Cloudflared Tunnel in RT-AC68U

Hi,

I have an old RT-AC68U that does not support wireguard. I don't have experience with other VPN. So as a work around was thinking of using Cloudflared tunnel. Cloudflare already provides the binary for arm and it appears to work but I don't know how to go about starting and using it.

I have not been able to find info about this here but I have found instructions in openwrt post so not sure how to do it in Merlin or if it's even possible.


I have downloaded the Cloudflared binary after SSH and that's about it.

I have gone over the User-script post but my skills are very limited. https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
 
Hi! Brighter minds than mine might have corrections, but I modified the instructions from your link and they worked for me on my RT-AX86U.

Prerequisites:
- I'm assuming you already have an entware partition set up
- Create the tunnel on Cloudflare and grab your token from the setup instructions (the ones that start with cloudflared service install)

1. SSH into your router

2. Download the cloudflared binary:

(Note: I replaced the version from the instructions with the latest version as of writing)

Bash:
VERSION="2024.5.1"

curl -O -L \
  https://github.com/cloudflare/cloudflared/releases/download/${VERSION}/cloudflared-linux-arm \
&& chmod +x cloudflared-linux-arm \
&& mv cloudflared-linux-arm /opt/bin/cloudflared

3. Set up the init script

Bash:
touch /opt/etc/init.d/S99cloudflared
chmod +x /opt/etc/init.d/S99cloudflared

4. Set up the init script (don't forget to replace this part with your unique cloudflared token)

Bash:
# 'EOF' is quoted so the shell writing the file does not expand $PROCS
# (or anything else) before it lands in the script
cat > /opt/etc/init.d/S99cloudflared << 'EOF'
#!/bin/sh
ENABLED="yes"
PROCS="cloudflared"
# replace the placeholder with the token from the Cloudflare setup page
ARGS="--no-autoupdate tunnel run --token REPLACE_WITH_YOUR_CLOUDFLARED_TOKEN_HERE_FIRST"
WORK_DIR=""
DESC=$PROCS
PREARGS=""
PRECMD=""
POSTCMD=""
. /opt/etc/init.d/rc.func
EOF

5. Enable and test

Bash:
/opt/etc/init.d/S99cloudflared start
/opt/etc/init.d/S99cloudflared check

Hope this helps!
 
NOTE: While the above instructions *do* work, I've had issues with the cloudflared daemon staying up. I'm open to suggestions on improving upon my instructions, but in the meantime proceed with caution while I figure out an updated solution.
 
I can see possibly the tunnel failing if the WAN goes down. I would have checked and restart the tunnel, if required, on a "connected" event in the wan-event script.
 
Well, the service method was failing frequently.
I have opted for a very noobish wan-event and shell script with a cron job, and it's working with no issues.

/jffs/scripts/wan-event
Code:
#!/bin/sh

# $1 = WAN unit, $2 = event; restart the tunnel when WAN0 comes (back) up
if [ "$1" = "0" ] && [ "$2" = "connected" ]; then
   killall cloudflared
   sleep 5
   # started in the background so the event hook itself is not blocked
   /opt/bin/cloudflared --config /opt/etc/cloudflared/config.yml --logfile /tmp/mnt/sandisk/cloudflared.log tunnel run proxy-dns &
fi

/var/spool/cron/crontabs/admin
Code:
* * * * * /jffs/scripts/cloudflared.sh

/jffs/scripts/cloudflared.sh
Code:
#!/bin/sh

# cron runs this every minute: restart the tunnel only if no process is left
if pidof cloudflared > /dev/null
then
   echo "cloudflared is running"
else
   /opt/bin/cloudflared --config /opt/etc/cloudflared/config.yml --logfile /tmp/mnt/sandisk/cloudflared.log tunnel run proxy-dns &
fi
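Both approaches in this thread (the rc.func service and the wan-event/cron pair) only check whether a cloudflared process exists, which misses the case where the process is alive but the tunnel has lost all of its connections. The script below is an added example, not code from the thread or from Cloudflare. It folds the wan-event handler and the cron check into one watchdog and additionally asks cloudflared's own /ready endpoint whether a tunnel connection is up. Everything about the install is an assumption: the path /jffs/scripts/cloudflared-watchdog.sh, the metrics port 20241, and that the token is kept in /jffs/cloudflared.token (mode 600) and handed to cloudflared through the TUNNEL_TOKEN environment variable rather than on the command line, where it would be visible in ps output. The decision logic is kept in a pure function so it can be exercised without the daemon.

```shell
#!/bin/sh
# Added example: cloudflared watchdog for a busybox router (POSIX sh).
# Hypothetical install:
#   cron:      * * * * * /jffs/scripts/cloudflared-watchdog.sh check
#   wan-event: /jffs/scripts/cloudflared-watchdog.sh wan-event "$1" "$2"
# Assumes cloudflared is started with --metrics so /ready is served locally.

CLOUDFLARED="${CLOUDFLARED:-/opt/bin/cloudflared}"
TOKEN_FILE="${TOKEN_FILE:-/jffs/cloudflared.token}"   # assumed location, mode 600
METRICS="${METRICS:-127.0.0.1:20241}"                 # assumed metrics address
LOGFILE="${LOGFILE:-/tmp/cloudflared.log}"

log() { logger -t cloudflared-watchdog "$*" 2>/dev/null || true; echo "$*"; }

# "yes" if a cloudflared process exists
is_running() {
  if pidof cloudflared >/dev/null 2>&1; then echo yes; else echo no; fi
}

# "yes" if /ready answers 200, i.e. cloudflared reports a live tunnel connection
# (curl -f turns the 503 it returns while disconnected into a failure)
is_ready() {
  if curl -sf -m 3 "http://$METRICS/ready" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Pure decision logic, testable without the daemon:
#   running=no             -> start
#   running=yes, ready=no  -> restart (process alive, tunnel has no connections)
#   running=yes, ready=yes -> ok
decide_action() {
  if [ "$1" != "yes" ]; then
    echo start
  elif [ "$2" != "yes" ]; then
    echo restart
  else
    echo ok
  fi
}

# wan-event passes "<unit> <event>"; only WAN0 coming up should force a restart,
# since a new public IP generally invalidates the old tunnel connections
wan_event_needs_restart() {
  [ "$1" = "0" ] && [ "$2" = "connected" ] && echo yes || echo no
}

start_tunnel() {
  [ -r "$TOKEN_FILE" ] || { log "token file $TOKEN_FILE missing"; return 1; }
  # nohup + setsid + & detach the daemon from the calling shell (cron or the
  # wan-event hook) so it neither blocks the hook nor dies with a session
  TUNNEL_TOKEN="$(cat "$TOKEN_FILE")" nohup setsid "$CLOUDFLARED" --no-autoupdate \
      --metrics "$METRICS" --logfile "$LOGFILE" tunnel run >/dev/null 2>&1 &
  log "started cloudflared"
}

stop_tunnel() { killall cloudflared 2>/dev/null || true; sleep 2; }

# One pass of the watchdog; prints the action it took
check() {
  action="$(decide_action "$(is_running)" "$(is_ready)")"
  case "$action" in
    start)   start_tunnel ;;
    restart) log "cloudflared up but tunnel not ready, restarting"; stop_tunnel; start_tunnel ;;
    ok)      : ;;
  esac
  echo "$action"
}

case "${1:-}" in
  check)     check ;;
  wan-event) if [ "$(wan_event_needs_restart "$2" "$3")" = yes ]; then stop_tunnel; start_tunnel; fi ;;
  *)         : ;;   # no verb given: only define the functions
esac
```

Because the restart decision lives in decide_action, a failure mode can be reproduced by hand (`decide_action yes no` prints `restart`) before the script is wired into cron. The `--metrics` flag and the `/ready` endpoint are documented cloudflared features; the port and token-file path are this example's assumptions.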
 
Nothing noobish about it if it works and gets the job done!
 
I just started experimenting w/ this and have some observations.

While you can configure individual web apps (http/https), I've discovered it may be more flexible to only establish SSH access through Cloudflare, not just for SSH itself, but the fact you can access just about anything else via SSH tunneling and local port forwarding, including other SSH servers, VNC, RDP, etc. IOW, you configure Cloudflare once and forget about it, rather than managing individual apps.

And speaking of VNC, I can't get that to work. I don't understand why VNC is available under applications, but NOT under hostnames on the tunnel. All I see is RDP. There's an inconsistency there I can't explain.

As far as SSH, I'm NOT talking about SSH via the browser option, but SSH via the CLI. All you need is to have the cloudflared executable available locally and use the ProxyCommand directive. Seems to work well, but it may be problematic for some platforms (e.g., iOS, Android).

One problem I've found is getting MFA working w/ SSH (CLI). If I don't specify authentication via the ProxyCommand directive, then it prompts me w/ the GUI and either requires OTP, or if already authenticated, minimally requests approval. But once I respond to the GUI, the SSH client itself never responds. It just hangs. It's as if the SSH client is never informed of the approval. If I instead try to authenticate on the ProxyCommand directive directly w/ the --cred-file option (I created the .pem file via Cloudflare), it hangs as well. I just can't figure out how to make it work. I assume any other policies (e.g., geo blocking) are working. But MFA is giving me problems.

Nice thing about using Cloudflare is that you can enable/disable remote access *while* being remote. That in itself adds another layer of security and convenience. It also means no need for DDNS.
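The ProxyCommand set-up the post refers to, as an added example (not the poster's own configuration): the client-side ssh_config entry that routes an SSH session through Cloudflare Access. The Host alias, hostname and user are placeholders; `cloudflared access ssh --hostname %h` is the documented client command and performs the Access login (browser prompt) before the SSH connection proceeds.

```sshconfig
# ~/.ssh/config on the client machine (placeholder names)
Host router-via-cloudflare
    HostName ssh.example.com
    User admin
    ProxyCommand cloudflared access ssh --hostname %h
```

With this entry `ssh router-via-cloudflare` works with any local SSH client, and the -L/-D port-forwarding options apply unchanged, which is what makes the "configure Cloudflare once for SSH" approach above practical.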
 
I recently set this up using the @spindrift instructions on a stock 3.0.0.6 RT-AC88U Pro. I noticed that if I initiate the service manually (using S99cloudflared start), it runs well, but the service stops as soon as I log out. On the other hand, if I reboot the router, the service starts on its own and remains stable (it has been 18 hours at the time of writing this).

It seems to be related to the process ownership of the init.d scripts, which may be different when initiated from the process versus when called by a logged-in user. I don't believe I have enough knowledge to delve deeper into this init process. Only thing I thought of was calling it with nohup, which didn't work either.

I must mention that I installed entware following a guide from https://github.com/jarpatus/asuswrt_scripts, which reverse-engineered the method stock AsusWRT uses to set up their optware when the Download Manager is installed. This may or may not be related, but I understand that the issue also occurs on the Merlin version. Anyway, I think (but hope not) this ownership thing is related to entware or, perhaps, the interaction between the piggyback on this AsusWRT default init process and the entware init process.
 