Safely connect to OctoPrint from outside of your home with Cloudflare Zero Trust
Gaston Dombiak edited this page Nov 24, 2023 · 8 revisions
Until now there were four options for connecting to OctoPrint from outside your home:
- Port Forward: Open a port in your home router + port forward + reverse proxy + dynamic DNS (or a static one)
- VPN: Set up your own VPN (see guide)
- Obico: The former "The Spaghetti Detective" acts as a tunnel to let you connect from outside your home
- OctoEverywhere: Also a tunnel that lets you connect from outside your home
We can now add another option: Cloudflare Zero Trust Tunneling. This option is as safe as using a VPN and might be even easier to set up. Moreover, with a VPN your client has access to your entire home network, while with this option you can limit exactly who has access to which service or machine.
- OctoPod 3.28 or newer
- Cloudflare Account (the free plan is enough)
1. Follow this Cloudflare Tunnel Easy Setup guide as a starting point. By the end of that guide, users will be able to use a browser to connect to OctoPrint from outside your home. A few more steps are needed to let OctoPod connect to your OctoPrint as well.
2. Create a new Service Token by going to Access -> Service Auth. You can call the new token "OctoPod Token". Make sure to copy CF-Access-Client-Id and CF-Access-Client-Secret. You will need that information later.
3. Make sure you already have an "Access Group" that includes the email addresses of the people you want to let connect directly to OctoPrint using a browser. Next, under "Include", add a Selector for Service Token and select the token you created in step 2.
4. Go back to Access -> Applications. Edit the application you created in step 1 and this time add a new Policy. You can call it "OctoPod Token". Select Service Auth under Action. Under Create additional rules, select Service Token and select the token you created in step 2.
5. Open a browser and go to your OctoPrint instance. Open Settings and go to API. Make sure there is a check next to Allow Cross Origin Resource Sharing (CORS). Restart OctoPrint.
To access your camera from outside, you will also want to create an Application and a matching Tunnel -> Public hostname for it.
The last steps are done in OctoPod. You will need to add a new printer by following these steps:
- Go to Settings in OctoPod, click on Printers and click + on the top right. You can select "OctoPrint - Application Key" (recommended) or "OctoPrint - Global API Key".
- Make sure to use HTTPS in the printer hostname. The printer hostname has to match the Public hostname you created in Cloudflare when you configured the tunnel. You will run into issues if you use HTTP, so please use HTTPS.
- You should be fine leaving HTTP Authentication empty since no reverse proxy should be used in this setup.
- Under Additional Headers you will need to enter the secret sauce. Copy **CF-Access-Client-Id: your-value-from-step-2, CF-Access-Client-Secret: your-value-from-step-2** and replace your-value-from-step-2 with the corresponding values from step 2 of the previous section. As you can see, client_id and client_secret are now passed as headers to make the magic work. Include both and separate them with a comma, as shown in bold text.
You are all done. Finish adding the new printer and give it a go.
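A pre-flight check for the settings above, as an added example that is not part of OctoPod or the original guide: it validates the hostname and the Additional Headers string, then probes OctoPrint's `/api/version` with and without the service token. The `OCTO_HOST`, `OCTO_HEADERS` and `OCTO_API_KEY` environment variable names are assumptions made for this example.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit
REQUIRED = ("CF-Access-Client-Id", "CF-Access-Client-Secret")

def parse_additional_headers(text):
    """Parse 'Name: value, Name: value' as typed into Additional Headers."""
    headers = {}
    for part in text.split(","):
        name, sep, value = part.partition(":")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed header entry: {part.strip()!r}")
        headers[name.strip()] = value.strip()
    return headers

def check_config(hostname, header_text):
    """Return a list of problems (empty if fine); ValueError on malformed headers."""
    problems = []
    if urlsplit(hostname).scheme != "https":
        problems.append("hostname must start with https://")
    lowered = {k.lower(): v for k, v in parse_additional_headers(header_text).items()}
    for name in REQUIRED:
        value = lowered.get(name.lower())
        if value is None:
            problems.append(f"missing {name}")
        elif "your-value-from-step-2" in value:
            problems.append(f"{name} still holds the placeholder")
    return problems

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 301/302 instead of following it

def probe(hostname, headers):
    """GET /api/version; return the HTTP status without following redirects."""
    req = urllib.request.Request(hostname.rstrip("/") + "/api/version", headers=headers)
    try:
        return urllib.request.build_opener(_NoRedirect).open(req, timeout=10).status
    except urllib.error.HTTPError as exc:
        return exc.code

if __name__ == "__main__":  # OCTO_* variable names are made up for this example
    host, text = os.environ["OCTO_HOST"], os.environ["OCTO_HEADERS"]
    key = {"X-Api-Key": os.environ["OCTO_API_KEY"]}
    if check_config(host, text):
        raise SystemExit("\n".join(check_config(host, text)))
    print("without token:", probe(host, key))  # should not be 200
    print("with token:   ", probe(host, {**parse_additional_headers(text), **key}))
```

A 200 on the probe without the token would mean the hostname is reachable without passing Cloudflare Access, so the Application policy needs another look.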
- I see a "Not refreshing" red error message in OctoPod. When I click on the (?) I see the error message "Invalid HTTP upgrade (301)".
- Fix: Go to OctoPod Settings -> Printers and edit the printer's hostname. Replace HTTP with HTTPS and save.
- I see a "Not refreshing" red error message in OctoPod. When I click on the (?) I see the error message "Invalid HTTP upgrade (403)".
- Fix: Go to OctoPrint Settings -> API. Check Allow Cross Origin Resource Sharing (CORS) and restart OctoPrint. After OctoPrint has restarted, you will need to close and reopen OctoPod (or switch between printers).