This guide provides a step-by-step walkthrough to configure a Cloudflare Tunnel for securely exposing internal services to the internet without opening ports on your firewall.
Before you begin, ensure you have:
cloudflared installed on your server.cloudflaredInstall cloudflared:
sudo apt update
sudo apt install -y cloudflared
Alternatively, download the latest binary from Cloudflare's official installation guide.
Verify the installation:
cloudflared --version
Ensure the version is displayed, confirming the installation.
Authenticate cloudflared:
cloudflared login
A browser window will open. Log in to your Cloudflare account and select the domain you want to use.
Upon successful authentication, a certificate file (cert.pem) will be saved at:
/root/.cloudflared/cert.pem
Create a new tunnel:
cloudflared tunnel create home-tunnel
Replace home-tunnel with your desired tunnel name.
Save credentials:
The tunnel ID will be displayed, and a credentials file will be saved at:
/home/josh/.cloudflared/<TUNNEL_ID>.json
Ensure you note the tunnel ID for future configuration.
Create/Edit the Tunnel Configuration File:
sudo nano /root/.cloudflared/config.yml
Add the following configuration:
tunnel: <TUNNEL_ID>
credentials-file: /home/josh/.cloudflared/<TUNNEL_ID>.json
ingress:
- hostname: <SUBDOMAIN>.<DOMAIN>
service: http://<LOCAL_IP>:<PORT>
- service: http_status:404
Replace:
<TUNNEL_ID>: The tunnel ID from Step 3.<SUBDOMAIN>.<DOMAIN>: The subdomain you want to expose (e.g., plex.kitpro.us).<LOCAL_IP>:<PORT>: The internal service's IP and port (e.g., 10.10.0.55:32400).Save and exit the file.
Run the tunnel:
cloudflared tunnel run home-tunnel
Optional: Run the tunnel as a service:
cloudflared service install
sudo systemctl enable --now cloudflared
This ensures the tunnel starts automatically on system boot.
<SUBDOMAIN> (e.g., plex for plex.kitpro.us).<TUNNEL_ID>.cfargotunnel.com.Your service is now securely accessible via the subdomain you configured. Cloudflare handles the tunneling, ensuring your internal network remains protected without exposing any ports.
cert.pem file and renew it if needed.