Port Forwarding or Tunneling a Service
Last updated
This guide will step you through Port Forwarding or Tunneling a service
Authentication, Access and Accounts
There are two ways to make a service accessible externally: a Cloudflare (CF) Tunnel or port forwarding. The tunnel keeps the server itself closed to inbound traffic, whereas port forwarding exposes the forwarded ports directly to the internet.
Log into Cloudflare's Zero Trust
On the left, select Access > Tunnels
Select the relevant tunnel and click on 'Configure'
Click on the Public Hostname tab
Click on 'Add Public Hostname' and input the relevant data, eg
Click on Save hostname
Navigate to the URL and confirm it is working
Note: if the internal service is served over HTTPS with a self-signed or internally issued certificate, you may need to enable 'No TLS Verify' for the hostname (Additional application settings > TLS). This turns off certificate validation between cloudflared and the origin, so only do it for origins on a trusted internal network; where the origin's certificate is valid but issued for a different name, set 'Origin Server Name' instead.
Authentication is applied as an 'Application' and allows you to limit services to specific users, IP address, countries etc.
Log into Cloudflare's Zero Trust
On the left, select Access > Applications
Click on 'Add an application' and select Self Hosted
Configure the Application
Application Configuration block: input the name and URLs you wish to configure
Application Appearance block: select 'custom logo' and provide a URL to an image, such as the logo of the app
Tags: apply any relevant tags, such as 'test', 'xfgn' etc.
Click on OK / Save / Next
Create a policy using the information outlined in Cloudflare Authentication and hit OK / Save / Next
Under the settings tab, tick 'Enable automatic cloudflared authentication'
Click on OK / Save / Next
As port forwarding opens the server to direct access from the internet, the host firewall must be enabled.
SSH into the server and run the commands below.
Run the command below to list the ports the server is actively listening on, and note anything that needs to be reachable from outside. Pay particular attention to entries owned by 'docker-proxy': these are ports published by containers running on the host (compare them against Portainer). Bear in mind that Docker publishes container ports through its own iptables rules in the FORWARD chain, which bypass rules applied to the INPUT chain, so confirm the firewall configuration actually covers those ports rather than assuming it does.
Use the command below to allow the required ports through the firewall.
Ensure that the CrowdSec firewall bouncer is enabled and configured.
Generic allow list, applicable to all our servers:
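The review step above (list what the host is listening on, decide what needs to be allowed, then write the firewall rules) can be scripted so that nothing is opened by accident. The block below is an added example and not a command from this page; it assumes `ss -tulpn` is the port-listing command and ufw is the host firewall, neither of which the page states. The `ss` output it parses is a constructed sample, not captured from a real host, and the `ufw` commands are printed for review rather than executed.

```bash
#!/bin/sh
# Added example: review what a server is listening on and turn that into ufw
# rules. Assumes `ss -tulpn` is the listing command and ufw is the host
# firewall; both are assumptions, not stated on the original page.

# Constructed sample of `ss -tulpn` output (not captured from a real host).
# Run against a live host with:  ss -tulpn | exposed_ports | ufw_rules
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096         0.0.0.0:32400       0.0.0.0:*    users:(("docker-proxy",pid=2201,fd=4))
tcp   LISTEN 0      4096       127.0.0.1:9000        0.0.0.0:*    users:(("portainer",pid=1900,fd=7))
tcp   LISTEN 0      128             [::]:22             [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53          0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=13))
udp   UNCONN 0      0            0.0.0.0:1514        0.0.0.0:*    users:(("wazuh-remoted",pid=1700,fd=5))'

# exposed_ports: reads `ss -tulpn` output on stdin and prints one
# "proto port process" line per socket bound to a non-loopback address.
# Loopback-only binds are dropped (a port forward can never reach them) and
# the IPv4/IPv6 binds of the same port are collapsed into one line.
exposed_ports() {
  awk 'NR > 1 && NF >= 5 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]") next
    proc = "?"
    if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
    key = $1 " " port
    if (!(key in seen)) { seen[key] = 1; print key " " proc }
  }'
}

# ufw_rules: turns "proto port process" lines into ufw commands for review.
# The commands are printed, not executed, so the list can be pruned first.
# Ports published by Docker (docker-proxy) are flagged: Docker inserts its
# own iptables rules in the FORWARD chain, so ufw's INPUT rules do not
# filter them and an allow rule here is not what actually exposes them.
ufw_rules() {
  awk '{
    note = ($3 == "docker-proxy") ? "  (Docker-published port: not filtered by ufw)" : ""
    printf "ufw allow %s/%s  # %s%s\n", $2, $1, $3, note
  }'
}

# Stand-alone run: show what the sample host exposes and the matching rules.
printf '%s\n' "$SAMPLE_SS" | exposed_ports | ufw_rules
```

Against the sample, the loopback-only Portainer and resolver sockets are dropped and the two sshd binds collapse to one rule, leaving 22/tcp, 32400/tcp and 1514/udp. Only the ports that genuinely need to be reachable from outside should be kept from that list before the `ufw allow` lines are run, and the Docker-flagged ones need to be checked separately in the container's published-port settings, since ufw alone will neither open nor close them.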
Navigate to the UniFi site manager and select Rigatoni
Click on the settings cog in the bottom left
Select Security > Port Forwarding
Click on Create Entry
Please ensure the port forward rule is named using the below scheme
| Forwarding to | Purpose | Firewall Rule Name |
|---|---|---|
| Lungo | API to allow remote devices to connect to Wazuh | Lungo - Wazuh API |
| Latte | Ports to make Plex available externally | Latte - Plex Ports |
| Espresso | Portainer Edge Agent connection to Portainer main instance | Espresso - Edge Agent |
Where possible, limit the 'From' (source) IP to the relevant client (e.g. the VPS), so the forwarded port is not reachable from the whole internet. This isn't possible for most use cases (e.g. Plex, Pterodactyl game ports), where arbitrary clients must be able to connect; those rules rely on the host firewall and CrowdSec bouncer above.