AI-narrated version of this post using a synthetic voice. Great for accessibility or listening while busy.
If you’re self-hosting anything at home – a media server, a personal wiki, a family Nextcloud instance – you’ve probably stared at your router’s port-forwarding screen and felt uneasy. Opening inbound ports means exposing your home IP to the public internet. Your ISP may block ports 80 and 443 anyway. And if you’re on a dynamic IP, you’re constantly chasing DNS updates. Cloudflare Tunnel sidesteps all of that. Instead of punching holes in your firewall, your server reaches out to Cloudflare’s network over an encrypted connection, and traffic flows back through that outbound tunnel. No open ports. No home IP exposed. Free tier. This guide walks through the complete setup using cloudflared on a Linux host – the same process that works on a bare-metal Ubuntu box, a Proxmox VM, or a Raspberry Pi sitting in a Calgary basement.
How the Tunnel Actually Works
It helps to have a clear mental model before touching config files. The cloudflared daemon runs on your local machine and establishes persistent outbound connections – technically HTTP/2 multiplexed streams – to Cloudflare’s edge nodes. Cloudflare calls these connections “tunnels.” When a user visits your public hostname (say, wiki.yourdomain.com), Cloudflare receives that HTTPS request at its edge, routes it through the tunnel, and your cloudflared daemon forwards it to whatever local service you’ve specified (say, http://localhost:3000).
A few things worth noting about the free tier specifically:
- Bandwidth is unmetered for tunnels on the free plan – Cloudflare has not published a hard cap, though they do reserve the right to act on abuse.
- You need a domain registered with or at minimum using Cloudflare’s nameservers. A free Cloudflare account with a domain you already own works fine.
- Tunnel traffic is end-to-end encrypted between your server and Cloudflare’s edge. The segment from Cloudflare to your end-user is also HTTPS – Cloudflare handles TLS termination automatically with their managed certificates.
- You do not need Cloudflare to be your registrar. You just need to delegate DNS to Cloudflare nameservers.
What we found surprising when first setting this up: the tunnel configuration is stored in Cloudflare’s own systems, not just locally. That means if your server reboots and cloudflared restarts as a service, it pulls its routing config from the cloud automatically. No manual re-registration needed.
Prerequisites Before You Start
Get these in order before running a single command:
- A Cloudflare account – free tier at cloudflare.com. No credit card required.
- A domain with Cloudflare nameservers active – log into Cloudflare, add your domain, follow the NS delegation steps. This can take up to 24 hours to propagate, though in practice it’s usually under an hour.
- A Linux host running your local services – this guide was tested on Ubuntu 22.04 LTS and Debian 12. The
cloudflaredbinary is also available for ARM64, so a Raspberry Pi 4 running Raspberry Pi OS (64-bit) works identically. - Your local service already running –
cloudflaredis just a proxy. If Nextcloud isn’t running on port 80 or wherever you configured it, the tunnel won’t help. Confirm withcurl http://localhost:YOUR_PORTfirst.
Canadian note: if you’re hosting anything with personal data (health info, client records), review your obligations under PIPEDA and provincial equivalents. Cloudflare Tunnel puts Cloudflare in the data path, which means your traffic transits their infrastructure – typically US and EU data centres. For personal hobby hosting that’s generally fine, but it’s worth knowing before you route a business application through it. See the Office of the Privacy Commissioner of Canada for guidance.
Installing cloudflared on Linux
Cloudflare publishes official packages for Debian/Ubuntu and RPM-based distros. Avoid random GitHub forks or third-party repos – use the official Cloudflare package repository.
On Ubuntu 22.04 or Debian 12:
# Add Cloudflare's GPG key and repo
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | \
sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update
sudo apt install cloudflared
Verify the install:
cloudflared --version
# Should output something like: cloudflared version 2024.x.x
For ARM64 (Raspberry Pi 4 running 64-bit OS), the same repo works – the package manager pulls the correct architecture automatically. For a manual binary install if you prefer not to add the repo:
# Example for AMD64 - check releases page for current version
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
The official release page is at github.com/cloudflare/cloudflared/releases.
Authenticating and Creating Your Tunnel
This is where most guides get rushed. Take it step by step.
Step 1: Authenticate cloudflared to your Cloudflare account
cloudflared tunnel login
This prints a URL. Open it in a browser, log into your Cloudflare account, and select the domain you want to use. Cloudflare issues a certificate file stored at ~/.cloudflared/cert.pem. That file authorizes this machine to create and manage tunnels for that domain.
Step 2: Create the tunnel
cloudflared tunnel create my-homelab
Replace my-homelab with whatever name makes sense. Cloudflare creates the tunnel object in their system and generates a credentials file – a JSON file stored at ~/.cloudflared/<TUNNEL-UUID>.json. The UUID is a long string like a1b2c3d4-e5f6-.... Note it down; you’ll reference it in the config.
Step 3: Write the config file
Create /etc/cloudflared/config.yml (or ~/.cloudflared/config.yml if you’re running as your own user rather than root):
tunnel: a1b2c3d4-e5f6-7890-abcd-ef1234567890
credentials-file: /root/.cloudflared/a1b2c3d4-e5f6-7890-abcd-ef1234567890.json
ingress:
- hostname: wiki.yourdomain.com
service: http://localhost:3000
- hostname: nextcloud.yourdomain.com
service: http://localhost:8080
- service: http_status:404
A few important notes on that config:
- The final catch-all rule (
service: http_status:404) is required. Without it,cloudflaredwill refuse to start, complaining about an incomplete ingress ruleset. - You can route multiple hostnames through a single tunnel. One tunnel, multiple services.
- The
servicevalue is whatever local address your app listens on. It can be HTTP or HTTPS. If it’s HTTPS with a self-signed cert locally, addoriginServerNameandnoTLSVerify: trueunderoriginRequest. - If the credentials file path is wrong,
cloudflaredexits immediately with an unhelpful error. Double-check the UUID matches.
Step 4: Create the DNS records
cloudflared tunnel route dns my-homelab wiki.yourdomain.com
cloudflared tunnel route dns my-homelab nextcloud.yourdomain.com
This creates CNAME records in Cloudflare’s DNS pointing each hostname to your tunnel’s Cloudflare address (<UUID>.cfargotunnel.com). You can also do this manually in the Cloudflare dashboard under DNS, but the CLI is faster and less error-prone.
Running cloudflared as a System Service
Running the tunnel in your terminal session is fine for testing. For production use on a homelab, you want it running as a systemd service that survives reboots.
If your config file is at /etc/cloudflared/config.yml:
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
Check the status:
sudo systemctl status cloudflared
You want to see active (running). Check the journal for connection confirmation:
sudo journalctl -u cloudflared -f
Look for lines mentioning Registered tunnel connection and the Cloudflare edge addresses it connected to (there will be multiple – cloudflared establishes four connections by default for redundancy). From our experience, the initial connection happens within 10-15 seconds on a normal residential connection.
At this point, open a browser and hit your public hostname. You should see your service. No port forwarding. No home IP in the DNS records – just Cloudflare’s infrastructure between you and the world.
Hardening the Setup
Getting it working is one thing. Running it responsibly on a homelab that might host family data is another.
Cloudflare Access for Authentication
By default, your tunneled service is public. Anyone who knows the URL can reach it. For services that have their own login (Nextcloud, Vaultwarden, Jellyfin), that’s often fine. But for services without authentication – like a local Grafana dashboard or Home Assistant – you should add Cloudflare Access in front of them.
Cloudflare Access is free for up to 50 users. In the Cloudflare dashboard, go to Zero Trust → Access → Applications → Add an application → Self-hosted. Set the domain to match your tunnel hostname and configure a policy – even just “allow email equals your@email.com” with a one-time PIN login is a substantial improvement over open access.
Locking Down the Origin
Your local service should ideally only accept connections from cloudflared running on the same machine. If it’s bound to localhost (127.0.0.1), that’s already handled – nothing external can reach it directly. Confirm with:
ss -tlnp | grep YOUR_PORT
You want to see 127.0.0.1:PORT in the output, not 0.0.0.0:PORT. The latter means the service is listening on all interfaces, which is a separate problem to fix in your app’s config.
Keep cloudflared Updated
If you installed via the Cloudflare apt repo, regular apt upgrade will pick up new versions. If you installed manually via .deb or binary, you need to check manually. Cloudflare does push breaking changes occasionally – the official changelog is worth bookmarking.
DNS-Only vs Proxied Records
The CNAME records created by cloudflared tunnel route dns are automatically set to Proxied (orange cloud) in Cloudflare’s dashboard. Leave them that way. If you accidentally switch a tunnel CNAME to DNS-only (grey cloud), the tunnel routing breaks because the CNAME value (uuid.cfargotunnel.com) won’t resolve the way Cloudflare expects it to.
Troubleshooting Common Issues
Tunnel connects but returns a 502 Bad Gateway: The cloudflared daemon can’t reach your local service. Confirm the service is running and the port in your config matches. Run curl -v http://localhost:YOUR_PORT directly on the server.
Service install fails with “config file not found”: The cloudflared service install command looks for the config at /etc/cloudflared/config.yml specifically when run as root. Create that directory and file if it doesn’t exist: sudo mkdir -p /etc/cloudflared.
DNS not resolving after running route dns: DNS propagation. Give it 5 minutes. Verify the CNAME actually exists in your Cloudflare dashboard under DNS for that domain.
ERR_TOO_MANY_REDIRECTS in browser: Your local service is probably sending its own HTTPS redirect, but cloudflared is connecting to it via HTTP. Either tell the app to serve HTTP locally (since TLS is handled by Cloudflare), or change the service line in your config to https://localhost:PORT with appropriate noTLSVerify settings.
Tunnel drops connections after a few hours: Usually a network issue between your server and Cloudflare’s edge – often an upstream router or ISP timing out idle connections. Try setting protocol: quic under your tunnel config, which uses UDP rather than TCP for the tunnel transport and tends to be more resilient in these scenarios. Check the official tunnel firewall requirements to confirm UDP 7844 is open outbound.
Our reading of the Cloudflare community forums suggests the QUIC protocol option resolves persistent-drop issues in the majority of residential setups where they appear.
Running a homelab without exposing your home IP to the internet is genuinely more accessible than it was five years ago, and Cloudflare Tunnel is one of the more straightforward ways to get there without buying dedicated hardware or paying for a VPS just to act as a proxy.
– Auburn AI editorial, Calgary AB
Related Auburn AI Products
Building a homelab or self-hosting content site? Auburn AI has practical kits:
- 500 Homelab and Self-Hosting Blog Titles ($27)
- Auburn AI Monitoring Stack ($37) – 6 production PowerShell scripts
- Podcast Automation Kit ($37)
- Browse all Auburn AI products