Protect Your Privacy: Install Cloudflared on Raspberry Pi

DNS is the technology your internet connection uses to look up websites and connect to servers. But did you know that DNS leaves your online activity wide open for all to see? In this post, I’ll show you how you can protect your online privacy with a Raspberry Pi.

Cloudflared is a Linux program you can install on a Raspberry Pi to secure DNS and protect your privacy. It works as a DNS proxy for the whole network, encrypting DNS requests before they go out to the internet.

This guide will walk you through the steps to install Cloudflared. As a bonus, I’ll also cover integrating it with the Pi-Hole ad blocker for lightning-fast and secure browsing. Read on to learn how to turn the Raspberry Pi into your personal privacy champion!

The Problem: Why Is DNS Insecure?

The Domain Name System (DNS) is used to find addresses on the internet. The problem is that DNS is inherently insecure.

What Is DNS?

When you look up a website like raspberrytips.com, your internet connection asks a DNS resolver to convert the textual name to a numerical IP address. It’s how your PC finds a server on the internet to load the site you want.

diagram showing DNS resolution process

Why Should You Care About DNS Security?

DNS came about in the 1980s when public internet access was in its earliest stages—fast forward decades later, and that same design is still used for everything you do online.

A new problem becomes obvious: DNS is outdated when it comes to security and privacy.

  • DNS requests are sent in plaintext. In other words, they’re readable by anyone.
  • DNS doesn’t require authentication. It doesn’t check who sent what or whether the response came from a legitimate source.
diagram showing dns insecure by sending data via plaintext

These weaknesses mean your ISP or third-party trackers can spy on your internet activity. It also means malicious actors can hijack your DNS requests to carry out their attacks.

The Solution: DNS Encryption

If DNS is insecure, what can you do about it? The answer is DNS encryption. DNS encryption encodes requests so that they can only be read by the parties intended. It’s like putting a lock on your DNS traffic.

diagram showing PC with DNS encryption

There are currently a few methods for DNS encryption, such as DNS-over-HTTPS and DNS-over-TLS. In this guide, we’ll be enabling DNS-over-HTTPS (DoH).

DNS Encryption Using Raspberry Pi

Now that you understand how DNS encryption works, how do you get it? One great way to access this technology for free is to have your Raspberry Pi run a program called Cloudflared.

The Cloudflared project is officially maintained by Cloudflare, one of the largest CDN (Content Delivery Network) providers. The Cloudflared program creates tunnels for secure networking.

It can do lots of fancy things, but for our purposes, we will install Cloudflared on Raspberry Pi to secure your DNS and keep your internet traffic private.

Once installed, your Pi will act as an intermediary between your devices and the internet. Instead of having to configure every device on your network one by one, your Pi will enable DNS encryption for all of them—protecting your PC and your mobile devices.

diagram showing Pi acting as dns encryption device

What Do I Need to Run Cloudflared?

  • Raspberry Pi: A model with a 64-bit processor, like the Pi 5, Pi 4, or Pi 3 will work.
    Support for 32-bit models is not working at this time.
  • 24/7 run time: Your Pi has to run 24/7 to process internet requests.
    Make sure you use a stable setup (like the Pironman 5). You can add a backup battery if needed (like the one I tested here).
  • Ethernet connection: DNS resolution should be fast and stable, so your Pi should be connected to your router by Ethernet.
  • Router access: You’ll have to get into your router’s admin panel to change DNS settings.
  • Cloudflared: Instructions to install this program will be provided below.

Note: This guide may be better suited to intermediate or advanced users. You’ll need some knowledge of networking, router settings, and the Linux command line.

Are There Any Downsides?

Will setting up DNS encryption make my internet slower? No.
Using Cloudflared is faster than a VPN and doesn’t slow down my connection.
It’s faster than the default situation of using my ISP’s DNS. That’s because Cloudflare’s DNS is the fastest public resolver in the world.

However, this benefit does come with a trade-off. Your Pi must be on 24/7 to manage your DNS requests. If your Pi goes down, your Internet connection will stop working. But don’t worry, I’ll show you how to mitigate this problem.

That said, I’ve been running Cloudflared since I first got my Raspberry Pi 4B. My internet was only knocked out once—my fault for not updating the program for years. I’ll show you how to enable auto-updates to avoid this issue.

How to Install Cloudflared on Raspberry Pi

Now that you understand how DNS works, you’re ready to get DNS encryption. In this section, you’ll install Cloudflared from the official Cloudflare GitHub. Then, you’ll configure it to enable DNS encryption and run on startup.

Install Cloudflared

Note: The instructions below are for Raspberry Pis with 64-bit processors, such as the Pi 5, Pi 4, Pi 3, Pi 2 (v1.2), and Pi Zero 2. Sorry, Cloudflared doesn’t work properly on 32-bit models as of this writing.

To install Cloudflared, open a terminal, and enter these commands:

  • Download using wget:
    wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
  • Move the downloaded file into place to install it on your system:
    sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
  • Make the program executable:
    sudo chmod +x /usr/local/bin/cloudflared
  • Check if it’s installed:
    cloudflared -v
command line showing cloudflared executable permissions and path is accessible

Configure Cloudflared

Next, you’ll create a config file for Cloudflared. This file is where you’ll specify using DNS servers with encryption. Here’s how:

  • Create the config file with Nano:
    sudo nano /etc/default/cloudflared
  • Paste the following line in to use Cloudflare’s DoH encryption:
    CLOUDFLARED_OPTS=--address 0.0.0.0 --port 53 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
  • Create a new user to run the service:
    sudo useradd -s /usr/sbin/nologin -r -M cloudflared
  • Give your service account ownership of the program and config file:
    sudo chown cloudflared:cloudflared /etc/default/cloudflared
    sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
command line showing summary of cloudflared configuration files

Run Cloudflared on Startup

Then, you’ll want to make sure Cloudflared runs on startup:

  • Create a systemd service file:
    sudo nano /etc/systemd/system/cloudflared.service
  • Paste the following lines:
    [Unit]
    Description=cloudflared DNS over HTTPS proxy
    After=syslog.target network-online.target


    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE

    Type=simple
    User=cloudflared
    EnvironmentFile=/etc/default/cloudflared
    ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
    Restart=on-failure
    RestartSec=10
    KillMode=process


    [Install]
    WantedBy=multi-user.target
  • Save & exit (CTRL+x, y, Enter).
  • Enable the Cloudflared service to run at startup:
    sudo systemctl enable cloudflared
    sudo systemctl start cloudflared
    sudo systemctl status cloudflared
cloudflared system service status showing enabled and active on port 53

Test Cloudflared Service

Finally, let’s test that Cloudflared resolves DNS requests as intended:

  • Install the dnsutils package to get the dig utility:
    sudo apt install dnsutils
  • Run a test with the dig command:
    dig @127.0.0.1 -p 53 raspberrytips.com

Running this command asks your Pi to resolve a website for you using Cloudflared. If you get a “connection refused” error, then something’s wrong: go back and check on your installation and configuration above.

A successful test should return a full response like this:

cloudflared dig test with successful response

Congrats! You’ve successfully installed Cloudflared with DNS encryption. But wait, you’re not done yet! You have to tell your router to use your Pi for DNS. I’ll show you how in the next section.

Post-Installation: Send All DNS Requests to Your Pi

Now that you’ve got Cloudflared working, it’s time to protect all devices on your network with DNS encryption. In this section, you’ll go to your router’s admin panel. From there, you’ll tell it to send all DNS requests to your Pi.

Change the DNS Server on Your Router

To complete the steps below, you’ll need access to your router’s admin panel. A common way is to open a web browser and enter your router’s local network address (e.g., 192.168.1.1)—the exact IP will depend on your router’s setup.

route command to find router ip address

If you haven’t already done so, assign your Raspberry Pi a local static IP address. You’ll probably have to reboot your Pi for the new address to take effect. I’ve assigned my Pi a static IP of “192.168.1.69” for our example below.

In your router’s admin interface, find the “DNS Server” or “Name Server” section. Most likely, this section is currently blank. Blank means that you’re using your ISP’s DNS by default.

In the name server section, add your Pi’s local IP address. Save.

router name server section showing Pi IP added

Now your router will use your Pi as the DNS server for your internet connection. When a device on your network requests something like a webpage, your router will send this DNS request to your Pi. The Pi will then use Cloudflared to encrypt the request before forwarding it to Cloudflare’s resolver.

Let’s test if your internet is still working with this new change. On your PC or another device on your network, open a website. Does it load? If yes, you’ve set it up correctly!

If websites won’t load, then you’ve probably configured something incorrectly. If you need your internet working again while you troubleshoot, go back to your router’s DNS settings, clear them, and save to return to the default.

Check if DNS Encryption is Working

But how do you know if encryption is active? To check if DNS encryption is working, open this Cloudflare help page. If DNS encryption is working, the line “Using DNS over HTTPS” should say “Yes.”

DNS encryption showing DoH active

That’s all there is to it! I salute you for safeguarding your right to privacy. Others might think you’re paranoid, but all signs point to DNS security becoming a standard.

Optional Steps

This section is optional but covers bonus ways to configure Cloudflared.

Set a Backup DNS

In the rare event that your Pi + Cloudflared setup goes down, your internet access will stop working. To keep your internet running in these situations, add an extra DNS server as a backup in your router.

In the example above, I added the Quad9 public DNS server (9.9.9.9) as a backup. You’ll want to remove this line once you’re confident that your Pi + Cloudflared setup is working again (because the backup server doesn’t encrypt DNS).
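
A local complement to the browser check, and a way to see whether the backup server is being used: this added example (not from the original post) lists plaintext port-53 flows that go anywhere other than the Pi. It assumes text output from `tcpdump -n port 53` captured on the router or on the Pi; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot plaintext DNS that bypasses the Pi resolver.
# Input: text lines from `tcpdump -n port 53` on stdin; $1 = the Pi's IP.
# Output: one "SRC -> DST" line per distinct flow sent to port 53 on any
# host other than the Pi (for example the unencrypted backup server).
plaintext_dns_leaks() {
    awk -v pi="$1" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)         # "9.9.9.9.53:" -> "9.9.9.9.53"
            n = split(dst, d, /\./)
            if (n != 5 || d[5] != "53") next     # IPv4 queries to port 53 only
            dip = d[1] "." d[2] "." d[3] "." d[4]
            if (dip == pi) next                  # client -> Pi is the expected path
            split($3, s, /\./)
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if (!seen[sip " " dip]++) print sip " -> " dip
        }'
}

# Constructed sample capture: one client uses the Pi (192.168.1.69),
# another falls through to the backup server 9.9.9.9 in plaintext.
SAMPLE='12:00:01.000001 IP 192.168.1.20.51000 > 192.168.1.69.53: 4660+ A? raspberrytips.com. (35)
12:00:01.020000 IP 192.168.1.69.53 > 192.168.1.20.51000: 4660 1/0/0 A 203.0.113.10 (51)
12:00:05.000001 IP 192.168.1.21.40001 > 9.9.9.9.53: 7711+ A? example.org. (29)
12:00:06.000001 IP 192.168.1.21.40002 > 9.9.9.9.53: 7712+ AAAA? example.org. (29)'

printf '%s\n' "$SAMPLE" | plaintext_dns_leaks 192.168.1.69
```

An empty result over a capture that includes normal browsing means every query seen at that capture point went to the Pi.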

Automate Cloudflared Updates

My internet access went down once because I forgot to update Cloudflared for a couple of years. So now, I update Cloudflared automatically with the script below. It simply downloads the newest files and then copies them over.

Here’s how to automate updates for Cloudflared:

  • Create a script that will run as a cron job once a month:
    sudo nano /etc/cron.monthly/cloudflared-updater
  • Paste these lines:
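    #!/bin/bash
    # Download the latest 64-bit ARM build into the current directory
    wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
    # Stop the service, swap in the new binary, and start it again
    sudo systemctl stop cloudflared
    sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
    sudo chmod +x /usr/local/bin/cloudflared
    sudo systemctl start cloudflared
    # Print the installed version and the service status
    cloudflared -v
    sudo systemctl status cloudflared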
  • Save & exit.
  • Make the script executable:
    sudo chmod +x /etc/cron.monthly/cloudflared-updater
  • Transfer ownership to the root user for proper permissions:
    sudo chown root:root /etc/cron.monthly/cloudflared-updater
  • Do a test run from your home directory:
    cd ~
    sudo /etc/cron.monthly/cloudflared-updater
cloudflared update script as a monthly cron job
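
Because every device on the network depends on this binary, a failed or truncated download should never replace a working one. The variant below is an added example, not the author's script: it stages the download, rejects anything that is not an ELF binary, keeps the previous binary, and rolls back if the service does not answer the same dig test used earlier. `PORT`, the `.new`/`.bak` file names and the 5-second wait are assumptions.

```shell
#!/bin/sh
# Added example: staged cloudflared update with a sanity check and rollback.
# URL and BIN come from the tutorial; PORT, the .new/.bak names and the
# 5-second wait are assumptions of this example.
URL=https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
BIN=${BIN:-/usr/local/bin/cloudflared}
PORT=${PORT:-53}   # 5053 in the Pi-Hole setup

# True if $1 is a non-empty file starting with the ELF magic bytes.
# A truncated download or an HTML error page fails this check.
is_elf() {
    [ -s "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Replace $BIN with staged file $1, keeping the old binary as $BIN.bak.
# Returns 1 and leaves $BIN untouched if the staged file is rejected.
swap_in() {
    is_elf "$1" || { echo "rejected: $1 is not an ELF binary" >&2; return 1; }
    cp "$1" "$BIN.new" && chmod 0755 "$BIN.new" || return 1
    if [ -e "$BIN" ]; then cp -p "$BIN" "$BIN.bak"; fi
    mv -f "$BIN.new" "$BIN"   # rename, so $BIN is never half-written
}

# Put the previous binary back; returns 1 if there is no backup.
roll_back() {
    [ -e "$BIN.bak" ] && mv -f "$BIN.bak" "$BIN"
}

# Service is running and actually answers a query (the tutorial's dig test).
healthy() {
    systemctl is-active --quiet cloudflared &&
        dig +short +time=3 +tries=1 @127.0.0.1 -p "$PORT" raspberrytips.com | grep -q .
}

# Download, check, swap, restart; roll back if the new binary is unhealthy.
update() {
    staged=$(mktemp) || return 1
    if wget -q -O "$staged" "$URL" && swap_in "$staged"; then
        systemctl restart cloudflared; sleep 5
        if ! healthy; then
            echo "new cloudflared unhealthy, rolling back" >&2
            roll_back && systemctl restart cloudflared
        fi
    fi
    rm -f "$staged"
}

# Runs only when installed under the tutorial's cron file name.
case "${0##*/}" in cloudflared-updater) update ;; esac
```

The last line only triggers the update when the file is named cloudflared-updater, so install it under the same path as the script above, /etc/cron.monthly/cloudflared-updater.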

Use Pi-Hole With Cloudflared

This section is for those already running Pi-Hole on Raspberry Pi. Perhaps like me, you want the speed of Pi-Hole ad-block and DNS caching but also want to use DNS encryption.

Here’s how to get Pi-Hole and cloudflared to work together:

  • Install Pi-Hole by following our guide.
  • Modify your cloudflared configuration to use port 5053 instead:
    • Open the cloudflared configuration:
      sudo nano /etc/default/cloudflared
    • Change this line to specify the port:
      CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
    • Reboot your Pi:
      sudo reboot
  • Open the Pi-Hole admin panel in a web browser (e.g., 192.168.1.69/admin).
  • Go to Settings > DNS.
  • Uncheck all public Upstream DNS Servers in the left column. See the screenshot below.
  • Checkmark Custom 1 (IPv4) in the right column, and in the blank space, enter:
    127.0.0.1#5053
    This setting tells Pi-Hole to send DNS requests to your cloudflared service on port 5053.
  • Make sure you scroll down and hit Save.
pi-hole admin panel with cloudflared setup

You’re all done. Now your Pi will block ads, cache DNS requests, and provide DNS encryption at the same time. What an amazing device!
