Cloudflare tunnel

Coudflare Zero Trust Tunnel is a service from that proxies traffic to your origin (e.g. a webserver or router). Cloudflare attracts client requests and sends them to you via the cloudflared daemon, without requiring you to poke holes on your firewall - your origin can remain as closed as possible. It is often used not only for privacy but also just a method of NAT traversal to device that doesn't have a static IP.

Cloudflare Tunnel is great when it works. I had difficulty setting up tunnels thus this guide.

Start by creating an account at The free plan is sufficient for most users.

You require a domain to add as a site to Cloudflare's service. You receive instructions on how to point the domain to selected Cloudflare DNS servers Sometimes it takes a while for DNS to propagate. In the meantime set up the rest of your settings. I registered a cheap domain specific for this purpose and have no plans to host anything there for an audience. Finally, once DNS has propagated and your site's status says active, we can proceed.

Select Zero Trust from the sidebar; this is where tunnels are managed. Set up things as you like. For example, under Gateway you find DNS and Firewall policies; there is no need to touch them at all to get tunnel(s) working. Under SettingsGeneral settings you can find your Team domain. The sub-domain/hostname part, meaning that part before is something that you should remember. When you log in with WARP (available for desktop OSs and phones) to establish a client connection, this Team ID is asked upon logon. So write it down if it is difficult to remember.

Under SettingsNetwork are settings for the proxy. To get tunnels working, you must enable the proxy. By default, it seems to be disabled. When you enable it, you can select either TCP or UDP, or both. This part is rarely mentioned in other guides.

Other settings on that page are not important for tunneling, except Split tunnels and local domain fallback - so select manage. There, are settings for device enrolments. Make necessary changes there for login requirements. For example, *

Edit also the default profile - there you find the section Split tunnels. Select what you prefer. In this example, we choose to Exclude IPs and domains. Click manage then find a list of subnets, IP addresses, and domain names. Make sure that the network you want to connect to is not on the list. For example, if your LAN is, make sure none of the subnets on the list include your used IP range.

For service mode, I chose Gateway with WARP. Unsure whether other modes work. It should be chosen as default.

If you want local DNS to resolve to IP addresses, set this under Local Domain Fallback. As I did not use it, I cannot comment.

On Device posture, as WARP Client checks, I added Gateway with name Gateway - but that is possibly not a requirement. Other settings on that page can be left as-is.

Finally, basic setup is complete. Keep your browser open and make sure you stay logged in to Cloudflare.

Login to your router and install cloudflared package:

opkg update
opkg install cloudflared

Settings are in /etc/config/cloudflared, but the only setting that should be changed is the enabled boolean. It is false by default.

Another location is at /etc/cloudflared, some changes there are necessary but at this moment, we won't touch anything there.

You can create a tunnel in the Cloudflare dashboard or via command line on your machine (“locally managed”).

Go to Zero Trust Dashboard at Open NetworksTunnels and click on Create a tunnel.

You can copy the token from “4. Run the following command:” and put it into /etc/config/cloudflared option token.

Then you need to specify a Public Hostname with type HTTP and URL http://localhost:80 where your Luci or website is running.

Then restart daemon with /etc/init.d/cloudflared restart. It may take up to 3 minutes while the tunnel will be established. Once you see in logs Updated to new configuration config=“{\”ingress\ then your local tunnel was established and received its config.

Since a tunnel is configured remotely you may need to open /etc/cloudflared/config.yml and comment all lines there.

First you'll need to run cloudflared tunnel login:

root@openwrt:/etc/cloudflared# cloudflared tunnel login
Please open the following URL and log in with your Cloudflare account:

Leave cloudflared running to download the cert automatically.

Copy the link and open it in your browser to proceed. If you were still logged in, you will get a view where you see the site as option that we added in the beginning. Select your site and click Authorize.

Go back to your OpenWrt shell, and you see a notification that cert.pem has been created. We copy it to cloudflareds config path.

You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
root@openwrt:/etc/cloudflared# cp /root/.cloudflared/cert.pem /etc/cloudflared/

Next we create the tunnel named TUNNELNAME. Copy the generated json config file to the /etc/cloudflared/ config path. XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is the generated id.

root@openwrt:/etc/cloudflared# cloudflared tunnel create TUNNELNAME
Tunnel credentials written to /root/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

root@openwrt:/etc/cloudflared# cp /root/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json /etc/cloudflared/

Edit /etc/cloudflared/config.yml: I commented out the first line about the URL which is superfluous:

#url: http://localhost:8000
credentials-file: /etc/cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json

I got errors logged about wrong sysctl values so put the settings to I created the /etc/sysctl.d/30-cloudflared-conf file:

net.ipv4.ping_group_range="0 429296729"

After this, restart the service: /etc/init.d/cloudflared restart

Return to the browser and at Cloudflare Zero Trust, open AccessTunnels. In the list should be our freshly created TUNNELNAME.

Choose to configure it and you are prompted that TUNNELNAME must be irreversibly migrated. Go ahead and migrate it, confirm all queries. Now, re-configure it. Choose Private Network tab and add new network. On the CIDR prompt add your LAN subnet. In this example it was

After this we enable, and restart cloudflared:

/etc/init.d/cloudflared stop
/etc/init.d/cloudflared enable
/etc/init.d/cloudflared start

Install Cloudflare WARP to your phone, disable wi-fi staying on the mobile network and start WARP. In SettingsAccount, enter your team name. This is in Cloudflare General Settings. If you added suitable rules to SettingsWarp settingsDevice enrollment you will be asked your credentials, i.e. email address. You are emailed a verification code which you need to enter there.

Under WARP's SettingsAdvancedConnection optionsExcluded routes verify that your LAN subnet is absent from the list - we previously excluded it. Under Virtual Networks, verify that the profile you chose is checked. I edited the default profile without creating a new one. Finally, exit settings. The front page should say Zero Trust, Connected and Your internet is protected. Open your web browser and point it to your router's IP at and if all went well, LuCi opens (in case you have it installed).

You may notice that ICMP ping doesn't work. This is normal and you cannot do anything about it because we enabled TCP and UDP, while ICMP used by ping is unavailable as a feature on cloudflared.

If you see a message “failed to dial to edge with quic” this is a known issue

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/04/11 11:41
  • by stokito