I wish to discuss the current status and issues.
It would be really nice if the Cloudflare team could support the OpenWrt package and Luci app.
But it probably won't happen given the market share.
Still, it makes sense to mention the OpenWrt package in the documentation or the GitHub README.
Because this is at least some GUI for Cloudflare that inexperienced users may start using.
There is no Copy Token button; you can only copy the whole command.
I added to the Luci app an ability to paste the command, and it will extract the token from it.
Still, it's difficult to explain in the documentation where to get the token because there is no label like "Here is your token.
Copy it and keep it secret. Don't reuse it across different devices and always generate a new one".
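As an added example (not the luci-app-cloudflared code), one way to pull the token out of the pasted `cloudflared service install <token>` command and show the user which account and tunnel it belongs to without ever displaying the secret. It assumes the token is base64 of a JSON object with keys `a` (account tag), `t` (tunnel ID) and `s` (secret); that layout is an assumption about the current cloudflared token format, and `extractTunnelToken` / `inspectTunnelToken` are hypothetical helper names.

```javascript
// Matches "cloudflared", "/usr/bin/cloudflared" or "cloudflared.exe" as a command word.
const CLOUDFLARED_CMD = /(^|[\\/])cloudflared(\.exe)?$/;
// Base64 (standard or URL-safe alphabet) with optional padding.
const TOKEN_CHARS = /^[A-Za-z0-9+/_-]+=*$/;

// Accepts either a bare token or the full "sudo cloudflared service install <token>"
// line copied from the dashboard. Returns the token string, or null if the paste
// is not a cloudflared service install command (so an arbitrary pasted shell line
// is never treated as a token).
function extractTunnelToken(pasted) {
  const parts = pasted
    .trim()
    .split(/\s+/)
    .map((p) => p.replace(/^['"]|['"]$/g, ''));
  if (parts.length === 0 || parts[0] === '') return null;
  if (parts.length > 1) {
    const idx = parts.findIndex((p) => CLOUDFLARED_CMD.test(p));
    if (idx < 0 || parts[idx + 1] !== 'service' || parts[idx + 2] !== 'install') return null;
    if (parts.length !== idx + 4) return null; // exactly one argument after "install"
  }
  const candidate = parts[parts.length - 1];
  if (candidate.length < 32 || !TOKEN_CHARS.test(candidate)) return null;
  return candidate;
}

// Decodes the token (assumed base64 JSON {a, t, s}) and returns only the
// non-secret identifiers for display in the UI; the secret "s" is never returned.
function inspectTunnelToken(token) {
  let obj;
  try {
    obj = JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!obj || typeof obj !== 'object') return null;
  if (typeof obj.a !== 'string' || typeof obj.t !== 'string' || typeof obj.s !== 'string') return null;
  return { accountTag: obj.a, tunnelId: obj.t };
}

module.exports = { extractTunnelToken, inspectTunnelToken };
```

In the browser-side LuCI code `Buffer.from(token, 'base64')` would be replaced by `atob`; the validation logic is the same.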
I haven't yet understood what the Certificate of Origin is and why just a token isn't enough. As far as I understood, to get the cert a user additionally needs to authorize on the site.
cloudflared login downloads the cert into ~/.cloudflared/cert.pem. The problem is that OpenWrt uses a different folder, /etc/cloudflared, and a user has to copy the cert manually. Maybe it's possible to set a file path for the cert to avoid the copy step. But as far as I understood, CF also stores other tunnel files in the home directory.
So maybe it would be better to set /etc/cloudflared globally instead of .cloudflared.
I had an idea to run the login automatically when a user sets a token.
But the command not only prints the URL but also waits for the user to log in via the link. This makes the automation more difficult.
Anyway, for just a simple tunnel the cert doesn't look needed.
I added a separate page to show the tunnels' status: luci-app-cloudflared: add Tunnels status page by stokito · Pull Request #6887 · openwrt/luci · GitHub
It was easy to do thanks to the JSON output.
But I still can't get the status of the tunnel that we see in the Cloudflare dashboard, i.e. (UN)HEALTHY.
This is a minor thing, but maybe something else would also be useful.
I also wanted to fetch the ingress rules to show them to the user but didn't find anywhere how to do that.
This is not critical, just a UX thing.
Ideally it would be great to manage the ingress rules in the Luci app.
It may have the advantage that it will be translated by the community.
I had a problem where a tunnel took two minutes to start. It tried to connect over QUIC, but I don't have a public IP. Maybe such things can be tuned somehow.
Routers have limited resources, and it would be great if cloudflared could be compiled with a smaller footprint.
For example, the auto-update feature is not needed for OpenWrt and Docker.
--post-quantum is probably not needed either.
So maybe we can exclude these features with a build tag. This could also reduce the CI load,
but I'm skeptical that it's possible to reduce more than a few percent here.
- Cloudflared provides a DNS over HTTPS proxy, and we probably should allow the user to configure it with UCI and use it. I'm not sure how useful it is, and maybe a user will use other DoH daemons and providers. Maybe the DNS allows seeing some internal-only domains? Then we definitely should use it.
- Cloudflared shows a warning on start, and to fix it we need to change the sysctl configuration. It can be put into /etc/sysctl.d/30-cloudflared-conf as a file:
I don't know if it's safe to add these settings. Also, increasing net/core/rmem_max may be problematic if a router lacks memory.
A tunnel works despite the warning.