Description
Describe the bug
When I run cloudflared as a non-root user, installed with cloudflared service install, it can't access any backend service in the local network. Each access results in a log entry like this:
Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.1.1:443: connect: no route to host
Any backend on the localhost is accessible, so the tunnel is working overall.
There are no network issues and I can reach this IP just from the host. After launchctl unload ~/Library/LaunchAgents/com.cloudflare.cloudflared.plist and sudo cloudflared service install, the same cloudflared binary with the same command line arguments is able to serve the backends on the local network.
To Reproduce
Steps to reproduce the behavior:
- Configure cloudflared to run as a local user
- Run launchctl bootstrap gui/501 ~/Library/LaunchAgents/com.cloudflare.cloudflared.plist to start it
- Configure a backend on a different machine on the local network
- Attempt to access the backend
Expected behavior
I expect cloudflared to behave identically when run as root or a different user.
Environment and versions
- OS: macOS 15.4.1
- Architecture: Apple Silicon
- Version: 2025.04.2
Logs and errors
See above
Additional context
When debugging the issue over Apple Remote Desktop, I got a popup asking whether cloudflared should be allowed local network access. I clicked "yes" and verified that /opt/homebrew/Cellar/cloudflared/2025.4.2/bin/cloudflared is enabled in System Preferences / Privacy & Security / Local Network.
I assume this is related to macOS's security mechanisms.