opnsense · insanityinside · Apr 15, 2026 · May 6, 2026 · May 8, 2026 · May 8, 2026
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - blue sapphire
 net/chrony -- Chrony time synchronisation
+net/cloudflared -- Cloudflare tunnel
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes

diff --git a/net/cloudflared/LICENSE b/net/cloudflared/LICENSE
@@ -0,0 +1,24 @@
+BSD 2-Clause License
+
+Copyright (c) 2026, Alan Martines, Richard Aspden
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=        cloudflared
+PLUGIN_VERSION=     0.1.0
+PLUGIN_REVISION=    1
+PLUGIN_COMMENT=     Cloudflare Tunnel (cloudflared) integration
+PLUGIN_MAINTAINER=  rick+github@insanityinside.net
+PLUGIN_DEPENDS=     cloudflared
+
+.include "../../Mk/plugins.mk"
diff --git a/net/cloudflared/pkg-descr b/net/cloudflared/pkg-descr
@@ -0,0 +1,20 @@
+Cloudflare Tunnel (cloudflared) integration for OPNsense.
+
+Provides a native MVC interface to manage token-based Cloudflare Zero
+Trust tunnels without opening firewall ports or requiring a static IP.
+Uses the cloudflared binary from the FreeBSD ports collection
+(net/cloudflared).
+
+Features:
+- Token-based tunnel authentication via Cloudflare Zero Trust
+- Transport protocol selection: Auto (QUIC with HTTP/2 fallback),
+  QUIC-only, or HTTP/2-only
+- Automatic outbound firewall rules for QUIC (UDP 7844) and HTTP/2 (TCP 7844)
+- QUIC kernel tuning (kern.ipc.maxsockbuf, net.inet.udp.recvspace)
+- Post-quantum encryption support (--post-quantum)
+- Real-time tunnel health status in the UI
+- Log viewer with pagination and live follow mode
+- Automatic crash recovery and restart on WAN IP change
+- Appears in System: Diagnostics: Services
+
+WWW: https://github.com/cloudflare/cloudflared
diff --git a/net/cloudflared/src/etc/cron.d/cloudflared b/net/cloudflared/src/etc/cron.d/cloudflared
@@ -0,0 +1,9 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+#
+# User-defined crontab files can be loaded via /etc/cron.d
+# or /usr/local/etc/cron.d and follow the same format as
+# /etc/crontab, see the crontab(5) manual page.
+SHELL=/bin/sh
+PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+#minute	hour	mday	month	wday	who	command
+*	*	*	*	*	root	/usr/local/opnsense/scripts/OPNsense/Cloudflared/monitor.sh
diff --git a/net/cloudflared/src/etc/inc/plugins.inc.d/cloudflared.inc b/net/cloudflared/src/etc/inc/plugins.inc.d/cloudflared.inc
@@ -0,0 +1,127 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function cloudflared_enabled()
+{
+    $model = new \OPNsense\Cloudflared\Cloudflared();
+    return (string)$model->general->enabled == '1';
+}
+
+function cloudflared_configure()
+{
+    return [
+        'newwanip'  => ['cloudflared_configure_newwanip:10'],
+        'newwanip6' => ['cloudflared_configure_newwanip:10'],
+    ];
+}
+
+function cloudflared_configure_newwanip($verbose = false)
+{
+    if (!cloudflared_enabled()) {
+        return;
+    }
+    if (file_exists('/var/run/cloudflared.stopped')) {
+        return;
+    }
+    $pidfile = '/var/run/cloudflared.pid';
+    if (file_exists($pidfile)) {
+        $pid = (int)trim(file_get_contents($pidfile));
+        if ($pid > 0 && posix_kill($pid, 0)) {
+            return;
+        }
+    }
+    $backend = new \OPNsense\Core\Backend();
+    $backend->configdRun('cloudflared start');
+}
+
+function cloudflared_firewall($fw)
+{
+    if (!cloudflared_enabled()) {
+        return;
+    }
+
+    $model = new \OPNsense\Cloudflared\Cloudflared();
+    $protocol = (string)$model->general->protocol;
+
+    if ($protocol !== 'http2') {
+        $fw->registerFilterRule(
+            1,
+            [
+                'descr'     => 'Allow Cloudflare Tunnel QUIC (autogenerated)',
+                'direction' => 'out',
+                'from'      => '(self)',
+                'to'        => 'any',
+                'to_port'   => '7844',
+                'protocol'  => 'udp',
+                'type'      => 'pass',
+                'quick'     => true,
+                'statetype' => 'keep',
+                '#ref'      => 'ui/cloudflared/',
+            ]
+        );
+    }
+
+    if ($protocol !== 'quic') {
+        $fw->registerFilterRule(
+            1,
+            [
+                'descr'     => 'Allow Cloudflare Tunnel HTTP/2 (autogenerated)',
+                'direction' => 'out',
+                'from'      => '(self)',
+                'to'        => 'any',
+                'to_port'   => '7844',
+                'protocol'  => 'tcp',
+                'type'      => 'pass',
+                'quick'     => true,
+                'statetype' => 'keep',
+                '#ref'      => 'ui/cloudflared/',
+            ]
+        );
+    }
+}
+
+function cloudflared_services()
+{
+    $services = [];
+
+    if (cloudflared_enabled()) {
+        $services[] = [
+            'description' => gettext('Cloudflare Tunnel'),
+            'configd'     => [
+                'restart' => ['cloudflared restart'],
+                'start'   => ['cloudflared start'],
+                'stop'    => ['cloudflared stop'],
+            ],
+            'name'        => 'cloudflared',
+            'pidfile'     => '/var/run/cloudflared.pid',
+        ];
+    }
+
+    return $services;
+}
diff --git a/...oudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/ServiceController.php b/...oudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/ServiceController.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Cloudflared\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Cloudflared\Cloudflared';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/Cloudflared';
+    protected static $internalServiceName = 'cloudflared';
+
+    public function reconfigureAction()
+    {
+        if ($this->request->isPost()) {
+            $backend = new Backend();
+            $backend->configdRun("cloudflared reconfigure");
+            return ['status' => 'ok'];
+        }
+        return ['status' => 'failed'];
+    }
+
+    public function tunnelStatusAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("cloudflared tunnel_status");
+        $data = json_decode(trim($response), true);
+        if ($data === null) {
+            return ['tunnel' => 'unknown'];
+        }
+        return $data;
+    }
+
+    public function logAction()
+    {
+        $backend = new Backend();
+        $raw = $backend->configdRun("cloudflared log");
+        $lines = $raw !== null ? explode("\n", rtrim($raw)) : [];
+        return ['lines' => $lines, 'total' => count($lines)];
+    }
+}
diff --git a/...udflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/SettingsController.php b/...udflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/SettingsController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Cloudflared\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'Cloudflared';
+    protected static $internalModelClass = '\OPNsense\Cloudflared\Cloudflared';
+}
diff --git a/net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/IndexController.php b/net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/IndexController.php
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Cloudflared;
+
+use OPNsense\Base\IndexController as BaseIndexController;
+
+class IndexController extends BaseIndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Cloudflared/index');
+    }
+}
diff --git a/net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/forms/general.xml b/net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/forms/general.xml
@@ -0,0 +1,44 @@
+<form>
+    <field>
+        <id>Cloudflared.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable Cloudflare Tunnel</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.token</id>
+        <label>Tunnel Token</label>
+        <type>password</type>
+        <help>The token for your Cloudflare Tunnel. Get it from one.dash.cloudflare.com > Access > Tunnels.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.post_quantum</id>
+        <label>Enable Post-Quantum Encryption</label>
+        <type>checkbox</type>
+        <help>Pass --post-quantum to enable post-quantum cryptography for the tunnel connection.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.quic_disable_pmtu_discovery</id>
+        <label>Disable QUIC PMTU Discovery</label>
+        <type>checkbox</type>
+        <help>Pass --quic-disable-pmtu-discovery to cloudflared. Workaround for intermittent "failed to accept QUIC stream" errors on networks where ICMP is filtered and path MTU discovery does not work correctly.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>Transport protocol for the tunnel connection. Auto tries QUIC first and falls back to HTTP/2 if unavailable. Outbound firewall rules are automatically added: UDP 7844 for Auto and QUIC modes, TCP 7844 for Auto and HTTP/2 modes.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.kern_ipc_maxsockbuf</id>
+        <label>Max Socket Buffer (kern.ipc.maxsockbuf)</label>
+        <type>text</type>
+        <help>Recommended value for QUIC performance. Default is 16777216.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.net_inet_udp_recvspace</id>
+        <label>UDP Recv Space (net.inet.udp.recvspace)</label>
+        <type>text</type>
+        <help>Recommended value for QUIC performance. Default is 8388608.</help>
+    </field>
+</form>