Remotely managing an OpenWrt router through a Cloudflare Tunnel

Prerequisites

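  • A registered Cloudflare account (tunnels come in two types, Cloudflared and WARP Connector; if you only use cloudflared you do not need to add payment information)

  • The router must have enough free storage; I plugged in an 8 GB USB drive to extend it. See "router storage expansion" for reference.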

root@OpenWrt:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 3.8M 3.8M 0 100% /rom
tmpfs 58.8M 76.0K 58.8M 0% /tmp
/dev/sda1 7.3G 7.2M 6.9G 0% /overlay
overlayfs:/overlay 7.3G 7.2M 6.9G 0% /
tmpfs 512.0K 0 512.0K 0% /dev

Install the client

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.4/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/releases/23.05.4/targets/ramips/mt7621/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.


root@OpenWrt:~# opkg install cloudflared
Installing cloudflared (2024.4.1-2) to root...
Downloading https://downloads.openwrt.org/releases/23.05.4/packages/mipsel_24kc/packages/cloudflared_2024.4.1-2_mipsel_24kc.ipk
Configuring cloudflared.

Log in from the router

root@OpenWrt:~# cloudflared tunnel login
2025-03-31T03:47:24Z ERR Configuration file /etc/cloudflared/config.yml was empty
Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/argotunnel?aud=&callback=https%3A%2F%2Flogin.cloudflareaccess.org%2Fn0wo8UFOsn48iqCvz0brhqK2JznOfF2WC0oDKPSbV2U%3D

Leave cloudflared running to download the cert automatically.
2025-03-31T03:48:21Z INF Waiting for login...

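Log in from the web

Log in to Cloudflare, then copy the URL printed on the router's command line and open it in another tab of the same browser. The following prompt appears: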

Authorize Tunnel for heiok.com

To finish configuring Tunnel for your zone, click Authorize below.

Click Authorize

The browser shows

Success
Cloudflared has installed a certificate allowing your origin to create a Tunnel on this zone.

You may now close this window and start your Cloudflare Tunnel!

The router shows

You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/root/.cloudflared/cert.pem
root@OpenWrt:~#

Create a tunnel

root@OpenWrt:~# cloudflared tunnel create openwrt
2025-03-31T03:52:00Z ERR Configuration file /etc/cloudflared/config.yml was empty
Tunnel credentials written to /root/.cloudflared/a41e4879-e5a8-4efa-9668-d31ed37585a5.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel heiok with id a41e4879-e5a8-4efa-9668-d31ed37585a5
root@OpenWrt:~#

Add the DNS record

root@OpenWrt:~# cloudflared tunnel route dns openwrt openwrt.heiok.com
2025-03-31T03:52:56Z ERR Configuration file /etc/cloudflared/config.yml was empty
2025-03-31T03:53:00Z INF Added CNAME openwrt.heiok.com which will route to this tunnel tunnelID=a41e4879-e5a8-4efa-9668-d31ed37585a5
root@OpenWrt:~#

Write the configuration file

root@OpenWrt:~# vi /etc/cloudflared/config.yml

#tunnel: <Tunnel-UUID>
#credentials-file: /etc/cloudflared/<Tunnel-UUID>.json
#
#ingress:
#  - hostname: luci.example.com
#    service: http://localhost:80
#  - hostname: ssh.example.com
#    service: ssh://localhost:22
#  - service: http_status:404

# Single-service form: every request arriving on the tunnel is forwarded to the router's web UI
url: http://192.168.18.1
tunnel: a41e4879-e5a8-4efa-9668-d31ed37585a5
credentials-file: /root/.cloudflared/a41e4879-e5a8-4efa-9668-d31ed37585a5.json
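
Added example (not part of the original post): a pre-flight check for the configuration file above. It confirms that tunnel: and credentials-file: refer to the same tunnel UUID and that the credentials file, which cloudflared says to keep secret, exists and is not accessible to group or others. The helper names yaml_value and check_cf_config are hypothetical; the script runs in BusyBox ash or bash.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/cloudflared/config.yml.
# yaml_value and check_cf_config are hypothetical helper names.

# Print the value of the first top-level "key: value" line; "#key:" is skipped.
yaml_value() {
    sed -n "/^$1:/{s/^$1:[[:space:]]*//;s/[[:space:]]*\$//;p;q;}" "$2"
}

check_cf_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    tunnel=$(yaml_value tunnel "$cfg")
    creds=$(yaml_value credentials-file "$cfg")
    [ -n "$tunnel" ] || { echo "FAIL: no tunnel: line in $cfg"; return 1; }
    [ -n "$creds" ] || { echo "FAIL: no credentials-file: line in $cfg"; return 1; }

    # cloudflared wrote the credentials as <Tunnel-UUID>.json, so a mismatch
    # means the config points at a different tunnel's secret.
    [ "$(basename "$creds" .json)" = "$tunnel" ] ||
        { echo "FAIL: $creds does not belong to tunnel $tunnel"; return 1; }

    [ -f "$creds" ] || { echo "FAIL: $creds is missing"; return 1; }

    # "Keep this file secret": characters 5-10 of the ls mode string are the
    # group and other permission bits; all six must be "-".
    mode=$(ls -ln "$creds" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "FAIL: $creds is accessible to group/others (chmod 600)"; return 1; }

    echo "OK: tunnel $tunnel uses $creds"
}

# Check the file named on the command line, if any.
if [ $# -gt 0 ]; then
    check_cf_config "$1"
fi
```

Save it on the router and run it with /etc/cloudflared/config.yml as the argument before starting the tunnel; a non-zero exit status means one of the checks failed.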

Test the connection

/usr/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run

In the Cloudflare dashboard, under Networks > Tunnels > Your tunnels, a green HEALTHY in the Status column means the tunnel has connected successfully.

Start-on-boot script

root@OpenWrt:~# vi /etc/init.d/cf

#!/bin/sh /etc/rc.common

START=99
USE_PROCD=1

start_service() {
    echo "Starting cloudflared..."
    procd_open_instance
    # Run the tunnel in the foreground so procd can supervise it
    procd_set_param command /usr/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
    # Restart cloudflared automatically if it exits
    procd_set_param respawn
    procd_close_instance
}

stop_service() {
    # procd stops the running instance itself; no instance is opened here
    echo "Stopping cloudflared..."
}

root@OpenWrt:~# chmod +x /etc/init.d/cf

root@OpenWrt:~# /etc/init.d/cf enable

root@OpenWrt:~# /etc/init.d/cf start