Protect Your Privacy: Install Cloudflared on Raspberry Pi
DNS is the technology your internet connection uses to look up websites and connect to servers. But did you know that DNS leaves your online activity wide open for all to see? In this post, I’ll show you how you can protect your online privacy with a Raspberry Pi.
Cloudflared is a Linux program that can be installed on Raspberry Pi to secure DNS and protect privacy. Cloudflared works by encrypting DNS requests for the whole network.
This guide will walk you through the steps to install Cloudflared. As a bonus, I’ll also cover integrating it with the Pi-Hole ad blocker for lightning-fast and secure browsing. Read on to learn how to turn the Raspberry Pi into your personal privacy champion!
The Problem: Why Is DNS Insecure?
The Domain Name System (DNS) is used to find addresses on the internet. The problem is that DNS is inherently insecure.
What Is DNS?
When you look up a website like raspberrytips.com, your internet connection asks a DNS resolver to convert the textual name to a numerical IP address. It’s how your PC finds a server on the internet to load the site you want.
Why Should You Care About DNS Security?
DNS came about in the 1980s when public internet access was in its earliest stages—fast forward decades later, and that same design is still used for everything you do online.
A new problem becomes obvious: DNS is outdated when it comes to security and privacy.
- DNS requests are sent in plaintext. In other words, they’re readable by anyone.
- DNS doesn’t require authentication. It doesn’t check who sent what or whether the response came from a legitimate source.
These weaknesses mean your ISP or third-party trackers can spy on your internet activity. It also means malicious actors can hijack your DNS requests to carry out their attacks.
The Solution: DNS Encryption
If DNS is insecure, what can you do about it? The answer is DNS encryption. DNS encryption encodes requests so that they can only be read by the parties intended. It’s like putting a lock on your DNS traffic.
There are currently a few methods for DNS encryption, such as DNS-over-HTTPS and DNS-over-TLS. In this guide, we’ll be enabling DNS-over-HTTPS (DoH).
DNS Encryption Using Raspberry Pi
Now that you understand how DNS encryption works, how do you get it? One great way to access this technology for free is to have your Raspberry Pi run a program called Cloudflared.
The Cloudflared project is officially maintained by Cloudflare, one of the largest CDN (Content Delivery Network) providers. The Cloudflared program creates tunnels for secure networking.
It can do lots of fancy things, but for our purposes, we will install Cloudflared on Raspberry Pi to secure your DNS and keep your internet traffic private.
Once installed, your Pi will act as an intermediary between your devices and the internet. Instead of having to configure every device on your network one by one, your Pi will enable DNS encryption for all of them—protecting your PC and your mobile devices.
What Do I Need to Run Cloudflared?
- Raspberry Pi: A model with a 64-bit processor, like the Pi 5, Pi 4, or Pi 3 will work. Support for 32-bit models is not working at this time.
- 24/7 run time: Your Pi has to run 24/7 to process internet requests. Make sure you use a stable setup (like the Pironman 5). You can add a backup battery if needed (like the one I tested here).
- Ethernet connection: DNS resolution should be fast and stable, so your Pi should be connected to your router by Ethernet.
- Router access: You’ll have to get into your router’s admin panel to change DNS settings.
- Cloudflared: Instructions to install this program will be provided below.
Note: This guide may be better suited to intermediate or advanced users. You’ll need some knowledge of networking, router settings, and the Linux command line.
Are There Any Downsides?
Will setting up DNS encryption make my internet slower? No.
Using Cloudflared is faster than a VPN and doesn’t slow down my connection.
It’s faster than the default situation of using my ISP’s DNS. That’s because Cloudflare’s DNS is the fastest public resolver in the world.
However, this benefit does come with a trade-off. Your Pi must be on 24/7 to manage your DNS requests. If your Pi goes down, your Internet connection will stop working. But don’t worry, I’ll show you how to mitigate this problem.
That said, I’ve been running Cloudflared since I first got my Raspberry Pi 4B. My internet was only knocked out once—my fault for not updating the program for years. I’ll show you how to enable auto-updates to avoid this issue.
How to Install Cloudflared on Raspberry Pi
Now that you understand how DNS works, you’re ready to get DNS encryption. In this section, you’ll install Cloudflared from the official Cloudflare GitHub. Then, you’ll configure it to enable DNS encryption and run on startup.
Install Cloudflared
Note: The instructions below are for Raspberry Pis with 64-bit processors, such as the Pi 5, Pi 4, Pi 3, Pi 2 (v1.2), and Pi Zero 2. Sorry, Cloudflared doesn’t work properly on 32-bit models as of this writing.
To install Cloudflared, open a terminal, and enter these commands:
- Download using wget:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
- Move the files to install them on your system:
sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
- Make the program executable:
sudo chmod +x /usr/local/bin/cloudflared
- Check if it’s installed:
cloudflared -v
Are you a bit lost in the Linux command line? Check this article first for the most important commands to remember and a free downloadable cheat sheet so you can have the commands at your fingertips.
Configure Cloudflared
Next, you’ll create a config file for Cloudflared. This file is where you’ll specify using DNS servers with encryption. Here’s how:
- Create the config file with Nano:
sudo nano /etc/default/cloudflared
- Paste the following line in to use Cloudflare’s DoH encryption:
CLOUDFLARED_OPTS=--address 0.0.0.0 --port 53 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
- Create a new user to run the service:
sudo useradd -s /usr/sbin/nologin -r -M cloudflared
- Give your service account ownership of the program and config file:
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
Run Cloudflared on Startup
Then, you’ll want to make sure Cloudflared runs on startup:
- Create a startup script:
sudo nano /etc/systemd/system/cloudflared.service
- Paste the following lines:
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
- Save & exit (CTRL+x, y, Enter).
- Enable the Cloudflared service to run at startup:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared
Test Cloudflared Service
Finally, let’s test that Cloudflared resolves DNS requests as intended:
- Install the dnsutils package to get the dig utility:
sudo apt install dnsutils
- Run a test with the dig command:
dig @127.0.0.1 -p 53 raspberrytips.com
Running this command asks your Pi to resolve a website for you using Cloudflared. If you get a “connection refused” error, then something’s wrong: go back and check on your installation and configuration above.
A successful test should return a full response like this:
Congrats! You’ve successfully installed Cloudflared with DNS encryption. But wait, you’re not done yet! You have to tell your router to use your Pi for DNS. I’ll show you how in the next section.
Post-Installation: Send All DNS Requests to Your Pi
Now that you’ve got Cloudflared working, it’s time to protect all devices on your network with DNS encryption. In this section, you’ll go to your router’s admin panel. From there, you’ll tell it to send all DNS requests to your Pi.
Change the DNS Server on Your Router
To complete the steps below, you’ll need access to your router’s admin panel. A common way is to open a web browser and enter your router’s local network address (e.g., 192.168.1.1)—the exact IP will depend on your router’s setup.
If you haven’t already done so, assign your Raspberry Pi a local static IP address. You’ll probably have to reboot your Pi for the new address to take effect. I’ve assigned my Pi a static IP of “192.168.1.69” for our example below.
In your router’s admin interface, find the “DNS Server” or “Name Server” section. Most likely, this section is currently blank. Blank means that you’re using your ISP’s DNS by default.
In the name server section, add your Pi’s local IP address. Save.
Now your router will use your Pi as the DNS server for your internet connection. When a device on your network requests something like a webpage, your router will send this DNS request to your Pi. The Pi will then use Cloudflared to encrypt the request.
Let’s test if your internet is still working with this new change. On your PC or another device on your network, open a website. Does it load? If yes, you’ve set it up correctly!
If websites won’t load, then you’ve probably configured something incorrectly. If you need your internet to work again while you troubleshoot, go back to your router’s DNS settings, clear them, and save to return to the default.
Check if DNS Encryption is Working
But how do you know if encryption is active? To check if DNS encryption is working, open this Cloudflare help page. If DNS encryption is working, the line “Using DNS over HTTPS” should say “Yes.”
That’s all there is to it! I salute you for safeguarding your right to privacy. Others might think you’re paranoid, but all signs point to DNS security becoming a standard.
Optional Steps
This section is optional but covers bonus ways to configure Cloudflared.
Set a Backup DNS
In the rare event that your Pi + Cloudflared setup goes down, your internet access will stop working. During these situations, add an extra DNS server as a backup in your router to keep your internet running smoothly.
In the example above, I added the Quad9 public DNS server (9.9.9.9) as a backup. You’ll want to remove this line once you’re confident that your Pi + Cloudflared setup is working again (because the backup server doesn’t encrypt DNS).
Automate Cloudflared Updates
My internet access went down once because I forgot to update Cloudflared for a couple of years. So now, I update Cloudflared automatically with the script below. It simply downloads the newest files and then copies them over.
Here’s how to automate updates for Cloudflared:
- Create a script that will run as a cron job once a month:
sudo nano /etc/cron.monthly/cloudflared-updater
- Paste these lines:
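#!/bin/bash
# Download the latest 64-bit ARM build into the current directory
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
# Stop the service, replace the binary, and start the service again
sudo systemctl stop cloudflared
sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
sudo systemctl start cloudflared
# Show the installed version and confirm the service is running
cloudflared -v
sudo systemctl status cloudflared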
- Save & exit.
- Make the script executable:
sudo chmod +x /etc/cron.monthly/cloudflared-updater
- Transfer ownership to the root user for proper permissions:
sudo chown root:root /etc/cron.monthly/cloudflared-updater
- Do a test run from your home directory:
cd ~
sudo /etc/cron.monthly/cloudflared-updater
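A more defensive variant of the updater, as an added example rather than the author's script: it downloads to a temporary directory, checks that the file is a 64-bit ARM ELF binary that actually runs, and only then swaps it in, so a failed or truncated download never stops DNS. The function names and the file-name guard at the end are choices made for this example.

```shell
#!/bin/bash
# Added example (not the author's script): validate the download before
# replacing the running binary. Function names are illustrative.
URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64"
DEST="/usr/local/bin/cloudflared"

# Succeeds only if $1 starts with a 64-bit little-endian ELF header whose
# e_machine field (bytes 18-19) is 0x00B7, i.e. AArch64.
is_arm64_elf() {
    hdr=$(od -An -tx1 -N20 "$1" 2>/dev/null | tr -d ' \n')
    [ "${#hdr}" -eq 40 ] || return 1      # missing file or fewer than 20 bytes
    [ "$(printf %s "$hdr" | cut -c1-12)" = "7f454c460201" ] &&
        [ "$(printf %s "$hdr" | cut -c37-40)" = "b700" ]
}

update_cloudflared() {
    tmp=$(mktemp -d) || return 1
    new="$tmp/cloudflared"
    rc=1
    # Download outside the install path; the service keeps running meanwhile.
    if wget -q -O "$new" "$URL" && is_arm64_elf "$new" &&
        chmod +x "$new" && "$new" -v >/dev/null; then
        # Stage next to the target, then rename, so the swap is atomic.
        install -m 0755 "$new" "$DEST.new" && mv -f "$DEST.new" "$DEST" &&
            systemctl restart cloudflared && rc=0
    else
        echo "cloudflared update rejected; keeping current binary" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Run only when installed under the cron file name used in this guide.
if [ "${0##*/}" = "cloudflared-updater" ]; then
    update_cloudflared
fi
```

The header check catches an HTML error page or a build for the wrong architecture; it does not prove the file came from Cloudflare, which still rests on the HTTPS download from GitHub.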
Use Pi-Hole With Cloudflared
This section is for those already running Pi-Hole on Raspberry Pi. Perhaps like me, you want the speed of Pi-Hole ad-block and DNS caching but also want to use DNS encryption.
Here’s how to get Pi-Hole and cloudflared to work together:
- Install Pi-Hole by following our guide.
- Modify your cloudflared configuration to use port 5053 instead:
  - Open the cloudflared configuration:
    sudo nano /etc/default/cloudflared
  - Change this line to specify the port:
    CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
  - Reboot your Pi:
    sudo reboot
- Open the Pi-Hole admin panel in a web browser (e.g., 192.168.1.69/admin).
- Go to Settings > DNS.
- Uncheck all public Upstream DNS Servers in the left column. See the screenshot below.
- Checkmark Custom 1 (IPv4) in the right column, and in the blank space, enter:
127.0.0.1#5053
This setting tells Pi-Hole to send DNS requests to your cloudflared service on port 5053.
- Make sure you scroll down and hit Save.
You’re all done. Now your Pi will block ads, cache DNS requests, and provide DNS encryption at the same time. What an amazing device!