tunnel routing "connection refused"

[ryandsm]

The problem

Recently set up the addon with o problems for the local system, but when I'm adding additional hosts I will get and error.

What version of Cloudflared has the issue?

4.1.1

What was the last working version of Cloudflared?

4.1.1

What type of installation are you running?

Home Assistant OS

Add-on YAML Configuration

external_hostname: my.domain.com
additional_hosts:
  - hostname: myother.domain.com
    service: http://192.168.86.199:80
tunnel_name: homeassistant

Anything in the logs that might be useful for us?

-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflare Tunnel to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 4.1.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (amd64 / generic-x86-64)
 Home Assistant Core: 2023.3.5
 Home Assistant Supervisor: 2023.04.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[13:24:51] INFO: Checking add-on config...
[13:24:51] INFO: Checking for existing certificate...
[13:24:51] INFO: Existing certificate found
[13:24:51] INFO: Checking for existing tunnel...
[13:24:51] INFO: Existing tunnel with ID (some numbers) found
[13:24:51] INFO: Checking if existing tunnel matches name given in config
[13:24:52] INFO: Existing Cloudflare Tunnel name matches config, proceeding with existing tunnel file
[13:24:52] INFO: Creating config file...
[13:24:52] INFO: Validating config file...
Validating rules from /tmp/config.json
OK
[13:24:52] INFO: Creating DNS entry my.domain.com...
2023-04-16T20:24:53Z INF my.domain.com is already configured to route to your tunnel tunnelID=(some numbers)
[13:24:53] INFO: Creating DNS entry myother.domain.com...
2023-04-16T20:24:53Z INF myother.domain.com is already configured to route to your tunnel tunnelID=(some numbers)
[13:24:53] INFO: Finished setting up the Cloudflare Tunnel
[13:24:53] INFO: Connecting Cloudflare Tunnel...
2023-04-16T20:24:53Z INF Starting tunnel tunnelID=(some numbers)
2023-04-16T20:24:53Z INF Version 2023.4.0
2023-04-16T20:24:53Z INF GOOS: linux, GOVersion: go1.19.6, GoArch: amd64
2023-04-16T20:24:53Z INF Settings: map[config:/tmp/config.json cred-file:/data/tunnel.json credentials-file:/data/tunnel.json loglevel:info metrics:0.0.0.0:36500 no-autoupdate:true origincert:/data/cert.pem]
2023-04-16T20:24:53Z INF Generated Connector ID: "some numbers"
2023-04-16T20:24:53Z INF Initial protocol quic
2023-04-16T20:24:53Z INF ICMP proxy will use 172.30.33.5 as source for IPv4
2023-04-16T20:24:53Z INF ICMP proxy will use :: as source for IPv6
2023-04-16T20:24:53Z INF Starting metrics server on [::]:36500/metrics
2023-04-16T20:24:54Z INF Connection (some numbers) registered with protocol: quic connIndex=0 ip=198.41.200.63 location=PHX
2023-04-16T20:24:54Z INF Connection (some numbers) registered with protocol: quic connIndex=1 ip=198.41.192.227 location=LAX
2023-04-16T20:24:55Z INF Connection (some numbers) registered with protocol: quic connIndex=2 ip=198.41.192.47 location=LAX
2023-04-16T20:24:56Z INF Connection (some numbers) registered with protocol: quic connIndex=3 ip=198.41.200.43 location=PHX
2023-04-16T20:28:06Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" cfRay=7b8f2c3be88f7c1e-LAX ingressRule=1 originService=http://192.168.86.199:3012
2023-04-16T20:28:06Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" connIndex=1 dest=https://myother.domain.com/ ip=198.41.192.227 type=http
2023-04-16T20:28:06Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" cfRay=7b8f2c3c99007c1e-LAX ingressRule=1 originService=http://192.168.86.199:3012

Steps to reproduce the issue

I set up the addon by adding into configuration the external home assistant host and Cloudflair tunnel name. this worked and I have no problems with connecting to home assistant. I wanted to access other services on the network as well so I added into additional hostnames the information as shown in the YAML. this is when I get the error. I can still access Home assistant with no problems.

Additional information

No response

[elcajon]

This is indeed strange.
What I notice at first glance is that you have configured the service http://192.168.86.199:80 in the additional_hosts. The error message from the log however tries to connect to 192.168.86.199:3012.
Does more helpful information appear in the log when you change the log level in the add-on options to debug or trace?

[brenner-tobias]

Additionally, can you add a little bit more context about what kind of service you are trying to route through the tunnel?
Some services do block requests from unknown reverse proxies (e.g. new routers like Fritz!Box), so this might be an issue on the service side.

[ryandsm]

This is indeed strange. What I notice at first glance is that you have configured the service http://192.168.86.199:80 in the additional_hosts. The error message from the log however tries to connect to 192.168.86.199:3012. Does more helpful information appear in the log when you change the log level in the add-on options to debug?

sorry that was me trying something while I was typing out the message. it should be port :3012

[ryandsm]

it's a docker on an Unraid server. The service is vaultwarden: https://github.com/dani-garcia/vaultwarden/wiki

[elcajon]

So I guess 3012 is the websocket port of Vaultwarden, right?
Can you try to use ws://192.168.86.199:3012 for your service definition?

[ryandsm]

ws://192.168.86.199:3012

under the other hostname section?

• hostname: gardaz.blitzthenet.homes
  service: ws://192.168.86.199:3012

[elcajon]

Exactly... But it is just a guess on my part, after a short Google research.

https://community.cloudflare.com/t/tunnel-with-websockets/318111
cloudflare/cloudflared#526

[ryandsm]

this is what i'm gettign
2023-04-16T21:38:08Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.30.32.1:8123: connect: connection refused" cfRay=7b8f92d34cf77eb7-LAX ingressRule=0 originService= (XX)
2023-04-16T21:38:08Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.30.32.1:8123: connect: connection refused" connIndex=2 dest=https:// (XX) milleraz.blitzthenet.homes/api/websocket ip=198.41.192.47 type=ws

[elcajon]

The error message refers to the 8123 port, where Home Assistant is normally active. Also the IP address 172.30.xx is the Home Assistant OS internal IP of the Home Assistant Docker container.
Can you provide more information on what the add-on configuration looks like now?

And a question out of interest, is there a reason why you install Vaultwarden separately in Docker and not use the add-on in Home Assistant?

[ryandsm]

Are you referring to vaultwarden, cloud flair, or somthing else in regards to add-on configuration.

[elcajon]

The last logs you provided are independent of Vaultwarden because they contain the address and port of Home Assistant.

Could you change your add-on configuration to something like this and try again?

external_hostname: my.domain.com
additional_hosts:
  - hostname: myother.domain.com
    service: ws://192.168.86.199:3012
tunnel_name: homeassistant

[ryandsm]

What I'm getting now.

[15:10:50] INFO: Creating DNS entry my.domain.com...
2023-04-16T22:10:51Z INF my.domain.com is already configured to route to your tunnel tunnelID= ( Some number)
[15:10:51] INFO: Creating DNS entry myother.domain.com...
2023-04-16T22:10:51Z INF myother.domain.com is already configured to route to your tunnel tunnelID=5( Some number)
[15:10:51] INFO: Finished setting up the Cloudflare Tunnel
[15:10:51] INFO: Connecting Cloudflare Tunnel...
2023-04-16T22:10:51Z INF Starting tunnel tunnelID= (some number)
2023-04-16T22:10:51Z INF Version 2023.4.0
2023-04-16T22:10:51Z INF GOOS: linux, GOVersion: go1.19.6, GoArch: amd64
2023-04-16T22:10:51Z INF Settings: map[config:/tmp/config.json cred-file:/data/tunnel.json credentials-file:/data/tunnel.json loglevel:info metrics:0.0.0.0:36500 no-autoupdate:true origincert:/data/cert.pem]
2023-04-16T22:10:51Z INF Generated Connector ID: (some number)
2023-04-16T22:10:51Z INF Initial protocol quic
2023-04-16T22:10:51Z INF ICMP proxy will use 172.30.33.2 as source for IPv4
2023-04-16T22:10:51Z INF ICMP proxy will use :: as source for IPv6
2023-04-16T22:10:51Z INF Starting metrics server on [::]:36500/metrics
2023-04-16T22:10:52Z INF Connection (some number) registered with protocol: quic connIndex=0 ip=198.41.200.53 location=PHX
2023-04-16T22:10:52Z INF Connection (some number) egistered with protocol: quic connIndex=1 ip=198.41.192.47 location=LAX
2023-04-16T22:10:53Z INF Connection (some number) registered with protocol: quic connIndex=2 ip=198.41.192.7 location=LAX
2023-04-16T22:10:54Z INF Connection (some number) registered with protocol: quic connIndex=3 ip=198.41.200.233 location=PHX
2023-04-16T22:15:04Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" cfRay=7b8fc8ea0ec77d5f-LAX ingressRule=1 originService=ws://192.168.86.199:3012
2023-04-16T22:15:04Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" connIndex=1 dest=https://myother.domain.com/ ip=198.41.192.47 type=http
2023-04-16T22:15:04Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" cfRay=7b8fc8ed89917d5f-LAX ingressRule=1 originService=ws://192.168.86.199:3012
2023-04-16T22:15:04Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" connIndex=1 dest=https://myother.domain.com/ ip=198.41.192.47 type=http
2023-04-16T22:15:04Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" cfRay=7b8fc8eeaa5d7d5f-LAX ingressRule=1 originService=ws://192.168.86.199:3012
2023-04-16T22:15:04Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.86.199:3012: connect: connection refused" connIndex=1 dest=https://myother.domain.com/favicon.ico ip=198.41.192.47 type=http

[elcajon]

Currently I can't think of anything else we could try, sorry.
Since it's not directly a problem with the add-on, but with Cloudflare itself, I move the error to the discussions.

[brenner-tobias]

Not sure if this helps, but in the linked thread, the solution is also using the "httpHostHeader" variable for the originRequest. Maybe this is also something, you can look into @ryandsm.

In order to do that, you have to switch to a remote managed tunnel, since there is no option to set this in our add-on.