Cloudflare Tunnel

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Refer to the Cloudflare documentation for details on how to implement Cloudflare Tunnel into your existing infrastructure.

How it works

Cloudflared establishes outbound connections (tunnels) between your resources and Cloudflare’s global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many cloudflared processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center.

How to

SSH to your OPNsense router and run:

opnsense-code ports tools
cd /usr/ports/net/cloudflared
make install
vim /usr/local/etc/rc.d/cloudflared

To create a Cloudflare tunnel and application access, you can follow the step-by-step walkthrough I wrote here: Creating a secure Cloudflare tunnel

Add the below config:

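#!/bin/sh

# Pull in the rc.subr framework, which defines load_rc_config and run_rc_command
. /etc/rc.subr

name="cloudflared"
rcvar="cloudflared_enable"
logfile="/var/log/cloudflared.log"
pidfile="/var/run/cloudflared.pid"
procname="/usr/local/bin/cloudflared"

load_rc_config $name

# Defaults, overridden from /etc/rc.conf
: ${cloudflared_enable:="NO"}
: ${cloudflared_mode:="tunnel"}

# Run cloudflared under daemon(8), which writes the log and the pid file
command="/usr/sbin/daemon"
command_args="-o ${logfile} -p ${pidfile} -f ${procname} ${cloudflared_mode}"

run_rc_command "$1"

Then edit /etc/rc.conf:

vim /etc/rc.conf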

cloudflared will now start at boot. To start the tunnel immediately:

/usr/sbin/daemon -o /var/log/cloudflared.log -p /var/run/cloudflared.pid -f /usr/local/bin/cloudflared tunnel --no-autoupdate run --post-quantum --token your_token_here

Alternative approach to provide the token

I have also tested this approach and would recommend using this one, as you don’t hardcode the token in rc.conf.

1. Create RC Script

Create the service script at /usr/local/etc/rc.d/cloudflared:

#!/bin/sh

# PROVIDE: cloudflared
# REQUIRE: NETWORKING SERVERS
# KEYWORD: shutdown

. /etc/rc.subr

name="cloudflared"
rcvar="cloudflared_enable"
logfile="/var/log/cloudflared.log"
pidfile="/var/run/cloudflared.pid"
procname="/usr/local/bin/cloudflared"

load_rc_config $name

: ${cloudflared_enable:="NO"}
: ${cloudflared_mode:="tunnel"}

# Load token from secure file
if [ -f /usr/local/etc/cloudflared/token ]; then
    token=$(cat /usr/local/etc/cloudflared/token)
    command_args="${cloudflared_mode} --token ${token}"
else
    command_args="${cloudflared_mode}"
fi

command="/usr/sbin/daemon"
command_args="-o ${logfile} -p ${pidfile} -f ${procname} ${command_args}"

run_rc_command "$1"

2. Set Permissions

Make the script executable:

chmod 755 /usr/local/etc/rc.d/cloudflared

3. Store Token Securely

Create a secure location for your Cloudflare token:

mkdir -p /usr/local/etc/cloudflared
echo "your-token" > /usr/local/etc/cloudflared/token
chmod 600 /usr/local/etc/cloudflared/token

4. Configure RC

Add these lines to /etc/rc.conf:

cloudflared_enable="YES"
cloudflared_mode="tunnel --no-autoupdate run --post-quantum"

5. Test the Service

Verify the setup:

# Start the service
service cloudflared start

# Check status
service cloudflared status

Security Notes

  • Keep your token secure and never share it
  • Regularly rotate your tokens
  • Monitor the logs at /var/log/cloudflared.log for any issues
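
A stricter way to create and vet the token file from step 3, given as an added example that is not part of the original write-up. The helper names write_token and check_token_file are hypothetical; the checks cover the gap between echo and chmod 600, and the fact that the rc script expands the token unquoted.

```sh
#!/bin/sh
# Added example: helpers for the token file read by the rc script.
# write_token and check_token_file are hypothetical names, not part of cloudflared.

# write_token FILE: store the token read from stdin with mode 0600.
# The file is created and tightened before the secret is written, and the
# token never appears in argv or in shell history.
write_token() (
    umask 077
    mkdir -p "$(dirname "$1")" && touch "$1" && chmod 600 "$1" && cat > "$1"
)

# check_token_file FILE: return 0 if the file is safe to hand to the service,
# otherwise print the reason and return a distinct non-zero code.
check_token_file() {
    f=$1
    if [ -L "$f" ]; then echo "$f: is a symlink" >&2; return 2; fi
    if [ ! -f "$f" ]; then echo "$f: missing" >&2; return 1; fi
    if [ ! -s "$f" ]; then echo "$f: empty" >&2; return 3; fi
    # Columns 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: accessible by group or other, run chmod 600" >&2; return 4
    fi
    # Must belong to the user starting the service (root under rc).
    if [ -z "$(find "$f" -prune -user "$(id -u)")" ]; then
        echo "$f: not owned by uid $(id -u)" >&2; return 5
    fi
    # The rc script expands the token unquoted, so embedded whitespace
    # would turn into extra cloudflared arguments.
    if [ "$(wc -w < "$f" | tr -d ' \t')" != 1 ]; then
        echo "$f: must contain exactly one token" >&2; return 6
    fi
    return 0
}
```

In the rc script, check_token_file /usr/local/etc/cloudflared/token can run just before the token=$(cat ...) line, with the start aborted on a non-zero result.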

Troubleshooting

If the service fails to start:
1. Check the logs: tail -f /var/log/cloudflared.log
2. Verify permissions on all files
3. Ensure the token is correctly formatted
4. Confirm the cloudflared binary is present at /usr/local/bin/cloudflared

You should now have a working secure tunnel to your OPNsense gateway with SSO login access.