📝 Is an arbitrary TCP tunnel encrypted end to end?

[alexandervlpl]

... or just client to edge/edge to origin? There seem to be no details anywhere about what "encrypted" actually means, which is vitally important for many use cases especially if you're replacing a VPN or similar tools. Is it safe to use something like telnet and plaintext passwords over the tunnel, or is that stuff transiting Cloudflare's network unencrypted in a place like Russia?

Available Documentation
https://www.cloudflare.com/products/tunnel/

The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center

So not e2e? Does this apply to all "applications", or just HTTP? More info needed.

https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
No info here.

Suggested Documentation
Explicit overview of where encryption/decryption happens for different kinds of tunnels. Maximum transparency.

Additional context
Here's the specific setup I'm wondering about.

Origin:
cloudflared --no-autoupdate tunnel run ..

Public hostname:
tcp://foo.bar.com:1234

Client:
cloudflared access tcp --hostname foo.bar.com --url localhost:1234

[AnimMouse]

No, arbitrary TCP tunnel is not encrypted end to end. cloudflared access is basically a browser that connects to Cloudflare's edge using WebSocket and exposes the TCP port to localhost. It is essentially the same using Cloudflare as a normal reverse proxy (the orange cloud) and Cloudflare can look in your arbitrary TCP stream if they wanted to. So if you don't trust Cloudflare, you can encrypt the arbitrary TCP stream using stunnel for example before sending it via cloudflared.

Is it safe to use something like telnet and plaintext passwords over the tunnel

In the eyes of attackers outside Cloudflare, yes, it is safe enough. Just make sure to add Access policies to foo.bar.com before running the tunnel, so that other people who know your domain name can't connect to your arbitrary TCP tunnel.