[SOLVED] Connecting to a Windows VM using SPICE client over the Internet via Cloudflare tunnels

Snowiness7674

New Member
Nov 29, 2022
I am self-hosting Proxmox VE v7.4 and have a Windows 11 VM configured with a SPICE display and SPICE enhancements enabled. I've installed both spice-guest-tools and spice-webdavd on the VM to enable folder sharing and I can connect to the VM just fine using virt-viewer on my local network.

I decided to externalize my Proxmox instance using Cloudflare Tunnels and have cloudflared running on the Proxmox host tunneling https://localhost:8006 for the web interface and http://localhost:3128 for SPICE proxy. I set up 2 separate subdomains for the web interface and the SPICE proxy using Cloudflare tunnels with proxmox.mydomain.com for the web interface and proxmox-spice.mydomain.com for the SPICE proxy.

With this setup I can access the Proxmox web interface just fine on https://proxmox.mydomain.com. However, if I try to access the VM using SPICE (virt-viewer), it fails to connect. I noticed that the pve-spice.vv files would have proxy=http://proxmox.mydomain.com:3128 instead of what I assume should be set to proxy=https://proxmox-spice.mydomain.com (which cloudflared would route to http://localhost:3128) so I changed that value manually but that didn't work either. virt-viewer times out trying to connect to the VM and I get an "Unable to connect to the graphics server" error.

If I try to access my Proxmox instance over my LAN with the instance's IP address instead, the pve-spice.vv files would have proxy=http://192.168.1.10:3128 which works just fine with virt-viewer on my local network.

Oh and noVNC console works just fine on both my local network as well as through Cloudflare tunnels for this VM.

Any pointers on what I'm doing wrong here?

Thanks!
 
Regular Cloudflare tunnels only tunnel HTTP/HTTPS traffic. For non-HTTP traffic like SPICE, you need to use the 'private networks' feature of tunnels and it requires installation of the WARP client. After I added the private network that serves SPICE traffic to the tunnel, I was able to connect to the VM using virt-viewer after logging in to the Cloudflare WARP client and connecting to Zero Trust.

Basically, you can't tunnel SPICE traffic over HTTP/HTTPS without installing the WARP client.

More info: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/
 
I am currently experiencing the same issue dealing with SPICE through Cloudflare tunnels, which I configured the same way as you did, reviewed the downloaded .vv files and such.

Would you mind sharing an anonymized/example version of your Proxmox server configuration regarding the WARP client and maybe some bullet list of steps to recreate it?

Thank you in advance.
 
Would you mind sharing an anonymized/example version of your Proxmox server configuration regarding the WARP client and maybe some bullet list of steps to recreate it?
I've rebuilt my server since then so I don't have my Proxmox config, but this had nothing to do with Proxmox; it was an error in my understanding of how Cloudflare tunnels work. 'Normal' Cloudflare tunnels only tunnel HTTP/HTTPS traffic. Tunneling non-HTTP traffic like SPICE on port 3128 requires the clients/users to connect to your tunnel via the Cloudflare WARP client, which lets them access a private network just like a VPN. I believe the WARP client even uses WireGuard under the hood. You can also use so-called WARP connectors to reach private networks without needing to install the WARP client on every client/user device but I didn't go that route.

To get it working, you have to install the Cloudflare WARP client on the device from which you are going to run the SPICE client. You need to then log in to your Zero Trust account in Cloudflare's WARP client and then connect to Zero Trust. Once you're connected (see screenshots below) you can use virt-viewer to open the .vv files and you should be able to reach your VM.


Make sure your Cloudflare tunnel has the private network you want to connect to added to it. This network should contain your Proxmox host.

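As an added example, not part of the original posts: a small Python check of which `proxy=` target a downloaded pve-spice.vv will use, and whether that address falls inside a private network added to the tunnel. The `192.168.1.0/24` range, the `check_vv_proxy` name and the sample file contents are assumptions built from the values quoted in the thread.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed samples modelled on the two proxy= values quoted in the thread.
# Real pve-spice.vv files carry more keys (password, ca, ...); only proxy= matters here.
VV_PUBLIC = """[virt-viewer]
type=spice
proxy=http://proxmox.mydomain.com:3128
tls-port=61000
"""
VV_LAN = VV_PUBLIC.replace("proxmox.mydomain.com", "192.168.1.10")


def check_vv_proxy(vv_text, routed_cidrs):
    """Classify the proxy= target of a .vv file against the tunnel's private networks.

    Returns (verdict, target) where verdict is one of:
      no-proxy  - the file has no proxy= key
      hostname  - proxy is a DNS name; a Cloudflare-proxied public hostname only
                  carries HTTP/HTTPS, so this is the case that timed out above
      routed    - proxy is an IP inside a private network added to the tunnel,
                  reachable once the WARP client is connected to Zero Trust
      unrouted  - proxy is an IP that no listed private network covers
    """
    # interpolation=None: values such as the password may contain '%'
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(vv_text)
    proxy = cfg.get("virt-viewer", "proxy", fallback=None)
    if not proxy:
        return ("no-proxy", None)
    url = urlsplit(proxy)
    try:
        addr = ipaddress.ip_address(url.hostname)
    except ValueError:
        return ("hostname", url.netloc)
    nets = [ipaddress.ip_network(c) for c in routed_cidrs]
    verdict = "routed" if any(addr in n for n in nets) else "unrouted"
    return (verdict, url.netloc)


if __name__ == "__main__":
    tunnel_networks = ["192.168.1.0/24"]  # assumed CIDR for the LAN in the thread
    for name, text in (("public", VV_PUBLIC), ("lan", VV_LAN)):
        print(name, check_vv_proxy(text, tunnel_networks))
```
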
 
