Cloudflare tunnels not working on home network unless VPN is connected
Posted by Loocpac@reddit | sysadmin | 18 comments
I have some tunnels set up to work with Cloudflare to connect to services I have running on my home lab. I can connect to everything using subdomain.domain.net from everywhere except for my home network. If I turn my VPN on, it works fine.
This is the error I get:
This site can’t provide a secure connection
subdomain.domain.net uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
But if I turn on my VPN, then it works perfectly fine.
man__i__love__frogs@reddit
You have some kind of DNS misconfiguration. It's probably some mix of your home network trying to reach public versus private IPs since you're on the internal network.
If you ping subdomain.domain.net do you see the internal IP or the public one?
Loocpac@reddit (OP)
It fails to do the ping.
man__i__love__frogs@reddit
What are you using as a DNS server on your home network, is it just your ISP?
Loocpac@reddit (OP)
Yes
EduRJBR@reddit
Are you sure that the tunnel thing is really working? Or maybe instead you are using the proxy feature, with your residential public IP serving the websites, with port forwarding set on the router and all? Maybe you used the second model first, are migrating to the tunnel model, and something is off.
If I had to guess, I would say that you added subdomain.domain.net to your computer's hosts file, pointing to the local private IP of the server. But then I don't know if a VPN would bypass the hosts file, even in full tunnel mode.
Did you enable HTTPS, with Let's Encrypt, in your local web server? If you did, that could be an indicator that your computer is trying to access the website locally (because of the hypothetical setting in the hosts file), and as far as I know the certificate would mismatch.
Loocpac@reddit (OP)
My brother can access the site that connects to the service that is running on the server in my house from another state. I can connect to it if I am on my data using my cell phone, or on a VPN on my PC. But I cannot access it if I am connected to my home network without VPN. So I assume that the tunnel is working properly. Everything was working fine, but my domain payment lapsed because my card info changed. I updated my card and got the domain back up, but now this issue. The only thing that we can think of is that it needs a day or so for something to fix itself from it being down, but that makes no sense to me because he can access it perfectly fine from his place.
EduRJBR@reddit
Did you make it work using Tunnel from scratch? Wasn't there any stage where the website was accessible from the Internet before you implemented the tunnel? Or any stage where you could access the website simply inside your local network?
Loocpac@reddit (OP)
If I go in and I shut the tunnel, then it's no longer accessible using the web address.
gptbuilder_marc@reddit
Cloudflare tunnel working everywhere except your local network while VPN fixes it is almost always a DNS hairpin or split-horizon DNS issue at the router level. Does your router support custom DNS overrides for local domains?
noblejeter@reddit
Maybe you need to configure split DNS when connected to your internal network?
dustojnikhummer@reddit
I don't use Cloudflare Tunnels so don't exactly know how that works, but if this was a regular port forwarding setup my bet would be (as I'm guessing yours is) on hairpin NAT/split DNS.
Loocpac@reddit (OP)
Cool, how do I split DNS? I cannot find the options to do so on Cloudflare. The directions I found on their site for that tell me to go into menus that no longer exist.
dustojnikhummer@reddit
You don't do that on Cloudflare, you do that on your local DNS server. Then you point your local devices (via DHCP) onto that instead of Google or whatever. If you have at least a basic competent router it will have a local DNS server (barebones, but still should allow assigning local A records).
But this is opening a bigger can of worms, such as a local reverse proxy etc.
Loocpac@reddit (OP)
I have been all over the Cloudflare site, I even checked their help section, and their help section is outdated because it is telling me to click into menus that do not exist.
dustojnikhummer@reddit
This is more of a /r/homelab post, but I'm gonna guess
If you turn on a commercial VPN you are forcing your connection to your selfhosted services. This won't work properly if you are inside of your network. You are trying to access your own WAN interface. Pretty much no router will route that without being told so, i.e. using hairpin NAT (r/networking/comments/1bg28w9/why_we_use_nat_hairpin/).
Most people don't do that and instead they use split DNS to point at their local services directly.
It's what I do. My nextcloud.domain.tld doesn't point at my external IP on my local DNS, it points at the internal IP of my reverse proxy instead.
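The two checks suggested in this thread (man__i__love__frogs's "does ping show the internal IP or the public one?" and the split-DNS versus hairpin-NAT point above) combined into one script. This is an added example, not code from any poster or from Cloudflare: it assumes Python 3.9 or later, uses 1.1.1.1 as the public resolver to compare against, and takes subdomain.domain.net as a placeholder hostname. It resolves the name through the system resolver (on a home LAN that is the router or the ISP) and, separately, through the public resolver using a hand-built DNS query, then says whether the two views differ.

```python
"""Split-horizon DNS check for a Cloudflare Tunnel hostname (added example).

Compares what the LAN's resolver says about a name with what a public
resolver says. Standard library only; the DNS query is built and parsed
by hand so no specific resolver configuration is needed.
"""
import ipaddress
import socket
import struct

PUBLIC_RESOLVER = "1.1.1.1"                 # assumption: any public recursive resolver
PLACEHOLDER_HOST = "subdomain.domain.net"   # the thread's placeholder hostname
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_lan_address(addr: str) -> bool:
    """RFC 1918 or CGNAT (100.64/10) address, i.e. only reachable on the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode one A-record question in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:       # compression pointer: 2 bytes, then done
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes) -> list[str]:
    """Collect the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4           # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:                # A record
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength                              # CNAME etc. are skipped
    return addresses


def resolve_via(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Ask one specific resolver for A records over UDP port 53."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("DNS reply transaction id does not match the query")
    return parse_a_records(reply)


def resolve_via_system(name: str) -> list[str]:
    """What the OS resolver returns; this is the view the browser uses."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(lan_view: list[str], public_view: list[str]) -> str:
    """One-line verdict comparing the LAN answer with the Internet answer."""
    if not lan_view:
        return "unresolved: the LAN resolver returns no address for the name"
    if any(is_lan_address(a) for a in lan_view):
        return "split-horizon: the LAN answer is a private address, so the browser goes straight to the internal host"
    if set(lan_view) == set(public_view):
        return "consistent: LAN and Internet resolve to the same public address"
    return "mismatch: the LAN resolver returns a different public address than the Internet (hairpin or stale record)"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_HOST
    lan_view = resolve_via_system(host)
    try:
        public_view = resolve_via(host, PUBLIC_RESOLVER)
    except OSError as exc:                               # timeout, unreachable resolver
        public_view = []
        print(f"public resolver query failed: {exc}")
    print(f"system resolver : {lan_view or 'no answer'}")
    print(f"{PUBLIC_RESOLVER:<16}: {public_view or 'no answer'}")
    print(f"verdict         : {classify(lan_view, public_view)}")
```

Run it as `python3 dnsview.py subdomain.domain.net` from the LAN with the VPN off. An "unresolved" verdict is what a failed ping looks like when the name simply does not resolve locally, and points at the LAN resolver rather than at Cloudflare; "split-horizon" means the router or local DNS server already carries an override for the name (on dnsmasq-based routers that is a single `address=/subdomain.domain.net/<internal-ip>` line, which is also how you would add one); "consistent" means DNS is not what differs between the VPN and non-VPN paths, and the TLS handshake itself is the next thing to compare.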
Helpjuice@reddit
Is the TLS version and cipher suite the same version with the VPN on and off?
Loocpac@reddit (OP)
I don't have any idea what that is or how to check.
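One way to answer Helpjuice's question about the TLS version and cipher suite: a probe that completes a real handshake and reports what was negotiated, which address actually answered, and which names the presented certificate covers. This is an added example, not code from the thread; it assumes Python 3.9 or later, defaults to the thread's placeholder hostname subdomain.domain.net, and keeps certificate validation on so a wrong certificate shows up as an error instead of being hidden. Run it once on the LAN and once with the VPN up, then pass the two results to compare_probes().

```python
"""TLS handshake probe: what version, cipher and certificate a host negotiates (added example)."""
import json
import socket
import ssl
import sys

PLACEHOLDER_HOST = "subdomain.domain.net"   # the thread's placeholder hostname


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, complete a TLS handshake, and report what was negotiated.

    Returns ok=True with peer/version/cipher/subject_alt_names, or ok=False
    with the stage that failed (tcp-connect or tls-handshake) and the error.
    """
    context = ssl.create_default_context()          # validation stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            peer = raw.getpeername()[0]             # the address we actually reached
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {
                    "ok": True,
                    "peer": peer,
                    "version": tls.version(),       # e.g. "TLSv1.3"
                    "cipher": tls.cipher()[0],      # e.g. "TLS_AES_256_GCM_SHA384"
                    "subject_alt_names": sans,
                }
    except ssl.SSLError as exc:                     # must come before OSError
        return {"ok": False, "stage": "tls-handshake", "error": str(exc)}
    except OSError as exc:                          # refused, timeout, unreachable
        return {"ok": False, "stage": "tcp-connect", "error": str(exc)}


def compare_probes(lan: dict, vpn: dict) -> list[str]:
    """List what differs between a LAN-side and a VPN-side probe result."""
    findings = []
    for side, result in (("LAN", lan), ("VPN", vpn)):
        if not result["ok"]:
            findings.append(f"{side}: failed at {result['stage']}: {result['error']}")
    if lan["ok"] and vpn["ok"]:
        for field in ("peer", "version", "cipher", "subject_alt_names"):
            if lan[field] != vpn[field]:
                findings.append(f"{field} differs: LAN={lan[field]} VPN={vpn[field]}")
    return findings or ["no difference: both paths negotiate the same TLS session parameters"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_HOST
    print(json.dumps(probe_tls(host), indent=2))
```

Run `python3 tlsprobe.py subdomain.domain.net` on each path and keep the JSON. A browser-side ERR_SSL_VERSION_OR_CIPHER_MISMATCH would show up here as a failure at the tls-handshake stage, with the library's error text saying which side rejected what; on the path that works, the peer address and the certificate's subject alternative names tell you which endpoint answered and whether it presented a certificate for the hostname at all, which is the difference Helpjuice's question is after.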