
Chris Stretton

May 31, 2023

Hetzner Cloudflare Tunnel - Failed to dial to edge with quic

When establishing a tunnel from your Hetzner server to Cloudflare, you may see the following when cloudflared attempts to connect home to Cloudflare.

ERR Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity"
WRN If this log occurs persistently, and cloudflared is unable to connect to Cloudflare Network with `quic` protocol, then most likely your machine/network is getting its egress UDP to port 7844 (or others) blocked or dropped. Make sure to allow egress connectivity as per https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/
INF Switching to fallback protocol http2

Cause

Even if you allow all egress through your firewall and the Hetzner robot firewall, you may still see this.

The reason is that Hetzner’s firewall is a fairly stupid stateless packet filter, which means it does not know the difference between responses to packets you have sent and incoming connections.

To fix this you must allow UDP (QUIC is a UDP-based protocol, unlike the fallback TCP) ports 32768-65535 INCOMING to your server: cloudflared dials out to Cloudflare from an ephemeral source port in that range, and the replies come back to that port, which a stateless filter sees as a brand-new inbound connection.

Solution Steps

  1. Log on to Hetzner Robot and select Firewall for your server
  2. Add a new rule, name it something appropriate like UDP Established v4
  3. Set the version to ipv4 and the protocol to UDP.
  4. Set the destination port to 32768-65535
  5. Set the action to Accept
  6. Repeat the above for ipv6 if your server supports it
  7. Hit “Save” at the bottom of the page

NB. The Hetzner firewall allows only 10 rules, so depending on your set-up you may need to combine service ports into a single rule to free up enough rules for this.
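The check below is an added example, not part of the original post: it verifies that the host's ephemeral source-port range (where Cloudflare's QUIC replies return, since cloudflared dials out to UDP 7844) sits inside the 32768-65535 inbound range opened in Robot, and counts the symptom line from the log excerpt above in a constructed sample. It assumes a Linux host; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a Linux host
# running cloudflared; the allowed range below is the Robot rule from the post.

ALLOWED_LO=32768
ALLOWED_HI=65535

# range_covered LO HI: return 0 when LO-HI lies entirely inside the inbound
# UDP range opened in the Hetzner Robot firewall, 1 otherwise.
range_covered() {
    [ "$1" -ge "$ALLOWED_LO" ] && [ "$2" -le "$ALLOWED_HI" ]
}

# local_port_range: print "LO HI", the ephemeral source ports the kernel
# hands to cloudflared's outbound QUIC socket (replies come back to them).
# Falls back to the Linux default when /proc is not readable.
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr -s '\t ' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# quic_blocked_count: count the symptom lines from the post in a log read
# from stdin; prints 0 (and still succeeds) when there are none.
quic_blocked_count() {
    grep -c 'failed to dial to edge with quic' || true
}

# Constructed sample of cloudflared output, modelled on the post's log excerpt.
SAMPLE_LOG='ERR Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity"
INF Switching to fallback protocol http2
ERR Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity"'

set -- $(local_port_range)
if range_covered "$1" "$2"; then
    echo "ephemeral range $1-$2 is inside the Robot rule $ALLOWED_LO-$ALLOWED_HI"
else
    echo "ephemeral range $1-$2 is NOT fully covered; widen the Robot rule"
fi
echo "QUIC dial failures in sample log: $(printf '%s\n' "$SAMPLE_LOG" | quic_blocked_count)"
```

Because the Robot rule admits any UDP packet to that whole range, keep a stateful host firewall (nftables/iptables conntrack) in front of anything else that listens on high UDP ports.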
