How to expose Synpse device with Cloudflare tunnels

Published on April 25, 22

Synpse is an end-to-end platform to manage your device fleet that can grow to hundreds of thousands of devices, perform OTA software updates, collect metrics and logs, deploy your containerized applications and facilitate tunnel-based SSH access to any of your devices. You can find a Quick Start here.


Hardware

Software

  • Synpse - provides app deployment, SSH and HTTPS access.
  • Cloudflare/Argo Tunnels - Cloudflare's tunneling solution
  • Docker - deploying containers on the edge devices prevents a lot of issues.

Intro

When deployed to a device, Synpse applications can be accessed via Synpse-SSH, Synpse-Forward or Synpse HTTP tunnels. Any of these methods can be used in production or for debugging, but sometimes that is not enough. If you want to expose your device via a public URL that is already managed and trusted by Cloudflare, you might want to set up Cloudflare (previously Argo) Tunnels. It is an ideal way to serve any application to the world from under your desk.

Step 1: Install Docker

Depending on your RaspberryPi OS, the Docker installation might vary, but in most cases this script from https://docs.docker.com/engine/install/ubuntu should do the job:

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

Step 2: Install Synpse agent on your device

Log into your Synpse account, navigate to the “Devices” section and then click on “Provision”. Run the provided command in your RaspberryPi terminal. This will download, install and initialize the Synpse agent.

Once the device has appeared in your Synpse dashboard:

Registered RPI

Once the device is visible, click “edit labels” in the menu and add the label ‘type: rpi’:

Label your device

In Synpse, applications are installed into the devices based on device labels so it’s a good practice to label your devices accordingly.

Step 3: Deploy any Synpse application

In our example, we already have VueTorrent and Plex deployed, and we want to stream and watch movies from the RaspberryPi anywhere in the world.

Step 3: Create Cloudflare tunnel for Synpse

Go into Zero Trust Dashboard of Cloudflare.

Zero trust dashboard

Go to Access -> Tunnels -> Create a tunnel and create a new tunnel.

Copy the token from any of the provided tabs. It should look like this:

eyJhIjoiZDdmYzZkZDFhxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.....
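The token is not an opaque ID: the `eyJhIjoi` prefix is base64 for `{"a":"`, and the decoded JSON carries the tunnel secret, so handle it as a credential. The following is an added example (not code from this post, Synpse or Cloudflare) that checks a pasted token is complete before you store it as a secret, without ever printing the secret. It assumes the cloudflared token layout of base64-encoded JSON with "a" (account tag), "t" (tunnel UUID) and "s" (base64 tunnel secret); the function names and the sample token are constructed for illustration.

```python
import base64
import binascii
import json
import uuid

REQUIRED = ("a", "t", "s")  # account tag, tunnel UUID, tunnel secret (assumed layout)


def _b64(text: str) -> bytes:
    # Re-add '=' padding that a copy/paste may have dropped, then decode strictly.
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def inspect_tunnel_token(token: str) -> dict:
    """Validate a tunnel token and return a summary that omits the secret."""
    try:
        fields = json.loads(_b64(token.strip()))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("token is not base64-encoded JSON (truncated paste?)") from exc
    if not isinstance(fields, dict):
        raise ValueError("token JSON is not an object")
    missing = [k for k in REQUIRED if not isinstance(fields.get(k), str)]
    if missing:
        raise ValueError(f"token is missing fields: {missing}")
    try:
        tunnel_id = str(uuid.UUID(fields["t"]))
        secret_len = len(_b64(fields["s"]))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("tunnel id or secret is malformed") from exc
    # Only non-secret metadata leaves this function.
    return {"account_tag": fields["a"], "tunnel_id": tunnel_id, "secret_bytes": secret_len}


def make_sample_token() -> str:
    """Constructed token with made-up values, for demonstration only."""
    body = {
        "a": "0123456789abcdef0123456789abcdef",
        "t": "11111111-2222-3333-4444-555555555555",
        "s": base64.b64encode(bytes(range(32))).decode(),
    }
    return base64.b64encode(json.dumps(body).encode()).decode()


if __name__ == "__main__":
    print(inspect_tunnel_token(make_sample_token()))
```

The returned tunnel ID can be compared with the one shown in the Zero Trust dashboard to confirm the token belongs to the tunnel you just created.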

Step 4: Deploy Cloudflare Argo Tunnel

We are going to deploy a single instance of the Cloudflare application to all our devices, so that all of them appear in our dashboard.

Create a Synpse secret with the token from step 3:

CF Secret

name: cf-tunnel
scheduling:
  type: AllDevices
spec:
  containers:
    - name: cf
      # We currently build multi-arch images for arm until CF
      # will sort out the support for it. This is vanilla cloudflared
      # code with no changes. See the code and CI for it:
      # https://github.com/synpse-hq/cloudflared/
      image: ghcr.io/synpse-hq/cloudflared:latest
      args:
        - --no-autoupdate
        - run
      env:
      - name: TUNNEL_TOKEN
        fromSecret: cf-token
      command: tunnel
      networkMode: host
      restartPolicy: {}

Once the tunnel is deployed, you should see it in the dashboard:

CF connected tunnel

In the individual tunnel, create a hostname path for your applications. In our case we have 2 domains:

plex.example.com
torrent.example.com

When creating a hostname, make sure the application exposes the port of your choosing, either with a ports stanza or by using networkMode: host in the application. More about this in our documentation.

CF forward rules

Important: Make sure you configure authentication for all applications you are exposing via tunnels!

Next steps

You can deploy tunnels for individual applications, as part of an application, or for all devices as we did here. Deploying to all devices and deploying the same application across multiple devices will give you HA capabilities.

Either way it works, and you can access all your remote applications from anywhere in the world under your trusted domains!