Exposing an Intranet Host with Cloudflare Tunnel

Warning
This article was last updated on 2022-09-30; its content may be out of date.

# Requirement

Working from home, I need to expose the office computer so the home computer can connect to it.

# Environment

The `cloudflared` tool is required; download the build for your platform from the link below.

https://github.com/cloudflare/cloudflared/releases

# Office machine configuration

```console
ubuntu@ubuntu:~$ cloudflared login
Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.cloudflareaccess.org%2FRl3hix8lZBOXDNuSgnGsRNsKoM98SsecBz_S7dSxtyg%3D

Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/ubuntu/.cloudflared/cert.pem
```

Open the URL it prints and log in with your Cloudflare account; after you pick a zone (domain), a `cert.pem` authorization file is written. This origin certificate lets its holder create and delete tunnels and DNS routes in that zone, so treat it like a password.

```console
ubuntu@ubuntu:~$ cloudflared tunnel create test
Tunnel credentials written to /home/ubuntu/.cloudflared/9a9001bf-0015-4047-b196-9568ccff947a.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel test with id 9a9001bf-0015-4047-b196-9568ccff947a
ubuntu@ubuntu:~$ cloudflared tunnel route dns 9a9001bf-0015-4047-b196-9568ccff947a test.y4er.com
2022-09-27T09:49:04Z INF Added CNAME test.y4er.com which will route to this tunnel tunnelID=9a9001bf-0015-4047-b196-9568ccff947a
ubuntu@ubuntu:~$
```

This creates a tunnel named `test` with UUID `9a9001bf-0015-4047-b196-9568ccff947a` and binds it to the hostname `test.y4er.com`. If you look at the zone's DNS records now you will find a new CNAME for `test.y4er.com` pointing at `<tunnel-uuid>.cfargotunnel.com`. The per-tunnel JSON file written by `tunnel create` only lets its holder run this one tunnel; deleting the tunnel revokes it.

Now the tunnel can be started.

```sh
cloudflared tunnel --name test --url rdp://127.0.0.1
cloudflared tunnel --name test --url http://127.0.0.1:8080
cloudflared tunnel --name test --url tcp://127.0.0.1:3306
```

Here I am forwarding port 3389 on 127.0.0.1 (`rdp://` without an explicit port defaults to 3389).

```console
ubuntu@ubuntu:~$ cloudflared tunnel --name test --url rdp://127.0.0.1
2022-09-27T09:52:52Z INF Reusing existing tunnel with this name tunnelID=9a9001bf-0015-4047-b196-9568ccff947a
2022-09-27T09:52:52Z INF Starting tunnel tunnelID=9a9001bf-0015-4047-b196-9568ccff947a
2022-09-27T09:52:52Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-09-27T09:52:52Z INF Version 2022.9.1
2022-09-27T09:52:52Z INF GOOS: linux, GOVersion: go1.18.6, GoArch: amd64
2022-09-27T09:52:52Z INF Settings: map[n:test name:test url:rdp://127.0.0.1]
2022-09-27T09:52:52Z INF cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/
2022-09-27T09:52:52Z INF Generated Connector ID: a1da23e2-cdfc-44db-a0b0-2428e8c4a85a
2022-09-27T09:52:52Z INF Initial protocol quic
2022-09-27T09:52:52Z INF Starting metrics server on 127.0.0.1:45235/metrics
2022/09/27 09:52:52 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022-09-27T09:52:53Z INF Connection de1df8d6-3983-4944-8a70-6c62ed96404b registered connIndex=0 ip=198.41.200.33 location=SJC
2022-09-27T09:52:55Z INF Connection 815b9bee-5b7b-4abd-badc-3dc397143278 registered connIndex=2 ip=198.41.200.73 location=SJC
2022-09-27T09:52:55Z INF Connection 842a5dc0-698c-454c-8a92-7bb0c9560b0e registered connIndex=3 ip=198.41.192.107 location=LAX
2022-09-27T09:52:58Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=1 ip=198.41.192.227
2022-09-27T09:52:58Z INF Retrying connection in up to 2s seconds connIndex=1 ip=198.41.192.227
2022-09-27T09:52:58Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=1
```

The warnings appear because cloudflared uses QUIC (UDP) by default and QUIC does not get through from mainland China; cloudflared falls back to HTTP/2 on its own, so they can be ignored. The receive-buffer message is a harmless quic-go notice. If you would rather skip the QUIC attempt entirely, pin the protocol with `cloudflared tunnel run --protocol http2 test`.

# Home machine configuration

Nothing to configure; just run

```sh
cloudflared access rdp --hostname test.y4er.com --listener 127.0.0.1:3389
```

Port 3389 on the office computer is now mapped to port 3389 on the local machine.

Note that nothing on the Cloudflare side restricts who may do this: anyone who knows the hostname can run the same `cloudflared access` command and reach the RDP listener, so the only barrier is the RDP login itself until you put a Cloudflare Access policy in front of `test.y4er.com` (the `access` client will then prompt for the Access login before it opens the listener).

Just connect with mstsc.


Ten thousand times nicer than Sunlogin (向日葵).

# Actual configuration

I could not be bothered to keep a terminal open just to run this thing, so I turned it into a supervisor program that starts automatically.

```ini
[program:cloudflared]
command=cloudflared tunnel --name test --url rdp://127.0.0.1
; working directory of the process
directory=/usr/local/bin/
; start when supervisord starts
autostart=true
; restart if the program exits
autorestart=true
; log output
stderr_logfile=/tmp/client_stderr.log
stdout_logfile=/tmp/client_stdout.log
; run as the user that ran `cloudflared login`
user=ubuntu
```

The comments sit on their own lines on purpose: supervisor's INI parser does not treat a trailing `# ...` as a comment, so a line like `autostart=true     # ...` would be read as an invalid boolean value. (The original also misspelled `directory` as `dircetory`.)

Note that `user` must be the account that ran `cloudflared login`; otherwise cloudflared cannot find `cert.pem` and the tunnel credentials under that account's `~/.cloudflared/`.

Only after writing all that did I notice the service can be installed with a single command:

```sh
cloudflared service install
```

The installed service runs from a config file (`/etc/cloudflared/config.yml`) rather than from command-line flags, so the tunnel name and the `--url` mapping have to be expressed there.
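As an added example (not code from the original post or from Cloudflare), here is a small POSIX shell script that renders the `config.yml` equivalent of the post's `cloudflared tunnel --name test --url rdp://127.0.0.1`, checks that the ingress rules end with a catch-all 404 and forward only to loopback, and then validates and installs the service. The tunnel ID, credentials path and hostname are the ones printed in the post's output and are assumptions for illustration; `cloudflared` is only invoked with the `install` argument, so the dry run works without it.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed values (from the
# post's output): tunnel id, credentials file under /home/ubuntu/.cloudflared,
# public hostname test.y4er.com, RDP origin on loopback.
set -eu

# Render a config.yml with one public hostname and the mandatory catch-all.
# $1 tunnel uuid  $2 credentials json  $3 public hostname  $4 origin service
render_cloudflared_config() {
    cat <<EOF
tunnel: $1
credentials-file: $2
ingress:
  # Only requests for this hostname are forwarded, and only to this origin.
  - hostname: $3
    service: $4
  # cloudflared requires a final rule without a hostname; answering 404 at the
  # edge means any other hostname pointed at this tunnel is refused, not proxied.
  - service: http_status:404
EOF
}

# Read a config on stdin; succeed only if the last ingress rule is the 404
# catch-all (cloudflared rejects a config whose last rule still has a hostname).
catch_all_is_last() {
    tail -n 1 | grep -q '^  - service: http_status:404$'
}

# Read a config on stdin; print how many forwarding rules point somewhere other
# than loopback. A non-zero count means the tunnel would expose another host.
count_nonlocal_origins() {
    grep -E '^    service: (tcp|rdp|ssh|http|https)://' \
        | grep -Ev '://(127\.0\.0\.1|localhost)(:|$)' \
        | wc -l | tr -d ' '
}

TUNNEL_ID=9a9001bf-0015-4047-b196-9568ccff947a
CREDS=/home/ubuntu/.cloudflared/${TUNNEL_ID}.json   # assumed path
PUBLIC_HOST=test.y4er.com                            # assumed hostname
ORIGIN=rdp://127.0.0.1:3389
CONFIG=/home/ubuntu/.cloudflared/config.yml          # assumed path

if [ "${1:-}" = "install" ]; then
    # Run as root on the office machine: write the config, refuse to install if
    # it would forward beyond loopback, validate the rules, install the service.
    render_cloudflared_config "$TUNNEL_ID" "$CREDS" "$PUBLIC_HOST" "$ORIGIN" > "$CONFIG"
    chmod 600 "$CONFIG" "$CREDS"
    [ "$(count_nonlocal_origins < "$CONFIG")" = "0" ] || { echo "non-loopback origin in $CONFIG" >&2; exit 1; }
    cloudflared --config "$CONFIG" tunnel ingress validate
    cloudflared --config "$CONFIG" service install
else
    # Dry run: print the config that would be written.
    render_cloudflared_config "$TUNNEL_ID" "$CREDS" "$PUBLIC_HOST" "$ORIGIN"
fi
```

Run it without arguments to see the generated file, and with `install` (as root) to write it and register the systemd unit. The fourth argument of `render_cloudflared_config` takes any origin cloudflared accepts, so `bastion` would give you the config-file form of the `--bastion` mode described below, and `count_nonlocal_origins` is the check that stops you from accidentally publishing a host other than the one you meant.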

# Bastion mode

Office machine:

```sh
cloudflared tunnel --name test --bastion
```

Home machine:

```sh
cloudflared access tcp --hostname test.y4er.com --listener 127.0.0.1:3389 --destination 127.0.0.1:3389
```

`--destination` can point at a different port or a different IP. In bastion mode the office-side connector forwards to whatever destination the client asks for, so it is effectively a generic TCP proxy into the office network for anyone who can reach the hostname; put a Cloudflare Access policy on `test.y4er.com` before relying on it.

# Speed

Putting a proxy in front of the client when it connects keeps it from being too laggy. For me it is more comfortable than Sunlogin; at least it does not drop the connection. When Tom used it, it was very laggy, maybe because of his proxy or his home broadband route; it varies from person to person.

My writing is poor, my wording flippant, the content shallow and my hands-on skills rusty. Corrections and guidance from the masters are welcome, with many thanks.