Unable to Connect to Minecraft Server via Cloudflare Tunnel (Other Services Working Fine)

Context: I'm getting into selfhosting and want to host a game server (Minecraft should take the port 25565 and needs tcp traffic) through a cloudflared tunnel through my own domain. A connection from the outside does not appear possible, although I don't know its reason. In the following I will go through the steps I took; I would be very grateful for any tips or ideas.

My steps so far (based on https://developers.cloudflare.com/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/):
1. Bought a domain (gameserver.kyoto)
2. Created a cloudflare account and replaced the nameservers with the nameservers from Cloudflare
3. Downloaded the latest version of cloudflared on the host server (ubuntu 22.04)
4. Logged in, downloaded the credentials from cloudflare
5. Created a new tunnel "minecraft"
6. Created a config file like this
tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:
  - hostname: ssh.gameserver.kyoto
    service: ssh://localhost:22

  - hostname: minecraft.gameserver.kyoto
    service: tcp://localhost:25565

  - hostname: grafana.gameserver.kyoto
    service: http://localhost:3000

  - service: http_status:404
Started the tunnel -> I don't see any mention of "configuration updated" or smt like that; furthermore, when I run "cloudflared tunnel info mc-tunnel" it does not say that it has a configuration.
9. Testing from within the local network but a different PC
PS C:\Users\php> Test-NetConnection -ComputerName minecraft.gameserver.kyoto -Port 25565
ComputerName           : minecraft.gameserver.kyoto
RemoteAddress          : 172.67.211.11
RemotePort             : 25565
InterfaceAlias         : ethernet
SourceAddress          : 192.168.0.60
PingSucceeded          : True
PingReplyDetails (RTT) : 3 ms
TcpTestSucceeded       : False
10.I have launched a temporary game server but no incoming traffic can be detected. By connecting to the tunnel, I am able to use SSH and access the Grafana dashboard. However, only Minecraft returns an error: "Connection refused: no further information." I would be grateful for any help, Thank you.
24 Replies
Chaika (3w ago)
Cloudflare Docs
Arbitrary TCP
Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to resources over arbitrary TCP without being on a virtual private network (VPN).
php (OP, 3w ago)
Thank you for your reply. I'm sorry for the lack of explanation. Between steps 8 and 9, I performed the following actions on the client machine: On the client machine, I started the tunnel:
PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555
2025-05-02T19:50:34Z INF Start Websocket listener host=localhost:25555
Step 9: Testing from within the local network on a different PC
PS C:\Users\php> Test-NetConnection -ComputerName minecraft.gameserver.kyoto -Port 25565
ComputerName           : minecraft.gameserver.kyoto
RemoteAddress          : 172.67.211.11
RemotePort             : 25565
InterfaceAlias         : ethernet
SourceAddress          : 192.168.0.60
PingSucceeded          : True
PingReplyDetails (RTT) : 3 ms
TcpTestSucceeded       : False

PS C:\Users\php> Test-NetConnection -ComputerName localhost -Port 25555
WARNING: TCP connect to (::1 : 25555) failed
ComputerName     : localhost
RemoteAddress    : 127.0.0.1
RemotePort       : 25555
InterfaceAlias   : Loopback Pseudo-Interface 1
SourceAddress    : 127.0.0.1
TcpTestSucceeded : True
Step 10: I launched Minecraft Java Edition on the client machine and attempted to connect to localhost:25555, but I received the error: Connection refused: no further information.
Chaika (3w ago)
Assuming minecraft.gameserver.kyoto is the real hostname, you'll have to make a dns record to route to the tunnel
via the cli, you can use
cloudflared tunnel route dns <UUID or NAME> minecraft.gameserver.kyoto
Or just adding a CNAME on minecraft to <UUID>.cfargotunnel.com
php (OP, 3w ago)
I can confirm from the dashboard that the settings are configured as shown below. Is there any additional configuration required beyond this?
[Attached screenshot, no description]
Chaika (3w ago)
just to be clear, gameserver.kyoto is meant to be a fake/stand in domain? It's not registered
php (OP, 3w ago)
Yes, it's a dummy. This is my first time posting to this open community, so I'm using a fake domain. If the real domain is needed, I can provide it by DM.
Chaika (3w ago)
Shouldn't be needed, was just making sure I understood. After you attempt to connect within minecraft, there should be more logs output by the access tcp command
php (OP, 3w ago)
Understood. I’ll provide the output from the command as-is, with only the domain changed. Should the access tcp command be run on the server machine or the client machine? If there’s any documentation for this process, I’d appreciate it if you could share it so I can follow along.
Chaika (3w ago)
client machine. Docs are just the same as linked above in regards to getting arbitrary tcp setup
php (OP, 3w ago)
Thank you. After running the access tcp command on the client machine, I tried connecting from Minecraft to localhost:25555 multiple times, but no logs were output.
PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555
2025-05-02T19:50:34Z INF Start Websocket listener host=localhost:25555
By the way, running the Test-NetConnection command from the client machine also does not produce any logs.
Chaika (3w ago)
Interesting, sounds like it might think it's establishing connection to a degree. You can tag on --log-level debug at the end and see if we can't get any more out of it.
There are a few issues that can result from the way your domain is set up in Cloudflare, if you don't have Websockets on under Network -> Websockets, or if you have aggressive firewall like Bot Fight mode on, but should be something in logs from that
php (OP, 3w ago)
Logs were only recorded when running Test-NetConnection -ComputerName localhost -Port 25555.
PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555 --log-level debug
2025-05-03T04:52:26Z INF Start Websocket listener host=localhost:25555
2025-05-03T04:52:45Z DBG Websocket request: GET / HTTP/1.1
Host: minecraft.gameserver.kyoto
User-Agent: cloudflared/2025.4.0
2025-05-03T04:52:47Z DBG Access Websocket request: GET / HTTP/1.1
Host: minecraft.gameserver.kyoto
Cf-Access-Token: xxx
User-Agent: cloudflared/2025.4.0
2025-05-03T04:52:47Z DBG Websocket response: "HTTP/1.1 101 Switching Protocols\r\nAlt-Svc: h3=":443"; ma=86400\r\nCf-Cache-Status: DYNAMIC\r\nCf-Ray: 939d26a51c8d7379-NRT\r\nConnection: upgrade\r\nDate: Sat, 03 May 2025 04:52:47 GMT\r\nNel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XroVVHeeWBZKa%2FsHDtuf7Lk78WZQQ85y%2FxWh5h8ZSuVwFOQo%2Fm%2Bt4%2Fs4KXBFHH7KqiGoGC1s2heXuI%2Fn0aU%2FNleTzasUzfqq8gHmJJAUMeLzedIlHyx%2BOhp%2BznDOQycXJFRsEQTeX%2Fluujn4oQ%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nSec-Websocket-Accept: +LjxgHHNH8hpe2MH2pWIi7uvf/k=\r\nServer: cloudflare\r\nServer-Timing: cfL4;desc="?proto=TCP&rtt=2644&min_rtt=2640&rtt_var=999&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3109&recv_bytes=1469&delivery_rate=1634938&cwnd=252&unsent_bytes=0&cid=bea82eddf03a812f&ts=50&x=0"\r\nUpgrade: websocket\r\n\r\n"
2025-05-03T04:52:47Z DBG downstream->upstream copy: read tcp 192.168.0.60:59357->104.21.53.89:443: use of closed network connection
There are no logs recorded for the connection from Minecraft or the command Test-NetConnection -ComputerName minecraft.gameserver.tokyo -Port 25565.
Chaika (3w ago)
> Test-NetConnection -ComputerName minecraft.gameserver.tokyo -Port 25565
This (going directly against the domain) will never work, as the tunnel hostname just uses Cloudflare's normal shared proxy setup. This is why it requires you to run cloudflared on the client and then create a virtual setup locally
cf-access-token is sensitive there if you logged in
anyway the websocket is establishing successfully, anything interesting on tunnel host side?
If you're on linux and have installed the tunnel as a service, you can check logs via journalctl -u cloudflared -f --lines=100
Otherwise, if you're running it from console and such, can just look at normal logs
php (OP, 3w ago)
Should the cf-access-token be masked?
Chaika (3w ago)
yes
php (OP, 3w ago)
This is journalctl -u cloudflared -f --lines=100 command result.
Chaika (3w ago)
When you install the tunnel as a service, it copies your current config to /etc/cloudflared/config.yml and uses that. Are you editing that config/does that config have all the minecraft stuff configured? If you were running it as a user before, some people get tripped up in editing the config under their user directory
php (OP, 3w ago)
Yes, I’m editing /etc/cloudflared/config.yml.
root@minecraft-server:~# cat /etc/cloudflared/config.yml
tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:
  - hostname: ssh.gameserver.kyoto
    service: ssh://localhost:22

  - hostname: minecraft.gameserver.kyoto
    service: tcp://localhost:25565

  - hostname: grafana.gameserver.kyoto
    service: http://localhost:3000

  - service: http_status:404
Chaika (3w ago)
then I'd say it's time to check the more silly things as I've done this same setup before without issue
Your screenshot above showed multiple tunnels, they're all on separate machines and not conflicting?
Can you connect to the minecraft server not through the tunnel?
Restarted tunnel since last config change (it doesn't auto refresh when using local tunnels)
You can use cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto to validate it's being routed right locally (at least on latest update config)
I would change all the localhost references to 127.0.0.1 out of paranoia, at least the tunnel config for minecraft. IPv6 usually isn't set up and isn't supported for Minecraft
You can use 25565 locally too in the access url command, unless you're using that port locally for some reason?
php (OP, 3w ago)
> Your screenshot above showed multiple tunnels, they're all on separate machines and not conflicting?
I have a question about this part. I'm hosting two Ubuntu servers: one for the Minecraft server and one as a playground server. As shown in the screenshot, I've created two separate Cloudflare tunnels—one for Minecraft and one for the playground. (Is this an acceptable setup?)
Also, to access the Minecraft server, I run the following command from PowerShell on my Windows PC:
cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555 --log-level debug
Additionally, to SSH into the Minecraft server, I use tunneling via Ubuntu on WSL:
~/.ssh/config
Host minecraft
    HostName ssh.gameserver.kyoto
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    User php
> Can you connect to the Minecraft server not through the tunnel?
You mean accessing it directly via the private IP, without using the tunnel? Yes, I can connect—SSH, Grafana (HTTP), and Minecraft all work fine.
> Restarted tunnel since last config change (it doesn't auto refresh when using local tunnels)
I noticed a message in the logs indicating that cloudflared was outdated, so I upgraded it. The tunnel was restarted during that process. However, I still can’t connect.
> You can use cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto to validate it's being routed right locally (at least on latest update config)
I ran this on the server:
cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto
Using rules from /home/php/.cloudflared/config.yml
Matched rule #1
hostname: minecraft.gameserver.kyoto
service: tcp://localhost:25565
This indicates that it's using /home/php/.cloudflared/config.yml, not /etc/cloudflared/config.yml. Why is that? By the way, here is the content of /home/php/.cloudflared/config.yml:
tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:
  - hostname: ssh.gameserver.kyoto
    service: ssh://localhost:22

  - hostname: minecraft.gameserver.kyoto
    service: tcp://localhost:25565

  - hostname: grafana.gameserver.kyoto
    service: http://localhost:3000

  - service: http_status:404
> I would change all the localhost references to 127.0.0.1 out of paranoia, at least the tunnel config for Minecraft. IPv6 usually isn't setup and isn't supported for Minecraft
> You can use 25565 locally too in the access URL command, unless you're using that port locally for some reason?
I will apply these changes now.
Chaika (3w ago)
> t, I've created two separate Cloudflare tunnels—one for Minecraft and one for the playground. (Is this an acceptable setup?)
Yea, one per vm works best.
> This indicates that it's using /home/php/.cloudflared/config.yml, not /etc/cloudflared/config.yml. Why is that?
When running as your user, it prefers the one in your home directory. When running as a service, it uses the one under /etc/cloudflared. It's a bit confusing. If you delete the one under your home directory (or rename to something else), that command should run against, or you can also specify in the command like
cloudflared tunnel --config /etc/cloudflared/config.yml ingress rule https://minecraft.gameserver.kyoto
php (OP, 3w ago)
OMNG I can connect
I was able to connect after changing from localhost to 127.0.0.1.
@Chaika Thank you so much!
Chaika (3w ago)
interesting, I'd guess your minecraft server wasn't bound on ipv6 (I don't think mc really supports it)
well we took the long way but at least it was a simple fix lol
at least for the future, localhost resolves to 127.0.0.1 and ::1 and is worth being careful around (most of the time, explicitly specifying 127.0.0.1), if you're not sure the service is on both
php (OP, 3w ago)
Yes, I'm glad it turned out to be a simple fix. I'm also relieved to know that the general steps I followed were correct. Cloudflare's public documentation is really clear and helpful. And yes, I’ll remember that casually using localhost can be risky. Thank you so much for your help.
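
Added example, not part of the original thread: a Python check for the failure mode the thread ended on, where a name such as localhost resolves to both 127.0.0.1 and ::1 but the origin service listens on only one of them. The function names and the IPv4-only stand-in listener are constructed for illustration.

```python
import socket

def resolve_all(host, port):
    """Every distinct (family, address) the resolver returns for host, in order."""
    seen = []
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return seen  # name does not resolve at all
    for family, _, _, _, sockaddr in infos:
        if (family, sockaddr[0]) not in seen:
            seen.append((family, sockaddr[0]))
    return seen

def probe(family, addr, port, timeout=1.0):
    """Attempt one TCP connect; return "open" or a short failure reason."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return "open"
    except OSError as exc:
        return f"failed: {exc.strerror or exc}"

def check_name(host, port):
    """Probe each address behind a name, so a half-bound service is visible."""
    return {addr: probe(family, addr, port) for family, addr in resolve_all(host, port)}

def demo():
    # Constructed stand-in for the game server: listens on IPv4 loopback only.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = any free port, so the demo never collides
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return {
            "127.0.0.1": probe(socket.AF_INET, "127.0.0.1", port),
            "::1": probe(socket.AF_INET6, "::1", port),
            "localhost": check_name("localhost", port),
        }
    finally:
        srv.close()

if __name__ == "__main__":
    for target, result in demo().items():
        print(target, "->", result)
```

On the tunnel host, `check_name("localhost", 25565)` shows which of the addresses behind `localhost` the real server accepts; any address reported as failed is one an ingress rule written with `localhost` could be sent to.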
