I used to add the Debian repository from https://pkg.cloudflare.com and install the package locally on my VyOS firewall, but I found that VyOS can run docker containers, so I decided to give it a try. I like the idea of not having to install any third-party software on my firewall and of getting a simpler, more portable configuration.
I'm using cloudflared for two things. First, I'm using it to access my VyOS from the Internet via Cloudflare Zero Trust. Second, I'm using it as a DoH (DNS over HTTPS) client so that my DNS queries are encrypted.
Add the container image to VyOS
add container image cloudflare/cloudflared:latest
1. Create the cloudflared tunnel container.
configure
set container name cloudflared
set container name cloudflared allow-host-networks
set container name cloudflared restart always
set container name cloudflared cap-add net-raw
set container name cloudflared memory 128 # Decrease memory limit from 512MB to 128MB.
set container name cloudflared image cloudflare/cloudflared:latest
set container name cloudflared command 'tunnel --no-autoupdate run'
set container name cloudflared environment TUNNEL_TOKEN value 'YOUR_TOKEN' # Tunnel token from the Zero Trust dashboard; it is stored in plain text in the VyOS configuration
set container name cloudflared environment TZ value 'Europe/Berlin'
commit
save
Create the rest of the configuration from the Cloudflare Zero Trust Dashboard.
2. cloudflared DNS proxy as a DoH client
configure
set container name cloudflared-dns-proxy
set container name cloudflared-dns-proxy allow-host-networks
set container name cloudflared-dns-proxy restart always
set container name cloudflared-dns-proxy image cloudflare/cloudflared:latest
set container name cloudflared-dns-proxy cap-add net-bind-service
set container name cloudflared-dns-proxy memory 64 # Set memory limit to 64MB. Default is 512MB
set container name cloudflared-dns-proxy command 'proxy-dns'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_ADDRESS value '127.0.0.1'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_PORT value '53'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_UPSTREAM value 'https://1.1.1.1/dns-query, https://dns.google/dns-query' # Use Cloudflare DNS as primary and Google as backup resolver
set system name-server 1.1.1.1 # Set VyOS to use Cloudflare DNS as resolver for all system lookups; these go to 1.1.1.1 over plain port 53, not through the DoH proxy. LAN clients' queries do go through it (below)
set service dns forwarding listen-address 192.168.1.1 # Listen on LAN IP
set service dns forwarding allow-from 192.168.1.0/24 # Allow local network clients to query the firewall
set service dns forwarding name-server 127.0.0.1 # forward the query from local clients to cloudflared-dns-proxy container
commit ; save
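To check the DoH path of step 2 independently of the container, here is an added example (not from this post and not cloudflared's own code) that does by hand what proxy-dns does for one query: build a wire-format DNS message, POST it to the upstream as application/dns-message (RFC 8484) and parse the answer. It assumes Python 3 with outbound HTTPS; the two upstream URLs are the ones configured above, and example.com is an assumed test name.

```python
import socket
import struct
import urllib.request

# Upstreams from the VyOS config above; example.com below is an assumed test name.
UPSTREAMS = ["https://1.1.1.1/dns-query", "https://dns.google/dns-query"]

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035), RD set; ID 0 as RFC 8484 suggests for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name, return the next offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def parse_response(msg: bytes) -> tuple:
    """Return (RCODE, list of IPv4 answers) from a wire-format DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def doh_query(upstream: str, name: str) -> tuple:
    """POST the query as application/dns-message (RFC 8484), as proxy-dns does."""
    req = urllib.request.Request(upstream, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

if __name__ == "__main__":
    for u in UPSTREAMS:
        print(u, doh_query(u, "example.com"))
```

Running it from a LAN host shows whether each upstream answers over HTTPS; `dig @192.168.1.1 example.com` then confirms the VyOS forwarder and container path end to end.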
VyOS Container documentation