Netgate Discussion Forum

    Connecting to CloudFlare, surely it's possible.

    General pfSense Questions
    25 Posts 4 Posters 9.2k Views
    • deanfourie

      So, seeing a lot of people wanting to connect CloudFlare WARP tunnels through pfSense.

      Can this be done with WireGuard or any other way? Or could there be an integration done that allows us to use CloudFlare?

      This is an awesome feature that is offered free from CloudFlare and can really help those stuck behind CGNAT etc.

      Anyone been experimenting with this? I would rather not run a docker container inside my pfSense OS to connect to cloudflare.

      Thanks

      • NollipfSense @deanfourie

        @deanfourie said in Connecting to CloudFlare, surely it's possible.:

        I would rather not run a docker container inside my pfSense OS

        That's the answer...

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • deanfourie @NollipfSense

          @nollipfsense how do I handle things like routing etc?

          Can I get a visible and manageable interface in pfSense this way?

          Thanks

          • NollipfSense @deanfourie

            @deanfourie I think a better question would be what about REST API that was promised for pfSense 2.6 but didn't make it? Has pfSense moved away from implementing that strategy? With REST API, it would be very easy to run containers and other micro-services...

            • stephenw10 Netgate Administrator

              Are you doing everything shown here?
              https://www.reddit.com/r/PFSENSE/comments/owg78a/sending_traffic_over_cloudflare_warp/

              • deanfourie @stephenw10

                @stephenw10 I'm actually following this guide, and getting on pretty well.

                https://holmq.dk/post/2022-09-16-cloudflared-on-pfsense/

                The only issue I am facing now is that I don't know where to store my config file.

                Also, after logging in, I cannot find a credentials file in JSON format. Only the cert.pem file seems to be generated.

                Any ideas?

                Cheers

                • deanfourie

                  OK, I got everything up and running by doing the following.

                  1. Navigate to Diagnostics >> Edit File and edit the following files:
                  /usr/local/etc/pkg/repos/pfSense.conf
                  /usr/local/etc/pkg/repos/FreeBSD.conf
                  Change the line FreeBSD: { enabled: no } to FreeBSD: { enabled: yes } in both files.
                  2. Log in to a pfSense shell and run pkg update to update the package catalog.
                  3. Install cloudflared with pkg install cloudflared.
                  4. Run cloudflared tunnel login and follow the steps to log in. This will generate a certificate for your account. If this doesn't work, you can cd into the cloudflared directory /usr/local/bin/cloudflared and run ./cloudflared tunnel login. A reboot of pfSense should fix the symbolic link issue.
                  5. Once logged in, create a tunnel with cloudflared tunnel create <tunnel name>. This will generate a credentials file. You should now see the tunnel created on the Cloudflare Zero Trust dashboard.
                  6. Connect to your tunnel with cloudflared tunnel run <tunnel name>.
                  
                  
                  • stephenw10 Netgate Administrator

                    Hmm, cloudflared is not the same as the WARP client. It may not be what you want here:
                    https://github.com/cloudflare/cloudflared

                    I will point out though that adding packages from the FreeBSD repo like that can potentially break all sorts of things. You'll note that part of the instructions has you re-install the pkgs from the pfSense repo that were overwritten. That's a scary install process!
                    It also won't survive an upgrade.

                    Steve

                    • NollipfSense @deanfourie

                      @deanfourie Glad you got it sorted, despite the method you followed involving modifying pfSense, whereas the method Steve shared appeared simple, without modification.

                      • deanfourie @NollipfSense

                        @nollipfsense I'm stuck on this step.

                        Run wgcf generate to get a wgcf-profile.conf
                        

                        Where is wgcf? Needs to be installed?

                        • stephenw10 Netgate Administrator

                          This I imagine:

                          https://github.com/ViRb3/wgcf

                          • stephenw10 Netgate Administrator

                            At your own risk (review the code yourself to be sure):

                            [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: fetch https://github.com/ViRb3/wgcf/releases/download/v2.2.15/wgcf_2.2.15_freebsd_amd64
                            wgcf_2.2.15_freebsd_amd64                             8504 kB 7538 kBps    01s
                            [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: chmod 0755 wgcf_2.2.15_freebsd_amd64 
                            [22.05.1-RELEASE][root@8200-2.stevew.lan]/root: ./wgcf_2.2.15_freebsd_amd64 
                            2023/01/24 22:41:46 Using config file: wgcf-account.toml
                            wgcf is a utility for Cloudflare Warp that allows you to create and manage accounts, assign license keys, and generate WireGuard profiles. Made by Victor (@ViRb3). Project website: https://github.com/ViRb3/wgcf
                            
                            Usage:
                              wgcf [flags]
                              wgcf [command]
                            
                            Available Commands:
                              completion  Generate the autocompletion script for the specified shell
                              generate    Generates a WireGuard profile from the current Cloudflare Warp account
                              help        Help about any command
                              register    Registers a new Cloudflare Warp device and creates a new account, preparing it for connection
                              status      Prints the status of the current Cloudflare Warp device
                              trace       Prints trace information about the current internet connection
                              update      Updates the current Cloudflare Warp account, preparing it for connection
                            
                            Flags:
                                  --config string   Configuration file (default "wgcf-account.toml")
                              -h, --help            help for wgcf
                            
                            Use "wgcf [command] --help" for more information about a command.
                            

                            I imagine you could run that to generate the file anywhere. Doesn't have to be on the firewall.

                            • deanfourie @stephenw10

                              @stephenw10 Thank you!

                              • deanfourie @deanfourie

                                @deanfourie So, technically I don't need to install wgcf on the firewall?
                                I can generate the file and import it later?

                                • stephenw10 Netgate Administrator

                                  Yeah, that's how I read it. You just need that to generate wgcf-profile.conf. Then you use the values from that file to configure Wireguard in pfSense.

                                  Obviously the status and trace commands won't work. Unless maybe you're behind the firewall... 🤔

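Steve's point above is that wgcf only produces wgcf-profile.conf; the values in it are then entered by hand into pfSense's WireGuard tunnel and peer forms. The Python below is an added example, not code from this thread, from wgcf or from pfSense. It parses a profile in the layout wgcf writes (the sample is constructed inline: the keys are placeholder 32-byte values and the endpoint host is a placeholder, not Cloudflare's real endpoint), checks that both keys really are 32-byte base64 values before anyone pastes them into a form, and groups the fields into the tunnel-side and peer-side settings. One detail worth knowing: wgcf emits one Address and one AllowedIPs line per address family, which Python's configparser rejects as duplicate options, so the parser accumulates repeated keys instead. The field grouping reflects how pfSense separates tunnel and peer settings; the exact form labels are an assumption.

```python
"""Map a wgcf-profile.conf onto the values pfSense's WireGuard forms ask for.
Added example; not from this thread, wgcf or pfSense. The sample profile is
constructed: placeholder keys, documentation addresses, placeholder endpoint."""
import base64
import binascii
import json
from typing import Dict, List, Tuple


def placeholder_key(start: int) -> str:
    """Base64 of 32 sequential bytes: the right shape for a WireGuard key,
    but obviously not a real one (constructed for the sample)."""
    return base64.b64encode(bytes(range(start, start + 32))).decode()


# Constructed sample in the layout `wgcf generate` writes: one Address and one
# AllowedIPs line per address family (configparser would reject the repeats).
SAMPLE_PROFILE = f"""\
[Interface]
PrivateKey = {placeholder_key(32)}
Address = 172.16.0.2/32
Address = 2001:db8::2/128
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = {placeholder_key(0)}
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = warp-endpoint.example:2408
"""


def parse_wg_profile(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse WireGuard INI text into {section: {key: [values]}}. Repeated keys
    accumulate and comma-separated values are split; keys are lower-cased."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        sections[current].setdefault(key.lower(), []).extend(values)
    return sections


def is_wg_key(b64: str) -> bool:
    """A WireGuard key is exactly 32 bytes of base64; anything else is a
    copy/paste error waiting to happen."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split host:port, accepting a bracketed IPv6 literal like [2001:db8::1]:2408."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"endpoint is not host:port: {endpoint!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def to_pfsense_fields(text: str) -> Dict[str, Dict[str, object]]:
    """Group the profile into tunnel-side and peer-side values (entered on
    separate pfSense forms; the grouping, not the form labels, is the point)."""
    profile = parse_wg_profile(text)
    iface = profile.get("interface", {})
    peer = profile.get("peer", {})
    private_key = iface.get("privatekey", [""])[0]
    public_key = peer.get("publickey", [""])[0]
    for label, key in (("Interface.PrivateKey", private_key), ("Peer.PublicKey", public_key)):
        if not is_wg_key(key):
            raise ValueError(f"{label} is not a 32-byte base64 key")
    host, port = split_endpoint(peer.get("endpoint", [""])[0])
    return {
        "tunnel": {
            "private_key": private_key,
            "addresses": iface.get("address", []),
            "mtu": int(iface["mtu"][0]) if "mtu" in iface else None,
        },
        "peer": {
            "public_key": public_key,
            "endpoint_host": host,
            "endpoint_port": port,
            # Cryptokey routing: 0.0.0.0/0 and ::/0 let this peer carry any
            # destination, but pfSense still needs an assigned interface and
            # gateway before it can policy-route traffic through the tunnel.
            "allowed_ips": peer.get("allowedips", []),
        },
        # DNS is not a tunnel field in pfSense; it is reported for reference only.
        "dns_from_profile": iface.get("dns", []),
    }


if __name__ == "__main__":
    print(json.dumps(to_pfsense_fields(SAMPLE_PROFILE), indent=2))
```

Running it on a real wgcf-profile.conf instead of the sample is a matter of passing the file's contents to to_pfsense_fields; the key check is the part worth keeping, since a truncated key pasted into a form fails silently until the handshake never completes.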
                                  • deanfourie @stephenw10

                                    @stephenw10 so with WARP,

                                    Would this allow remote access as well? Do I still need to create a tunnel? I can't quite understand what these WARP shenanigans are all about.

                                    Is WARP just like some kind of secure DNS and not a VPN as such?

                                    • stephenw10 Netgate Administrator

                                      It's a Wireguard Tunnel to Cloudflare. Wireguard has none of the user/config management that, say, OpenVPN does so things like this and Tailscale have been created to add it.
                                      Cloudflare is about filtering inbound traffic mainly so I imagine this makes it easy to connect, say, a webserver that is buried behind routers/firewalls directly to them.

                                      Why are you trying to connect to them?

                                      • deanfourie @stephenw10

                                        @stephenw10 I just want complete subnet access, just like I do with my OVPN.

                                        I am behind CGNAT so running servers is a no-go, so I use OVPN cloud at the moment, which works really well; however, it only allows 3 users free, and after that it's crazy expensive.

                                        Whereas Cloudflare allows up to 50 users free.

                                        • deanfourie @deanfourie

                                          @deanfourie OK, so I'm in a catch-22 here.

                                          On my Debian box, I have managed to achieve what I want to do: VPN with full network access and secure outbound traffic.

                                          The problem is obviously this is running on a separate VM to my pfSense.

                                          So, I could install cloudflared on pfSense and configure it the same as I have set up the Debian one, and this would work. However, I have some questions.

                                          1. Will all outbound traffic be routed through it? If not, how can it be, since there is no interface created?
                                          2. Same goes for firewall rules. I can't manage firewall rules as there is no separate interface such as a TUN or anything. (How do I tell pfSense to exit via the cloudflared tunnel?) Which route would take precedence?

                                          My other option is to set up the Debian VM as a gateway, and route traffic from pfSense through the Debian GW then out. Set up something like IP forwarding on Debian.

                                          Or any suggestions are welcome; I'm slowly creeping closer and closer to success.

                                          • stephenw10 Netgate Administrator

                                            If the cloudflared tunnel doesn't create an interface/gateway then pfSense can't policy route across it. I've never used either but it looks like cloudflared is a proxy to me.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.