Cloudflare tunnel
cloudflared on TrueNAS (192.168.2.203) connects homelab apps to the internet without port forwarding — required because of CGNAT. Use this when sites work on the LAN but public *.saxobroko.com URLs fail.
TUN-001: All tunnel sites down at once (stream, dash, vault, dsm, sonarr…)
Symptoms: Every homelab subdomain fails publicly around the same time; LAN IP 192.168.2.203 may still work.
Likely cause: cloudflared container stopped on TrueNAS, or TrueNAS rebooted and app did not start.
Fix:
1. Open https://192.168.2.203 on home Wi‑Fi — confirm TrueNAS is up.
2. TrueNAS → Apps → find cloudflared → confirm Running.
3. If stopped, Start; if running, Stop, wait 5 sec, then Start (see Restart cloudflared).
4. Wait two minutes; test https://dsm.saxobroko.com.
Still broken? See cloudflared or Common Issues.
TUN-002: cloudflared app missing from TrueNAS Apps list
Symptoms: Cannot find cloudflared to restart; tunnel dead.
Likely cause: App uninstalled, renamed, or hidden after TrueNAS update — may run as custom Docker app.
Fix:
1. TrueNAS → Apps → Installed Applications — search "cloudflare".
2. Check Discover or Custom App if not under official charts.
3. Do not reinstall from scratch without Saxon — needs tunnel token from Vaultwarden/Zero Trust.
4. Note exact app name for future FAQs.
Still broken? See TrueNAS basics.
TUN-003: cloudflared crashes immediately after start
Symptoms: App shows Running briefly then Error/Stopped; logs mention token or config error.
Likely cause: Invalid or expired tunnel credentials, bad config mount, or Docker network glitch after update.
Fix:
1. Open app Logs in TrueNAS — screenshot error (do not paste token publicly).
2. Single restart after TrueNAS fully booted (wait 5 min post-reboot).
3. If "invalid tunnel secret" — needs Saxon to refresh token in Zero Trust — do not guess.
4. After TrueNAS OS update, restart NAS once before cloudflared.
Still broken? See Common Issues.
TUN-004: Works on LAN (192.168.2.203) but not via public URL
Symptoms: Jellyfin or TrueNAS UI loads locally; stream.saxobroko.com or dsm.saxobroko.com fails from same house on mobile data test.
Likely cause: Classic tunnel failure — LAN bypasses cloudflared; public path broken.
Fix:
1. Restart cloudflared (TUN-001).
2. Zero Trust → Tunnels → connector shows Healthy green.
3. If unhealthy, check TrueNAS internet outbound (google.com on LAN).
4. Verify DNS CNAME to tunnel — DNS (DNS-005).
Still broken? See cloudflared troubleshooting.
TUN-005: Tunnel connector shows Inactive or Disconnected in Zero Trust
Symptoms: Cloudflare Zero Trust dashboard lists tunnel connector red/down.
Likely cause: cloudflared not running, NAS offline, or house internet WAN down blocking outbound tunnel.
Fix:
1. Confirm home internet works (NET-001).
2. Confirm TrueNAS online at .203.
3. Start cloudflared app; wait 60 seconds.
4. Refresh Zero Trust tunnel page — should show Connected with recent heartbeat.
Still broken? See TUN-003.
TUN-006: After TrueNAS reboot tunnel does not come back automatically
Symptoms: NAS restart; all public URLs dead until someone manually starts cloudflared.
Likely cause: App set not to auto-start, or start order — cloudflared launched before network ready.
Fix:
1. TrueNAS app settings → enable Start on boot / autostart if available.
2. Follow Power outage recovery boot order: router → NAS → wait → verify cloudflared.
3. Manually start cloudflared after each NAS reboot until autostart fixed.
4. Ask Saxon to fix chart settings permanently.
Still broken? See Turn everything on.
TUN-007: Multiple cloudflared connectors — which is production?
Symptoms: Zero Trust shows more than one connector; afraid to delete wrong one.
Likely cause: Old test connector left registered — only TrueNAS @ 192.168.2.203 should be active homelab connector.
Fix:
1. Match connector last seen timestamp with TrueNAS restarts.
2. Do not delete connectors without Saxon — may kill production tunnel.
3. Note connector ID tied to running app logs on NAS.
4. Clean up stale connectors only when Saxon confirms.
Still broken? See cloudflared.
TUN-008: Changed tunnel config in dashboard — no effect
Symptoms: Edited public hostname in Zero Trust; behaviour unchanged after save.
Likely cause: cloudflared picks up config from Cloudflare within minutes — sometimes needs restart; or edited wrong tunnel.
Fix:
1. Confirm editing the homelab tunnel (not a test tunnel).
2. Wait two minutes.
3. Restart cloudflared on TrueNAS.
4. Hard refresh browser incognito.
Still broken? See TUN-012.
TUN-009: House internet slow — are tunnels broken?
Symptoms: Slow NBN; wonder if cloudflared makes everything slower.
Likely cause: Tunnel adds small overhead but does not usually kill LAN speed — separate from Wi‑Fi/NBN issues.
Fix:
1. Test LAN copy to NAS — if slow, see NET-011 not tunnel.
2. Tunnel keepalives use minimal bandwidth.
3. Fix WAN slowness with ISP/UniFi first.
4. Public streaming slowness may be upload speed + transcode — Media won't play.
Still broken? See Network general.
TUN-010: Only one subdomain fails — others fine
Symptoms: e.g. radarr.saxobroko.com down; sonarr.saxobroko.com works.
Likely cause: Wrong public hostname → internal URL mapping for that one app — tunnel partially configured.
Fix:
1. Zero Trust → tunnel → Public Hostnames → find failing host.
2. Compare internal URL/port to working sibling app on TrueNAS.
3. Fix URL (e.g. http://192.168.2.203:7878) and save.
4. Restart cloudflared if needed (TUN-008).
Still broken? See Restart Docker app.
TUN-011: dsm.saxobroko.com tunnel works but TrueNAS UI login fails
Symptoms: Cloudflare page loads; TrueNAS login or cert error after.
Likely cause: Tunnel reaches NAS but TrueNAS admin auth or HTTPS setting issue — not tunnel down.
Fix:
1. Try LAN https://192.168.2.203 with same credentials from Vaultwarden.
2. If LAN login fails, reset password procedure via Saxon — not tunnel fix.
3. Confirm tunnel points to correct TrueNAS HTTPS port.
4. See TrueNAS basics.
Still broken? See DSM.
TUN-012: Public hostname points to wrong internal port
Symptoms: Cloudflare 502 or wrong app loads (Sonarr UI on Radarr URL).
Likely cause: Copy-paste error when adding tunnel route — common on arr stack with similar ports.
Fix:
1. On LAN, identify each app's port from TrueNAS Apps or Services.
2. Zero Trust → edit public hostname Service URL to match.
3. Save and restart cloudflared.
4. Test one URL at a time in incognito.
Still broken? See arr stack.
TUN-013: Should tunnel point to NPM instead of direct app port?
Symptoms: Saxon uses Nginx Proxy Manager for some paths; unsure tunnel target.
Likely cause: Some hostnames route to NPM on LAN which forwards to apps — tunnel may target NPM IP:port not final app.
Fix:
1. Check NPM for documented entry point.
2. Zero Trust hostname should match whatever Saxon configured — NPM or direct Docker port.
3. Do not change NPM and tunnel independently without both updates.
4. When in doubt, ask Saxon before repointing.
Still broken? See NPM proxy FAQ when available.
TUN-014: stream.saxobroko.com (Jellyfin) tunnel issues
Symptoms: Jellyfin public URL fails; LAN direct may work on 192.168.2.203:8096 or documented port.
Likely cause: Jellyfin container stopped, wrong tunnel port, or WAF 403 abroad — distinguish timeout vs 403.
Fix:
1. Confirm Jellyfin app Running on TrueNAS.
2. Verify tunnel hostname → Jellyfin HTTP port.
3. Test from AU — 403 abroad is WAF not tunnel (CFL-003).
4. Restart Jellyfin then cloudflared if 502.
Still broken? See Jellyfin for beginners.
TUN-015: Adding a new public hostname to the tunnel
Symptoms: New Docker app needs newapp.saxobroko.com reachable from outside.
Likely cause: Requires Zero Trust tunnel entry + DNS + WAF — multi-step per Saxon's checklist.
Fix:
1. Confirm app works on LAN IP:port first.
2. Zero Trust → Tunnels → Public Hostname → add name and internal URL.
3. Verify DNS CNAME auto-created — DNS-031.
4. Add to block no aus and localnet full strict ssl — WAF.
Still broken? See cloudflared adding hostname.
TUN-016: dash.saxobroko.com (Homepage) tunnel + Authentik
Symptoms: Homepage dashboard unreachable publicly; Authentik login never reached.
Likely cause: Tunnel down or Access/Authentik layer failure — test tunnel first with dsm/stream.
Fix:
1. If all tunnel sites down → TUN-001.
2. If only dash fails, check tunnel maps to Homepage port and Homepage container running.
3. If tunnel OK but login loop → Cloudflare edge (CFL-008).
4. See Homepage.
Still broken? See Homepage for beginners.
TUN-017: vault.saxobroko.com (Vaultwarden) tunnel down
Symptoms: Password sync fails off-LAN; browser timeout to vault URL.
Likely cause: cloudflared or Vaultwarden container stopped — critical for credentials access abroad (if geo allowed).
Fix:
1. Remember vault is AU-only via WAF — test from Australia first.
2. Restart Vaultwarden app on TrueNAS, then cloudflared.
3. Bitwarden mobile may work offline with cached vault if already unlocked.
4. LAN fallback not available away from home.
Still broken? See Open Vaultwarden.
TUN-018: auth.saxobroko.com tunnel must stay up for SSO
Symptoms: dash/docs login fails; Authentik unreachable.
Likely cause: auth tunnel down breaks SSO chain even if other apps partially work.
Fix:
1. Priority restart: TrueNAS → cloudflared → Authentik app.
2. Test https://auth.saxobroko.com from AU incognito.
3. auth excluded from harsh geo block but still needs working tunnel from Cloudflare to NAS.
4. See Authentik.
Still broken? See CFL-017.
TUN-019: request.saxobroko.com (Overseerr) not loading
Symptoms: Movie request site timeout or 502; LAN may work on internal port.
Likely cause: Overseerr container down or tunnel port wrong after reinstall.
Fix:
1. TrueNAS → restart Overseerr Docker app.
2. Verify tunnel internal URL matches new port if changed.
3. Restart cloudflared after tunnel edit.
4. See Overseerr guide.
Still broken? See DNS-034.
TUN-020: music.saxobroko.com and photos.saxobroko.com failures
Symptoms: Navidrome or Photos public URLs fail; other media apps OK.
Likely cause: Per-app tunnel hostname or container issue — not global tunnel unless both fail with all others.
Fix:
1. Restart specific app (Navidrome / Photos) in TrueNAS Apps.
2. Check each public hostname mapping in Zero Trust.
3. Test LAN ports documented in Services.
4. Global outage → TUN-001 instead.
Still broken? See Navidrome or Photos basics.
TUN-021: sonarr / radarr / prowlarr / lidarr tunnel issues
Symptoms: One or more arr admin UIs unreachable publicly.
Likely cause: Each has separate tunnel hostname and port — automation stack partially down common after updates.
Fix:
1. Identify which arr fails; restart that container.
2. Verify tunnel port matches app settings — arr stack.
3. Prefer LAN admin at home for heavy config changes.
4. Restart cloudflared once after batch tunnel edits.
Still broken? See arr FAQ when available.
TUN-022: Tunnel logs show connection refused to 192.168.2.203:PORT
Symptoms: cloudflared log repeats "connection refused" or "dial tcp" errors.
Likely cause: Target app not listening on that port — container stopped or wrong port in tunnel config.
Fix:
1. On LAN browser, try http://192.168.2.203:PORT directly.
2. Start/fix Docker app until LAN works.
3. Update tunnel public hostname port to match.
4. Restart cloudflared.
Still broken? See TUN-012.
TUN-023: Tunnel logs show 502 or bad gateway from origin
Symptoms: cloudflared connects but app returns error upstream.
Likely cause: App crash, reverse proxy misconfig, or HTTPS/http scheme mismatch on internal URL.
Fix:
1. Toggle internal URL between http:// and https:// only if Saxon documented app requires TLS locally.
2. Default homelab Docker apps usually HTTP internal.
3. Restart app container.
4. Check app-specific logs in TrueNAS.
Still broken? See Restart Docker app.
TUN-024: Old CNAME to local.saxobroko.com breaks tunnel site
Symptoms: DNS resolves but connection times out; legacy DNS pattern still on one subdomain.
Likely cause: Subdomain not migrated from pre-CGNAT local.saxobroko.com A record pattern to tunnel CNAME.
Fix:
1. Cloudflare DNS → replace legacy target with CNAME to *.cfargotunnel.com.
2. Add matching public hostname in Zero Trust.
3. Remove the legacy record pointing at the obsolete public IP.
4. See DNS-006.
Still broken? See Network legacy DNS.
TUN-025: plex.saxobroko.com legacy tunnel
Symptoms: Plex URL fails; Saxon moved primary streaming to Jellyfin.
Likely cause: Plex legacy — may still have tunnel entry but low priority maintenance.
Fix:
1. Prefer stream.saxobroko.com (Jellyfin) for household streaming.
2. If Plex needed, check Plex legacy for current status.
3. Fix tunnel/container only if still intentionally used.
4. Do not confuse Plex and Jellyfin tunnel ports.
Still broken? See Plex legacy FAQ when available.
TUN-026: TrueNAS OS update broke cloudflared networking
Symptoms: Tunnel died immediately after TrueNAS upgrade; apps run but public URLs 502.
Likely cause: Docker network bridge reset — cloudflared lost route to host or apps.
Fix:
1. Reboot TrueNAS once fully updated (wait for pools healthy).
2. Restart cloudflared then affected apps.
3. Verify LAN IP .203 unchanged in UniFi fixed IP (UNI-020).
4. Check cloudflared logs for Docker network errors.
Still broken? See TrueNAS.
TUN-027: Duplicate tunnel public hostname entries
Symptoms: Unpredictable routing; one app intermittently wrong.
Likely cause: Two public hostname rows for same subdomain in Zero Trust — conflicting backends.
Fix:
1. Zero Trust → tunnel → Public Hostnames → search duplicate subdomain.
2. Delete the wrong/older entry keeping one correct mapping.
3. Restart cloudflared.
4. Document correct internal URL in SaxDocs when stable.
Still broken? See TUN-012.
TUN-028: Tunnel works from phone on 4G but not on home Wi‑Fi
Symptoms: Public URL loads on mobile data; same URL fails on home Wi‑Fi (or opposite).
Likely cause: Hairpin NAT / DNS rebinding or local DNS override — unusual on this setup; or browser cache/captive portal.
Fix:
1. Try incognito on home Wi‑Fi.
2. Use LAN IP for local admin instead of public URL when home (192.168.2.203).
3. Confirm not blocking yourself via WAF from misdetected country (rare on AU NBN).
4. Compare exact error: timeout vs 403 vs cert.
Still broken? See DNS-023.
TUN-029: cloudflared high CPU on TrueNAS
Symptoms: NAS fans loud; cloudflared using noticeable CPU in TrueNAS reporting.
Likely cause: Temporary reconnect storm after outage, or log level debug — usually settles.
Fix:
1. If after outage, wait ten minutes for stable connection.
2. Single restart cloudflared — not repeated loops.
3. If sustained high CPU days, capture logs for Saxon.
4. Do not disable tunnel to "fix" CPU — loses all public access.
Still broken? See TrueNAS basics.
TUN-030: WebSockets / Jellyfin live stream fails via tunnel only
Symptoms: Playback stutters or fails on stream.saxobroko.com; LAN playback fine.
Likely cause: Upload bandwidth limit, transcoding load, or client issue — tunnel supports WebSockets by default.
Fix:
1. Test lower quality stream setting in Jellyfin client.
2. Check NBN upload speed saturation (torrents on PC).
3. Restart Jellyfin and cloudflared once.
4. See Media won't play.
Still broken? See Cloudflare edge (CFL-025).
TUN-031: Need to rotate tunnel token after leak
Symptoms: Tunnel credential exposed; Saxon wants new token deployed.
Likely cause: Security rotation — requires Zero Trust regenerate + update TrueNAS app secret.
Fix:
1. Saxon or authorised admin: Zero Trust → tunnel → Configure → rotate token.
2. Update TrueNAS cloudflared app environment/secret with new token from secure channel — not SaxDocs.
3. Restart cloudflared.
4. Confirm connector Healthy.
Still broken? See YubiKey and Vaultwarden for credential storage.
TUN-032: Two tunnels in account — edited the wrong one
Symptoms: Config changes have no effect; hostnames still broken.
Likely cause: Zero Trust has test vs production tunnel — hostname added to inactive tunnel.
Fix:
1. Identify tunnel name Saxon uses for homelab (check TrueNAS app config label).
2. Move public hostnames to correct tunnel.
3. Delete duplicate hostname from wrong tunnel.
4. Restart cloudflared on TrueNAS production connector only.
Still broken? See TUN-007.
TUN-033: cloudflared version outdated after TrueNAS update
Symptoms: Warning in logs about deprecated version; intermittent disconnects.
Likely cause: Chart ships older cloudflared — update app catalog when Saxon schedules maintenance.
Fix:
1. Do not panic-update during outage unless logs demand it.
2. TrueNAS Apps → cloudflared → Update when pool healthy and Saxon approves.
3. Restart app post-update.
4. Verify tunnel Healthy in Zero Trust.
Still broken? See TrueNAS apps.
TUN-034: Firewall on TrueNAS blocking cloudflared outbound
Symptoms: LAN apps work; cloudflared logs cannot reach Cloudflare edge; connector down.
Likely cause: Rare local TrueNAS firewall rule or DNS failure blocking *.cloudflare.com outbound.
Fix:
1. Confirm TrueNAS can ping/browse internet (google.com from NAS shell if comfortable — or trust PC test on same LAN).
2. Dream Machine should allow LAN → WAN outbound by default.
3. Do not add inbound WAN rules — irrelevant for tunnel.
4. Fix house internet first (NET-001).
Still broken? See Network.
TUN-035: Scheduled maintenance — safe to restart cloudflared?
Symptoms: Planned TrueNAS reboot; want to minimise public downtime.
Likely cause: Brief tunnel blip during restart is normal — stagger with household notice.
Fix:
1. Notify household streaming may pause ~2 minutes.
2. Reboot TrueNAS → wait for pools/apps → confirm cloudflared autostart (TUN-006).
3. Verify dsm.saxobroko.com before announcing all clear.
4. Check status.saxobroko.com monitors green.
Still broken? See Pool scrub for maintenance timing.
TUN-036: ICMP / ping Cloudflare tunnel endpoints
Symptoms: Want to "ping tunnel" like a device — unsure how.
Likely cause: Tunnels are HTTPS outbound connections — ping is not a meaningful test for beginners.
Fix:
1. Use Zero Trust connector Healthy status instead.
2. Test public URL in browser from AU.
3. Test LAN origin IP:port.
4. See TUN-004 diagnostic order in cloudflared.
Still broken? See Network general (NET-020).
TUN-037: cloudflared and Docker host network mode
Symptoms: Advanced question whether app uses host or bridge network — tunnel cannot reach localhost service.
Likely cause: If app binds 127.0.0.1 only, cloudflared on bridge cannot reach it — must use LAN IP 192.168.2.203:port.
Fix:
1. Tunnel internal URL should use 192.168.2.203 not 127.0.0.1 unless Saxon documented host networking.
2. Fix tunnel mapping to NAS LAN IP and published port.
3. Restart app and cloudflared.
4. Escalate network mode changes to Saxon.
Still broken? See TUN-022.
TUN-038: Quick diagnostic order (copy Saxon's checklist)
Symptoms: Overwhelmed — need step order for "site unreachable."
Likely cause: Same as cloudflared quick diagnostic — follow in sequence.
Fix:
1. Reach app on LAN at 192.168.2.203:port?
2. cloudflared Running in TrueNAS Apps?
3. DNS CNAME to *.cfargotunnel.com for that host?
4. Hostname in block no aus + localnet full strict ssl (if homelab)?
5. Testing from Australia without bad VPN?
Still broken? See Common Issues.
TUN-039: Tunnel up but Cloudflare 403 — not 502
Symptoms: Connector healthy; browser shows Cloudflare block not gateway error.
Likely cause: WAF geo block or Access policy — tunnel is fine; edge blocking user.
Fix:
1. Confirm testing from AU (CFL-003).
2. Check Security Events for block reason.
3. Do not restart cloudflared for pure 403 abroad — expected.
4. If 403 in AU, see CFL-015 not TUN-001.
Still broken? See WAF rules.
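A helper script, added here as an example and not part of SaxDocs or the cloudflared project, that walks the TUN-038 order for one hostname and classifies the public result the way TUN-039 asks, so a 403 at the edge is not treated as a 502 from the origin. It assumes curl is installed on the machine running it and uses the NAS IP from this page; hostname and LAN port are supplied through the TUNDIAG_* environment variables (names chosen for this example).

```shell
#!/bin/sh
# Added example for this page; not SaxDocs or cloudflared code.
# Runs the TUN-038 order for one tunnel hostname:
#   1. is the app answering on the NAS LAN IP:port?
#   2. what does the public URL return via Cloudflare?
# and classifies the public answer so a 403 (edge block, TUN-039) is not
# confused with a 502 (origin down, TUN-022/023) or a timeout (NET-001).
# TUN-038 step 3 (CNAME to *.cfargotunnel.com) is checked in the Cloudflare
# DNS dashboard: proxied records answer publicly with Cloudflare IPs, so a
# public dig does not show the CNAME target.
# Assumes: curl installed where this runs; NAS IP as documented on this page.

NAS_IP="192.168.2.203"

# Classify the LAN origin probe. $1 = HTTP status from curl (000 = no answer),
# $2 = port probed. Pure function: output is "CODE: next step from this page".
diagnose_lan() {
    case "$1" in
        000)             echo "ORIGIN_DOWN: nothing listening on $NAS_IP:$2, start/fix the app (TUN-022)" ;;
        2??|3??|401|403) echo "OK: app answers on LAN ($1), so a public failure is tunnel or edge side" ;;
        5??)             echo "ORIGIN_ERROR: app answers but is unhealthy ($1), check app logs (TUN-023)" ;;
        *)               echo "UNEXPECTED: LAN status $1, capture for Saxon (TUN-040)" ;;
    esac
}

# Classify the public probe. $1 = curl exit code, $2 = HTTP status (000 if none).
diagnose_public() {
    case "$1" in
        0)  ;;
        6)  echo "NO_DNS: hostname does not resolve, check the DNS record (TUN-024, DNS-005)"; return 0 ;;
        28) echo "TIMEOUT: no answer from Cloudflare edge, check house internet (NET-001)"; return 0 ;;
        *)  echo "CONNECT_FAIL: curl exit $1 before any HTTP reply (NET-001)"; return 0 ;;
    esac
    case "$2" in
        2??|3??) echo "OK: tunnel and origin answering ($2)" ;;
        403)     echo "EDGE_BLOCK: WAF/Access 403, tunnel is fine, do not restart it (TUN-039, CFL-003)" ;;
        502|503) echo "ORIGIN_DOWN: $2 from Cloudflare, connector up but app not answering (TUN-022, TUN-023)" ;;
        530)     echo "TUNNEL_DOWN: 530, connector offline or hostname not on this tunnel (TUN-005, TUN-032)" ;;
        *)       echo "UNEXPECTED: HTTP $2, capture for Saxon (TUN-040)" ;;
    esac
}

# Live run: tunnel_diag <public hostname> <LAN port> [http|https]
# e.g. tunnel_diag dsm.saxobroko.com 443 https
tunnel_diag() {
    host="$1"; port="$2"; scheme="${3:-http}"
    lan=$(curl -sk -o /dev/null -m 5 -w '%{http_code}' "$scheme://$NAS_IP:$port/" 2>/dev/null) || lan=000
    printf '1. LAN origin %s://%s:%s -> %s\n' "$scheme" "$NAS_IP" "$port" "$(diagnose_lan "$lan" "$port")"
    pub=$(curl -s -o /dev/null -m 15 -w '%{http_code}' "https://$host/" 2>/dev/null) && rc=0 || rc=$?
    printf '2. Public https://%s -> %s\n' "$host" "$(diagnose_public "$rc" "${pub:-000}")"
}

# Only touch the network when a hostname is supplied, so the classifiers
# above can be sourced and checked offline.
if [ -n "${TUNDIAG_HOST:-}" ]; then
    tunnel_diag "$TUNDIAG_HOST" "${TUNDIAG_PORT:-80}" "${TUNDIAG_SCHEME:-http}"
fi
```

Run it from a LAN machine as `TUNDIAG_HOST=stream.saxobroko.com TUNDIAG_PORT=8096 sh tundiag.sh`; the two lines it prints map straight onto the "LAN-works-Y/N" and "connector Healthy-Y/N" answers TUN-040 asks for when escalating.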
TUN-040: Full tunnel checklist still failing
Symptoms: Completed TUN-038 all steps; public URL still broken from AU.
Likely cause: Deep issue — app crash, pool degraded, or credential rotation needed.
Fix:
1. Check TrueNAS pool health — not degraded (Pool degraded).
2. Collect cloudflared log excerpt (no secrets) and exact URL/error.
3. Restart specific failing app container once.
4. Escalate to Saxon with LAN-works-Y/N and connector Healthy-Y/N.
Still broken? See Handover first 24 hours.
TUN-041: Storj and old inbound services — why tunnel replaced them
Symptoms: Old notes mention port forwards and Storj; confused why tunnel is mandatory now.
Likely cause: CGNAT ended inbound connectivity — Storj archived; tunnel is replacement pattern.
Fix:
1. Do not attempt port forwarding on Dream Machine for homelab — ineffective.
2. All new external access via cloudflared + Cloudflare.
3. Read Network CGNAT (NET-014).
4. Legacy Plex/port docs are historical only.
Still broken? See Network.
TUN-042: When to call Saxon vs fix tunnel yourself
Symptoms: Unsure safety boundary for family fixing cloudflared.
Likely cause: Safe: restart cloudflared/app, verify LAN works. Not safe: new tokens, delete tunnel, reinstall TrueNAS app without backup.
Fix:
1. Always try TUN-001 restart and Restart cloudflared guide first.
2. Stop if logs mention invalid token, pool degraded, or data loss risk.
3. Write down symptoms using NET-020 order before calling.
4. Credentials only from Vaultwarden + YubiKey — never guess.
Still broken? See FAQ overview and Common Issues.