Cloudflared as a docker container on Firewalla
Cloudflared allows a Cloudflare Zero-Trust tunnel to be created between CF and your local network. You can then access local devices without port forwarding (useful on CGNAT), add extra authentication in front of HTTPS-facing devices, connect to devices from a phone or other devices using the WARP app/client, and various other things. CF offers this for free for up to 50 users (with some restrictions on video I have read about but haven't encountered myself).
I have the CF docker container working on my Purple SE; this is how I set it up:
See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/ for details on how to setup the tunnel in the first place on the Cloudflare control panel.
Once you have done this, you will be able to see your tunnel token. You need to use the below docker-compose.yaml file. After logging into my Firewalla using SSH, I created the following file called docker-compose.yaml in "~/.firewalla/run/docker/cloudflared/".
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared
    container_name: cloudflare-tunnel1
    dns: 1.1.1.1
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=TOKENHERE
    networks:
      default:
        ipv4_address: 172.19.19.2
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.19.0/24
(pastebin version - https://pastebin.com/HSSUJdeL)
Then I ran the two commands below:
sudo docker-compose pull
sudo docker-compose up
This set up the Docker container using the yaml file.
Finally I had to run the below two commands before the container would connect to the tunnel:
sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default |jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default |jq -r '.[0].Id[0:12]') table wan_routable
Once you do this, the tunnel should connect and will be shown as healthy in the Zero Trust part of the Cloudflare control panel under Access>Tunnels.
To run those commands at boot, I created a file called routeadd.sh in ~/.firewalla/config/post_main.d and then used "sudo chmod +x routeadd.sh" to make it executable.
Hope this helps someone!
-
Stephen! You are a legend!
I can't believe this still isn't a simple GUI config option in the Firewalla app! Having an easy, free, secure connection from Cloudflare's Warp client to end nodes on your network without having ports open is the dream! Any GSM mobile data or internet access becomes secure! Not to mention access to services etc. behind the firewall!
This is my first ever docker! Also, my first ever using VI editor etc etc. So a little experimental to try and get it up and running...
I think I have got the YAML correct, however I get a version error, specifically:
ERROR: Version in "./docker-compose.yaml" is unsupported. You might be seeing this error because you're using the wrong Compose file version. Either specify a supported version (e.g "2.2" or "3.3") and place your service definitions under the `services` key, or omit the `version` key and place your service definitions at the root of the file to use version 1.
For more on the Compose file format versions, see https://docs.docker.com/compose/compose-file/
The config file is:
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared
    container_name: cloudflare-tunnel1
    dns: 1.1.1.1
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=*TOKEN IS HERE*
    networks:
      default:
        ipv4_address: 192.168.130.2
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.130.0/24
Any thoughts or ideas would be appreciated..
Also, do you mind dumbing down the "To run those commands on boot" bit please?!
Thanks for any help you can give. Cheers -
Does using version 3.3 work? What model of Firewalla do you have? I have a PurpleSE (plus I have installed the beta firmware too) which may have a newer version of docker which supports "Version 3.8" yaml files. The actual config is pretty basic so it should still work whichever version of docker you have.
Also I did notice you had changed the "ipv4_address: 192.168.130.2" and "subnet: 192.168.130.0/24" in the version of the file you posted. These shouldn't be your normal IP addresses and subnet but are docker's internal IP/subnet. I used "172.19.19.2" and "172.19.19.0/24" as they were in the range docker uses by default and they don't clash with other docker containers or the Firewalla itself.
Those two commands need to be run so the Docker container with Cloudflared has access to the WAN (for internet access to cloudflare) and your LAN (to connect to whatever else is on the network for tunnels).
So they don't need to be manually run every time Firewalla restarts, I did the following:
cd ~/.firewalla/config/post_main.d
(or if that doesn't exist "mkdir ~/.firewalla/config/post_main.d")
then in that folder, I created the routeadd.sh file:
vim routeadd.sh
Added the below to the file:
sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default |jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.19.19.0/24 dev br-$(sudo docker network inspect cloudflared_default |jq -r '.[0].Id[0:12]') table wan_routable
Save it and then make it executable:
sudo chmod +x routeadd.sh
Hope that helps!
-
Yes! 3.3 worked!! Thanks for that!!
I now have a 'healthy' tunnel in Cloudflare!
Thank you very much for that walk-through. It connected perfectly once I sorted out the config issues.
Now, to figure out how to config Zero Trust to make the Warp clients act as a VPN client and send ALL traffic and everything through the tunnel... See how we go.
Thanks again mate!
-
Glad to hear you got it working!
Let me know if you get the Warp as VPN working, I tried using "include IPs" on the Warp Client profile settings and adding 0.0.0.0/0 but that didn't work.
Adding 192.168.1.0/24 did allow access to my local network remotely via the WARP client though.
-
Thanks for the guide, I had to run on my Gold SE, similar to the PiHole instructions
sudo iptables -t nat -A POSTROUTING -s 172.19.19.0/16 -o eth0 -j MASQUERADE
Also, I'm a little bit new to docker. Can I run both my pihole and cloudflared under the same network range? Currently I followed the instructions and they each run under a different network.
-
Hi, tunnel is up and showing "healthy" status in cloudflare, but couldn't run the last two commands in firewalla, I got the following error: "Error: argument "lan_routable" is wrong: "table" value is invalid".
I haven't been able to run the last 2 commands, are they necessary if the tunnel is up and healthy?
Thanks in advance for any help.
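Added example (not from any post in this thread): a more robust version of the routeadd.sh boot script described above. It derives the bridge name the same way the thread's jq one-liner does, uses "ip route replace" so a rerun does not fail on an existing route, waits for the compose network to exist after boot, and checks that each table name resolves in /etc/iproute2/rt_tables first, which is what the "table value is invalid" error from ip route means. The network name, subnet and table names are assumed to match the thread's setup and can be overridden via environment variables.

```shell
#!/bin/bash
# routeadd.sh: idempotent version of the two route commands from the thread.
# Assumed defaults match the setup above; override via environment if yours differ.
NET_NAME="${NET_NAME:-cloudflared_default}"
SUBNET="${SUBNET:-172.19.19.0/24}"
TABLES="${TABLES:-lan_routable wan_routable}"

# Docker names a compose network's bridge "br-" + first 12 hex chars of its id.
bridge_for_id() {
  printf 'br-%s\n' "${1:0:12}"
}

# ip route reports 'argument "X" is wrong: "table" value is invalid' when the
# table name is neither numeric nor listed in rt_tables; check before adding.
table_known() {
  local table="$1" file="${2:-/etc/iproute2/rt_tables}"
  case "$table" in
    *[!0-9]*|'') grep -qsE "^[[:space:]]*[0-9]+[[:space:]]+${table}([[:space:]]|\$)" "$file" ;;
    *) return 0 ;;
  esac
}

apply_routes() {
  local id dev table tries=0
  sudo docker info >/dev/null 2>&1 || { echo "docker daemon not reachable" >&2; return 1; }
  # The network only exists once docker has brought the stack up; wait briefly.
  until id="$(sudo docker network inspect -f '{{.Id}}' "$NET_NAME" 2>/dev/null)"; do
    tries=$((tries + 1))
    [ "$tries" -ge 15 ] && { echo "network $NET_NAME not found" >&2; return 1; }
    sleep 2
  done
  dev="$(bridge_for_id "$id")"
  for table in $TABLES; do
    if ! table_known "$table"; then
      echo "routing table '$table' not in /etc/iproute2/rt_tables, skipping" >&2
      continue
    fi
    # "replace" adds or updates the route, so reruns do not fail with "File exists".
    sudo ip route replace "$SUBNET" dev "$dev" table "$table"
  done
}

# Apply only where docker is installed (e.g. on the Firewalla at boot);
# elsewhere the file just defines the helpers above.
if command -v docker >/dev/null 2>&1; then
  apply_routes || true
fi
```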