I have written this guide with the assumption that you're using a Debian or Ubuntu based environment.
First SSH onto your system and run the following commands to install cloudflared:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
sudo cp ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v
Verify installation by running:
cloudflared --version
Next we will configure cloudflared to run on startup under its own service account. Run:
sudo useradd -r -M -s /usr/sbin/nologin -c "Cloudflared user" cloudflared
Verify that the user has been created by checking /etc/passwd with grep:
grep '^cloudflared' /etc/passwd
or
id cloudflared
if using Ubuntu.
Now lock down the account:
sudo passwd -l cloudflared
sudo chage -E 0 cloudflared
Next we will need to do the initial configuration of cloudflared.
Create a file named /etc/default/cloudflared using your preferred text editor (such as nano or vi):
sudo nano /etc/default/cloudflared
Add the following text:
## args for cloudflared ##
## 5353 is localhost:5353. This is where dns queries are sent by pi-hole ##
## 1.1.1.1 and 1.0.0.1 are Cloudflare DNS servers ##
CLOUDFLARED_OPTS=--port 5353 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
If you wish to change the upstream to your Cloudflare for Teams endpoint, you can do this here: simply replace "--upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query" with --upstream "https://xxxxxxx.cloudflare-gateway.com/dns-query". You'll want to keep the secondary upstream in there as a failsafe.
This can be found under the Gateway location you created in Cloudflare for Teams.
Set ownership of the binary and the configuration file using the chown command:
sudo chown -v cloudflared:cloudflared /usr/local/bin/cloudflared /etc/default/cloudflared
Now we need to create the systemd startup script:
sudo nano /lib/systemd/system/cloudflared.service
Add the following text:
[Unit]
Description=cloudflared DoH proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
Once this is done, we now need to enable and start the cloudflared service.
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
echo $?
sudo systemctl status cloudflared
Verify that cloudflared is working:
dig -p 5353 nathanchadwick.tech @127.0.0.1
You will now want to go to the web interface of your Pi-Hole and set the DNS to 127.0.0.1#5353 as the cloudflared service is running on 127.0.0.1 on port 5353.
Click on the Settings > DNS > Choose Custom 1 (IPv4) under Upstream DNS Servers and enter “127.0.0.1#5353” > Scroll down and click on the Save button.
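The two files created in this guide can be linted before the service is restarted after an edit. The script below is an added example, not part of the original guide or of cloudflared; the function names and exit codes are its own, and it assumes the file layout shown above. It catches options pasted from a web page with typographic dashes, upstreams that are not https DoH URLs, and a unit that does not run as the cloudflared account.

```sh
#!/bin/sh
# Added example: lint the two files this guide creates before restarting the service.

# Print the value assigned to CLOUDFLARED_OPTS in an EnvironmentFile-style file.
get_opts() {
  sed -n 's/^CLOUDFLARED_OPTS=//p' "$1" | tail -n 1
}

# Exit status 0 if the options look sane; otherwise a reason on stderr and 1-5.
# The body is a subshell, so "exit" and "set -f" only affect this function.
check_opts() (
  opts=$(get_opts "$1")
  [ -n "$opts" ] || { echo "CLOUDFLARED_OPTS is not set" >&2; exit 1; }
  # Typographic dashes and quotes pasted from a web page are not ASCII.
  if printf '%s' "$opts" | LC_ALL=C grep -q '[^ -~]'; then
    echo "non-ASCII character in options (pasted en dash or curly quote?)" >&2
    exit 2
  fi
  set -f                      # no filename expansion while splitting into words
  prev="" upstreams=0 port=""
  for word in $opts; do
    word=$(printf '%s' "$word" | tr -d '"')   # tolerate a quoted URL
    case "$prev" in
      --upstream)
        case "$word" in
          https://*/dns-query) upstreams=$((upstreams + 1)) ;;
          *) echo "upstream is not an https DoH URL: $word" >&2; exit 3 ;;
        esac ;;
      --port) port=$word ;;
    esac
    prev=$word
  done
  [ "$upstreams" -ge 1 ] || { echo "no --upstream given" >&2; exit 4; }
  case "$port" in
    ''|*[!0-9]*) echo "missing or non-numeric --port" >&2; exit 5 ;;
  esac
)

# Exit status 0 if the unit file runs the proxy as the cloudflared account.
check_unit_user() {
  [ "$(sed -n 's/^User=//p' "$1" | tail -n 1)" = "cloudflared" ]
}

# Constructed sample: the options line with an en dash pasted in place of "--".
demo=$(mktemp)
printf 'CLOUDFLARED_OPTS=--port 5353 \342\200\223upstream https://1.1.1.1/dns-query\n' > "$demo"
check_opts "$demo" || echo "rejected with status $?"
rm -f "$demo"
```

On the real system, run check_opts /etc/default/cloudflared and check_unit_user /lib/systemd/system/cloudflared.service after sourcing the script.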