net/cloudflared: new plugin for Cloudflare Tunnel integration#5406
AlanMartines wants to merge 1 commit into opnsense:master from
Conversation
Closes: #5070

Installing a binary via a script is a no-go. The cloudflared tunnel must exist in freebsd ports and a plugin here only a slim configuration wrapper around it.

The plugin was created precisely because there is currently no equivalent implementation or configuration available in the FreeBSD ports for cloudflared with this level of integration. The goal is not to replace an official port, but to fill this gap by providing a practical way to configure and operate the tunnel within the environment, even if in an encapsulated manner. If an official port with proper support becomes available, the approach can be revisited so that the plugin acts only as a minimal configuration wrapper around that implementation.

I understand your position, but it does not change the initial requirement of an existing freebsd port I'm afraid.
Reworks the original plugin by Alan Martines to address the architectural feedback on PR opnsense#5406: the custom binary installer is replaced with PLUGIN_DEPENDS= cloudflared, delegating binary management entirely to pkg via the FreeBSD ports tree. The plugin is now a pure configuration wrapper.

Binary and service:
- Remove install_binary.sh and bundled rc.d script; use FreeBSD port
- Pass tunnel token via TUNNEL_TOKEN env var (cloudflared_env in rc.subr) so it does not appear in ps aux; /etc/rc.conf.d/cloudflared chmod 600
- Add config.yml template; move options out of rc.conf.d command args
- Hardcode no-autoupdate: true (pkg manages the binary; self-update is inappropriate)

New features:
- Transport protocol selector: Auto (QUIC with HTTP/2 fallback, default), QUIC-only (UDP 7844), HTTP/2-only (TCP 443)
- Automatic outbound firewall rule for TCP/UDP 7844 via cloudflared_firewall() hook; UDP active for Auto and QUIC-only modes, TCP for Auto and HTTP/2-only
- quic-disable-pmtu-discovery option: workaround for intermittent QUIC stream errors on networks where ICMP is filtered
- Log viewer tab with client-side pagination (25/50/100/200 lines/page, Older/Newer navigation) and Follow mode for live tailing
- Crash recovery: monitor.sh syshook and cron job restart cloudflared if it exits unexpectedly; sentinel file suppresses watchdog after intentional stop
- newwanip/newwanip6 hook to restart on WAN IP change if daemon exits

Reliability fixes:
- Improve tunnel health detection: cross-check Prometheus metrics against log output to catch stale ha_connections; report accurate down state

Other:
- Security notice in UI: tunnel traffic bypasses OPNsense firewall rules
- Translations for 20 languages in addition to the original pt_BR (machine generated)
- BSD license headers on all scripts
- README.md entry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
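The "cross-check Prometheus metrics against log output" item above is the one worth seeing in code, because a gauge that never gets decremented is exactly the failure that makes a watchdog report "up" while the tunnel is dead. The block below is an added illustration written for this page, not code from the PR or from the plugin: it parses a constructed Prometheus scrape and constructed cloudflared log lines and returns an up/degraded/down verdict. The metric name `cloudflared_tunnel_ha_connections` and the "Registered/Unregistered tunnel connection" log wording are assumptions modelled on cloudflared's output; the function names are hypothetical.

```python
import re
from typing import Iterable, Optional, Tuple

# Metric name assumed from cloudflared's Prometheus output (the commit message
# only says "ha_connections"); treat the exact name as a hypothetical.
HA_METRIC = "cloudflared_tunnel_ha_connections"

# Log message shapes are modelled on cloudflared's connection lifecycle lines;
# the exact wording is an assumption for this example.
_UNREGISTERED = re.compile(r"Unregistered tunnel connection.*\bconnIndex=(\d+)")
_REGISTERED = re.compile(r"\bRegistered tunnel connection.*\bconnIndex=(\d+)")


def parse_ha_connections(metrics_text: str) -> Optional[int]:
    """Return the HA-connections gauge from Prometheus text, or None if absent."""
    for line in metrics_text.splitlines():
        if line.startswith("#"):
            continue  # HELP/TYPE comment lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == HA_METRIC:
            try:
                return int(float(parts[1]))
            except ValueError:
                return None
    return None


def live_connections_from_log(lines: Iterable[str]) -> set:
    """Replay registration events in order; the last event per connIndex wins."""
    live = set()
    for line in lines:
        m = _UNREGISTERED.search(line)
        if m:
            live.discard(m.group(1))
            continue
        m = _REGISTERED.search(line)
        if m:
            live.add(m.group(1))
    return live


def assess_tunnel(metrics_text: Optional[str], log_lines: Iterable[str]) -> Tuple[str, str]:
    """Cross-check the gauge against the log and return (state, reason).

    The gauge is trusted only when the log agrees that connections are still
    registered; a gauge that still reads N after every connection was
    unregistered is treated as stale and reported as down.
    """
    reported = parse_ha_connections(metrics_text or "")
    live = live_connections_from_log(log_lines)
    if reported is None:
        return "down", "metrics endpoint unreachable or gauge missing"
    if reported == 0:
        return "down", "daemon reports zero HA connections"
    if not live:
        return "down", f"gauge reports {reported} HA connections but log shows none registered (stale gauge)"
    if len(live) < reported:
        return "degraded", f"gauge reports {reported} HA connections, log confirms only {len(live)}"
    return "up", f"{len(live)} HA connections confirmed by log"


# --- Constructed sample input (not captured from a real tunnel) ---
METRICS_FOUR = (
    f"# HELP {HA_METRIC} Number of active HA connections\n"
    f"# TYPE {HA_METRIC} gauge\n"
    f"{HA_METRIC} 4\n"
)

LOG_HEALTHY = [
    "2024-05-01T10:00:01Z INF Registered tunnel connection connIndex=0 protocol=quic",
    "2024-05-01T10:00:01Z INF Registered tunnel connection connIndex=1 protocol=quic",
    "2024-05-01T10:00:02Z INF Registered tunnel connection connIndex=2 protocol=quic",
    "2024-05-01T10:00:02Z INF Registered tunnel connection connIndex=3 protocol=quic",
]

# Edge case the commit message calls out: every connection was torn down (e.g.
# QUIC streams failing where ICMP is filtered) but the gauge was never decremented.
LOG_STALE = LOG_HEALTHY + [
    '2024-05-01T10:05:00Z ERR Failed to serve quic connection error="timeout" connIndex=0',
    "2024-05-01T10:05:00Z INF Unregistered tunnel connection connIndex=0",
    "2024-05-01T10:05:01Z INF Unregistered tunnel connection connIndex=1",
    "2024-05-01T10:05:01Z INF Unregistered tunnel connection connIndex=2",
    "2024-05-01T10:05:02Z INF Unregistered tunnel connection connIndex=3",
]

if __name__ == "__main__":
    for name, metrics, log in [("healthy", METRICS_FOUR, LOG_HEALTHY),
                               ("stale gauge", METRICS_FOUR, LOG_STALE),
                               ("metrics down", None, LOG_HEALTHY)]:
        state, reason = assess_tunnel(metrics, log)
        print(f"{name:13s} -> {state:8s} {reason}")
```

In a plugin the metrics text would come from cloudflared's metrics listener and the log lines from the daemon's syslog output; a watchdog such as the monitor.sh described above would act only on the "down" verdict, so a merely degraded tunnel is surfaced in the UI without triggering a restart loop.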
Important notices
Model used: Claude Sonnet 4.6 (Anthropic)
Extent of AI involvement: Code generation and review assistance throughout development.
Describe the problem
OPNsense has no native interface for managing Cloudflare Tunnel (cloudflared).
Users must configure it manually via CLI, with no integration into the
OPNsense service management or web UI.
Describe the proposed solution
Adds a new plugin net/cloudflared that integrates Cloudflare Tunnel into OPNsense as a first-class service:
FreeBSD version and CPU architecture via GitHub API)
and restarts the service
Related issue
N/A