Introduction

In our previous guide, we explored setting up Cloudflare Tunnel directly on a Raspberry Pi. This time, we’ll take it a step further by containerizing our setup using Docker and integrating Dynamic DNS for better maintainability and reliability.

Architecture Overview

[Figure: Cloudflare Docker Architecture]

The architecture consists of several key components:

  • Docker containers providing isolated environments
  • Cloudflared tunnel ensuring secure connectivity
  • Dynamic DNS client tracking IP changes
  • All services running on a Raspberry Pi

Docker Compose Configuration

Let’s start with our Docker Compose configuration:

version: '3.8'

services:
  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    volumes:
      - ./cloudflared:/etc/cloudflared
    networks:
      - tunnel-net

  ddns-updater:
    container_name: ddns-updater
    image: qmcgaw/ddns-updater
    restart: unless-stopped
    environment:
      - DELAY=300
      - CLOUDFLARE_TOKEN=${CF_API_TOKEN}
      - ZONE_ID=${CF_ZONE_ID}
      - RECORD_ID=${CF_RECORD_ID}
    volumes:
      - ./ddns:/updater/data
    networks:
      - tunnel-net

networks:
  tunnel-net:
    driver: bridge

Installation Steps

1. Setting Up Docker

First, install Docker and Docker Compose on your Raspberry Pi:

# Install Docker
curl -sSL https://get.docker.com | sh

# Install Docker Compose
sudo apt-get install -y docker-compose

# Add your user to docker group
sudo usermod -aG docker $USER

2. Preparing the Environment

Create the project structure:

# Create project directory
mkdir cloudflare-docker && cd cloudflare-docker

# Create required directories
mkdir -p cloudflared ddns

3. Environment Variables

Create a .env file:

TUNNEL_TOKEN=your-tunnel-token
CF_API_TOKEN=your-cloudflare-api-token
CF_ZONE_ID=your-zone-id
CF_RECORD_ID=your-record-id

4. Starting the Containers

docker-compose up -d

Dynamic DNS Configuration

The DDNS updater performs several crucial functions:

  1. Regular public IP checks
  2. Cloudflare DNS updates on IP changes
  3. Logging of all updates

DDNS Configuration Example

settings:
  provider: cloudflare
  domain: example.com
  host: raspberry
  ttl: 120
  ip_version: ipv4

Monitoring and Management

Viewing Logs

# Cloudflared logs
docker logs -f cloudflared

# DDNS logs
docker logs -f ddns-updater

Checking Service Status

docker-compose ps

Security Best Practices

  1. API Token Permissions

    • Create tokens with minimal required permissions
    • DNS Zone edit permissions are sufficient
  2. Container Security

    • Use latest container images
    • Limit exposed ports
    • Run as non-root user
  3. Network Security

    • Restrict inter-container communication
    • Use bridge networking
    • Use host network only when necessary
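As an added example (not code from the original guide), this Python script checks a Compose file against the container and network practices listed above, and also flags the Docker socket mount used by the Watchtower service later in this guide. It assumes the 2-space indentation used on this page; the function names, the sample file and the UID in it are constructed for illustration.

```python
import re

# Constructed sample: two services from this guide plus a variant that sets
# an unprivileged user (the UID is an illustrative value, not from the page).
SAMPLE_COMPOSE = """\
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  cloudflared-nonroot:
    image: cloudflare/cloudflared:latest
    user: "65532:65532"
"""

def split_services(text):
    """Map service name -> body text, assuming 2-space indentation."""
    block = re.search(r"^services:[ \t]*\n((?:[ \t].*\n|\n)*)", text + "\n", re.M)
    body = block.group(1) if block else ""
    parts = re.split(r"^  ([\w.-]+):[ \t]*\n", body, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def audit(text):
    """Return {service: [findings]}; only service-level keys (indent 4) count."""
    report = {}
    for name, body in split_services(text).items():
        issues = []
        user = re.search(r"^ {4}user:\s*['\"]?([^\s'\":]+)", body, re.M)
        if user is None:
            issues.append("no user: key, runs as the image's default user")
        elif user.group(1) in ("0", "root"):
            issues.append("runs as root")
        if "/var/run/docker.sock" in body:
            issues.append("docker.sock mounted, container controls the Docker daemon")
        if re.search(r"^ {4}network_mode:\s*['\"]?host", body, re.M):
            issues.append("host networking")
        if re.search(r"^ {4}ports:", body, re.M):
            issues.append("publishes ports")
        report[name] = issues
    return report

if __name__ == "__main__":
    for service, issues in audit(SAMPLE_COMPOSE).items():
        print(service, "->", issues or "ok")
```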

Troubleshooting Guide

Common Issues and Solutions

  1. Container Startup Issues

# Check container status
docker inspect cloudflared

# View logs
docker logs cloudflared

  2. DNS Update Problems

# Check DDNS updater logs
docker logs ddns-updater

# Verify API token
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer $CF_API_TOKEN"
Performance Optimization

  1. Container Resource Limits

services:
  cloudflared:
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 256M

  2. DNS TTL Optimization

    • Lower TTL values for faster updates
    • Higher TTL values for reduced DNS server load

Advanced Features

Automatic Container Updates

Using Watchtower for automatic updates:

services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 86400 --cleanup

Health Checks

Adding health checks to your services:

services:
  cloudflared:
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:2000/health"]
      interval: 30s
      timeout: 10s
      retries: 3

Conclusion

This containerized setup provides several benefits:

  • Isolated and maintainable environment
  • Automated IP updates
  • Easy management and monitoring
  • Enhanced security

The combination of Docker containers and Cloudflare Tunnel creates a robust and secure remote access solution for your Raspberry Pi.

Next Steps

Consider these enhancements:

  • Setting up monitoring with Prometheus and Grafana
  • Implementing backup solutions
  • Adding automated testing
  • Integrating with CI/CD pipelines

For questions or feedback, please leave a comment below.