├── LICENSE
├── README.md
├── cloudflared
├── cloudflared-setup.sh
├── config.yml
├── install.sh
├── nat-dns-redirect.sh
└── uninstall.sh

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ubnt-cloudflared
Install Cloudflare's DNS proxy (cloudflared, DNS over HTTPS) on UniFi® gateways. This setup survives reboots and re-provisions.

Only IPv4 is supported at the moment.

Increase privacy on your network and prevent your ISP from eavesdropping on your DNS requests to build a history of your internet browsing!

## Hardware
### Tested
* UniFi Security Gateway 3P

### Should work on (but not tested)
* All EdgeRouter models
* All UniFi Security Gateway models

## Guide
### Installing
In an SSH session, run the following command:
```sh
bash <(curl -s https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/install.sh)
```

### Updating
Just run the install script again ;)

### Uninstall
In an SSH session, run the following command:
```sh
bash <(curl -s https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/uninstall.sh)
```

### Redirecting NAT DNS requests
See the example in `nat-dns-redirect.sh`. Adapt it to your configuration and networks, then place the script in `/config/scripts/post-config.d/` on the gateway so it runs on every provision.

## Contributing
* Please fork and submit PRs if you have any improvements.
* Implementing IPv6 support would help greatly.
* Feel free to submit issues!
* Testing this on hardware I have not tested yet would be wonderful!

## Credits
* https://bendews.com/posts/implement-dns-over-https/
* https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/
* https://github.com/yon2004/ubnt_cloudflared
* https://community.ubnt.com/t5/UniFi-Routing-Switching/Scripts-on-USG/td-p/1402210
* https://community.ubnt.com/t5/UniFi-Routing-Switching/Deploying-USG-scripts-through-controller/td-p/2140097

--------------------------------------------------------------------------------
/cloudflared:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/2c1e9046c42abc68cd87ef07dfacbcd982e17c23/cloudflared

--------------------------------------------------------------------------------
/cloudflared-setup.sh:
--------------------------------------------------------------------------------
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

# Pull files. Pass "pull" as the first argument to force a re-download of the
# config and the binary (install.sh does this); on a plain re-provision the
# files already present are kept.
mkdir -p /etc/cloudflared
mkdir -p /opt/cloudflared
if [ ! -f /etc/cloudflared/config.yml ] || [ "$1" = "pull" ]; then
    /usr/bin/curl -sf https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/config.yml --output /etc/cloudflared/config.yml
fi
if [ ! -f /opt/cloudflared/cloudflared ] || [ "$1" = "pull" ]; then
    sudo /usr/bin/curl -sf https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/cloudflared --output /opt/cloudflared/cloudflared
fi
# Do not point the gateway's DNS at a proxy that is not there: abort if a
# download failed or left an empty file, before any config is changed.
if [ ! -s /opt/cloudflared/cloudflared ] || [ ! -s /etc/cloudflared/config.yml ]; then
    echo "cloudflared download failed, leaving DNS configuration untouched" >&2
    exit 1
fi
/bin/chmod +x /opt/cloudflared/cloudflared
/opt/cloudflared/cloudflared service install
/etc/init.d/cloudflared restart

# System config
configure

# Use local DNS proxy: dnsmasq forwards only to cloudflared on 127.0.0.1:5053
# (no-resolv stops it from reading the ISP-provided resolvers), and the
# gateway itself resolves through the same proxy.
delete service dns forwarding options
set service dns forwarding options "no-resolv"
set service dns forwarding options "server=127.0.0.1#5053"
delete system name-server
set system name-server 127.0.0.1

# Block outgoing DNS packets and log them. cloudflared talks DNS over HTTPS
# on port 443, so it is not affected; anything still using plain port 53
# towards the WAN is dropped and logged.
delete firewall name WAN_OUT rule 1000

set firewall name WAN_OUT rule 1000 action drop
set firewall name WAN_OUT rule 1000 description "Block all outgoing DNS requests on WAN_OUT"
set firewall name WAN_OUT rule 1000 protocol tcp_udp
set firewall name WAN_OUT rule 1000 destination port 53
set firewall name WAN_OUT rule 1000 log enable

commit
save
exit

--------------------------------------------------------------------------------
/config.yml:
--------------------------------------------------------------------------------
no-autoupdate: true
proxy-dns: true
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
proxy-dns-port: 5053

--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/vbash
set -e

echo "Installing cloudflared"
# Drop the setup script into post-config.d so it re-runs on every provision,
# then run it once now with "pull" to fetch the config and the binary.
sudo /usr/bin/curl -sf https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/cloudflared-setup.sh --output /config/scripts/post-config.d/cloudflared-setup.sh
sudo /bin/chmod +x /config/scripts/post-config.d/cloudflared-setup.sh
sudo /config/scripts/post-config.d/cloudflared-setup.sh pull

--------------------------------------------------------------------------------
/nat-dns-redirect.sh:
--------------------------------------------------------------------------------
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

# Redirect outgoing DNS packets and log them.
# Example for three networks (MGMT, LAN, GUESTS): any port 53 traffic arriving
# on the inbound interface that is not already addressed to the gateway is
# destination-NATed to the gateway's address on that network, so clients with
# hard-coded resolvers still end up at the local proxy. Adapt the interfaces
# and addresses to your own configuration.
configure

delete service nat rule 1000
delete service nat rule 1001
delete service nat rule 1002

set service nat rule 1000 description 'Redirect DNS request from MGMT to gateway'
set service nat rule 1000 type destination
set service nat rule 1000 protocol tcp_udp
set service nat rule 1000 destination port 53
set service nat rule 1000 destination address !10.0.255.254
set service nat rule 1000 inbound-interface eth1
set service nat rule 1000 inside-address address 10.0.255.254
set service nat rule 1000 log enable

set service nat rule 1001 description 'Redirect DNS request from LAN to gateway'
set service nat rule 1001 type destination
set service nat rule 1001 protocol tcp_udp
set service nat rule 1001 destination port 53
set service nat rule 1001 destination address !172.16.255.254
set service nat rule 1001 inbound-interface eth1.2
set service nat rule 1001 inside-address address 172.16.255.254
set service nat rule 1001 log enable

set service nat rule 1002 description 'Redirect DNS request from GUESTS to gateway'
set service nat rule 1002 type destination
set service nat rule 1002 protocol tcp_udp
set service nat rule 1002 destination port 53
set service nat rule 1002 destination address !192.168.0.254
set service nat rule 1002 inbound-interface eth1.3
set service nat rule 1002 inside-address address 192.168.0.254
set service nat rule 1002 log enable

commit
save
exit

--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

# Stop cloudflared and remove files
sudo /etc/init.d/cloudflared stop
sudo /opt/cloudflared/cloudflared service uninstall
sudo rm -rf /etc/cloudflared /opt/cloudflared /config/scripts/post-config.d/cloudflared-setup.sh /var/log/cloudflared*

# Reset default DNS config: plain DNS to 1.1.1.1 / 1.0.0.1 and lift the
# port 53 block
configure
delete service dns forwarding options
delete system name-server
set system name-server 1.1.1.1
set system name-server 1.0.0.1
delete firewall name WAN_OUT rule 1000
commit
save
exit

echo "Do not forget to remove any custom NAT DNS redirections you made!"
--------------------------------------------------------------------------------
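As an added example (not part of this repository), a small POSIX shell report over the drop logs that WAN_OUT rule 1000 in `cloudflared-setup.sh` produces: because that rule has `log enable`, every LAN host that still tries to reach an external resolver on port 53 shows up in the kernel log, which is how you find clients with hard-coded DNS servers that bypass the proxy (and decide where a NAT redirect from `nat-dns-redirect.sh` is needed). The log lines are constructed in the EdgeOS `[NAME-RULE-ACTION]` netfilter prefix format, not captured from a real gateway, and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise which source addresses were dropped by the
# "[WAN_OUT-1000-D]" firewall rule, most frequent first.
# Constructed sample lines; the last one (rule 2000, accept) must be ignored.
SAMPLE_LOG='Mar  3 10:01:02 ubnt kernel: [WAN_OUT-1000-D]IN=eth1.2 OUT=eth0 SRC=172.16.0.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51000 DPT=53 LEN=40
Mar  3 10:01:05 ubnt kernel: [WAN_OUT-1000-D]IN=eth1.2 OUT=eth0 SRC=172.16.0.23 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51001 DPT=53 LEN=40
Mar  3 10:01:09 ubnt kernel: [WAN_OUT-1000-D]IN=eth1.3 OUT=eth0 SRC=192.168.0.77 DST=9.9.9.9 LEN=60 PROTO=TCP SPT=40212 DPT=53 WINDOW=29200
Mar  3 10:01:12 ubnt kernel: [WAN_OUT-2000-A]IN=eth1.2 OUT=eth0 SRC=172.16.0.23 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40213 DPT=443'

# Reads a kernel/firewall log on stdin and prints "count src" for every
# source address matching the log prefix (default: WAN_OUT rule 1000 drops).
dns_bypass_report() {
    prefix="${1:-[WAN_OUT-1000-D]}"
    grep -F "$prefix" |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
         END { for (s in n) print n[s], s }' |
    sort -rn
}

# Number of logged drops for one source address in the sample log (0 if none).
dns_bypass_count() {
    printf '%s\n' "$SAMPLE_LOG" | dns_bypass_report |
    awk -v h="$1" '$2 == h { print $1; found = 1 } END { if (!found) print 0 }'
}

# On a real gateway: cat /var/log/messages | dns_bypass_report
printf '%s\n' "$SAMPLE_LOG" | dns_bypass_report
```

A host that appears here with a high count is either misconfigured or deliberately pinned to an external resolver; the NAT rules in `nat-dns-redirect.sh` make such traffic land on the local proxy instead of being dropped.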