Messages - Cadish

#1
Hey jbattermann. Did you solve this issue?
#2
Hi 9axqe,

I've set up cloudflared on a Proxmox server instead, but I've written down for myself what my solution back then was. I'm sure there's a better way to do it now.

These are the steps I took back then to enable it as a service:

1. My config is in /root/.cloudflared/config.yml
2. Create this file: /etc/rc.d/argotunnel
#!/bin/sh

. /etc/rc.subr

name="argotunnel"
rcvar="argotunnel_enable"
# rc.subr starts the service as: $command $argotunnel_flags $command_args
# i.e. cloudflared tunnel --config /root/.cloudflared/config.yml run
argotunnel_flags="tunnel --config /root/.cloudflared/config.yml"
command_args="run"

command="/usr/local/bin/cloudflared"

load_rc_config $name
run_rc_command "$1"

3. chmod +x /etc/rc.d/argotunnel
4. Add to /etc/rc.conf:
argotunnel_enable='YES'
5. Create this script: /root/.cloudflared/automatic_restart.sh
#!/bin/sh
# Restart the argotunnel rc script when no cloudflared process is found
SERVICE="cloudflared"
if pgrep -x "$SERVICE" >/dev/null
then
    echo "$SERVICE is running"
else
    echo "$SERVICE stopped"
    /usr/sbin/daemon /etc/rc.d/argotunnel start
fi

6. Create a cron action: /usr/local/opnsense/service/conf/actions.d/actions_argotunnel.conf
[start]
command:/bin/sh /root/.cloudflared/automatic_restart.sh
parameters:
type:script
message:starting cloudflared if necessary
description:Check and restart cloudflared

7. Restart cron services
service configd restart

8. Create a cron in the OPNsense UI with "Check and restart cloudflared" as command
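A small validator for the configd action file from step 6, added here as an example and not part of OPNsense or of the post above. It assumes the file is INI-style with one [section] per action and the keys command, parameters, type, message and description; a misspelled key is simply ignored by configd, which is exactly the kind of silent failure the check surfaces.

```python
import configparser

# Keys configd expects in an actions.d section; a misspelled key is silently ignored.
REQUIRED_KEYS = ("command", "parameters", "type", "message", "description")
KNOWN_TYPES = ("script", "script_output")

def parse_action_conf(text):
    """Parse 'key:value' lines of an actions.d file into {section: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=(":",), interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s].items()) for s in cp.sections()}

def check_action(sections, name="start"):
    """Return a list of problems for one action section; an empty list means it is usable."""
    if name not in sections:
        return [f"missing [{name}] section"]
    act = sections[name]
    problems = [f"missing key '{k}'" for k in REQUIRED_KEYS if k not in act]
    problems += [f"unknown key '{k}' (typo?)" for k in act if k not in REQUIRED_KEYS]
    if act.get("type", "script") not in KNOWN_TYPES:
        problems.append(f"unsupported type '{act['type']}'")
    cmd = act.get("command", "")
    if cmd and not cmd.split()[0].startswith("/"):
        problems.append("command should be an absolute path (cron runs with a minimal PATH)")
    return problems

# Constructed samples: the first carries a misspelled 'parameters' key, the second is the corrected file.
SAMPLE_TYPO = """[start]
command:/bin/sh /root/.cloudflared/automatic_restart.sh
parametes:
type:script
message:starting cloudflared if necessary
description:Check and restart cloudflared
"""
SAMPLE_OK = SAMPLE_TYPO.replace("parametes:", "parameters:")

if __name__ == "__main__":
    for label, text in (("typo", SAMPLE_TYPO), ("fixed", SAMPLE_OK)):
        print(label, check_action(parse_action_conf(text)) or "OK")
```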
#3
I've been trying this for a long time now. Can you explain how you've set it up in detail? Would really appreciate it!!
#4
General Discussion / Re: CloudFlare Warp Plus Wireguard
September 21, 2021, 10:15:37 AM
Same for me :-[

This is some more info I found how to do it: https://www.reddit.com/r/PFSENSE/comments/owg78a/sending_traffic_over_cloudflare_warp/
#5
Hey mrancier, did you manage to get this working?
#6
Hi all,

First of all, this is to set up DoT using Cloudflare Teams, not just Cloudflare. Teams is free under 50 users.

Quote from: g0nz0uk on April 03, 2021, 11:57:32 PM
Do you have DoT setup (https://1.1.1.1/help)?
Yes! This is my result: https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6IlllcyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJCUlUiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

Quote from: g0nz0uk on April 03, 2021, 11:57:32 PM
Did you add the above to Custom options with your gateway ID?

Under Miscellaneous do you have anything under DNS over TLS Servers?
Yes, you should add the above code into Custom Options, but change the xxxxxxxxx with your gateway ID from Cloudflare.
Both fields under Miscellaneous are empty.

Quote from: Nnyan on April 06, 2021, 09:01:56 AM
Cadish, your example has a bunch of xxxxxxxxx in it, is that default or are we supposed to plug in some type of information there?
Yes, the xxxxxxxxx is something you need to replace with your Gateway ID from Cloudflare. It's an ID which is linked to a Location that you've set. You can find it in your Cloudflare Teams Dashboard > Gateway > Locations > Edit (on a location). On that page, you can find the IDs to replace the xxxxxxxxx with.

Once you've set this up, you should see the DNS requests in the logs on your Cloudflare Teams Dashboard as well (Logs > Gateway).
#7
I'm using Cloudflare Teams and Unbound as well. This way I can also set some extra policies at Cloudflare to increase my security level even more.

This is my config:
# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 172.64.36.1@853#xxxxxxxxx.cloudflare-gateway.com
  forward-addr: 172.64.36.2@853#xxxxxxxxx.cloudflare-gateway.com
  forward-addr: 2a06:98c1:54::28a@853#xxxxxxxxx.cloudflare-gateway.com
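An audit of the forward-zone above, added as an example and not part of the post or of Unbound. It assumes the forward-addr syntax IP[@port][#auth-name], where the auth name after '#' is what Unbound verifies the upstream TLS certificate against; the sample config is constructed in the shape of the post with the placeholder ID left in.

```python
import re

# forward-addr syntax: IP[@port][#auth-name]; the auth name is what TLS checks the upstream against.
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse_unbound(text):
    """Flatten the relevant keys of an Unbound config into a dict (forward-addr becomes a list)."""
    conf = {"forward-addr": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # whole-line comments only; a '#' inside a forward-addr is the auth name
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "forward-addr":
            conf[key].append(val)
        elif val:
            conf[key] = val
    return conf

def audit_dot(conf):
    """Return findings for a forward-zone that is meant to use DNS-over-TLS; [] means clean."""
    findings = []
    if conf.get("forward-tls-upstream") != "yes":
        findings.append("forward-tls-upstream is not 'yes': queries would leave in cleartext")
    if not conf.get("tls-cert-bundle") and conf.get("tls-system-cert") != "yes":
        findings.append("no tls-cert-bundle or tls-system-cert: upstream certificate cannot be validated")
    for addr in conf["forward-addr"]:
        m = ADDR_RE.match(addr)
        if m is None:
            findings.append(f"{addr}: unparseable forward-addr")
        elif m.group("port") != "853":
            findings.append(f"{addr}: port is not 853 (the DoT port)")
        elif not m.group("auth"):
            findings.append(f"{addr}: no '#hostname', so the server identity is never checked")
        elif m.group("auth").startswith("xxxxxxxxx"):
            findings.append(f"{addr}: placeholder gateway ID still present")
    return findings

# Constructed sample in the shape of the post's config, placeholder ID left in place.
SAMPLE = """# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 172.64.36.1@853#xxxxxxxxx.cloudflare-gateway.com
  forward-addr: 2a06:98c1:54::28a@853#xxxxxxxxx.cloudflare-gateway.com
"""

if __name__ == "__main__":
    print(audit_dot(parse_unbound(SAMPLE)) or "clean")
```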
#8
General Discussion / Unbound - see blocked domains
March 18, 2021, 10:54:41 AM
Hi,

I've set up Unbound, but on some sites I have trouble logging in. It is very difficult to get this solved as I need to whitelist every domain the sites are linking to, which is sometimes a very tedious job.
Is it possible to see somewhere which domains have been blocked in the last period?

Thanks
Cadish
#9
21.1 Legacy Series / Re: Very strange cron behaviour
February 25, 2021, 09:17:45 AM
The issue seems to be solved by removing unreachable URL tables. Rebooted a few times and the cron jobs run just fine now.

It's quite strange to me that these could influence the correct starting of the cron jobs.

Regards,
Cadish
#10
21.1 Legacy Series / Re: Very strange cron behaviour
February 24, 2021, 05:48:30 PM
I removed some old URL tables from the firewall aliases (which were redirecting to 404s), and the cron jobs seem to load fine now. Don't know if this is possible or just coincidence?

Will reboot a couple of times in the next days, but hopefully my problem is solved now...
#11
21.1 Legacy Series / Re: Very strange cron behaviour
February 24, 2021, 11:43:02 AM
Thanks for your reply jonf!

I will try to move my file somewhere else. But I notice that it's also affecting cron jobs not created by me, like "ids update" by Suricata. It doesn't run at 23h45, unless cron is restarted manually. So I guess something bigger than my own script is blocking cron from running after a reboot...

This is my /var/cron/tabs/nobody file:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
# Origin/Description: IDS/ids rule updates
45      23      *       *       *       /usr/local/sbin/configctl ids update
# Origin/Description: cron/Check connection and reboot if necessary
*/5     *       *       *       *       /usr/local/sbin/configctl ping_check load
#12
21.1 Legacy Series / Re: Very strange cron behaviour
February 24, 2021, 08:58:17 AM
To add to the strange behaviour: sometimes the cron is loaded correctly after a reboot, sometimes not...

And this goes for all cron jobs, not only the one above... no cron jobs run until I hit "Apply" on the cron page.

Am I really the only one with this problem? What's the best approach to get this issue fixed? Really don't know what to look for, as I have no errors or whatsoever... (that I know of)

Cadish
#13
Adguard is only installed on some devices, not all. I don't know if Sensei is adding a lot of value on top or not... Probably all of these have a lot of overlap, but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...
#14
21.1 Legacy Series / Very strange cron behaviour
February 19, 2021, 09:04:50 AM
Hi all,

I've set up a cron job to restart my WAN interface when my connection drops and reboot if this doesn't help, according to the post of marjohn56.

I've set up a cron job in the GUI as described (see attachment).

Now comes the strange thing: after a reboot, the cron job doesn't start, unless I hit "Apply" on the cron page again. So after each reboot, I must hit the "Apply" button (even without changing anything) before the cron job starts successfully every 5 minutes.

Any clue what can be wrong?

Thanks
Cadish
#15
I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!