cloudflare/cloudflared

💡 How to make cloudflared tunnel use a proxy server (socks5 or http/s) when connecting to edge nodes ???

Tmalll opened this issue · 4 comments

Describe the feature you'd like
I am a Chinese user. In mainland China, the network situation is very bad when directly connected to the edge node of cloudflared, so a proxy server is needed to use it; usually these are socks5 or http/s.

Describe alternatives you've considered
Haven't found a better solution yet

Additional context
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/ports-and-ips/

I checked the above documents and found that cfd needs to connect to the following 4 domain names. Is there a way to let them go through the socks5 or http/s proxy channel?

region1.v2.argotunnel.com
region2.v2.argotunnel.com
api.cloudflare.com
update.argotunnel.com

This is something that we don't actually want to support within cloudflared.
Furthermore, the http2 transport only has a subset of the features that cloudflared allows, and the official transport to use should be QUIC, which wouldn't work with the SOCKS proxy.

I found a workaround, and there is no need to change cloudflared itself. The proposed solution only works on Linux with iptables.
It applies a transparent proxy on certain IP ranges. Here are the steps.

1. Set up a transparent server that listens on localhost:12345

12345 can be replaced by any other number, but you need to make sure that the port numbers are consistent between commands. Here, let's take V2RAY as an example. First, you need to have a V2RAY client config that has a working outbound. Then, add these to the inbounds:

  "inbounds": [
    <some other inbounds>,
    {
      "port": 12345, // make sure that the port numbers are consistent
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true // Need to be set as true to accept traffic from iptables
      }
    }
  ],
  • You should NEVER enable sniffing (HTTP or TLS) on port 12345.
  • The domainStrategy in routing may have to be "AsIs".

2. Create iptables rules that redirect certain Cloudflare IP ranges to the V2RAY proxy

According to "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/", we should redirect 4 domains. However, it seems that api.cloudflare.com and update.argotunnel.com are not used frequently while cloudflared is running, so there is no need to proxy them. Only a subset of Cloudflare IPs supports edge nodes (Port 7844). I found that we only need to redirect 198.41.192.0/24 and 198.41.200.0/24 to make it work:

sudo iptables -t nat -A OUTPUT -d 198.41.192.0/24 -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -d 198.41.200.0/24 -p tcp -j REDIRECT --to-ports 12345

./cloudflared-linux-amd64 tunnel --url http://localhost:8000 --protocol http2 should work and you should be able to see that the edge node location is now close to your proxy server.
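As an added example that is not part of the issue or of cloudflared, a small POSIX shell script that manages the two REDIRECT rules from the steps above idempotently (checking with iptables -C before -A), narrows them to TCP/7844 as the comment notes, and can optionally restrict them to the UID cloudflared runs as. The UID restriction, the script name cfd-proxy.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue or cloudflared: idempotent handling of
# the REDIRECT rules from the workaround above, narrowed to the edge port
# (7844) and optionally to the UID cloudflared runs as (an assumption).
set -eu

CFD_RANGES="198.41.192.0/24 198.41.200.0/24"   # ranges named in the comment
CFD_EDGE_PORT=7844                             # edge port named in the comment
PROXY_PORT="${PROXY_PORT:-12345}"              # dokodemo-door listener port

# Rule specification for one range, without the -A/-C/-D verb.
# $1 = CIDR, $2 = redirect port, $3 = optional UID of the cloudflared user.
cfd_rule_spec() {
    spec="OUTPUT -d $1 -p tcp --dport $CFD_EDGE_PORT"
    if [ -n "${3:-}" ]; then
        spec="$spec -m owner --uid-owner $3"
    fi
    printf '%s -j REDIRECT --to-ports %s\n' "$spec" "$2"
}

# Full rule set, one rule per line. $1 = optional UID.
cfd_rule_set() {
    for cidr in $CFD_RANGES; do
        cfd_rule_spec "$cidr" "$PROXY_PORT" "${1:-}"
    done
}

# Append a rule only when `iptables -C` reports it absent, so re-running
# never duplicates rules. Needs root; word splitting of $rule is intended.
cfd_apply() {
    cfd_rule_set "${1:-}" | while IFS= read -r rule; do
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    done
}

# Delete the same rules, restoring direct connections to the edge.
cfd_remove() {
    cfd_rule_set "${1:-}" | while IFS= read -r rule; do
        iptables -t nat -D $rule 2>/dev/null || true
    done
}

case "${1:-}" in   # usage: sudo sh cfd-proxy.sh apply|remove|show [uid]
    apply)  cfd_apply "${2:-}" ;;
    remove) cfd_remove "${2:-}" ;;
    show)   cfd_rule_set "${2:-}" ;;
esac
```

Because REDIRECT points at a local listener, a stopped proxy makes cloudflared's edge connections fail rather than fall back to a direct path; `sudo sh cfd-proxy.sh remove` restores direct connectivity.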

SeaX commented

Hi @rikka0w0, do you have a complete working example?
Can v2Ray act as a client and forward directly toward the internet?

https://github.com/ChaiByte/CF-Tunnel-Transparent-Proxy/

It might be helpful.