Cloudflared legacy service install fails

Hello,

I have tried to install cloudflared as a DNS proxy, following the documentation (cloudflared (DoH) - Pi-hole documentation). It seems like the --legacy option isn't available anymore.

$ sudo cloudflared service install --legacy
Incorrect Usage: flag provided but not defined: -legacy

NAME:
   cloudflared service install - Install Cloudflare Tunnel as a system service

USAGE:
   cloudflared service install [command options] [arguments...]

OPTIONS:
   --help, -h  show help (default: false)

$ sudo cloudflared service install --h
NAME:
   cloudflared service install - Install Cloudflare Tunnel as a system service

USAGE:
   cloudflared service install [command options] [arguments...]

OPTIONS:
   --help, -h  show help (default: false)

Does anyone have a solution for this yet?

@MichaIng This is a DietPi install. Anything unique with DietPi, or do you have an installer for this package?

Nope, we have no special cloudflared integration. The docs state to download and install the builds right from Cloudflare, so no chance to have any effect on supported command-line options. Looks like --legacy is really not supported anymore then?

The link to the command-line options is dead btw. I'll check where to get the info now.

It's a Raspbian 4 model and not a DietPi.
But this doesn't have to do with that.
In earlier versions it was working with that option.
I guess the option was just removed.

Also not mentioned anymore on current docs:

Does anyone know what that flag was actually supposed to do? Usually it doesn't seem reasonable to provide any "legacy" solution, but of course there may have been a good reason for this, and it may be broken now that the flag is not available anymore :wink:.

I found the commit where it was removed: TUN-5679: Add support for service install using Tunnel Token · cloudflare/cloudflared@7065233 · GitHub
L29-L34 and L229-L241 in cmd/cloudflared/linux_service.go

My guess is that you need an account for that now and earlier not.

2 Likes

Nice catch.

Do the installer and cloudflared work without --legacy as they should?

No, the following output is printed:

$ sudo cloudflared service install
Configuration file /etc/cloudflared/config.yml must contain entries for the tunnel to run and its associated credentials:
tunnel: TUNNEL-UUID
credentials-file: CREDENTIALS-FILE

Thanks.

I created a GitHub doc issue so it won't get lost here on Discourse. (Cloudflared installation fails with current cloudflared version · Issue #679 · pi-hole/docs · GitHub)

I'm not using cloudflared myself, so I won't investigate further - but if you know how to solve the issue I can change the documentation. Or you do it if you like :wink:

I got it to run.

I'll try to explain simply what I did:

  1. Headless install isn't possible anymore. And you need a domain in Cloudflare.
    Download cloudflared for your operating system on a machine with a browser. Downloads can be found here: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/
  2. On Windows, start PowerShell and switch to where you downloaded the file:
> cd C:\Users\Sascha\Downloads
> .\cloudflared-windows-amd64.exe version
cloudflared version 2022.3.1 (built 2022-03-07-1648 UTC)
  3. Run the following command to generate the cert:
.\cloudflared-windows-amd64.exe tunnel login

You will see something like this in the output, and your default browser should open automatically. If not, copy the URI and enter it manually.

> .\cloudflared-windows-amd64.exe tunnel login
A browser window should have opened at the following URL:

https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.cloudflareaccess.org%2FnaLFvrre1Cp14FdlBwqAfMaEM6qPXxxxxxxxxxxxxxx%3D

If the browser failed to open, please visit the URL above directly in your browser.
  4. The opened window should look like this:
    (screenshot placeholder)

  5. After you authorize, the following output should appear:

You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
C:\Users\Sascha\.cloudflared\cert.pem

Upload this file and move it to /etc/cloudflare/cert.pem (root permissions required)

  6. Then you can continue on your headless machine:
 $ sudo cloudflared tunnel create pihole
Tunnel credentials written to /etc/cloudflared/1d1261e0-xxxx-xxxx-xxxx-xxxxxxxxxxxxx.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel pihole with id 1d1261e0-xxxx-xxxx-xxxx-xxxxxxxxxxxxx

Tunnel Token: eyJhIjoiMzU0YzcyZGZlYTkzZjlhODA1OTY2ZjEzOWE3Mjk4YzMiLCJ0IjoiMWQxMjYxZTAtYjEzZC00NTM2Lxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  7. Then edit the config file:
tunnel: 1d1261e0-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
credentials-file: /etc/cloudflared/1d1261e0-xxxx-xxxx-xxxx-xxxxxxxxxxxxx.json
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
  - https://[2606:4700:4700::1111]/dns-query
  - https://[2606:4700:4700::1001]/dns-query
  8. A normal start works now and redirects DNS traffic:
$ sudo cloudflared --config /etc/cloudflared/config.yml tunnel run
2022-03-11T10:01:13Z INF Starting tunnel tunnelID=1d1261e0-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
2022-03-11T10:01:13Z INF Version 2022.3.1
2022-03-11T10:01:13Z INF GOOS: linux, GOVersion: go1.17.5, GoArch: arm64
2022-03-11T10:01:13Z INF Settings: map[proxy-dns:true proxy-dns-port:5053 proxy-dns-upstream:[https://1.1.1.1/dns-query https://1.0.0.1/dns-query https://[2606:4700:4700::1111]/dns-query https://[2606:4700:4700::1001]/dns-query]]
2022-03-11T10:01:13Z INF Adding DNS upstream url=https://1.1.1.1/dns-query
2022-03-11T10:01:13Z INF Adding DNS upstream url=https://1.0.0.1/dns-query
2022-03-11T10:01:13Z INF Adding DNS upstream url=https://[2606:4700:4700::1111]/dns-query
2022-03-11T10:01:13Z INF Adding DNS upstream url=https://[2606:4700:4700::1001]/dns-query
2022-03-11T10:01:13Z INF Starting DNS over HTTPS proxy server address=dns://localhost:5053
2022-03-11T10:01:13Z INF cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/
2022-03-11T10:01:13Z INF Generated Connector ID: b74a38d2-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
2022-03-11T10:01:13Z INF Initial protocol http2
2022-03-11T10:01:13Z INF Starting metrics server on 127.0.0.1:44611/metrics
2022-03-11T10:01:14Z INF Connection 723de50b-6f89-4f7a-808b-4171271659f7 registered connIndex=0 location=AMS
2022-03-11T10:01:15Z INF Connection 6247f312-09f0-4e32-ac69-a4770aee541f registered connIndex=1 location=TXL
2022-03-11T10:01:16Z INF Connection 8f297940-e3f0-434b-89f2-23662c12f57d registered connIndex=2 location=AMS
2022-03-11T10:01:17Z INF Connection 55ebaac5-89ae-4fc1-bfa6-56e5201030db registered connIndex=3 location=TXL
  9. The command sudo cloudflared service install now works like a charm:
$ sudo cloudflared service install
2022-03-11T10:05:18Z INF Using Systemd
2022-03-11T10:05:18Z INF systemctl daemon-reload
pi@raspberrypi:~ $ sudo service cloudflared start
pi@raspberrypi:~ $ sudo service cloudflared status
● cloudflared.service - Cloudflare Tunnel
     Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-03-11 11:45:03 CET; 3s ago
   Main PID: 20000 (cloudflared)
      Tasks: 10 (limit: 8986)
        CPU: 301ms
     CGroup: /system.slice/cloudflared.service
             └─20000 /usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config.yml tunnel run

Mar 11 11:45:02 raspberrypi cloudflared[20000]: 2022-03-11T10:45:02Z INF Adding DNS upstream url=https://[2606:4700:4700::1001]/dns-query
Mar 11 11:45:02 raspberrypi cloudflared[20000]: 2022-03-11T10:45:02Z INF Starting DNS over HTTPS proxy server address=dns://localhost:5053
Mar 11 11:45:02 raspberrypi cloudflared[20000]: 2022-03-11T10:45:02Z INF Generated Connector ID: 7ec871d3-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Mar 11 11:45:02 raspberrypi cloudflared[20000]: 2022-03-11T10:45:02Z INF Initial protocol http2
Mar 11 11:45:03 raspberrypi cloudflared[20000]: 2022-03-11T10:45:03Z INF Starting metrics server on 127.0.0.1:44257/metrics
Mar 11 11:45:03 raspberrypi cloudflared[20000]: 2022-03-11T10:45:03Z INF Connection 7ac4c1a1-559e-4d76-98c1-817c6d0cf330 registered connIndex=0 location=AMS
Mar 11 11:45:03 raspberrypi systemd[1]: Started Cloudflare Tunnel.
Mar 11 11:45:04 raspberrypi cloudflared[20000]: 2022-03-11T10:45:04Z INF Connection c2aead71-6a17-4e40-a627-81b15863d507 registered connIndex=1 location=TXL
Mar 11 11:45:05 raspberrypi cloudflared[20000]: 2022-03-11T10:45:05Z INF Connection 4aaafa40-f113-49a4-b997-459c34206f0e registered connIndex=2 location=AMS
Mar 11 11:45:06 raspberrypi cloudflared[20000]: 2022-03-11T10:45:06Z INF Connection 8be70431-79b4-489d-a1c9-62d7f15f1170 registered connIndex=3 location=TXL
3 Likes
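Added example, not part of the original post: the tunnel setup above leaves cert.pem and the tunnel credentials JSON on the headless machine, and cloudflared's own output says to keep the credentials file secret. The sketch below lists such files when group or other users can access them and tightens them to owner-only; the function names are hypothetical, and it assumes GNU find and that the service reads the files as their owner (the unit shown above runs as root).

```shell
#!/bin/sh
# Added example (not from the thread): find cloudflared secrets that are
# accessible to group/other and restrict them to their owner.
# Assumption: secrets sit in one directory as cert.pem and <tunnel-id>.json;
# config.yml holds no secret and is left alone.

# Print every secret file in DIR that has any group/other permission bit set.
loose_cloudflared_secrets() {
    dir=${1:-/etc/cloudflared}
    # -perm /077 matches files where at least one of the g/o rwx bits is set
    find "$dir" -maxdepth 1 -type f \
        \( -name 'cert.pem' -o -name '*.json' \) -perm /077 | sort
}

# Set loose secrets to mode 600 and make the directory non-writable for
# group/other. Returns non-zero if anything is still loose afterwards.
lock_cloudflared_secrets() {
    dir=${1:-/etc/cloudflared}
    loose_cloudflared_secrets "$dir" | while IFS= read -r f; do
        chmod 600 "$f" && echo "tightened: $f"
    done
    chmod go-w "$dir"
    [ -z "$(loose_cloudflared_secrets "$dir")" ]
}

# Usage (as root):
#   loose_cloudflared_secrets /etc/cloudflared
#   lock_cloudflared_secrets  /etc/cloudflared
```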

I can't upload the screenshots here :frowning:
I always get "Sorry, there was an error uploading that file. Please try again."
I'll upload them to the GitHub issue.

Simply said, I followed the official documentation and included it in the config.

Thanks for sharing!

One day we need to fix the documentation. Until then, we will link to your description.


Strange.. maybe a discourse backend issue...

Are you perhaps using a blocking browser extension like uBlock Origin?
In that case, you may have to allow that extension to access
pi-hole-discourse.s3.amazonaws.com
in order to upload images.

Does it mean cloudflared cannot be used anymore just as DNS proxy to any upstream provider like it was, but only as full tunnel associated to a Cloudflare domain? That would be a pity :disappointed:. In this case I'd just drop it from Pi-hole docs, especially since recent Unbound supports DoH along with DoT as well, and with dnscrypt-proxy all encrypted DNS wrapper protocols are supported.

That's indeed the case, I just tried.

In order to get a tunnel, you have to enable Cloudflare Zero Trust dashboard.
In order to get to that dashboard, you need to add a site, change the DNS, etc etc
Once it's done and you try to enable Cloudflare Zero Trust dashboard, you have to select a plan. When you select the free plan, you still have to add a VISA card number.
At this point, I stopped and removed cloudflared from the raspberry.

This is very sad that they did this. Are there any other alternatives?

I installed it this morning, headless on Ubuntu. The command "cloudflared proxy-dns" does work without a cloudflare account. For me on Ubuntu 18 anyway.

I mostly followed these directions:
Connect to 1.1.1.1 using DoH clients · Cloudflare 1.1.1.1 docs
cloudflared (DoH) - Pi-hole documentation

--

apt install cloudflared
nano /etc/default/cloudflared

Paste:

CLOUDFLARED_OPTS=--port 5353 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --upstream https://[2606:4700:4700::1111]/dns-query --upstream https://[2606:4700:4700::1001]/dns-query

nano /etc/systemd/system/cloudflared.service

Paste:

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

systemctl enable cloudflared
systemctl start cloudflared

Then in pihole add "127.0.0.1#5353" as your custom DNS server

3 Likes
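Added example, not part of the original post: a lint for the CLOUDFLARED_OPTS line of an EnvironmentFile like the one in the answer above, checking that every upstream is an https:// URL, that the listener stays on loopback, and that the port does not collide with Pi-hole's own DNS listener or the registered mDNS port. The function name is hypothetical, and it assumes the space-separated "--flag value" form used in the post, with no quoting.

```shell
#!/bin/sh
# Added example (not from the thread): lint the proxy-dns options stored in
# an EnvironmentFile such as /etc/default/cloudflared.
# Prints one finding per line; exit status 0 means no findings.
lint_proxy_dns_opts() {
    file=${1:-/etc/default/cloudflared}
    opts=$(sed -n 's/^CLOUDFLARED_OPTS=//p' "$file" | tail -n 1)
    rc=0 upstreams=0 prev=
    set -f   # no globbing while splitting: [..] in IPv6 URLs is a glob pattern
    for tok in $opts; do   # whitespace split, like systemd's $CLOUDFLARED_OPTS
        case $prev in
            --upstream)
                upstreams=$((upstreams + 1))
                case $tok in
                    https://*) ;;
                    *) echo "upstream is not https: $tok"; rc=1 ;;
                esac ;;
            --port)
                case $tok in
                    ''|*[!0-9]*) echo "port is not numeric: $tok"; rc=1 ;;
                    53)   echo "port 53 collides with Pi-hole's DNS listener"; rc=1 ;;
                    5353) echo "port 5353 is the registered mDNS port; check nothing else binds it"; rc=1 ;;
                esac ;;
            --address)
                case $tok in
                    127.*|localhost|::1) ;;
                    *) echo "listener is not on loopback: $tok"; rc=1 ;;
                esac ;;
        esac
        prev=$tok
    done
    set +f
    [ "$upstreams" -gt 0 ] || { echo "no --upstream configured"; rc=1; }
    return $rc
}

# Usage: lint_proxy_dns_opts /etc/default/cloudflared
```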
