Set up Connector connection

1. Complete the connection form to provide the necessary details for setting up the Connector connection. You receive a secret token within 8 business hours to use in the following steps.

2. Provide a container or a server within your private network that satisfies the minimum requirements. This serves as the pivot agent.
   

3. Firewall rules:

   1. Firewall permissions for pulling the cloudflared Docker container or downloading the cloudflared agent into your server
      
   2. Firewall permissions for reaching Fluid Attacks' Cloudflare network
      
   3. Firewall permissions for reaching the internal resources Fluid Attacks will be accessing.
      
   Do not proceed to the next steps until these firewall rules are correctly configured from your side. Outbound rules to IPs or domain destinations specified here, over port 7844 (via TCP and UDP protocols) are required. This is essential for ensure a working and stable connection, and DNS resolution.
   If you intend to share access to several servers within the same private network, make sure your firewall rules allow the pivot agent to reach them.

4. Install cloudflared on the pivot agent.
   

   Linux

   Windows

   Docker

   Linux

   Binary
   

   Download binary for your architecture and execute it directly:
   

   cloudflared-linux-<YOUR ARCH> service install <SECRET TOKEN>

   Debian-based systems (.deb)
   Download and install cloudflared on your server, executing:

   sudo dpkg -i cloudflared-linux-<YOUR ARCH>.deb​
   

   cloudflared service install <SECRET TOKEN>
   

   Red Hat-based systems (.rpm)
   Download and install cloudflared on your server, executing:

   sudo rpm -i cloudflared-linux-<YOUR ARCH>.rpm

   cloudflared service install <SECRET TOKEN>

   Windows

   Option 1
   You can download and install cloudflared on your server, via winget, running this command:

   winget install --id Cloudflare.cloudflared

   
   

   
   

   After that, execute the appropriate command using the secret token provided by Fluid Attacks:
   

   cloudflared.exe service install <SECRET TOKEN>


   
   

   ​
   

   Option 2
   

   Alternatively, download the latest release of cloudflared, rename downloaded file as cloudflare.exe and store it into C:/Cloudflared/ location (if it doesn't exist, create it). Then, go into the C:/Cloudflared/ path and execute this:
   

   .\cloudflared.exe service install <SECRET TOKEN>

   
   

   Docker

   Deploy a service using the cloudflared Docker container on your container runtime system (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.) and then run the appropriate command below using the secret token provided by Fluid Attacks.

   docker run -d --name cloudflared cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <SECRET TOKEN>
   


Make sure you run this command as a System Administrator. If you are running a Docker container, being root within the container is enough.

After establishing the connection, you should verify its functionality accordingly:

• Docker: Review the logs of your container. The specific method for accessing logs will depend on your container runtime environment (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.).
• Windows: Follow the official steps to test connectivity with Powershell.
• Linux and macOS: Follow the official steps to test connectivity with dig.

Follow these steps:

1. Fill out the connection form so Fluid Attacks can set up a connection for you.
2. Install cloudflared in any of the servers you want to share. For this example, it is assumed you install it on the Git repository server.
3. Receive a secret token from Fluid Attacks for setting up the connection.
   

Now you should focus on creating firewall rules that allow the use cases presented previously.

• For secure connection:
  
  •  Allow TCP/UDP via port 7844 to region1.v2.argotunnel.com (required)
  • Allow TCP/UDP via port 7844 to region2.v2.argotunnel.com (required)
  • Allow TCP via port 443 to api.cloudflare.com (optional, to query if software updates are available)
  • Allow TCP via port 443 to update.argotunnel.com (optional, to query if software updates are available)
• For internal communication:
  
  • Allow TCP connections via port 443 (HTTPS) to application environment server
  • Allow TCP/UDP connections via port 53 (DNS) to DNS server

For the application environment server, set the following ingress firewall rule:

• Allow TCP connections via port 443 (HTTPS) from Git repository server

For the DNS server, set the following ingress firewall rule:

• Allow TCP/UDP connections via port 53 (DNS) from Git repository server
  

With cloudflared installed and the required firewall rules in place, you can proceed to enable the connection. As a System Administrator, run the registration command for the connection using the secret token provided by Fluid Attacks.

Once the connection is on, you can proceed and test it as described above.

Note: All use cases for this example scenario should be covered if you have (a) a working pivot agent and (b) minimum privilege firewall rules within your private network.

Frequently asked questions

What is Connector used for?

What are the minimum system requirements for the pivot agent server?

Why are 5 GB of free disk space required for the pivot server?

Why are "administrative privileges" needed?

Administrative privileges are required exclusively for you to access the server, install the cloudflared agent, and execute related commands. Fluid Attacks does not need these privileges, nor does the cloudflared agent require any special system access or permission to run over the server.

How do you access my resources?

The connection is established through a secure, encrypted tunnel. When the cloudflared agent is run on your server with a unique token, it creates an outbound tunnel to the Cloudflare network. Fluid Attacks connects to your tunnel using the Cloudflare WARP client, which allows it to send network-only requests to the specific resources you have made accessible from the pivot server. This process does not require you to open any inbound ports on your end.

Will you be able to access any resource on my private network?

No. Access is strictly limited to the resources you specify. The cloudflared tunnel only allows Fluid Attacks to reach resources that are accessible from the pivot server and that you have explicitly configured to be exposed. Additionally, you must provide a list of these resources (routes, domains, and/or internal DNS) through the corresponding web form. This ensures Fluid Attacks does not access any other resources on your internal network, even if the pivot server has access to them.

Can I allow or restrict access to my internal network resources at any time?

Yes. You can modify the permissions, firewall rules, or network architecture that controls access from Fluid Attacks to your resources at any time. However, you must also notify Fluid Attacks of these changes so we can update the corresponding tunnel configuration. You can do this through your assigned Fluid's Engagement Manager or by sending a ticket to help@fluidattacks.com.

How is the installation token generated and what are its characteristics?

When a tunnel is created by Fluid Attacks, an installation token is generated, which authorizes the cloudflared agent to install on the host (pivot server) and associate that host with the created tunnel. The token has 181 characters and is a secret value, randomly generated by Cloudflare, ensuring that each token is unique for each tunnel and difficult to guess. Its structure is similar to a base-64 JWT, although it does not strictly follow the standard JWT format.

Does the token expire, and can it be reused?

The installation token does not expire and is not automatically regenerated. It can be used indefinitely to install the service on any host where the agent will be installed while the tunnel exists. Once the installation is complete and the agent is running as a service, the token is no longer required. It will only be needed again if the agent needs to be reinstalled on the same or another host/server.

How is the installation token provided to me?

It is usually the Engagement Manager at Fluid Attacks who gives you the token privately, if you are going to perform the installation yourself. If you require live guidance during the installation, Fluid Attacks gives you the token at the time of executing the process.

Is the token sent through the tunnel, and is there a risk of interception?

The token is never transmitted through the tunnel. It is only used locally on the pivot server during the installation of the service. Once installed, the agent establishes a direct and secure connection with Cloudflare’s servers, without needing to re-verify the token at either end. Therefore, there is no risk of the token being intercepted during tunnel operation.

How do I know if my firewall rules are correctly configured?

Before proceeding with the installation, ensure the following:

• Your firewall allows pulling the cloudflared Docker container or downloading the cloudflared agent.
• Your firewall allows connections to Fluid Attacks' Cloudflare network (for more information, refer to the official documentation on testing connectivity).
• Your firewall permits access to the internal resources Fluid Attacks will be assessing.
  

Is it necessary or mandatory to configure all specified outbound firewall rules?

No. Only the firewall outbound rules to IPs or domain destinations specified here, over port 7844 (TCP and UDP) are required to ensure connection via Cloudflare tunnel. Rules related to port 443 (TCP and UDP) are optional (used for some additional features, like download and update cloudflared binaries). And rules related to Region US are not usually required; then, you can ignore them.

When should I configure firewall rules using domains or IPs?

You should use Cloudflare domains if your firewall supports filtering based on FQDN (Fully Qualified Domain Name) and/or enforce SNI (Server Name Indication). If your firewall does not support or enforce these functions, you will have to configure each of the IP addresses specified by Cloudflare instead.

Only in special cases —when network devices struggle to establish Cloudflare tunnel connectivity or DNS resolution fails— it is recommended to configure both domains and IP outbound firewall rules simultaneously.

What happens if firewall rules are not configured correctly?

If the required firewall rules are not properly configured, the connection will fail, preventing Fluid Attacks from accessing your resources (tunnel connectivity could be in either Inactive or Down state). Additionally, if UDP (quic) traffic is blocked or discarded, domain name resolution may fail, causing further disruptions in connectivity or difficulties to fetch and analyze your resources (mainly, in case of automatic cloning or testing).

What if my network uses a proxy behind the firewall?

If your network infrastructure uses a proxy to control outbound traffic, firewall rules must be configured on both the firewall and the proxy. It is crucial that both allow outbound traffic to the domains, IP addresses, ports, and protocols specified by Cloudflare.

What should we do with the connection once the service provided by you ends?

To terminate the connection, simply follow the instructions for uninstalling the cloudflared agent, specified below. You can also delete any binaries, executables, or container images related to cloudflared that you downloaded and, if you wish, take the server completely offline.

How do I check if the cloudflared service is correctly installed?

You can check the status of the service by running the following:

Linux

Windows

Docker

Linux

Use the next command and check if the result shows Active: active (running):

​

systemctl status cloudflared

Windows

Use one of these commands, and check if the result shows STATE: RUNNING:

sc query cloudflared
Get-Service cloudflared

Docker

Use one of these commands to check if the cloudflared container is running:

docker ps | grep cloudflared


docker ps | findstr cloudflared

How can I obtain logs from the cloudflared service?

You can obtain real-time logs by executing the following:

Linux

Windows

Docker

Linux

journalctl -u cloudflared -f

Windows

Get-WinEvent -LogName Application -ProviderName cloudflared -MaxEvents 30 -Wait

Docker

docker logs -f cloudflared

How do I start the cloudflared service if needed?

You can start the service (if it was previously stopped) by executing the following:

systemctl start cloudflared

sc start cloudflared
Start-Service cloudflared

docker start cloudflared

How do I stop the cloudflared service if needed?

sc stop cloudflared
Stop-Service cloudflared

docker stop cloudflared

systemctl restart cloudflared

Restart-Service cloudflared

docker restart cloudflared

Verify internal network connectivity

1. Ensure the resource is active, available, and hasn't changed its network location.
2. From the pivot server, try to access the resource using network commands (like telnet, netcat, nslookup, dig, curl, ping, etc.) to diagnose connectivity and DNS resolution.
   
3. If possible, check your firewall logs to verify if traffic to the resource is being allowed.
   
4. Confirm with us that the resource has been added to the tunnel configuration on our end. If not, request for us to add it.
   

Confirm external network connectivity

1. Make sure your firewall (and proxy) rules allow outbound traffic to Cloudflare's domains and IPs on port 7844 (both TCP and UDP).
   
2. Perform the connectivity tests to the Cloudflare tunnel mentioned in the connectivity test documentation to confirm outbound TCP traffic.
   
3. If possible, check your firewall logs to validate outbound connectivity to Cloudflare's IPs and domains.
   

Check agent execution status

1. Ensure the agent is active and running, executing the appropriate command.
   
2. Try to obtain and check execution logs from the cloudflared service.

Rule out cloudflared agent version issues

1. Uninstall the cloudflared agent and delete the obsolete binary, executable, or container from your server's storage.
   
2. Download and reinstall the latest version (if needed, request the installation secret token).
   
3. Verify the agent's execution status.
   

Run and test a tunnel connection manually

1. Stop the cloudflared service.
   
2. Run a temporary connection with the following command (if needed, request the installation secret token):
   

1. Review the execution terminal logs for any error messages.
   
2. You can stop the temporary execution by aborting the command or closing the terminal in any moment, and then, restart the cloudflared service if necessary.

Rule out secret token issues

1. If needed, request Fluid Attacks to generate and provide you with a new token.
   
2. Stop the cloudflared service.
   
3. Rerun the cloudflared installation command with the new token.
   
4. Validate the service status after execution.
   

Check intermediate network devices

1. Ensure again that required outbound firewall rules towards the Cloudflare tunnel (over port 7844, UDP protocol) are configured and enabled on your network devices.
   
2. Try configuring both the domains and the IPs in your outbound firewall rules at the same time.
   
3. If that doesn't resolve the issue, try configuring only the IP-based rules (even if your devices can handle domain-based rules).
   
4. Confirm that your network devices support quic protocol.
5. Finally, consider updating their firmware or configuring them to allow this protocol, if possible.
   

Support

If you require assistance with the Connector setup, send Fluid Attacks an email at help@fluidattacks.com.