net/cloudflared: new plugin for Cloudflare Tunnel integration

net/cloudflared/LICENSE

@@ -0,0 +1,24 @@
+BSD 2-Clause License
+
+Copyright (c) 2026, Alan Martines
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

net/cloudflared/Makefile

@@ -0,0 +1,8 @@
+PLUGIN_NAME=        cloudflared
+PLUGIN_VERSION=     0.1.0
+PLUGIN_REVISION=    1
+PLUGIN_COMMENT=     Cloudflare Tunnel (cloudflared) integration
+PLUGIN_MAINTAINER=  alancpmartines@hotmail.com
+PLUGIN_DEPENDS=     fetch
+
+.include "../../Mk/plugins.mk"

net/cloudflared/pkg-descr

@@ -0,0 +1,17 @@
+Cloudflare Tunnel (cloudflared) integration for OPNsense.
+
+Provides a native MVC interface to manage token-based Cloudflare Zero
+Trust tunnels without opening firewall ports or requiring a static IP.
+Follows Method 1: Token-based Setup using binaries from the kjake
+FreeBSD fork of cloudflared.
+
+Features:
+- Token-based tunnel authentication via Cloudflare Zero Trust
+- Integrated binary installer with automatic FreeBSD version and
+  architecture detection
+- QUIC kernel tuning (kern.ipc.maxsockbuf, net.inet.udp.recvspace)
+- Post-quantum encryption support (--post-quantum)
+- Real-time tunnel health status in the UI
+- Appears in System: Diagnostics: Services
+
+WWW: https://github.com/AlanMartines/os-cloudflared

net/cloudflared/src/etc/inc/plugins.inc.d/cloudflared.inc

@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function cloudflared_enabled()
+{
+    $model = new \OPNsense\Cloudflared\Cloudflared();
+    return (string)$model->general->enabled == '1';
+}
+
+function cloudflared_services()
+{
+    $services = [];
+
+    if (cloudflared_enabled()) {
+        $services[] = [
+            'description' => gettext('Cloudflare Tunnel'),
+            'configd'     => [
+                'restart' => ['cloudflared restart'],
+                'start'   => ['cloudflared start'],
+                'stop'    => ['cloudflared stop'],
+            ],
+            'name'        => 'cloudflared',
+            'pidfile'     => '/var/run/cloudflared.pid',
+        ];
+    }
+
+    return $services;
+}

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/ServiceController.php

@@ -0,0 +1,56 @@
+<?php
+
+namespace OPNsense\Cloudflared\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = 'OPNsense\Cloudflared\Cloudflared';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/Cloudflared';
+    protected static $internalServiceName = 'cloudflared';
+
+    /**
+     * Reconfigura o serviço: cria diretórios, recarrega templates,
+     * aplica sysctl tunables e reinicia o serviço.
+     */
+    public function reconfigureAction()
+    {
+        if ($this->request->isPost()) {
+            $backend = new Backend();
+            $backend->configdRun("cloudflared reconfigure");
+            return ['status' => 'ok'];
+        }
+        return ['status' => 'failed'];
+    }
+
+    public function tunnelStatusAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("cloudflared tunnel_status");
+        $data = json_decode(trim($response), true);
+        if ($data === null) {
+            return ['tunnel' => 'unknown'];
+        }
+        return $data;
+    }
+
+    public function installAction()
+    {
+        if ($this->request->isPost()) {
+            $backend = new Backend();
+            $response = $backend->configdRun("cloudflared install_binary");
+            if ($response === null) {
+                return ['response' => 'ERROR: configd did not respond. Run "service configd restart" on OPNsense.'];
+            }
+            $response = trim($response);
+            if ($response === '' || $response === 'FAILED') {
+                return ['response' => 'ERROR: Action not found. Run "service configd restart" on OPNsense to reload actions.'];
+            }
+            return ['response' => $response];
+        }
+        return ['response' => 'error'];
+    }
+}

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/SettingsController.php

@@ -0,0 +1,12 @@
+<?php
+
+namespace OPNsense\Cloudflared\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Cloudflared\Cloudflared;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'Cloudflared';
+    protected static $internalModelClass = 'OPNsense\Cloudflared\Cloudflared';
+}

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/IndexController.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ *    Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE of THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Cloudflared;
+
+use OPNsense\Base\IndexController as BaseIndexController;
+
+class IndexController extends BaseIndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Cloudflared/index');
+    }
+}

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/forms/general.xml

@@ -0,0 +1,38 @@
+<form>
+    <field>
+        <id>Cloudflared.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable Cloudflare Tunnel</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.token</id>
+        <label>Tunnel Token</label>
+        <type>password</type>
+        <help>The token for your Cloudflare Tunnel. Get it from one.dash.cloudflare.com > Access > Tunnels.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.no_autoupdate</id>
+        <label>Disable Auto-Update</label>
+        <type>checkbox</type>
+        <help>Pass --no-autoupdate to cloudflared. Recommended when managing updates manually via the Install/Update Binary button.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.post_quantum</id>
+        <label>Enable Post-Quantum Encryption</label>
+        <type>checkbox</type>
+        <help>Pass --post-quantum to enable post-quantum cryptography for the tunnel connection.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.kern_ipc_maxsockbuf</id>
+        <label>Max Socket Buffer (kern.ipc.maxsockbuf)</label>
+        <type>text</type>
+        <help>Recommended value for QUIC performance. Default is 16777216.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.net_inet_udp_recvspace</id>
+        <label>UDP Recv Space (net.inet.udp.recvspace)</label>
+        <type>text</type>
+        <help>Recommended value for QUIC performance. Default is 8388608.</help>
+    </field>
+</form>

net/cloudflared/src/opnsense/mvc/app/languages/en_US.po

@@ -0,0 +1,93 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: os-cloudflared\n"
+"Language: en_US\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+# Menu & ACL
+msgid "Cloudflare Tunnel"
+msgstr "Cloudflare Tunnel"
+
+msgid "Settings"
+msgstr "Settings"
+
+msgid "Allow access to Cloudflare Tunnel settings"
+msgstr "Allow access to Cloudflare Tunnel settings"
+
+msgid "Allow access to Cloudflare Tunnel service status/control"
+msgstr "Allow access to Cloudflare Tunnel service status/control"
+
+# General Form
+msgid "General Settings"
+msgstr "General Settings"
+
+msgid "Enable"
+msgstr "Enable"
+
+msgid "Tunnel Token"
+msgstr "Tunnel Token"
+
+msgid "Disable Auto-Update"
+msgstr "Disable Auto-Update"
+
+msgid "Enable Post-Quantum Encryption"
+msgstr "Enable Post-Quantum Encryption"
+
+msgid "Max Socket Buffer (kern.ipc.maxsockbuf)"
+msgstr "Max Socket Buffer (kern.ipc.maxsockbuf)"
+
+msgid "UDP Recv Space (net.inet.udp.recvspace)"
+msgstr "UDP Recv Space (net.inet.udp.recvspace)"
+
+msgid "Enable Cloudflare Tunnel"
+msgstr "Enable Cloudflare Tunnel"
+
+msgid "The token for your Cloudflare Tunnel. Get it from one.dash.cloudflare.com > Access > Tunnels."
+msgstr "The token for your Cloudflare Tunnel. Get it from one.dash.cloudflare.com > Access > Tunnels."
+
+msgid "Pass --no-autoupdate to cloudflared. Recommended when managing updates manually via the Install/Update Binary button."
+msgstr "Pass --no-autoupdate to cloudflared. Recommended when managing updates manually via the Install/Update Binary button."
+
+msgid "Pass --post-quantum to enable post-quantum cryptography for the tunnel connection."
+msgstr "Pass --post-quantum to enable post-quantum cryptography for the tunnel connection."
+
+msgid "Recommended value for QUIC performance. Default is 16777216."
+msgstr "Recommended value for QUIC performance. Default is 16777216."
+
+msgid "Recommended value for QUIC performance. Default is 8388608."
+msgstr "Recommended value for QUIC performance. Default is 8388608."
+
+# UI Buttons
+msgid "Apply"
+msgstr "Apply"
+
+msgid "Install/Update Binary"
+msgstr "Install/Update Binary"
+
+msgid "Start"
+msgstr "Start"
+
+msgid "Stop"
+msgstr "Stop"
+
+msgid "Restart"
+msgstr "Restart"
+
+msgid "Running"
+msgstr "Running"
+
+msgid "Stopped"
+msgstr "Stopped"
+
+msgid "No response from server. Check if configd is running."
+msgstr "No response from server. Check if configd is running."
+
+msgid "Tunnel"
+msgstr "Tunnel"
+
+msgid "Healthy"
+msgstr "Healthy"
+
+msgid "Connecting"
+msgstr "Connecting"