
Cloudflare Tunnel Hacks

Authors
  • Teddy Xinyuan Chen

Installing and running remotely managed tunnel without root access

As of the time of writing, I haven't seen a solution posted on the community forum or elsewhere, so I'm writing this.

When creating a new remotely managed tunnel from the one.dash.cloudflare.com dashboard, you'll be asked to copy and run a command that looks like this:

sudo cloudflared service install $SOME_VERY_LONG_SECRET_STRING
# this command registers a cloudflared tunnel service that is linked to this remotely managed tunnel
# using systemd or launchd under the hood, depending on the OS
# and unfortunately, running this requires root access

Remotely managed tunnels are much more convenient than locally managed ones: you get to add new rules from the web dashboard and don't need to deal with UUID file names.

So I decided to investigate and find a way to run this without root access.

I suspected that $SOME_VERY_LONG_SECRET_STRING is a base64-encoded config because of the ending =s, and it really is:

echo -n "$SOME_VERY_LONG_SECRET_STRING" | base64 -d
# {"a":"cloudflare account id","t":"tunnel id","s":"tunnel secret"}

This looked familiar to me, because I've seen ~/.cloudflared/uuid.json that looks basically the same:

{"AccountTag":"cloudflare account id","TunnelID":"tunnel id","TunnelSecret":"tunnel secret"}

Save the base64-decoded content into ~/.cloudflared/my-tunnel.json, and run:

# I recommend running this in a tmux session
cloudflared tunnel run my-tunnel

And voila, you're connected to Cloudflare's network!
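
The decode-and-save step above, as an added example that is not part of the original post: it decodes the token, renames the short keys to the long names shown in the uuid.json sample, and writes the file owner-readable only, since it contains the tunnel secret. The a/t/s to AccountTag/TunnelID/TunnelSecret mapping is an assumption drawn from the two JSON shapes above; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import os
import tempfile

# Short token keys -> key names seen in ~/.cloudflared/uuid.json (assumed mapping).
KEY_MAP = {"a": "AccountTag", "t": "TunnelID", "s": "TunnelSecret"}


def token_to_credentials(token: str) -> dict:
    """Decode a dashboard token and return it in credentials-file shape."""
    token = token.strip()
    # Restore padding in case the trailing '=' characters were lost when copying.
    token += "=" * (-len(token) % 4)
    try:
        fields = json.loads(base64.b64decode(token, validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("token is not base64-encoded JSON") from exc
    if not isinstance(fields, dict) or set(fields) != set(KEY_MAP):
        raise ValueError("token JSON must have exactly the keys a, t, s")
    return {KEY_MAP[k]: fields[k] for k in ("a", "t", "s")}


def write_credentials(creds: dict, path: str) -> None:
    """Write the file readable by the owner only; it holds the tunnel secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed


def demo() -> dict:
    # Constructed sample token; none of these values are real.
    sample = {"a": "example-account-id", "t": "example-tunnel-id", "s": "ZXhhbXBsZQ=="}
    token = base64.b64encode(json.dumps(sample).encode()).decode()
    creds = token_to_credentials(token)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "my-tunnel.json")
        write_credentials(creds, path)
        mode = os.stat(path).st_mode & 0o777
    return {"creds": creds, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The token is equivalent to a credential for the tunnel, so keep it out of shell history and shared terminals as well as out of world-readable files.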