@willglynn
Last active March 1, 2023 03:38
Cloudflare Tunnels/`cloudflared` on Mikrotik RouterOS 7

Why?

In their own words:

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s edge. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Beyond keeping attackers off your origins, this is particularly useful if you're behind CGNAT (cellular or satellite uplinks, for example) and have no inbound path at all, yet want to expose services on or behind your router to the wider world.

How?

Mikrotik RouterOS 7 supports containers on x86 and aarch64 platforms, letting you run Linux programs, cloudflared among them, directly on the device.

  1. Ensure that /system/device-mode/print shows container: yes. If it does not, run /system/device-mode/update container=yes; the change only takes effect once you confirm it physically (press the reset button or power-cycle the device within the window RouterOS announces).
  2. Ensure that your router can pull images from Docker Hub: /container/config/set registry-url=https://registry-1.docker.io.
  3. If you have fast USB storage, use it for container extraction: e.g. /container/config/set tmpdir=/usb1-part1/tmp/container-pull
  4. Make a veth interface for the container, e.g. /interface/veth/add name=veth1, giving it an address and a gateway. The router has to hold that gateway address (on the veth itself, or on a bridge you add the veth to) and masquerade the container's outbound traffic, otherwise cloudflared can never reach Cloudflare's edge (7844/udp for QUIC, 7844/tcp for the HTTP/2 fallback).
  5. Navigate to https://one.dash.cloudflare.com
  6. Go to Access > Tunnels
  7. Click "+ Create a tunnel", give it a name, and "Save tunnel"
  8. Click the "Docker" button. Notice the docker run command has a --token argument. That token is the tunnel's connector credential: anyone holding it can run their own connector for this tunnel and receive the traffic Cloudflare routes to it, so treat it like a password.
  9. Add the container, e.g. /container/add remote-image=cloudflare/cloudflared interface=veth1 root-dir=/usb1-part1/container/cloudflared/root hostname=my-cloudflared-container dns=1.1.1.1,1.0.0.1 logging=yes start-on-boot=yes cmd="tunnel --no-autoupdate run --token <your token>". The token is now stored in plaintext in the router's configuration, which /export prints, so restrict who can read that configuration.
  10. Watch /log/print follow as the container image gets downloaded and extracted.
container,info,debug getting layer sha256:6b0b1527d75b1e49c2cb08f4eb8616c64c9a20a8b9d8c1179146b2675586536b 
container,info,debug layer sha256:6b0b1527d75b1e49c2cb08f4eb8616c64c9a20a8b9d8c1179146b2675586536b downloaded 
container,info,debug getting layer sha256:26e3e4b0848c0e87391a7a844b11fcd2e6d223bd516be6ac8b17bac4e6808609 
container,info,debug layer sha256:26e3e4b0848c0e87391a7a844b11fcd2e6d223bd516be6ac8b17bac4e6808609 downloaded 
container,info,debug getting layer sha256:f2fc327959dd8af631adcfe2ab42d42c0a4912cc735a614528420663e1f5d239 
container,info,debug layer sha256:f2fc327959dd8af631adcfe2ab42d42c0a4912cc735a614528420663e1f5d239 downloaded 
container,info,debug import successful, container ed58d87f-214a-4834-b998-f2d4aa3b34e8 
  11. Start the container, e.g. via /container/start
  12. Watch /log/print follow as cloudflared starts.
container,info,debug INF Starting tunnel tunnelID=… 
container,info,debug INF Version 2023.2.2 
container,info,debug INF GOOS: linux, GOVersion: go1.19.6, GoArch: arm64 
container,info,debug INF Settings: map[no-autoupdate:true token:*****] 
container,info,debug INF Generated Connector ID: …
container,info,debug INF Initial protocol quic 
…
container,info,debug INF Connection 5ca0dc38-6f3b-4a0c-93b3-798b976d041e registered with protocol: quic connIndex=1 ip=198.41.192.47 location=IAD 
container,info,debug INF Connection 10a4d756-a6f7-4867-95e9-77de78d8aa9f registered with protocol: quic connIndex=2 ip=198.41.192.167 location=IAD 
container,info,debug INF Connection e4baf69b-58b2-4a6f-9624-2029d4c32275 registered with protocol: quic connIndex=3 ip=198.41.200.63 location=ORD 
  13. Configure the tunnel from Cloudflare Zero Trust as you see fit.
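The whole procedure as one RouterOS 7 script, added here as an example and not part of the gist. It goes a little beyond the steps above: it fences the container in with outbound-only firewall rules and passes the token through the TUNNEL_TOKEN environment variable (which cloudflared honours for tunnel run) instead of the command line. The bridge name containers, the subnet 172.17.0.0/24, the storage name usb1-part1, the WAN interface ether1, the origin host 192.168.88.10 and the placeholder <your token> are all assumptions; substitute your own.

```routeros
# Added example, not from the gist: complete RouterOS 7 configuration for the steps above.
# Assumed (hypothetical) names: bridge "containers", veth "veth1", container subnet
# 172.17.0.0/24, storage "usb1-part1", WAN interface "ether1", one origin host
# 192.168.88.10, and the placeholder <your token> copied from the dashboard.

# Step 1: container support lives in device-mode; the update only takes effect after
# you confirm it physically (reset button or power cycle) within the window RouterOS prints.
/system/device-mode/print
/system/device-mode/update container=yes

# Steps 2 and 3: image registry and fast scratch space for layer extraction.
/container/config/set registry-url=https://registry-1.docker.io \
    tmpdir=/usb1-part1/tmp/container-pull

# Step 4: a dedicated bridge with the router as gateway and the veth as its only port.
/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 interface=containers
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/port/add bridge=containers interface=veth1

# Outbound NAT so the container can reach the internet at all.
/ip/firewall/nat/add chain=srcnat src-address=172.17.0.0/24 out-interface=ether1 \
    action=masquerade comment="containers -> WAN"

# Least privilege for the container: it may talk to Cloudflare's edge (7844 udp/tcp for
# quic and http2, 443 tcp for Cloudflare's API/update endpoints), resolve DNS, and reach
# the origins it proxies for; anything else it originates is dropped. Rules are appended
# in this order, so the drop lands after the accepts. Traffic from a bridge port shows up
# with the bridge as in-interface, hence in-interface=containers rather than veth1.
/ip/firewall/address-list/add list=tunnel-origins address=192.168.88.10 \
    comment="hosts cloudflared is allowed to proxy to"
/ip/firewall/filter/add chain=forward in-interface=containers protocol=udp dst-port=7844 \
    action=accept comment="cloudflared quic"
/ip/firewall/filter/add chain=forward in-interface=containers protocol=tcp dst-port=7844,443 \
    action=accept comment="cloudflared http2 fallback and API"
/ip/firewall/filter/add chain=forward in-interface=containers protocol=udp dst-port=53 \
    action=accept comment="cloudflared dns"
/ip/firewall/filter/add chain=forward in-interface=containers dst-address-list=tunnel-origins \
    action=accept comment="cloudflared -> origins"
/ip/firewall/filter/add chain=forward in-interface=containers action=drop \
    comment="cloudflared: nothing else"
# Keep the container away from the router's own services (WinBox, SSH, API); loosen this
# only if the tunnel is meant to expose one of them.
/ip/firewall/filter/add chain=input in-interface=containers action=drop \
    comment="containers may not reach the router"

# Steps 8 and 9: hand the token over as the TUNNEL_TOKEN environment variable, which
# cloudflared reads for `tunnel run`, so it does not sit on the command line. It is still
# part of the router configuration, so /export output is as sensitive as the token itself.
/container/envs/add name=cloudflared_env key=TUNNEL_TOKEN value="<your token>"
/container/add remote-image=cloudflare/cloudflared interface=veth1 envlist=cloudflared_env \
    root-dir=/usb1-part1/container/cloudflared/root hostname=my-cloudflared-container \
    dns=1.1.1.1,1.0.0.1 logging=yes start-on-boot=yes cmd="tunnel --no-autoupdate run"

# Steps 10 to 12: start it once the image has been extracted, and follow the log.
/container/start [find hostname=my-cloudflared-container]
/log/print follow where topics~"container"
```

The firewall rules are appended to the end of their chains, so on a router with an existing ruleset make sure no earlier broad accept (for instance an in-interface-list=LAN rule with the containers bridge in that list) fires before them; keep the containers bridge out of the LAN list or move these rules above such accepts. Return traffic for the container's own connections arrives on ether1 and is untouched by the drop rules, so the usual accept established,related rule at the top of the forward chain is all it needs.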