I used to add the Debian repository from https://pkg.cloudflare.com and install the package locally on my VyOS firewall, but I found that VyOS can run Docker containers, so I decided to give it a try. I like the idea of not having to install any third-party software on my firewall and getting a simpler, more portable configuration.
I'm using cloudflared for two things. First, I'm using it to access my VyOS from the Internet via Cloudflare Zero Trust. Second, I'm using it as a DoH (DNS over HTTPS) client so that my DNS queries are encrypted.
Add container image to VyOS
add container image cloudflare/cloudflared:latest
1. Create the Cloudflared container.
configure
set container name cloudflared
set container name cloudflared allow-host-networks
set container name cloudflared restart always
set container name cloudflared cap-add net-raw
set container name cloudflared memory 128   # Decrease memory limit from 512MB to 128MB.
set container name cloudflared image cloudflare/cloudflared:latest
set container name cloudflared command 'tunnel --no-autoupdate run'
set container name cloudflared environment TUNNEL_TOKEN value 'YOUR_TOKEN'
set container name cloudflared environment TZ value 'Europe/Berlin'
commit
save
Create the rest of your configuration from the Cloudflare Zero Trust Dashboard
2. Cloudflared DNS Proxy as DoH client
configure
set container name cloudflared-dns-proxy
set container name cloudflared-dns-proxy allow-host-networks
set container name cloudflared-dns-proxy restart always
set container name cloudflared-dns-proxy image cloudflare/cloudflared:latest
set container name cloudflared-dns-proxy cap-add net-bind-service
set container name cloudflared-dns-proxy memory 64   # Set memory limit to 64MB. Default is 512MB.
set container name cloudflared-dns-proxy command 'proxy-dns'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_ADDRESS value '127.0.0.1'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_PORT value '53'
set container name cloudflared-dns-proxy environment TUNNEL_DNS_UPSTREAM value 'https://184.108.40.206/dns-query, https://dns.google/dns-query'   # Use Cloudflare DNS as primary and Google as backup resolver
set system name-server 220.127.116.11   # Set VyOS to use Cloudflare DNS as resolver for all system lookups
set service dns forwarding listen-address 192.168.1.1   # Listen on the LAN IP
set service dns forwarding allow-from 192.168.1.0/24   # Allow local network clients to query the firewall
set service dns forwarding name-server 127.0.0.1   # Forward queries from local clients to the cloudflared-dns-proxy container
commit
save
VyOS Container documentation