Cloudflared as a docker container on Firewalla

Comments

6 comments

  • russell

    Stephen! You are a legend!

    I can't believe this still isn't a simple GUI config option in the Firewalla app! Having an easy, free, secure connection from Cloudflare's Warp client for end nodes on your network without having ports open is the dream! Any GSM mobile data or internet access becomes secure! Not to mention access to services etc. behind the firewall!


    This is my first ever docker! Also my first time ever using the VI editor, etc. So a little experimental to try and get it up and running...

    I think I have got the YAML correct, however I get a version error... specifically:

    ERROR: Version in "./docker-compose.yaml" is unsupported. You might be seeing this error because you're using the wrong Compose file version. Either specify a supported version (e.g "2.2" or "3.3") and place your service definitions under the `services` key, or omit the `version` key and place your service definitions at the root of the file to use version 1.
    For more on the Compose file format versions, see https://docs.docker.com/compose/compose-file/

    The Config file is:

    version: "3.8"
    services:
      cloudflared:
          image: cloudflare/cloudflared
          container_name: cloudflare-tunnel1
          dns: 1.1.1.1
          restart: unless-stopped
          command: tunnel run
          environment:
            - TUNNEL_TOKEN=*TOKEN IS HERE*
          networks:
            default:
              ipv4_address: 192.168.130.2
    networks:
      default:
        driver: bridge
        ipam:
          config:
            - subnet: 192.168.130.0/24


    Any thoughts or ideas would be appreciated.

    Also, do you mind dumbing down the "To run those commands on boot" bit please?! 
    Thanks for any help you can give. Cheers

  • Stephen Cooper

    Does using version 3.3 work? What model of Firewalla do you have? I have a PurpleSE (plus I have installed the beta firmware too) which may have a newer version of docker which supports "Version 3.8" yaml files. The actual config is pretty basic so it should still work whichever version of docker you have.

    Also I did notice you had changed the "ipv4_address: 192.168.130.2" and "subnet: 192.168.130.0/24" on the version of the file you posted. These shouldn't be your normal IP addresses and subnet but are docker's internal IP/subnet. I used "172.19.19.2" and "172.19.19.0/24" as they were in the range docker used by default and they don't clash with other docker containers or the firewalla itself.

    Those two commands need to be run so the Docker container with Cloudflared has access to the WAN (for internet access to cloudflare) and your LAN (to connect to whatever else is on the network for tunnels). 

    So they don't need to be manually run every time Firewalla restarts, I did the following:

    cd ~/.firewalla/config/post_main.d

    (or if that doesn't exist "mkdir ~/.firewalla/config/post_main.d")

    then in that folder, I created the routeadd.sh file:

    vim routeadd.sh

    Added the below to the file:

    sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default | jq -r '.[0].Id[0:12]') table lan_routable
    sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default | jq -r '.[0].Id[0:12]') table wan_routable

    Save it and then make it executable:

    sudo chmod +x routeadd.sh

    Hope that helps!

  • russell
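    A boot-time version of the routeadd.sh idea above, added here as an example rather than the thread author's file: it derives the bridge name with sed instead of jq, skips routes that already exist so reruns are harmless, and assumes the compose project is named cloudflared (network cloudflared_default) with the 172.19.19.0/24 subnet, both overridable from the environment.

```shell
#!/bin/bash
# routeadd.sh for ~/.firewalla/config/post_main.d: make the cloudflared docker
# bridge reachable from Firewalla's lan_routable / wan_routable tables on every
# boot. Assumes compose project "cloudflared" (network cloudflared_default) and
# the subnet from the posted compose file; both can be overridden via the environment.
set -eu -o pipefail

DOCKER_NET="${DOCKER_NET:-cloudflared_default}"
SUBNET="${SUBNET:-172.19.19.0/24}"

# Docker names a network's Linux bridge "br-" plus the first 12 hex chars of
# the network Id. Reads `docker network inspect` JSON on stdin and uses sed
# rather than jq, so it has no extra dependency and can be tested offline.
bridge_from_inspect() {
  local id
  id=$(sed -n 's/.*"Id": *"\([0-9a-f]\{12\}\)[0-9a-f]*".*/\1/p' | sed -n 1p)
  [ -n "$id" ] || { echo "no network Id in inspect output" >&2; return 1; }
  printf 'br-%s\n' "$id"
}

# Add the route to one policy table only if it is missing, so a rerun never
# fails with "RTNETLINK answers: File exists". DRY_RUN=1 prints instead of applying.
ensure_route() {
  local table="$1" bridge="$2"
  if ip route show table "$table" 2>/dev/null | grep "^$SUBNET dev $bridge" >/dev/null; then
    echo "route already present in $table" >&2
    return 0
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "ip route add $SUBNET dev $bridge table $table"
  else
    sudo ip route add "$SUBNET" dev "$bridge" table "$table"
  fi
}

main() {
  local bridge table
  bridge=$(sudo docker network inspect "$DOCKER_NET" | bridge_from_inspect)
  for table in lan_routable wan_routable; do
    ensure_route "$table" "$bridge"
  done
}

# Constructed sample of the inspect output shape (not a real network Id).
SAMPLE_INSPECT='[ { "Name": "cloudflared_default", "Id": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" } ]'

# Only apply routes when run as the installed script; under any other name the
# file just defines the functions above.
if [ "$(basename -- "$0")" = "routeadd.sh" ]; then
  main
fi
```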

    Yes! 3.3 worked!! Thanks for that!!

    I now have a 'healthy' tunnel in Cloudflare!

    Thank you very much for that walk-through. It connected perfectly once I sorted out the config issues.

    Now, to figure out how to config Zero Trust to make the Warp clients act as a VPN client and send ALL traffic and everything through the tunnel... See how we go.

    Thanks again mate!

  • Stephen Cooper

    Glad to hear you got it working!

    Let me know if you get the Warp as VPN working, I tried using "include IPs" on the Warp Client profile settings and adding 0.0.0.0/0 but that didn't work.

    Adding 192.168.1.0/24 did allow access to my local network remotely via the WARP client though. 

  • Chris Jones

    +1 - I'd definitely be interested in this being a native feature.

  • Gilles Khouzam

    Thanks for the guide. I had to run the following on my Gold SE, similar to the PiHole instructions:

    sudo iptables -t nat -A POSTROUTING -s 172.19.19.0/16 -o eth0 -j MASQUERADE

    Also, I'm a little bit new to docker. Can I run both my pihole and cloudflared under the same network range? Currently I followed the instructions and they each run under a different network.
