Cloudflare Zero Trust Docker

Host networking is not the most secure option, but it was the only way to get WARP routing working over the QUIC transport so that UDP traffic can be proxied, which is what proper DNS lookups on the private networks require.

Install

docker pull cloudflare/cloudflared:latest
docker run --network host -d --restart=unless-stopped  cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <CLOUDFLARE_TUNNEL_TOKEN>

Update

# capture the running container, its image ID and the tunnel token before pulling
running_container=$(docker container ls -f ancestor=cloudflare/cloudflared:latest -q)
running_image=$(docker image ls --filter=reference=cloudflare/cloudflared:latest -q)
# the token is argument 4 of "tunnel --no-autoupdate run --token <TOKEN>" (positional; assumes that exact command line)
running_token=$(docker inspect "$running_container" --format='{{index .Config.Cmd 4}}')
docker pull cloudflare/cloudflared:latest
docker run --network host -d --restart=unless-stopped cloudflare/cloudflared:latest tunnel --no-autoupdate run --token "$running_token"
docker container ls -f ancestor=cloudflare/cloudflared:latest -a # verify the new container is running
docker container ls -f ancestor="$running_image" -a               # verify the old container is still running
docker stop "$running_container"
#
# reconnect if disconnected
#
# once superseded, the old image is untagged (dangling), so a reference filter no longer matches it;
# find the stopped container by the image ID captured above instead
old_container=$(docker container ls -f ancestor="$running_image" -f status=exited -q)
docker rm "$old_container"
sleep 5
docker image prune
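The update steps above read the token from position 4 of the container's Cmd, which silently returns the wrong argument (or an empty string) if the container was started with different flags, and the new container then comes up with a bad token. The helper below is an added example, not part of the original notes: it locates the token by scanning for the `--token` flag (both `--token VALUE` and `--token=VALUE`) and returns non-zero when no token is present, so the update can fail closed before starting the replacement container. The sample Cmd values are constructed; `get_running_token` is a hypothetical wrapper that feeds it the real Cmd via `docker inspect` using the `join` template function Docker provides.

```shell
#!/bin/sh
# token_from_cmd: read a container's Cmd, one argument per line, on stdin
# (as produced by: docker inspect --format '{{join .Config.Cmd "\n"}}' <id>)
# and print the value of --token. Exit 0 when found, 1 when absent.
token_from_cmd() {
  awk '
    prev == "--token" { print; found = 1 }           # "--token VALUE" form
    /^--token=/ { sub(/^--token=/, ""); print; found = 1 }  # "--token=VALUE" form
    { prev = $0 }
    END { exit !found }                              # fail closed if never seen
  '
}

# Constructed sample: the Cmd of a container started as in the Install section.
sample_cmd='tunnel
--no-autoupdate
run
--token
EXAMPLE-TOKEN-PLACEHOLDER'

# Constructed sample: a container started by tunnel name with no --token at all.
sample_cmd_no_token='tunnel
--no-autoupdate
run
my-tunnel-name'

# get_running_token <container-id>: hypothetical replacement for the positional
# "index .Config.Cmd 4" lookup; only runs when docker is available.
get_running_token() {
  docker inspect "$1" --format '{{join .Config.Cmd "\n"}}' | token_from_cmd
}

# Stand-alone demonstration on the constructed sample (no docker needed):
printf '%s\n' "$sample_cmd" | token_from_cmd
```

In the update script this replaces the `running_token=$(docker inspect ...)` line with `running_token=$(get_running_token "$running_container") || exit 1`, so a container whose command line does not carry a token stops the procedure instead of launching a new container that can never connect.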