How do I install the cloudflared service on OPNsense and be able to establish a tunnel with Cloudflare?
I did find this guide: https://www.jackpearce.co.uk/cloudflared-opnsense/
After the installation I couldn't find this folder: cd /usr/ports/security/cloudflared
The correct path is /usr/ports/net/cloudflared
Just to follow-up with this:
I followed the same aforementioned guide, https://www.jackpearce.co.uk/cloudflared-opnsense/
However, I am getting stuck on the portion:
"nano /usr/local/etc/rc.d/cloudflared modify so that it matches below. We're just removing ${cloudflared_conf} from the command arguments as we're supplying a token instead of using a config.yaml"
I can't seem to get to the config.yaml portion. I followed the steps and was able to do everything prior to without issue. But I guess I'm stuck at step 5
Seems to me there's (now) a typo on the page.
The page used to look like this a couple of months back:
https://web.archive.org/web/20240202030437/https://www.jackpearce.co.uk/cloudflared-opnsense/
You can clearly see that the line
: ${cloudflared_conf:="/usr/local/etc/cloudflared/config.yml"}
is removed in the "/usr/local/etc/rc.d/cloudflared" file.
On the current version though, the line is not removed any more, which contradicts the accompanying text which states "We're just removing ${cloudflared_conf} from the command arguments".
I just added # at the beginning of this line to comment it out – I prefer it to deleting the line.
I'm not sure what you meant by "I can't seem to get to the config.yaml portion" though, so I'm not sure my comment helps.
Dear All,
I was following the same guide on the latest opnsense version, but I struggle due to the following error:
ERR Failed to dial a quic connection error="failed to dial to edge with quic: INTERNAL_ERROR (local): tls: CurvePreferences includes unsupported curve"
I am trying to start up the service like this:
cloudflared tunnel --post-quantum --no-autoupdate run --token my_token
Any suggestion is highly welcomed!
Thank you in advance!
Found the solution.
Cause: outdated go package
How to fix:
cd /usr/ports/net/cloudflared
make deinstall
make cleanup
EDIT file: /usr/ports/net/cloudflared/Makefile
FROM USES= cpe go:1.22,modules
TO USES= cpe go:1.24,modules
make install
cloudflared tunnel --no-autoupdate run --token MY_TOKEN
OPTIONAL (in case of certificate issues) :
Cloudflare Dashboard -> Tunnels -> EDIT tunnel -> Public Hostnames TAB + EDIT -> TLS -> No TLS Verify: ON
Thanks for posting the fix, it does not work for me though:
cd /usr/ports/net/cloudflared
make deinstall
make cleanup
vi /usr/ports/net/cloudflared/Makefile
First discrepancy for me: Go Package is 1.20, not 1.22.
PORTNAME= cloudflared
DISTVERSION= 2023.10.0
PORTREVISION= 2
CATEGORIES= net www
MAINTAINER= egypcio@FreeBSD.org
COMMENT= Cloudflare's Argo Tunnel client
WWW= https://developers.cloudflare.com/argo-tunnel/
LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/LICENSE
RUN_DEPENDS= ca_root_nss>=0:security/ca_root_nss
USES= cpe go:1.20,modules
USE_RC_SUBR= ${PORTNAME}
USE_GITHUB= yes
GH_ACCOUNT= cloudflare
CPE_VENDOR= cloudflare
GO_PKGNAME= github.com/${GH_ACCOUNT}/${PORTNAME}
GO_TARGET= ${GO_PKGNAME}/cmd/cloudflared
GO_BUILDFLAGS= -ldflags '-s -w -extldflags "-static" -X main.Version=${PORTVERSION}'
PLIST_FILES= bin/${PORTNAME}
.include <bsd.port.mk>
After editing it to "1.24", make install is failing:
$ make install
===> cloudflared-2023.10.0_2 USES=go has invalid version number: 1.24.
*** Error code 1
Stop.
make: stopped in /usr/ports/net/cloudflared
Then I noticed that "make cleanup" also had failed ("make: don't know how to make cleanup. Stop").
Also interesting, when I do "pkg remove cloudflared", then remove the "/usr/ports/net/cloudflared" folder, "pkg install cloudflared" does not recreate this folder anymore, weirdly.
Quote from: 9axqe on June 23, 2025, 12:04:46 PM
Also interesting, when I do "pkg remove cloudflared", then remove the "/usr/ports/net/cloudflared" folder, "pkg install cloudflared" does not recreate this folder anymore, weirdly.
That's expected. The files in /usr/ports/* are files used to create pkg files from source, not the other way around.
pkg does not manage any of the files in /usr/ports/. As long as you didn't delete /usr/ports/.git then you can use git to restore the folder you deleted:
cd /usr/ports
git checkout /usr/ports/net/cloudflared
Since your cloudflared Makefile was out of date, you also need to update your ports tree (https://docs.freebsd.org/en/books/handbook/ports/#ports-using-git-method) (this is why your Makefile was for 2023.10.0_2, why it wanted to use go1.20 to build, and why make couldn't find 1.24 in your ports tree):
cd /usr/ports
git pull
Or you can delete and re-initialize your ports tree with:
cd ~
opnsense-code -r ports
opnsense-code ports
Deleting your ports tree does not deinstall any packages you built from ports. Once a package is built, that package is installed/deinstalled via pkg (that is, make deinstall is a helper that calls pkg remove with the correct arguments).
Maybe this helps explain the fundamentals:
https://docs.freebsd.org/en/books/handbook/ports/
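A pre-build check for the situation described above, as an added example that is not part of the original thread: it reads the Go version pinned in a port's USES= line and flags a Makefile that pins an older one than required, which in this thread meant the ports tree had not been updated. The function names are hypothetical, the minimum of 1.24 is the value from the fix posted earlier and is passed as a parameter, and the sample Makefile lines are constructed from the values quoted in the thread.

```sh
#!/bin/sh
# Added example: sanity-check a port Makefile before running "make install".

# Print the value of a single-line Makefile variable (e.g. DISTVERSION).
port_var() {
    awk -v k="$2" '$0 ~ ("^" k "[?+]?=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Print the Go version pinned in USES= ("default" if go is unpinned,
# nothing if the port does not use go at all).
port_go_version() {
    port_var "$1" USES | awk '{
        for (i = 1; i <= NF; i++) if ($i == "go" || $i ~ /^go:/) {
            n = split(substr($i, 4), a, ",")
            for (j = 1; j <= n; j++)
                if (a[j] ~ /^[0-9]+\.[0-9]+$/) { print a[j]; exit }
            print "default"; exit
        }
    }'
}

# True when major.minor version $1 is lower than $2 (numeric compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        exit !(x[1]+0 < y[1]+0 || (x[1]+0 == y[1]+0 && x[2]+0 < y[2]+0))
    }'
}

# Returns 0 = fine, 1 = tree looks stale, 2 = Makefile missing.
check_port() {
    mk=$1; min=$2
    [ -r "$mk" ] || { echo "missing: $mk (restore it with git checkout)"; return 2; }
    go=$(port_go_version "$mk"); ver=$(port_var "$mk" DISTVERSION)
    case $go in
        ""|default) echo "ok: $ver does not pin a Go version"; return 0 ;;
    esac
    if version_lt "$go" "$min"; then
        echo "stale: $ver pins go:$go (< $min); update the ports tree first"
        return 1
    fi
    echo "ok: $ver pins go:$go"
}

# Constructed sample: the stale Makefile values quoted in the thread.
sample=$(mktemp /tmp/portcheck.XXXXXX)
printf 'DISTVERSION=\t2023.10.0\nUSES=\t\tcpe go:1.20,modules\n' > "$sample"
check_port "$sample" 1.24 || true
rm -f "$sample"
```

On the firewall the same call would be pointed at /usr/ports/net/cloudflared/Makefile; a "stale" result means updating the tree with git pull or opnsense-code ports before building.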
Thanks, I had some difficulties holding pkg and ports apart. Is there a command that allows me to tell sw installed from packages and from ports apart?
Problem solved following the above instructions (incrementing go package to 1.24). Thanks!
Quote from: 9axqe on June 25, 2025, 06:10:00 PM
Thanks, I had some difficulties holding pkg and ports apart. Is there a command that allows me to tell sw installed from packages and from ports apart?
No, because the ports system is what creates the packages which are then installed.
So "pkg add foo" --> install package from configured repository.
"cd /usr/ports/bar/foo; make install" --> build package locally, then install that just as if it had been from the repo.