    Connecting to CloudFlare, surely its possible.

      deanfourie @stephenw10

      @stephenw10 I'm actually following this guide, and getting on pretty well.

      https://holmq.dk/post/2022-09-16-cloudflared-on-pfsense/

      The only issue I am facing now is that I don't know where to store my config file.

      Also, after logging in, I cannot find a credentials file in JSON format. Only the cert.pem file seems to be generated.

      Any ideas?

      Cheers

        deanfourie

        OK, I got everything up and running by doing the following.

        1. Navigate to Diagnostics >> Edit File and edit the following files:
        /usr/local/etc/pkg/repos/pfSense.conf
        /usr/local/etc/pkg/repos/FreeBSD.conf
        Change the line FreeBSD: { enabled: no } to FreeBSD: { enabled: yes } in both files.
        2. Log in to a pfSense shell and run pkg update to update the package catalog.
        3. Install cloudflared with pkg install cloudflared.
        4. Run cloudflared tunnel login and follow the steps to log in. This will generate a certificate for your account. If this doesn't work, you can cd into the cloudflared directory /usr/local/bin/cloudflared and run ./cloudflared tunnel login. A reboot of pfSense should fix the symbolic link issue.
        5. Once logged in, create a tunnel with cloudflared tunnel create <tunnel name>. This will generate a credentials file. You should now see the tunnel created on the cloudflared Zero Trust Cloud dashboard.
        6. Connect to your tunnel with cloudflared tunnel run <tunnel name>.
        
        
          stephenw10 Netgate Administrator

          Hmm, cloudflared is not the same as the WARP client. It may not be what you want here:
          https://github.com/cloudflare/cloudflared

          I will point out, though, that adding packages from the FreeBSD repo like that can potentially break all sorts of things. You'll note that part of the instructions has you re-install the pkgs from the pfSense repo that were overwritten. That's a scary install process!
          It also won't survive an upgrade.

          Steve

            NollipfSense @deanfourie

            @deanfourie Glad you got it sorted, despite the method you followed involving modifying pfSense, whereas the method Steve shared appeared simple and without modification.

            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

              deanfourie @NollipfSense

              @nollipfsense I'm stuck on this step.

              Run wgcf generate to get a wgcf-profile.conf
              

              Where is wgcf? Needs to be installed?

                stephenw10 Netgate Administrator

                This I imagine:

                https://github.com/ViRb3/wgcf

                  stephenw10 Netgate Administrator

                  At your own risk (review the code yourself to be sure):

                  [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: fetch https://github.com/ViRb3/wgcf/releases/download/v2.2.15/wgcf_2.2.15_freebsd_amd64
                  wgcf_2.2.15_freebsd_amd64                             8504 kB 7538 kBps    01s
                  [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: chmod 0755 wgcf_2.2.15_freebsd_amd64 
                  [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: ./wgcf_2.2.15_freebsd_amd64 
                  2023/01/24 22:41:46 Using config file: wgcf-account.toml
                  wgcf is a utility for Cloudflare Warp that allows you to create and manage accounts, assign license keys, and generate WireGuard profiles. Made by Victor (@ViRb3). Project website: https://github.com/ViRb3/wgcf
                  
                  Usage:
                    wgcf [flags]
                    wgcf [command]
                  
                  Available Commands:
                    completion  Generate the autocompletion script for the specified shell
                    generate    Generates a WireGuard profile from the current Cloudflare Warp account
                    help        Help about any command
                    register    Registers a new Cloudflare Warp device and creates a new account, preparing it for connection
                    status      Prints the status of the current Cloudflare Warp device
                    trace       Prints trace information about the current internet connection
                    update      Updates the current Cloudflare Warp account, preparing it for connection
                  
                  Flags:
                        --config string   Configuration file (default "wgcf-account.toml")
                    -h, --help            help for wgcf
                  
                  Use "wgcf [command] --help" for more information about a command.
                  

                  I imagine you could run that to generate the file anywhere. Doesn't have to be on the firewall.

                    deanfourie @stephenw10

                    @stephenw10 Thank you!

                      deanfourie @deanfourie

                      @deanfourie So, technically I don't need to install wgcf on the firewall?
                      I can generate the file and import it later?

                        stephenw10 Netgate Administrator

                        Yeah, that's how I read it. You just need that to generate wgcf-profile.conf. Then you use the values from that file to configure WireGuard in pfSense.

                        Obviously the status and trace commands won't work. Unless maybe you're behind the firewall... 🤔
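                        As an added example (not code from this thread, the wgcf project or pfSense): a small Python script that reads a wgcf-profile.conf, copes with the repeated Address/AllowedIPs keys that a stock INI parser rejects, checks both keys are well-formed 32-byte WireGuard keys, and pulls out the values the pfSense WireGuard tunnel and peer forms ask for. The sample profile and both keys are constructed placeholders, and the field labels are my own, not pfSense's.

```python
import re
WG_KEY = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")  # 32 bytes, canonical base64

# Constructed sample shaped like wgcf output; both keys are placeholders (32 bytes of
# 'A' / 'B' in base64), not real Cloudflare or account keys.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
Address = 172.16.0.2/32
Address = 2606:4700:110:8000::1/128
[Peer]
PublicKey = QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
"""

def parse_wg_profile(text):
    """WireGuard INI -> {section: {key: [values]}}; keys repeat, so each maps to a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are skipped
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
        elif line:  # any other non-blank line is malformed
            raise ValueError(f"malformed line: {raw!r}")
    return sections

def is_wg_key(value):
    """WireGuard keys are 32 raw bytes: 42 base64 chars, one with zero pad bits, then '='."""
    return WG_KEY.fullmatch(value) is not None

def pfsense_wireguard_settings(profile_text):
    """Values for pfSense's WireGuard tunnel and peer forms (field labels are mine)."""
    p = parse_wg_profile(profile_text)
    iface, peer = p["Interface"], p["Peer"]
    priv, pub = iface["PrivateKey"][0], peer["PublicKey"][0]
    if not (is_wg_key(priv) and is_wg_key(pub)):
        raise ValueError("profile contains a malformed WireGuard key")
    host, _, port = peer["Endpoint"][0].rpartition(":")  # rpartition keeps IPv6 hosts intact
    return {"tunnel": {"private_key": priv, "addresses": iface["Address"]},
            "peer": {"public_key": pub, "endpoint_host": host, "endpoint_port": int(port),
                     "allowed_ips": peer["AllowedIPs"]}}
```

The PrivateKey in that file is the tunnel's secret, so lock down or delete the .conf once the values have been entered in pfSense. AllowedIPs of 0.0.0.0/0 and ::/0 on the peer means every destination is handed to Cloudflare once pfSense routes traffic to that peer.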

                          deanfourie @stephenw10

                          @stephenw10 So with WARP,

                          would this allow remote access as well? Do I still need to create a tunnel? I can't quite understand what these WARP shenanigans are all about.

                          Is WARP just some kind of secure DNS and not a VPN as such?

                            stephenw10 Netgate Administrator

                            It's a WireGuard tunnel to Cloudflare. WireGuard has none of the user/config management that, say, OpenVPN does, so things like this and Tailscale have been created to add it.
                            Cloudflare is mainly about filtering inbound traffic, so I imagine this makes it easy to connect, say, a webserver that is buried behind routers/firewalls directly to them.

                            Why are you trying to connect to them?

                              deanfourie @stephenw10

                              @stephenw10 I just want complete subnet access, just like I have with my OVPN.

                              I am behind CGNAT, so running servers is a no-go, so I use OVPN Cloud at the moment, which works really well; however, it only allows 3 users free and after that it's crazy expensive.

                              Whereas Cloudflare allows up to 50 users free.

                                deanfourie @deanfourie

                                @deanfourie OK, so I'm in a catch-22 here.

                                On my Debian box, I have managed to achieve what I want to do: VPN with full network access and secure outbound traffic.

                                The problem is obviously that this is running on a separate VM to my pfSense.

                                So, I could install cloudflared on pfSense and configure it the same as I have set up the Debian one, and this would work. However, I have some questions.

                                1. Will all outbound traffic be routed through it, and if not, how can it be, since there is no interface created?
                                2. The same goes for firewall rules: I can't manage firewall rules as there is no separate interface such as a TUN or anything. (How do I tell pfSense to exit via the cloudflared tunnel?) Which route would take precedence?

                                My other option is to set up the Debian VM as a gateway and route traffic from pfSense through the Debian GW then out, setting up something like IP forwarding on Debian.

                                Or any suggestions are welcome; I'm slowly creeping closer and closer to success.

                                  stephenw10 Netgate Administrator

                                  If the cloudflared tunnel doesn't create an interface/gateway then pfSense can't policy route across it. I've never used either but it looks like cloudflared is a proxy to me.

                                    deanfourie @stephenw10

                                    @stephenw10 It certainly does look more like a proxy.

                                      Sergei_Shablovsky

                                      Just to refresh the topic: WARP client for FreeBSD-based firewalls (e.g. pfSense, OPNsense), 10+ pages with useful links for your inspiration… ;)

                                      I am really frustrated about WHY NETGATE IGNORES WARP/WARP+ as the fastest (truly) way to have a secured VPN/proxied connection, which a lot of pfSense’s users love.

                                      It looks like the DevTeam made the first step (documenting DoT with CloudFlare and adding a lot of links in the official docs, certainly for CloudFlare’s public DNSs, which are FREE), then stopped and did not make the reasonable next step of making a WARP/WARP+ CloudFlare client (service) for pfSense!

                                      Really frustrating! Especially as there is a lot of ready-to-use code for FreeBSD that has been tested and works well!

                                      —
                                      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                      Help Ukraine to resist, save civilian people’s lives!
                                      (Take an active part in public protests, push on your country’s politicians, congressmen, mass media, leaders of opinion.)

                                        Sergei_Shablovsky

                                        Please vote for adding CloudFlare WARP/WARP+ client as a package to pfSense.

                                        Thank You all!


                                          Sergei_Shablovsky @stephenw10

                                          @stephenw10 said in Connecting to CloudFlare, surely its possible.:

                                          Are you doing everything shown here?:
                                          https://www.reddit.com/r/PFSENSE/comments/owg78a/sending_traffic_over_cloudflare_warp/

                                          @stephenw10 Is this exact guide working for you?

                                          If the answer is “Yes”:

                                          • What is the bandwidth w/ and w/o WARP (or WARP+ if you have it) on the same physical channel?

                                          • What about the STABILITY of operation (and how are you testing this stability)?

                                          Thanks a lot!


                                            Sergei_Shablovsky @NollipfSense

                                            @NollipfSense said in Connecting to CloudFlare, surely its possible.:

                                            @deanfourie I think a better question would be what about REST API that was promised for pfSense 2.6 but didn't make it? Has pfSense moved away from implementing that strategy? With REST API, it would be very easy to run containers and other micro-services...

                                            Besides the Netgate promises, the idea of running micro-services and especially containers inside pfSense is a very bad idea.

                                            I prefer to look at pfSense as a solid system with a fraction of third-party packages (but VERY WELL TESTED and bug-free!).
