OpenWrt support

Now you can install OpenWrt firmware on a router and use Cloudflare Tunnel to access it.

There are two packages: the cloudflared daemon and the LuCI application luci-app-cloudflared, which provides a GUI for configuration.
You can install them with the command opkg install cloudflared luci-app-cloudflared

See details in Wiki

Please test, translate on Weblate, contribute and share.

Sources:

If you have questions or proposals, ask here.

P.S. Dear moderator please don’t close the topic.

3 Likes

I wish to discuss current status and issues.

Support
It would be really nice if the Cloudflare team could support the OpenWrt package and the LuCI app.
But it probably won't happen, given the market share.

Still, it makes sense to mention the OpenWrt package in the documentation or the GitHub readme,
because it is at least some GUI for cloudflared that inexperienced users may start using.

CF UI
There is no Copy Token button; you can only copy the whole command.
I added to the LuCI app the ability to paste the command, and it will extract the token from it.
Still, it's difficult to explain in the documentation where to get the token, because there is no label like "Here is your token.
Copy it and keep it secret. Don't reuse it across different devices and always generate a new one".

cloudflared login
I still don't understand what the Certificate of Origin is and why just a token is not enough. As far as I understood, to get the cert a user additionally needs to authorize on the site.
The cloudflared login downloads the cert into ~/.cloudflared/cert.pem. The problem is that OpenWrt uses a different folder, /etc/cloudflared, and a user has to copy the cert manually. Maybe it's possible to set a file path for the cert to avoid the copy step. But as far as I understood, cloudflared also stores other tunnel files in the home directory.
So maybe it would be better to set it globally to /etc/cloudflared instead of .cloudflared.

I had an idea to run the login automatically when a user sets a token.
But the command does not just print the URL; it also waits for the user to log in at the link. This makes the automation more difficult.

Anyway, for just a simple tunnel the cert doesn't seem to be needed.

tunnel status
I added a separate page to show the tunnels' status: luci-app-cloudflared: add Tunnels status page by stokito · Pull Request #6887 · openwrt/luci · GitHub

It was easy to do thanks to the JSON output.

But I still can't get the status of the tunnel that we see in the Cloudflare dashboard, i.e. (UN)HEALTHY.
This is a minor thing, but maybe something else would also be useful.

I also wanted to fetch the ingress rules to show them to the user, but didn't find anywhere how to do that.
This is not critical, just a UX thing.
Ideally it would be great to manage the ingress rules in the LuCI app.
It may have the advantage that it will be translated by the community.

Slow start
I had a problem where a tunnel took two minutes to start. It tried to connect over QUIC, but I don't have a public IP. Maybe such things can be tuned somehow.

Smaller binary
Routers have limited resources, and it would be great if cloudflared could be compiled with a smaller footprint.
For example, the auto-update feature is not needed for OpenWrt and Docker.
The sub-commands tail and service and the --post-quantum option are probably not needed either.
So maybe we can exclude these features with a build tag. This can also reduce the load on CI.
But I'm skeptical that it's possible to reduce more than a few percent here.

TODO

1. Cloudflared provides a DNS over HTTPS proxy, and we probably should allow the user to configure it with UCI and use it. I'm not sure how useful it is, and maybe a user will use other DoH daemons and providers. Maybe the DNS allows seeing some internal-only domains? Then we definitely should use it.

2. Cloudflared shows a warning on start, and to fix it we need to change the sysctl configuration. It can be put into /etc/sysctl.d/30-cloudflared-conf as a file:
   net.ipv4.ping_group_range="0 429296729"
   net.core.rmem_max=2500000

I don't know if it's safe to add these settings. Also, increasing net/core/rmem_max may be problematic if a router lacks memory.
A tunnel works despite the warning.

1 Like
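The "paste the command and extract the token" feature mentioned in the CF UI section, as an added POSIX shell example. This is not the luci-app-cloudflared code (that lives in LuCI's JavaScript); it is a standalone illustration of the same idea. It assumes the dashboard command ends with the token (e.g. `sudo cloudflared service install <token>`) and that the token is base64 of a small JSON object; the sample token is constructed here from placeholder ids and is not a real credential:

```shell
#!/bin/sh
# Added example (not code from luci-app-cloudflared): extract the tunnel token from a command
# pasted from the Cloudflare dashboard and sanity-check it before it is stored anywhere.
# Assumption: the dashboard command ends with the token, e.g.
#   sudo cloudflared service install <token>
# and the token is base64 of a small JSON object (account id "a", tunnel id "t", secret "s").

# extract_token "<pasted command or bare token>" -> prints the token; exit 1 if none found
extract_token() {
    tok=$(printf '%s' "$1" | awk '{ print $NF }')   # last word of the pasted line
    [ -n "$tok" ] || return 1
    case "$tok" in
        *[!A-Za-z0-9+/=]*) return 1 ;;               # outside the base64 alphabet: not a token
    esac
    [ ${#tok} -ge 32 ] || return 1                   # too short: probably "install" or similar
    printf '%s' "$tok"
}

# token_looks_valid TOKEN -> exit 0 if it decodes to a JSON object carrying a tunnel id ("t")
token_looks_valid() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        '{'*'"t"'*'}') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, not a real credential: placeholder ids and secret in the assumed JSON shape.
SAMPLE_JSON='{"a":"00000000000000000000000000000000","t":"00000000-0000-0000-0000-000000000000","s":"cGxhY2Vob2xkZXI="}'
SAMPLE_TOKEN=$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')
SAMPLE_CMD="sudo cloudflared service install $SAMPLE_TOKEN"

# Accept only a token that both parses out of the line and decodes to the expected shape.
if tok=$(extract_token "$SAMPLE_CMD") && token_looks_valid "$tok"; then
    echo "token accepted (${#tok} chars); on OpenWrt this is the value to store in UCI"
else
    echo "no usable token in pasted text" >&2
fi
```

The decode check is the useful part: a pasted line that contains only the command (no token) or random text is rejected before anything is written to the router's configuration, and the secret itself is never echoed.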

What is the minimal OpenWrt version for this package? I can't find it on 19.07.

OpenWrt 19 was released in 2019, i.e. five years ago.
You'll need the latest OpenWrt running on a powerful AMD based router or even x86.

This didn’t work for me:

Cloudflared shows a warning on start, and to fix it we need to change the sysctl configuration. It can be put into /etc/sysctl.d/30-cloudflared-conf as a file:
  net.ipv4.ping_group_range="0 429296729"
  net.core.rmem_max=2500000

I had to add the value to /proc/sys/net/ipv4/ping_group_range as suggested in the error.

[2024-02-22 23:05:42] [warn] : The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network, Error: Group ID 0 is not between ping group 1 to 0
[2024-02-22 23:05:42] [warn] : ICMP proxy feature is disabled, Error: cannot create ICMPv4 proxy: Group ID 0 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied

But there are still a bunch of errors during connection. I found some GitHub issues mentioning those errors, but they're supposed to be fixed in my current version (2024.1.5).

[2024-02-23 06:43:13] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.57
[2024-02-23 06:43:14] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:18] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:27] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:43:27] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.192.7, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.200.23, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.200.53, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [error] : Failed to create new quic connection, IP: 198.41.192.227, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.7
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.192.227
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.200.23
[2024-02-23 06:46:27] [info] : Retrying connection in up to 1m4s, IP: 198.41.200.53
[2024-02-23 06:46:29] [info] : Switching to fallback protocol http2, IP: 198.41.200.23
[2024-02-23 06:46:29] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:39] [info] : Switching to fallback protocol http2, IP: 198.41.192.227
[2024-02-23 06:46:39] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:50] [info] : Switching to fallback protocol http2, IP: 198.41.192.7
[2024-02-23 06:46:50] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:46:56] [info] : Switching to fallback protocol http2, IP: 198.41.200.53
[2024-02-23 06:46:56] [error] : Connection terminated, Error: failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve
[2024-02-23 06:51:04] [info] : Registered tunnel connection, IP: 198.41.200.33, Connection: "xxxxx", Location: waw02, Protocol: http2

Try putting the settings into the /etc/sysctl.d/30-cloudflared-conf file:

net.ipv4.ping_group_range="0 429296729"
net.core.rmem_max=2500000

After this, restart the service: /etc/init.d/cloudflared restart.
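The sysctl step discussed in this exchange, as an added shell example that is not from the thread or from the cloudflared package: it checks whether a GID falls inside ping_group_range (the condition behind the "Group ID 0 is not between ping group 1 to 0" warning quoted above), writes the sysctl.d file with exactly the values posted in the thread, and reads the range back from that file. The file path is a parameter so the function can be tried on a temporary file first; the live range is read from procfs when it is present and falls back to the kernel default "1 0" otherwise:

```shell
#!/bin/sh
# Added example, not from the thread or the cloudflared package. Checks the condition behind the
# "Group ID X is not between ping group LOW to HIGH" warning and writes the sysctl.d file the
# thread recommends. The two sysctl values are the ones posted in the thread.

# gid_in_ping_range GID "LOW HIGH" -> exit 0 when LOW <= GID <= HIGH
# The kernel default is "1 0", an empty range that excludes every GID, including root's 0.
gid_in_ping_range() {
    gid=$1
    set -- $2                      # split "LOW HIGH" (space or tab separated, as in procfs)
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# current_ping_range [FALLBACK] -> prints the live range from procfs, or FALLBACK when offline
current_ping_range() {
    if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
        cat /proc/sys/net/ipv4/ping_group_range
    else
        printf '%s\n' "${1:-1 0}"
    fi
}

# write_sysctl_conf FILE -> writes the two settings from the thread into FILE
write_sysctl_conf() {
    cat > "$1" <<'EOF'
net.ipv4.ping_group_range="0 429296729"
net.core.rmem_max=2500000
EOF
}

# range_from_conf FILE -> prints the ping_group_range value from a sysctl.d file, quotes stripped
range_from_conf() {
    sed -n 's/^net\.ipv4\.ping_group_range=//p' "$1" | tr -d '"'
}

# Report for the user running this script (cloudflared on OpenWrt typically runs as root, GID 0).
gid=$(id -g)
range=$(current_ping_range)
if gid_in_ping_range "$gid" "$range"; then
    echo "GID $gid is inside ping_group_range ($range): the ICMP proxy can be created"
else
    echo "GID $gid is outside ping_group_range ($range): expect the cloudflared warning"
fi
```

On the router the sequence is write_sysctl_conf /etc/sysctl.d/30-cloudflared-conf, apply it with sysctl -p /etc/sysctl.d/30-cloudflared-conf (or a reboot), then /etc/init.d/cloudflared restart as the reply says. The check function is the one to run afterwards: if GID 0 still falls outside the range the file was not applied, which is the situation the earlier post hit when it had to write /proc/sys/net/ipv4/ping_group_range by hand.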