net/cloudflared: rework to use FreeBSD port with enhancements

Reworks the original plugin by Alan Martines to address the architectural
feedback on PR opnsense#5406: the custom binary installer is replaced with
PLUGIN_DEPENDS= cloudflared, delegating binary management entirely to pkg
via the FreeBSD ports tree. The plugin is now a pure configuration wrapper.

Binary and service:
- Remove install_binary.sh and bundled rc.d script; use FreeBSD port
- Pass tunnel token via TUNNEL_TOKEN env var (cloudflared_env in rc.subr)
  so it does not appear in ps aux; /etc/rc.conf.d/cloudflared chmod 600
- Add config.yml template; move options out of rc.conf.d command args
- Hardcode no-autoupdate: true (pkg manages the binary; self-update
  is inappropriate)

New features:
- Transport protocol selector: Auto (QUIC with HTTP/2 fallback, default),
  QUIC-only (UDP 7844), HTTP/2-only (TCP 443)
- Automatic outbound firewall rule for TCP/UDP 7844 via cloudflared_firewall()
  hook; UDP active for Auto and QUIC-only modes, TCP for Auto and HTTP/2-only
- quic-disable-pmtu-discovery option: workaround for intermittent QUIC
  stream errors on networks where ICMP is filtered
- Log viewer tab with client-side pagination (25/50/100/200 lines/page,
  Older/Newer navigation) and Follow mode for live tailing
- Crash recovery: monitor.sh syshook and cron job restart cloudflared if
  it exits unexpectedly; sentinel file suppresses watchdog after intentional
  stop
- newwanip/newwanip6 hook to restart on WAN IP change if daemon exits

Reliability fixes:
- Improve tunnel health detection: cross-check Prometheus metrics against
  log output to catch stale ha_connections; report accurate down state

Other:
- Security notice in UI: tunnel traffic bypasses OPNsense firewall rules
- Translations for 20 languages in addition to the original pt_BR
  (machine generated)
- BSD license headers on all scripts
- README.md entry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: insanityinside

README.md

@@ -49,6 +49,7 @@ misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - blue sapphire
 net/chrony -- Chrony time synchronisation
+net/cloudflared -- Cloudflare tunnel
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes

net/cloudflared/LICENSE

@@ -1,6 +1,6 @@
 BSD 2-Clause License
 
-Copyright (c) 2026, Alan Martines
+Copyright (c) 2026, Alan Martines, Richard Aspden
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

net/cloudflared/Makefile

@@ -2,7 +2,7 @@ PLUGIN_NAME=        cloudflared
 PLUGIN_VERSION=     0.1.0
 PLUGIN_REVISION=    1
 PLUGIN_COMMENT=     Cloudflare Tunnel (cloudflared) integration
-PLUGIN_MAINTAINER=  alancpmartines@hotmail.com
-PLUGIN_DEPENDS=     fetch
+PLUGIN_MAINTAINER=  rick+github@insanityinside.net
+PLUGIN_DEPENDS=     cloudflared
 
 .include "../../Mk/plugins.mk"

net/cloudflared/pkg-descr

@@ -2,16 +2,19 @@ Cloudflare Tunnel (cloudflared) integration for OPNsense.
 
 Provides a native MVC interface to manage token-based Cloudflare Zero
 Trust tunnels without opening firewall ports or requiring a static IP.
-Follows Method 1: Token-based Setup using binaries from the kjake
-FreeBSD fork of cloudflared.
+Uses the cloudflared binary from the FreeBSD ports collection
+(net/cloudflared).
 
 Features:
 - Token-based tunnel authentication via Cloudflare Zero Trust
-- Integrated binary installer with automatic FreeBSD version and
-  architecture detection
+- Transport protocol selection: Auto (QUIC with HTTP/2 fallback),
+  QUIC-only, or HTTP/2-only
+- Automatic outbound firewall rules for QUIC (UDP 7844) and HTTP/2 (TCP 7844)
 - QUIC kernel tuning (kern.ipc.maxsockbuf, net.inet.udp.recvspace)
 - Post-quantum encryption support (--post-quantum)
 - Real-time tunnel health status in the UI
+- Log viewer with pagination and live follow mode
+- Automatic crash recovery and restart on WAN IP change
 - Appears in System: Diagnostics: Services
 
-WWW: https://github.com/AlanMartines/os-cloudflared
+WWW: https://github.com/cloudflare/cloudflared

net/cloudflared/src/etc/cron.d/cloudflared

@@ -0,0 +1,9 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+#
+# User-defined crontab files can be loaded via /etc/cron.d
+# or /usr/local/etc/cron.d and follow the same format as
+# /etc/crontab, see the crontab(5) manual page.
+SHELL=/bin/sh
+PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+#minute	hour	mday	month	wday	who	command
+*	*	*	*	*	root	/usr/local/opnsense/scripts/OPNsense/Cloudflared/monitor.sh

net/cloudflared/src/etc/inc/plugins.inc.d/cloudflared.inc

@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,6 +33,79 @@ function cloudflared_enabled()
     return (string)$model->general->enabled == '1';
 }
 
+function cloudflared_configure()
+{
+    return [
+        'newwanip'  => ['cloudflared_configure_newwanip:10'],
+        'newwanip6' => ['cloudflared_configure_newwanip:10'],
+    ];
+}
+
+function cloudflared_configure_newwanip($verbose = false)
+{
+    if (!cloudflared_enabled()) {
+        return;
+    }
+    if (file_exists('/var/run/cloudflared.stopped')) {
+        return;
+    }
+    $pidfile = '/var/run/cloudflared.pid';
+    if (file_exists($pidfile)) {
+        $pid = (int)trim(file_get_contents($pidfile));
+        if ($pid > 0 && posix_kill($pid, 0)) {
+            return;
+        }
+    }
+    $backend = new \OPNsense\Core\Backend();
+    $backend->configdRun('cloudflared start');
+}
+
+function cloudflared_firewall($fw)
+{
+    if (!cloudflared_enabled()) {
+        return;
+    }
+
+    $model = new \OPNsense\Cloudflared\Cloudflared();
+    $protocol = (string)$model->general->protocol;
+
+    if ($protocol !== 'http2') {
+        $fw->registerFilterRule(
+            1,
+            [
+                'descr'     => 'Allow Cloudflare Tunnel QUIC (autogenerated)',
+                'direction' => 'out',
+                'from'      => '(self)',
+                'to'        => 'any',
+                'to_port'   => '7844',
+                'protocol'  => 'udp',
+                'type'      => 'pass',
+                'quick'     => true,
+                'statetype' => 'keep',
+                '#ref'      => 'ui/cloudflared/general/index',
+            ]
+        );
+    }
+
+    if ($protocol !== 'quic') {
+        $fw->registerFilterRule(
+            1,
+            [
+                'descr'     => 'Allow Cloudflare Tunnel HTTP/2 (autogenerated)',
+                'direction' => 'out',
+                'from'      => '(self)',
+                'to'        => 'any',
+                'to_port'   => '7844',
+                'protocol'  => 'tcp',
+                'type'      => 'pass',
+                'quick'     => true,
+                'statetype' => 'keep',
+                '#ref'      => 'ui/cloudflared/general/index',
+            ]
+        );
+    }
+}
+
 function cloudflared_services()
 {
     $services = [];

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/ServiceController.php

@@ -1,21 +1,44 @@
 <?php
 
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
 namespace OPNsense\Cloudflared\Api;
 
 use OPNsense\Base\ApiMutableServiceControllerBase;
 use OPNsense\Core\Backend;
 
 class ServiceController extends ApiMutableServiceControllerBase
 {
-    protected static $internalServiceClass = 'OPNsense\Cloudflared\Cloudflared';
+    protected static $internalServiceClass = '\OPNsense\Cloudflared\Cloudflared';
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceTemplate = 'OPNsense/Cloudflared';
     protected static $internalServiceName = 'cloudflared';
 
-    /**
-     * Reconfigura o serviço: cria diretórios, recarrega templates,
-     * aplica sysctl tunables e reinicia o serviço.
-     */
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
@@ -37,20 +60,11 @@ public function tunnelStatusAction()
         return $data;
     }
 
-    public function installAction()
+    public function logAction()
     {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun("cloudflared install_binary");
-            if ($response === null) {
-                return ['response' => 'ERROR: configd did not respond. Run "service configd restart" on OPNsense.'];
-            }
-            $response = trim($response);
-            if ($response === '' || $response === 'FAILED') {
-                return ['response' => 'ERROR: Action not found. Run "service configd restart" on OPNsense to reload actions.'];
-            }
-            return ['response' => $response];
-        }
-        return ['response' => 'error'];
+        $backend = new Backend();
+        $raw = $backend->configdRun("cloudflared log");
+        $lines = $raw !== null ? explode("\n", rtrim($raw)) : [];
+        return ['lines' => $lines, 'total' => count($lines)];
     }
 }

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/Api/SettingsController.php

@@ -1,12 +1,38 @@
 <?php
 
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
 namespace OPNsense\Cloudflared\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Cloudflared\Cloudflared;
 
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'Cloudflared';
-    protected static $internalModelClass = 'OPNsense\Cloudflared\Cloudflared';
+    protected static $internalModelClass = '\OPNsense\Cloudflared\Cloudflared';
 }

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/IndexController.php

@@ -1,29 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
- *    All rights reserved.
+/*
+ * Copyright (C) 2026 Alan Martines <alancpmartines@hotmail.com>
+ * Copyright (C) 2026 Richard Aspden <rick+github@insanityinside.net>
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE of THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Cloudflared;

net/cloudflared/src/opnsense/mvc/app/controllers/OPNsense/Cloudflared/forms/general.xml

@@ -11,18 +11,24 @@
         <type>password</type>
         <help>The token for your Cloudflare Tunnel. Get it from one.dash.cloudflare.com > Access > Tunnels.</help>
     </field>
-    <field>
-        <id>Cloudflared.general.no_autoupdate</id>
-        <label>Disable Auto-Update</label>
-        <type>checkbox</type>
-        <help>Pass --no-autoupdate to cloudflared. Recommended when managing updates manually via the Install/Update Binary button.</help>
-    </field>
     <field>
         <id>Cloudflared.general.post_quantum</id>
         <label>Enable Post-Quantum Encryption</label>
         <type>checkbox</type>
         <help>Pass --post-quantum to enable post-quantum cryptography for the tunnel connection.</help>
     </field>
+    <field>
+        <id>Cloudflared.general.quic_disable_pmtu_discovery</id>
+        <label>Disable QUIC PMTU Discovery</label>
+        <type>checkbox</type>
+        <help>Pass --quic-disable-pmtu-discovery to cloudflared. Workaround for intermittent "failed to accept QUIC stream" errors on networks where ICMP is filtered and path MTU discovery does not work correctly.</help>
+    </field>
+    <field>
+        <id>Cloudflared.general.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>Transport protocol for the tunnel connection. Auto tries QUIC first and falls back to HTTP/2 if unavailable. Outbound firewall rules are automatically added: UDP 7844 for Auto and QUIC modes, TCP 7844 for Auto and HTTP/2 modes.</help>
+    </field>
     <field>
         <id>Cloudflared.general.kern_ipc_maxsockbuf</id>
         <label>Max Socket Buffer (kern.ipc.maxsockbuf)</label>