shahed-biz-argo/\
.cloudflared/argo.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
INI

cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable cloudflared@chorke.com.service
systemctl start  cloudflared@chorke.com.service
systemctl status cloudflared@chorke.com.service
EXE

cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable cloudflared@chorke.org.service
systemctl start  cloudflared@chorke.org.service
systemctl status cloudflared@chorke.org.service
EXE

cat << EXE | sudo bash
systemctl daemon-reload
systemctl enable cloudflared@shahed.biz.service
systemctl start  cloudflared@shahed.biz.service
systemctl status cloudflared@shahed.biz.service
EXE

tail -n100 \
-f /var/log/cloudflared/chorke.com/argo.log
journalctl -xeu cloudflared@chorke.com.service

tail -n100 \
-f /var/log/cloudflared/chorke.org/argo.log
journalctl -xeu cloudflared@chorke.org.service

tail -n100 \
-f /var/log/cloudflared/shahed.biz/argo.log
journalctl -xeu cloudflared@shahed.biz.service

cat << EXE | sudo bash
systemctl daemon-reload
systemctl disable cloudflared@chorke.com.service
systemctl stop    cloudflared@chorke.com.service
systemctl status  cloudflared@chorke.com.service
EXE

cat << EXE | sudo bash
systemctl daemon-reload
systemctl disable cloudflared@chorke.org.service
systemctl stop    cloudflared@chorke.org.service
systemctl status  cloudflared@chorke.org.service
EXE

cat << EXE | sudo bash
systemctl daemon-reload
systemctl disable cloudflared@shahed.biz.service
systemctl stop    cloudflared@shahed.biz.service
systemctl status  cloudflared@shahed.biz.service
EXE

WARP Routing

Skipped » Find More » 👆 

cloudflared tunnel create shahed-aa-${USER}
cloudflared tunnel list --output=json|jq -r '.[].name'
ln -s ${CONFIG_BASE}/56f034e2-7fc7-4423-8db3-1e9db8a24ca3.json ${AUTHNZ_FILE}

cat << YML | tee ${CONFIG_FILE} >/dev/null
---
tunnel: shahed-aa-${USER}
credentials-file: ${AUTHNZ_FILE}

warp-routing:
  enabled: true

loglevel: info
logfile: ${LOGGER_FILE}

heartbeat:
  interval: 10s
  max_retries: 3

restart: true
YML

cat <<'ENV'|tee -a ${HOME}/.bashrc >/dev/null
# cloudflare tunnel config
export CLOUDFLARED_CONFIG=${HOME}/.cloudflared/argo.yml
ENV

cat <<'ENV'|tee -a ${HOME}/.profile >/dev/null
if [ -f ${HOME}/.bashrc ]; then
    . ${HOME}/.bashrc
fi
ENV

source ~/.profile
   cat ~/.cloudflared/argo.yml
cloudflared tunnel run shahed-aa-${USER}
exit

Skipped » Find More » 👆

VIRT Routing

Skipped » Find More » 👆 

cat << INI | sudo tee /etc/systemd/system/warp0.service >/dev/null
[Unit]
Description=Cloudflared WARP Routing Virtual Interface
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link add warp0 type dummy
ExecStartPost=/usr/sbin/ip addr add 10.20.40.1/32 dev warp0
ExecStartPost=/usr/sbin/ip link set warp0 up
ExecStop=/usr/sbin/ip link delete warp0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

INI

cat << EXE | sudo bash
systemctl enable  warp0.service
systemctl start   warp0.service
systemctl status  warp0.service
EXE

sudo systemctl enable  --now warp0.service
sudo systemctl disable --now warp0.service

cloudflared tunnel route \
ip add 10.20.40.1/32 shahed-aa-shahed-biz-argo

# ping interval
ping 10.20.40.1 -i 10

# ping interval & times
ping 10.20.40.1 -i 10 -c 6

# ssh through warp routing
ssh -qt chorke@10.20.40.1 bash

Skipped » Find More » 👆

Playground

cat /usr/local/etc/cloudflared/config.yml
ls -lah ~/.cloudflare-warp
ls -lah  ~/cloudflare-warp

sudo cloudflared service uninstall
systemctl  status cloudflared
journalctl -xeu   cloudflared

tail -n100 -f /var/log/cloudflared.log 
sudo systemctl daemon-reload
ps aux|grep cloudflared

ls -alh /etc/systemd/system|grep cloudflared
ls -alh /etc/systemd/system|grep minikube
ls -alh /etc/systemd/system|grep minio

ls -lah /usr/local/etc/cloudflared/
          ls -lah /etc/cloudflared/
            ls -lah ~/.cloudflared/

sudo ln -s /etc/cloudflared/chorke.com-config.yml \
/etc/cloudflared/config.yml
ls -lah /etc/cloudflared/

cloudflared access \
ssh-config --hostname aa.chorke.com

ssh-keygen -t ed25519 -C "argo@chorke.org" \
-f ~/.ssh/argo.chorke.org_ed25519

echo 'id  -g'|sudo -i -u ${USER} bash
echo 'id -ng'|sudo -i -u ${USER} bash

cat /proc/sys/net/ipv4/ping_group_range
sysctl net.ipv4.ping_group_range

echo '0 10000'|\
sudo tee /proc/sys/net/ipv4/ping_group_range

cat /etc/sysctl.conf
sudo sysctl -p

warp-cli disconnect
warp-cli connect
warp-cli status

telnet 10.19.83.68 5432
telnet 10.19.83.68 3306
telnet 10.19.83.68 22

nmap 10.19.83.68 --reason -Pn -p22,3306,5432
nmap 10.19.83.68 --reason -Pn --top 20
tail -n100 -f /var/log/kern.log

hostname
hostnamectl
nmcli general hostname
sudo hostnamectl set-hostname chorke-aa
sudo systemctl restart systemd-hostnamed

# shahed-ab » avoid conflict own ip
sudo warp-cli add-exclude 10.20.40.2

# hetzner-aa » avoid conflict own ip
sudo warp-cli add-exclude 10.20.41.1

References

Retrieved from "https://wiki.chorke.org/index.php?title=Cloudflare/Argo_Tunnel&oldid=14128"