# Cloudflare Zero Trust tunnel for OPNSense

*January 18, 2025*, by Flaviu Vlaicu

> Cloudflare provides you with a secure way to connect your resources without a publicly routable IP.


# Cloudflare Tunnel
Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Refer to the ***[Cloudflare documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)*** for details on how to integrate Cloudflare Tunnel into your existing infrastructure.

## How it works
cloudflared establishes outbound connections (tunnels) between your resources and Cloudflare's global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many cloudflared processes (connectors) as needed. These processes establish connections to Cloudflare and send traffic to the nearest Cloudflare data center.

## How to
SSH to your OPNsense router and run:

```bash
opnsense-code ports tools
cd /usr/ports/net/cloudflared
make install
```

```bash
vim /usr/local/etc/rc.d/cloudflared
```
To create a Cloudflare tunnel and an Access application, you can follow the step-by-step walkthrough I wrote here:
***[Creating a secure Cloudflare tunnel](https://vlaicu.io/posts/cloudflare-zero-trust/)***

Add the config below (the `PROVIDE`/`REQUIRE` header and `. /etc/rc.subr` are required for `rc(8)` to order the script and for `load_rc_config` to be defined):

```bash
#!/bin/sh

# PROVIDE: cloudflared
# REQUIRE: NETWORKING SERVERS
# KEYWORD: shutdown

. /etc/rc.subr

name="cloudflared"
rcvar="cloudflared_enable"
logfile="/var/log/cloudflared.log"
pidfile="/var/run/cloudflared.pid"
procname="/usr/local/bin/cloudflared"

load_rc_config $name

# Defaults; both can be overridden from /etc/rc.conf
: ${cloudflared_enable:="NO"}
: ${cloudflared_mode:="tunnel"}

# Supervise cloudflared with daemon(8); cloudflared_mode carries the whole argument list
command="/usr/sbin/daemon"
command_args="-o ${logfile} -p ${pidfile} -f ${procname} ${cloudflared_mode}"

run_rc_command "$1"
```
```bash
vim /etc/rc.conf
```
Enable the service there with `cloudflared_enable="YES"`; with this first approach the `cloudflared_mode` variable in *rc.conf* also carries the `tunnel ... --token` arguments. ***cloudflared*** will now start at boot. To start the tunnel immediately:

```bash
/usr/sbin/daemon -o /var/log/cloudflared.log -p /var/run/cloudflared.pid -f /usr/local/bin/cloudflared tunnel --no-autoupdate run --post-quantum --token your_token_here
```
## Alternative approach to provide the token

I have also tested this approach and would recommend using this one, as you don't hardcode the token in *rc.conf*.

### 1. Create RC Script

Create the service script at `/usr/local/etc/rc.d/cloudflared`:

```bash
#!/bin/sh

# PROVIDE: cloudflared
# REQUIRE: NETWORKING SERVERS
# KEYWORD: shutdown

. /etc/rc.subr

name="cloudflared"
rcvar="cloudflared_enable"
logfile="/var/log/cloudflared.log"
pidfile="/var/run/cloudflared.pid"
procname="/usr/local/bin/cloudflared"

load_rc_config $name

# Defaults; both can be overridden from /etc/rc.conf
: ${cloudflared_enable:="NO"}
: ${cloudflared_mode:="tunnel"}

# Load token from secure file (mode 0600, see step 3) instead of rc.conf
if [ -f /usr/local/etc/cloudflared/token ]; then
    token=$(cat /usr/local/etc/cloudflared/token)
    command_args="${cloudflared_mode} --token ${token}"
else
    command_args="${cloudflared_mode}"
fi

# Supervise cloudflared with daemon(8)
command="/usr/sbin/daemon"
command_args="-o ${logfile} -p ${pidfile} -f ${procname} ${command_args}"

run_rc_command "$1"
```

### 2. Set Permissions

Make the script executable:

```bash
chmod 755 /usr/local/etc/rc.d/cloudflared
```

### 3. Store Token Securely

Create a secure location for your Cloudflare token:

```bash
mkdir -p /usr/local/etc/cloudflared
echo "your-token" > /usr/local/etc/cloudflared/token
chmod 600 /usr/local/etc/cloudflared/token
```

### 4. Configure RC

Add these lines to `/etc/rc.conf`:

```bash
cloudflared_enable="YES"
cloudflared_mode="tunnel --no-autoupdate run --post-quantum"
```

### 5. Test the Service

Verify the setup:

```bash
# Start the service
service cloudflared start

# Check status
service cloudflared status
```

### Security Notes

- Keep your token secure and never share it
- Regularly rotate your tokens
- Monitor the logs at `/var/log/cloudflared.log` for any issues

### Troubleshooting

If the service fails to start:

1. Check the logs: `tail -f /var/log/cloudflared.log`
2. Verify permissions on all files
3. Ensure the token is correctly formatted
4. Confirm the cloudflared binary is present at `/usr/local/bin/cloudflared`
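The following script is an added example, not part of the original post, that turns the troubleshooting list and the token-handling notes above into a repeatable pre-flight check: it verifies that the binary is executable, that the token file is exactly mode 0600 and holds a single line, that the token decodes to the tunnel JSON blob, and that `cloudflared_enable="YES"` is set. It assumes the token is the base64-encoded JSON document issued by the Cloudflare dashboard (which carries the tunnel id under the `"t"` key); the paths are arguments so the same function can be run against a scratch tree built from constructed files, as the `demo` function does.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# token-file setup. Prints one line per finding; paths are arguments so it
# can run against a scratch tree. Assumption: the token is the base64-encoded
# JSON blob issued by the Cloudflare dashboard, with the tunnel id under "t".

# check_cloudflared_setup TOKEN_FILE BINARY RC_CONF
# Returns 0 only if every check passes.
check_cloudflared_setup() {
    token_file=$1; binary=$2; rc_conf=$3; rc=0

    # Binary present and executable (troubleshooting step 4)
    if [ -x "$binary" ]; then
        echo "ok:   binary $binary"
    else
        echo "FAIL: $binary missing or not executable"; rc=1
    fi

    # Token file exists and is exactly mode 0600 (the chmod from step 3)
    if [ ! -f "$token_file" ]; then
        echo "FAIL: token file $token_file missing"; rc=1
    elif [ -z "$(find "$token_file" -perm 600 -print)" ]; then
        echo "FAIL: $token_file is not mode 0600"; rc=1
    else
        echo "ok:   token file is mode 0600"
    fi

    # Token format: one non-empty line that decodes to tunnel JSON. The rc
    # script reads the file with $(cat ...), so a second line would end up
    # inside the daemon command line.
    if [ -f "$token_file" ]; then
        token=$(tr -d '\n' < "$token_file")
        if [ -z "$token" ]; then
            echo "FAIL: token file is empty"; rc=1
        elif [ "$(grep -c '' "$token_file")" -gt 1 ]; then
            echo "FAIL: token file must hold a single line"; rc=1
        elif ! printf '%s' "$token" | base64 -d 2>/dev/null | grep -q '"t"'; then
            echo "FAIL: token does not decode to tunnel JSON"; rc=1
        else
            echo "ok:   token format"
        fi
    fi

    # Service enabled in rc.conf (step 4)
    if grep -q '^cloudflared_enable="YES"' "$rc_conf" 2>/dev/null; then
        echo "ok:   cloudflared_enable=\"YES\" in $rc_conf"
    else
        echo "FAIL: cloudflared_enable=\"YES\" not set in $rc_conf"; rc=1
    fi
    return $rc
}

# Build a scratch tree of constructed files (the token has the real shape but
# is not a working credential) so the check runs without touching the router.
make_scratch_tree() {
    d=$1
    mkdir -p "$d/bin" "$d/etc/cloudflared"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/cloudflared"
    chmod 755 "$d/bin/cloudflared"
    printf '%s' '{"a":"ACCOUNT_TAG","t":"TUNNEL_ID","s":"SECRET"}' \
        | base64 | tr -d '\n' > "$d/etc/cloudflared/token"
    chmod 600 "$d/etc/cloudflared/token"
    printf 'cloudflared_enable="YES"\ncloudflared_mode="tunnel --no-autoupdate run --post-quantum"\n' \
        > "$d/etc/rc.conf"
}

# Stand-alone run: check the scratch tree, then remove it.
demo() {
    d=$(mktemp -d)
    make_scratch_tree "$d"
    check_cloudflared_setup "$d/etc/cloudflared/token" "$d/bin/cloudflared" "$d/etc/rc.conf"
    status=$?
    rm -rf "$d"
    return $status
}
demo
```

On the router itself, source the file and call `check_cloudflared_setup /usr/local/etc/cloudflared/token /usr/local/bin/cloudflared /etc/rc.conf`. One caveat worth knowing when you rotate tokens: both rc scripts above hand the token to cloudflared as a `--token` argument, so even with the file at mode 0600 the value is visible in `ps` output on the router; cloudflared also reads the token from the `TUNNEL_TOKEN` environment variable, which keeps it off the command line.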

You should now have a working, secure tunnel to your OPNsense gateway with SSO login access.


---
*Source: [https://vlaicu.io/posts/cloudflare-tunnel-opnsense/](https://vlaicu.io/posts/cloudflare-tunnel-opnsense/)*
