Cloudflared (remotely managed) tunnel on GL-iNet routers

Preface
I have installed and have been running cloudflared (remotely managed) tunnels on AX1800, AXT1800 and MT6000, 3 different rPis and 3 VPCs, but I'm still learning Linux as a whole and am a very green n00b in networking. So please bear with me. This is not a tutorial nor a guide, simply because I'm not qualified; it's just me sharing what I found out about using cloudflared tunnels with some GL-iNet routers that I have.

"This will not be over quickly. You will not enjoy this. I am not your King.", and so you've been warned.

.ipk's and compatibility
Cloudflared tunnel ipk's are not available in GL-iNet repos (as of 27SEP2024).
You have to find them yourself in the OpenWrt repos. You can always add those repos if you want, but I don't.
There will be newer versions there but, currently, I am successful only with
1. openwrt-cloudflared_2023.8.2-46_arm_cortex-a7.ipk
for AX1800 and AXT1800 with the current (as of 27SEP2024) 4.6.4 release 1, based on OpenWrt 21.02-SNAPSHOT r16399+172-c67509efd7, and
2. cloudflared_2024.6.1-r3_aarch64_cortex-a53.ipk
for MT6000 with the current (as of 27SEP2024) 4.6.4 release 1, OpenWrt 21.02-SNAPSHOT r15812+1075-46b6ee7ffc.

For MT6000, luci-app-cloudflared_2.0.1-20240113_all.ipk is found to be working but for AX1800 and AXT1800, luci-app-cloudflared is NOT installable.
The source for luci-app is also in the OpenWrt repos.
Since mine are working, I don't find any reason to test for new versions of ipk's but you can try.

You can use curl/wget to get the ipk's via SSH, or download them directly to a Windows computer and use WinSCP or similar tools to upload them to the router and run opkg install ./.ipk. I have a53 and a7 .ipk's and I can share them if you can't find them yourself (the a7 ipk is only available in some obscure Chinese repo), but I guess it may require the Admins' approval or your trust in me to actually upload it here.

Possible Issues
In the beginning, MT6000 had no trouble with installation, but upon reboot the /etc/init.d/cloudflared service wouldn't auto-boot (autorun at boot); AX1800 and AXT1800, however, had no problem during installation and rebooted without any issue.
But then again, just after the recent install of firmware 4.6.4 rel 1, AX1800 had no issue, while AXT1800 could be run manually but wouldn't auto-run upon reboot (though they have similar specs and settings).
The only solution that I found for the auto-run issue on both MT6000 and AXT1800 is to factory-reset and re-install the cloudflared ipk before doing any settings on the freshly reset routers. YMMV though.

References
There were many guides, tutorials and writeups that I read but in the end, I stuck with the following two:

  1. https://thematrix.dev/install-cloudflared-on-openwrt/
  2. [OpenWrt Wiki] Cloudflare tunnel

Option 1 has outdated information and is only mentioned here so as to understand how the service file was created. I eventually followed Option 2.

Usage of Cloudflared tunnels and benefits
1. My AX1800 was behind CGNAT and in a country under dictatorship and stupendous censorship, not unlike tGFireWallofC (perhaps supported by the same organization), so I needed a way to get through to it. Out of the overlay network tools included with GL-iNet, only Zerotier works reliably, while Tailscale has difficulty connecting.
Connection-speed-wise, Zerotier seems a bit slower than Cloudflared Tunnel. Again, YMMV.
AFAIK, all 3 of them may be using the underlying WG protocol, but no idea why only some are working; maybe because of DPI.
2a. With cloudflared tunnels, I don't have to open firewall ports nor port-forward, and there's no issue with CGNAT (of course you can use IPv6, but I don't want to).
2b. If you set up Cloudflared Access (pretty easy to set up), OTP (to email) can be set to be required to access the Web Admin UI and/or SSH. Once set up, you could even access SSH in a web browser (or VNC in a web browser to another computer on the same LAN; untested though).

Disadvantages and pitfalls
The drawback with the CF Access setup is that the SSH client must have Cloudflared tunnel running on it. My solution is that I just run the cloudflared tunnel (Windows version) on my Windows laptop and the Cloudflare One app on Apple/Android devices (if and when I require SSH access to the server on the routers). The Windows service has a problem with auto-run, but I just used the AlwaysUp application.
I have also changed the SSH port and prohibited root login with password (in the /etc/config/dropbear file) and set up SSH keys (/etc/dropbear/authorized_keys) for both SSH and SFTP/SCP access, in addition to the cloudflared tunnel's email OTP (no forwarding or opening ports), so I feel pretty secure. (User root can still log in to the Admin Web UI with a password.) SSH settings can be done via the Admin Web UI too.

Now, the elephant in the room with the whole cloudflared tunnels thing is that you need to already have a domain name. That's the single most basic requirement for this whole cloudflared business. For me, this was a learning opportunity, so I just bought a domain name directly from Cloudflare. It is not very expensive compared with other sellers, so for the sake of convenience and security, and for starters/self-learners like me, it's worth it. To use remotely managed cloudflared tunnels, you also need to have a (free) account with Cloudflare.


Access can be found in the screenshot above on the left panel.

Cloudflared tunnel SSH using PuTTY requires some proxy settings inside PuTTY, but that is not very complicated. If required, I can share my PuTTY settings.

While using a streaming service like Jellyfin/Plex with Cloudflare tunnels is (most likely) in violation of their ToS, that single running cloudflared tunnel can be used to access many services on/in the router/LAN subnet from outside (the internet) via different sub-domains/CNAMEs like ssh-ax1800.yourdomain.com or mt600admin.yourdomain.net or homeassistant-rpi5.yourdomain.uk etc. The only caveat I found is that UDP (and some TCP services) is not allowed, so tunnelling Tailscale/Wireguard is out of the question; besides, I found out it would just be redundant.
According to the cloudflared documentation, I found that connecting to SSH servers (apart from the cloudflared tunnel host) in the same LAN subnet is possible (not tested though).
Some nginx proxy_pass tricks may be required to get something like yourdomainname.co.hk/sshtoaxt1800 to work (to NOT require :portnumber in the URL).
You could probably access HomeAssistant or a VSCode/JupyterLab server running on an rPi/home computer from outside, from Starbucks on your iPad in a web browser (I hosted and used a CodeServer in a VPS this way).

While it's not a requirement, it is good to already have a very cheap (annually or bi-annually) 1 CPU, 1 GB (or more) RAM (headless) Linux (Ubuntu or other) VPS (e.g. on OVH, RackNerd, DigitalOcean etc.) running; you could even use some server monitor+SSH+SFTP mobile apps, e.g. NeoServer, ServerBox, ShellBean etc., to monitor and access your routers on the go, from anywhere (not necessary, but good to have and use frp).
You could do this with only the glddns service (with open+forwarded ports) and/or your own domain name and cloudflared tunnels (no port forwarding) and/or VPS+domain name+frp (fast reverse proxy, with some open ports on the VPS).
However, if you're behind CGNAT, glddns is a no-go.
ShadowSocks-libev can also be used (the tunnel server works as a port-forwarding tool), but it will require some open ports.

Disclaimer
I am, by no means, affiliated with Cloudflare (nor any mobile application).
I don't profit a single dime from writing this post.
I wrote this up so that other n00bs like me don't have to go through a lot of trouble finding information and get confused by difficult jargon and settings, and to prevent them from having to do multiple factory resets.
Oh, I'm also NOT working for GL-iNet but just a user of their routers that I bought with my own money.
Heck, I'm even thinking about getting a Banana Pi BPI R4, to learn OpenWrt as raw material, as my next router.

Conclusion
Out of the 3 routers that I have from GL-iNet,
MT6000 is my favourite because it is quite powerful and I even run docker-guacamole on it. AXT1800 is my favourite travel router and I always bring it with me on trips.
AX1800 is also a very versatile one, and I just wanted to add a USB card reader and a microSD card if and when I can (though I can't go back right now).

I planned to write up the steps for installing cloudflared tunnels; however, when I went through the tutorial links that I provided above, I found them clear and concise enough, so I decided to share and emphasize only what/how/why cloudflared tunnels are used for, so that other n00bs like me can get some idea of what choices they have.
Therefore, if you encounter any problem installing it, let me know and I will share my experience with you.

PS: I will probably write up more on FRP and ShadowSocks-libev because I had trouble finding information about setting these up on GL-iNet routers.

Edit: @Sethide, I hope you find this useful. I appreciate that you appreciated me.
This is for you, bruh!

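As an added example (not part of the original post, nor GL-iNet's or cloudflared's own tooling): a small POSIX shell audit that checks the dropbear hardening described above (non-default port, root password login disabled, keys in authorized_keys) and whether the cloudflared init script is enabled at boot, the auto-run problem mentioned under Possible Issues. It assumes the OpenWrt layout of /etc/config/dropbear, /etc/dropbear/authorized_keys and /etc/rc.d, and goes slightly beyond the post by also warning when PasswordAuth is still on for all users.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks the dropbear
# settings the post describes and whether cloudflared starts at boot.
# Paths are the OpenWrt defaults; override via environment for testing.
DROPBEAR_CFG="${DROPBEAR_CFG:-/etc/config/dropbear}"
AUTH_KEYS="${AUTH_KEYS:-/etc/dropbear/authorized_keys}"
RC_DIR="${RC_DIR:-/etc/rc.d}"

# uci_opt NAME FILE: print the value of "option NAME 'value'" from a UCI file
uci_opt() {
    awk -v k="$1" '$1 == "option" && $2 == k { print $3; exit }' "$2" | tr -d "'\""
}

# dropbear_audit: one WARN line per weak setting; returns 0 only if all pass
dropbear_audit() {
    rc=0
    [ -r "$DROPBEAR_CFG" ] || { echo "ERROR: cannot read $DROPBEAR_CFG"; return 1; }
    port=$(uci_opt Port "$DROPBEAR_CFG")
    # dropbear listens on 22 when no Port option is set
    [ "${port:-22}" != "22" ] || { echo "WARN: SSH still on default port 22"; rc=1; }
    [ "$(uci_opt RootPasswordAuth "$DROPBEAR_CFG")" = "off" ] \
        || { echo "WARN: root can still log in with a password"; rc=1; }
    # goes beyond the post: key-only authentication for every user
    [ "$(uci_opt PasswordAuth "$DROPBEAR_CFG")" = "off" ] \
        || { echo "WARN: password authentication still enabled"; rc=1; }
    [ -s "$AUTH_KEYS" ] || { echo "WARN: no keys in $AUTH_KEYS"; rc=1; }
    return "$rc"
}

# cloudflared_enabled: 0 if "/etc/init.d/cloudflared enable" created its S* link
cloudflared_enabled() {
    for f in "$RC_DIR"/S*cloudflared; do
        [ -e "$f" ] && return 0
    done
    echo "WARN: cloudflared not enabled at boot (try: /etc/init.d/cloudflared enable)"
    return 1
}

# Run both checks when executed directly on the router
dropbear_audit && cloudflared_enabled && echo "OK: SSH hardened and tunnel enabled at boot"
```

Run it over SSH on the router after installing the ipk and after every reboot; a WARN from cloudflared_enabled is the symptom the post worked around with a factory reset.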

Thanks for sharing! :wink: We are glad to discuss with an open mind.

Thanks for the write up.

I just want to add that, depending on the use case, having a domain is not always required to use the Cloudflare tunnel.
In my case, I set up the subnet in the private network tab instead of Public hostname.
