OpenWrt support

Now you can install OpenWrt firmware on a router and use Cloudflare Tunnel to access it.

There are two packages: the cloudflared daemon and the LuCI application luci-app-cloudflared, which provides a GUI for configuration.
You can install them with the command opkg install cloudflared luci-app-cloudflared

See details in the Wiki

Please test, translate on Weblate, contribute and share.

Sources:

If you have questions or proposals, ask here.

P.S. Dear moderator please don’t close the topic.


I wish to discuss the current status and issues.

Support
It would be really nice if the Cloudflare team could support the OpenWrt package and LuCI app.
But it probably won't happen given the market share.

Still, it makes sense to mention the OpenWrt package in the documentation or the GitHub readme,
because this is at least some GUI for cloudflared that inexperienced users may start using.

CF UI
There is no Copy Token button; you can only copy the whole command.
I added to the LuCI app the ability to paste the command, and it will extract the token from it.
Still, it's difficult to explain in the documentation where to get the token because there is no label like "Here is your token.
Copy it and keep it secret. Don't reuse it across different devices and always generate a new one".

cloudflared login
I haven't yet understood what the Certificate of Origin is and why just a token is not enough. As far as I understood, to get the cert a user additionally needs to authorize on the site.
cloudflared login downloads the cert into ~/.cloudflared/cert.pem. The problem is that OpenWrt uses a different folder, /etc/cloudflared, and a user has to copy the cert manually. Maybe it's possible to set a file path for the cert to avoid the copy step. But as far as I understood, CF also stores other tunnel files in the home directory.
So maybe it would be better to set /etc/cloudflared globally instead of .cloudflared.

I had an idea to run the login automatically when a user sets a token.
But the command not only prints the URL but also waits for the user to log in via the link. This makes the automation more difficult.

Anyway, for just a simple tunnel the cert doesn't seem to be needed.

tunnel status
I added a separate page to show tunnel status: luci-app-cloudflared: add Tunnels status page by stokito · Pull Request #6887 · openwrt/luci · GitHub

It was easy to do thanks to the JSON output.

But I still can't get the status of the tunnel that we see in the Cloudflare dashboard, i.e. (UN)HEALTHY.
This is a minor thing, but maybe something else would also be useful.

I also wanted to fetch the ingress rules to show them to the user but didn't find anywhere how to do that.
This is not critical, just a UX thing.
Ideally it would be great to manage the ingress rules in the LuCI app.
It may have the advantage that it will be translated by the community.

Slow start
I had a problem where a tunnel took two minutes to start. It tried to connect over QUIC but I don't have a public IP. Maybe such things can be tuned somehow.

Smaller binary
Routers have limited resources and it would be great if cloudflared could be compiled with a smaller footprint.
For example, the auto-update feature is not needed for OpenWrt and Docker.
The sub-commands tail, service and --post-quantum are probably not needed either.
So maybe we can exclude these features with a build tag. This could also reduce the load on CI,
but I'm skeptical that it's possible to reduce it by more than a few percent here.

TODO

1. cloudflared provides a DNS over HTTPS proxy and we probably should allow the user to configure it with UCI and use it. I'm not sure how useful it is, and maybe a user will use other DoH daemons and providers. Maybe the DNS allows seeing some internal-only domains? Then we definitely should use it.

2. cloudflared shows a warning on start, and to fix it we need to change the sysctl configuration. It can be put into /etc/sysctl.d/30-cloudflared-conf as a file:
   net.ipv4.ping_group_range="0 429296729"
   net.core.rmem_max=2500000

I don't know if it's safe to add these settings. Also, increasing net.core.rmem_max may be problematic if a router lacks memory.
A tunnel works despite the warning.

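
As an added example (not part of the post above and not the cloudflared project's own code), here is a small POSIX shell helper that reproduces the check behind the cloudflared warning: it reads /proc/sys/net/ipv4/ping_group_range, tests whether a GID falls inside it, and writes the sysctl fragment from the post to a path of your choosing. The function names, the default GID (the current process) and the default file paths are assumptions for illustration.

```sh
#!/bin/sh
# Added example: reproduce cloudflared's ping_group_range check on OpenWrt.

# gid_in_range "MIN MAX" GID  -> exit 0 when MIN <= GID <= MAX.
# The kernel default is "1 0" (an empty range), so GID 0 is rejected, which
# is exactly the "Group ID 0 is not between ping group 1 to 0" warning.
gid_in_range() {
    gid="$2"
    set -- $1            # split "MIN MAX" (tab- or space-separated) into $1 $2
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# ping_allowed [GID] [RANGE_FILE] -> exit 0 if the GID may open ICMP sockets.
# Defaults (assumed): the calling process's GID and the live sysctl file.
ping_allowed() {
    gid="${1:-$(id -g)}"
    file="${2:-/proc/sys/net/ipv4/ping_group_range}"
    gid_in_range "$(cat "$file")" "$gid"
}

# write_sysctl_fragment DEST [MAX_GID] [RMEM_MAX]
# Writes the two settings discussed in the thread to DEST.
write_sysctl_fragment() {
    dest="$1"; max_gid="${2:-429296729}"; rmem="${3:-2500000}"
    printf 'net.ipv4.ping_group_range="0 %s"\nnet.core.rmem_max=%s\n' \
        "$max_gid" "$rmem" > "$dest"
}
```

Two practical notes: OpenWrt's /etc/init.d/sysctl applies /etc/sysctl.d/*.conf at boot, so give the fragment a .conf suffix (for example /etc/sysctl.d/30-cloudflared.conf) and confirm with sysctl -p /etc/sysctl.d/30-cloudflared.conf that the values took; and the range "0 429296729" is the thread's value, which admits every group up to that number, so on a router where cloudflared runs as root you could equally use "0 0" to permit only GID 0.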

What is the minimal OpenWrt version for this package? I can't find it on 19.07.

OpenWrt 19 was released in 2019, i.e. five years ago.
You'll need the latest OpenWrt running on a powerful AMD-based router or even x86.

This didn't work for me:

cloudflared shows a warning on start, and to fix it we need to change the sysctl configuration. It can be put into /etc/sysctl.d/30-cloudflared-conf as a file:
  net.ipv4.ping_group_range="0 429296729"
  net.core.rmem_max=2500000
 

I had to add the value to /proc/sys/net/ipv4/ping_group_range as suggested in the error.

[2024-02-22 23:05:42] [warn] : The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network, Error: Group ID 0 is not between ping group 1 to 0
[2024-02-22 23:05:42] [warn] : ICMP proxy feature is disabled, Error: cannot create ICMPv4 proxy: Group ID 0 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied

But it still has a bunch of errors during connection. I found some GitHub issues mentioning those errors, but they're supposed to be fixed in my current version (2024.1.5).

[2024-02-23 06:43:13] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.57
[2024-02-23 06:43:14] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:18] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:27] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:27] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.192.7, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.200.23, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.200.53, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.192.227, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.7
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.227
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.200.23
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.200.53
[2024-02-23 06:46:29] [info] : Switching to fallback protocol http2, IP: 198.41.200.23
[2024-02-23 06:46:29] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:39] [info] : Switching to fallback protocol http2, IP: 198.41.192.227
[2024-02-23 06:46:39] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:50] [info] : Switching to fallback protocol http2, IP: 198.41.192.7
[2024-02-23 06:46:50] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:56] [info] : Switching to fallback protocol http2, IP: 198.41.200.53
[2024-02-23 06:46:56] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:51:04] [info] : Registered tunnel connection, IP: 198.41.200.33, Connection: "xxxxx", Location: waw02, Protocol: http2

Try putting the settings in the /etc/sysctl.d/30-cloudflared-conf file:

net.ipv4.ping_group_range="0 429296729"
net.core.rmem_max=2500000

After this, restart the service: /etc/init.d/cloudflared restart.

Hello, thanks for the LuCI app. It greatly helped a newbie like me configure it easily.
I have GL.iNet AX1800, AXT1800 and MT6000 routers with up-to-date firmware.
The first two routers can connect to cloudflared pretty fine with version 2023.5.1 (built 2023-05-23-2246 UTC).

On the MT6000, the cloudflared service won't start at boot with any version, including version 2024.2.1 (built 2024-02-20-1728 UTC).
However, in luci-app-cloudflared's Configuration tab, if I change anything and then press the "Save and Apply" button, the tunnel runs successfully.
The same behaviour is seen when I use "cloudflared tunnel run" after boot via SSH; it always runs fine.

I have already set up a Cloudflare tunnel for this router on the Cloudflare website.
The issue here is that I can't make cloudflared run at boot since that successful initial setup with the Cloudflare site.
It seems like it reads the config.yml, but the issue is:
{"level":"error","error":"lookup cfd-features.argotunnel.com on 127.0.0.1:53: server misbehaving","time":"2024-02-29T09:23:47Z","message":"Failed to fetch features, default to disable"}
I am at my wit's end how to fix this. I tried different versions, and different versions of the config files as well.
But if I manually run it or press Save and Apply in luci-app-cloudflared, it just connects in a few seconds.
Please kindly advise.
I can upload the .log file if required.

Sorry, but I can't help here. This looks like a problem with cloudflared itself.
Check the logs carefully. On the forum there is one topic with a similar

Maybe you have some DNS service running on port 53, like an ad blocker.


I've got the tunnel working now, but when I reboot the router the service doesn't restart.
Where do I add a line in OpenWrt to have it auto-start? I've tried adding it to the "Startup > Local startup" tab in OpenWrt with the command "/etc/init.d/cloudflared restart", but it does nothing on reboot.
The only way I can get it to restart is to SSH into the router and run that command.
What am I doing wrong?

Thanks
Kyle

Did you use the latest version of OpenWrt?
Did you install it with opkg or with a script that downloads it itself, like GitHub - adshrc/openwrt-cloudflared: You want to expose a device in your local network to the Internet? Here comes a one-command solution!?

The cloudflared package has an init script that is enabled by default, so you don't need to call it additionally.
Try executing:

opkg remove cloudflared
opkg install cloudflared


Did you use the latest version of OpenWrt? Yes, the latest version.

Did you install it with opkg or with a script that downloads it itself, like GitHub - adshrc/openwrt-cloudflared: You want to expose a device in your local network to the Internet? Here comes a one-command solution!? I've done both, since I'm trying everything to get it to work.

Should I uninstall the different ones? I see there is a Cloudflare and a LuCI Cloudflare package installed; do I need to remove both and start again?

OK, I'll try those two commands you mentioned.

I tried the following and nothing seems to work.

I uninstalled everything and reinstalled, and LuCI says it's up and running and connected to the cloud tunnel.
Once I reboot the router it doesn't reconnect to the cloud with the tunnel.
I have to go back in with SSH and restart cloudflared, and then it works.

Check the logs with the logread command.
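
Both boot-time reports above (cloudflared not starting at boot on the MT6000 with a "lookup cfd-features.argotunnel.com on 127.0.0.1:53" error, and the tunnel not coming back after a reboot) come down to the same two questions: is the init script actually enabled, and is DNS answering when cloudflared starts? As an added example, not from either post and not the project's own code, here is a POSIX shell snippet that answers both before you dig into logread. The rc.d directory and the resolver command are parameters so it can be exercised against a scratch directory; the default resolver is nslookup (assumed to be busybox's), and the function names are illustrative.

```sh
#!/bin/sh
# Added example: boot-time checks for the cloudflared service on OpenWrt.

# service_enabled NAME [RCDIR] -> exit 0 if an S??NAME start link exists.
# "/etc/init.d/NAME enable" creates /etc/rc.d/S<prio>NAME; without that link
# procd never starts the service at boot, whatever "Save & Apply" does later.
service_enabled() {
    name="$1"; rcdir="${2:-/etc/rc.d}"
    for link in "$rcdir"/S[0-9][0-9]"$name"; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# wait_for_dns HOST [TRIES] [DELAY] -> exit 0 once HOST resolves.
# $RESOLVER (default nslookup) is run as "$RESOLVER HOST". At boot the local
# dnsmasq on 127.0.0.1:53 may not be answering yet, which produces the
# "server misbehaving" error quoted in the thread.
wait_for_dns() {
    host="$1"; tries="${2:-30}"; delay="${3:-2}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        if ${RESOLVER:-nslookup} "$host" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# cloudflared_boot_check: what to run on the router (or from a boot hook)
# before blaming cloudflared itself.
cloudflared_boot_check() {
    if ! service_enabled cloudflared; then
        echo "init script not enabled: run /etc/init.d/cloudflared enable"
        return 1
    fi
    if ! wait_for_dns cfd-features.argotunnel.com 15 2; then
        echo "DNS not answering on this host; check what listens on 127.0.0.1:53"
        return 2
    fi
    echo "ok: service enabled and DNS resolves"
}
```

If service_enabled fails, "/etc/init.d/cloudflared enable" (or the Startup page in LuCI) is the fix, not a Local startup line. If only wait_for_dns fails, cloudflared is being started before the local resolver is usable, and the logread output will show the same "server misbehaving" lookup error at every boot.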

What would be the minimum specs you would recommend for the router?
Would it run fine on something like the Cudy WR1300?

ty

https://openwrt.org/toh/cudy/cudy_wr1300_v2
16 MB of disk.
The cloudflared package itself is 9 MB, and 24 MB unpacked.
So it should work on the router, but it may not if your disk is busy.


ty
Besides a minimum of 30+ MB (I assume from your answer), are there any other requirements?

It's unpacked to RAM, which is 128 MB on the router. Try to install it; I only tested it in a virtual machine, so I can't tell you exactly.


I don't have this router yet; I am just trying to find a not-too-expensive router available locally which I can surely set up without any issues.

I would appreciate your suggestions for the minimum requirements with which you would say it should work flawlessly: disk space, RAM, CPU, etc.

ty

Just got this set up for remote LuCI access; it works very nicely!

However, I do get some errors on startup... I figured I'd build it myself and see if the current source has the same issue, and it does appear to.

[2024-04-13 15:17:28] [error] : Failed to create new quic connection, IP: 198.41.218.7, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-04-13 15:17:28] [info] : Retrying connection in up to 32s, IP: 198.41.218.7
[2024-04-13 15:17:35] [error] : Failed to create new quic connection, IP: 198.41.219.6, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-04-13 15:17:35] [info] : Retrying connection in up to 1m4s, IP: 198.41.219.6
[2024-04-13 15:17:42] [error] : Failed to create new quic connection, IP: 198.41.219.7, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-04-13 15:17:42] [info] : Retrying connection in up to 1m4s, IP: 198.41.219.7
[2024-04-13 15:17:47] [error] : Failed to create new quic connection, IP: 198.41.219.9, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-04-13 15:17:47] [info] : Retrying connection in up to 1m4s, IP: 198.41.219.9
[2024-04-13 15:17:57] [error] : Failed to create new quic connection, IP: 198.41.218.5, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-04-13 15:17:57] [info] : Retrying connection in up to 1m4s, IP: 198.41.218.5

The connection does eventually fall back to http2, so it's not really an issue, but it would be nice to understand why this is happening.

Edit: I also tried creating /etc/sysctl.d/30-cloudflared-conf and adding the mentioned config, to no effect.

Edit 2: I believe this is happening because the build is not using cloudflare-go? Hmm...


You can ignore the QUIC error; this is a known issue.

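
The log lines quoted in this thread are enough to tell the known QUIC failure from a real connectivity problem: the tunnel is fine once a "Registered tunnel connection" line appears, whichever protocol it settled on. As an added example (not from any post above and not the project's code), here is a POSIX shell filter that summarises a cloudflared or logread log: it counts the "CurvePreferences includes unsupported curve" QUIC failures, reports the location and protocol of each registered connection, and flags the case where nothing registered at all. The sample log is a constructed, shortened copy of the lines posted earlier in the thread, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: classify cloudflared connection logs from this thread.

# Constructed sample: a shortened version of the log posted above.
SAMPLE_LOG='[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.192.7, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.7
[2024-02-23 06:46:29] [info] : Switching to fallback protocol http2, IP: 198.41.200.23
[2024-02-23 06:46:29] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:51:04] [info] : Registered tunnel connection, IP: 198.41.200.33, Connection: "xxxxx", Location: waw02, Protocol: http2'

# quic_curve_errors < LOG -> number of QUIC dials that failed with the
# "unsupported curve" TLS error (the known issue, harmless once http2 is up).
quic_curve_errors() {
    grep -c 'CurvePreferences includes unsupported curve' || true
}

# registered_protocols < LOG -> one "LOCATION PROTOCOL" line per registered
# connection; empty output means the tunnel never came up.
registered_protocols() {
    sed -n 's/.*Registered tunnel connection.*Location: \([^,]*\), Protocol: \([a-z0-9]*\).*/\1 \2/p'
}

# tunnel_verdict < LOG -> "ok-<protocol>" when a connection registered,
# "quic-only-failure" when the only errors are the curve issue but nothing
# registered (keep waiting or force http2), and "down" otherwise.
tunnel_verdict() {
    log=$(cat)
    proto=$(printf '%s\n' "$log" | registered_protocols | head -n 1 | cut -d' ' -f2)
    if [ -n "$proto" ]; then
        echo "ok-$proto"
    elif [ "$(printf '%s\n' "$log" | quic_curve_errors)" -gt 0 ]; then
        echo "quic-only-failure"
    else
        echo "down"
    fi
}
```

On the router, "logread | grep cloudflared | tunnel_verdict" gives the verdict for the current boot. If the result is ok-http2 the curve errors are only noise from the QUIC attempts; if you would rather not wait through the retry loop at every start, cloudflared's --protocol http2 tunnel flag (protocol: http2 in config.yml) skips QUIC entirely, though whether luci-app-cloudflared exposes that option is not covered in this thread.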