
Cloudflare Tunnel — Secure Origin Connectivity

DodaTech

Cloudflare Tunnel creates a secure, encrypted tunnel from your origin server to the Cloudflare edge, allowing you to serve traffic without opening inbound ports or exposing a public IP address.

What You Will Learn

You will learn how to install and configure cloudflared, deploy tunnels for web applications and SSH access, and integrate tunnels with Cloudflare Access for Zero Trust authentication.

Why It Matters

Every public IP address is a potential attack vector. Cloudflare Tunnel eliminates the need for public IPs on your origin servers, removing the inbound network attack surface from the origin entirely while simplifying firewall rules and network configuration.

Real-World Use Case

A SaaS company hosted their application on a bare-metal server behind NAT. Previously they needed a static public IP and complex firewall rules. After deploying Cloudflare Tunnel, they removed all inbound firewall rules, eliminated their public IP, and added Access policies for authentication — all with zero changes to their application code.

How Cloudflare Tunnel Works

Cloudflare Tunnel uses the cloudflared daemon to create multiple encrypted connections to Cloudflare's edge network. Traffic is routed through these connections without any inbound ports on the origin.

flowchart LR
  A[User] -->|Request| B[Cloudflare Edge]
  B -->|Encrypted Tunnel| C[cloudflared]
  C -->|Local Traffic| D[Origin Server]
  E[Internet] -.->|No Inbound Ports| D
  D -.->|Outbound Only| B

Installing cloudflared

Download and install the cloudflared client on your origin server.

# Download cloudflared for Linux (amd64)
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared

# Verify installation
cloudflared --version

Expected output:

cloudflared version 2025.10.0 (built 2025-10-15)

Creating a Tunnel

Authenticate cloudflared and create a named tunnel for your application.

# Authenticate with Cloudflare
cloudflared tunnel login

# Create a new tunnel named "my-app"
cloudflared tunnel create my-app

Expected output:

Tunnel credentials written to /home/user/.cloudflared/my-app.json.

Configuring and Running the Tunnel

Create a configuration file that maps your tunnel to a local service.

# Create config.yml for the tunnel
cat > ~/.cloudflared/my-app.yml << 'EOF'
tunnel: my-app
credentials-file: /home/user/.cloudflared/my-app.json

ingress:
  - hostname: app.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF

# Start the tunnel, pointing cloudflared at the config written above
# (without --config it only looks for ~/.cloudflared/config.yml and would ignore my-app.yml)
cloudflared tunnel --config ~/.cloudflared/my-app.yml run my-app

Expected output:

2025-06-23T10:00:00Z INF Starting tunnel tunnelID=abc-123
2025-06-23T10:00:01Z INF Connection established connIndex=0
2025-06-23T10:00:01Z INF Connection established connIndex=1
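The ingress list is where most tunnel problems start: cloudflared matches rules top to bottom and refuses to start unless the final rule is a hostname-less catch-all. The script below is an added example, not code from the article or from Cloudflare: it generates the kind of config the Real-World Task later asks for (three subdomains on one server, each to its own local port, with a 404 catch-all) and lints the catch-all condition in plain awk so the check runs even where cloudflared is not installed. The hostnames, ports, tunnel name and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): generate a multi-hostname
# ingress config and lint it before handing it to cloudflared.
# All hostnames, ports and paths below are constructed placeholders.
set -eu

# write_tunnel_config FILE TUNNEL_NAME CREDENTIALS_FILE
# Writes a config with three hostname rules and a final catch-all rule.
write_tunnel_config() {
  file=$1; tunnel=$2; creds=$3
  cat > "$file" <<EOF
tunnel: $tunnel
credentials-file: $creds

ingress:
  - hostname: wiki.example.com
    service: http://localhost:3000
  - hostname: grafana.example.com
    service: http://localhost:3001
  - hostname: git.example.com
    service: http://localhost:3002
  # Catch-all: cloudflared will not start without a final rule that has no hostname.
  - service: http_status:404
EOF
}

# lint_ingress FILE -> exit 0 if the last ingress rule carries no hostname
# (the catch-all cloudflared requires), exit 1 otherwise.
# This mirrors the condition cloudflared enforces; it is not a full YAML parser.
lint_ingress() {
  awk '
    /^ingress:/ { in_ingress = 1; next }
    in_ingress && /^  - / {
      # a new rule starts here; note whether the first line names a hostname
      rule++
      has_host[rule] = ($0 ~ /hostname:/) ? 1 : 0
      next
    }
    in_ingress && rule && /^    hostname:/ { has_host[rule] = 1 }
    END { exit (rule > 0 && has_host[rule] == 0) ? 0 : 1 }
  ' "$1"
}

# validate_with_cloudflared FILE: run the real validator when cloudflared is present.
validate_with_cloudflared() {
  command -v cloudflared >/dev/null 2>&1 || { echo "cloudflared not installed; skipping" >&2; return 0; }
  cloudflared tunnel --config "$1" ingress validate
}

# Demo: write the config into a scratch directory and lint it.
demo_dir=$(mktemp -d)
write_tunnel_config "$demo_dir/my-app.yml" my-app /home/user/.cloudflared/my-app.json
if lint_ingress "$demo_dir/my-app.yml"; then
  echo "ingress OK: final rule is a catch-all"
else
  echo "ingress BROKEN: add a trailing '- service: http_status:404' rule" >&2
fi
```

On a host that has cloudflared installed, `validate_with_cloudflared ~/.cloudflared/my-app.yml` runs the authoritative check, and `cloudflared tunnel --config ~/.cloudflared/my-app.yml ingress rule https://git.example.com` prints which rule a given URL would hit, which is the quickest way to confirm that each subdomain lands on the intended local port before routing DNS.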

Routing DNS to the Tunnel

Point your DNS record to the tunnel using cloudflared or the API.

# Route a DNS record through the tunnel
cloudflared tunnel route dns my-app app.example.com

Expected output:

Created CNAME record app.example.com -> abc-123.cfargotunnel.com

Common Mistakes

Mistake                                          | Consequence
-------------------------------------------------|--------------------------------------------------
Forgetting to add ingress rules                  | Tunnel connects but traffic is not routed
Using an expired credentials file                | Tunnel fails to authenticate with Cloudflare
Running cloudflared without a process manager    | Tunnel stops after SSH session ends
Not configuring load balancer health checks      | Unhealthy origins still receive traffic
Exposing the tunnel credentials file             | Anyone with the file can impersonate your origin
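Two of the mistakes above (no process manager, exposed credentials file) share one fix: run cloudflared as a system service and treat the credentials JSON like a private key. The script below is an added example, not code from the article or from Cloudflare. It renders a hardened systemd unit and refuses to install it while the credentials file is readable by anyone other than its owner. The paths, the service user name and the sample credentials content are constructed placeholders; Cloudflare's own `cloudflared service install` command produces a unit for you, and this example exists to show what a permission gate around it looks like.

```shell
#!/bin/sh
# Added example (not from the original article): install cloudflared as a
# systemd service only after confirming the credentials file is private.
# Paths, user name and credential contents here are constructed placeholders.
set -eu

# check_credentials_perms FILE -> 0 if FILE exists and is mode 0600 or 0400,
# 1 otherwise. Anyone who can read this file can impersonate your origin.
check_credentials_perms() {
  [ -f "$1" ] || return 1
  # GNU stat first, BSD stat as a fallback
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# render_unit CONFIG_PATH SERVICE_USER -> prints a systemd unit to stdout
render_unit() {
  cat <<EOF
[Unit]
Description=Cloudflare Tunnel (cloudflared)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$2
# Assumes cloudflared was installed to /usr/local/bin as in the install step.
ExecStart=/usr/local/bin/cloudflared --no-autoupdate tunnel --config $1 run
# Restart on crash and keep restarting after reboot via the [Install] section.
Restart=on-failure
RestartSec=5s
# The daemon only needs outbound network access; drop everything else.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# install_service CONFIG CREDS SERVICE_USER UNIT_PATH
# Writes the unit only when the credentials file passes the permission check;
# returns 1 and writes nothing otherwise.
install_service() {
  check_credentials_perms "$2" || { echo "refusing: $2 must be mode 0600 and owned by $3" >&2; return 1; }
  render_unit "$1" "$3" > "$4"
}

# Demo in a scratch directory (a real deployment would write to
# /etc/cloudflared/ and /etc/systemd/system/cloudflared.service).
demo_dir=$(mktemp -d)
printf '{"AccountTag":"placeholder","TunnelSecret":"placeholder"}\n' > "$demo_dir/my-app.json"
chmod 600 "$demo_dir/my-app.json"
install_service "$demo_dir/config.yml" "$demo_dir/my-app.json" cloudflared "$demo_dir/cloudflared.service"
echo "unit written to $demo_dir/cloudflared.service"
```

After copying the unit into place, `systemctl daemon-reload && systemctl enable --now cloudflared` starts it and keeps it running across reboots, which is the reboot survival the Challenge section asks you to verify; `systemctl status cloudflared` should then show the same "Connection established" lines as the foreground run.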

Practice Questions

  1. How does Cloudflare Tunnel eliminate the need for public IP addresses on origin servers?
  2. What is the purpose of the ingress rules in the cloudflared configuration file?
  3. Why should cloudflared be run as a system service rather than a foreground process?

Challenge

Deploy Cloudflare Tunnel for a web application running on port 3000. Configure it as a systemd service that restarts automatically. Add a second ingress rule to serve a maintenance page when the application is down. Verify the tunnel survives a server reboot.

Real-World Task

Your organisation runs a suite of internal tools on a single server behind NAT. Deploy Cloudflare Tunnel to expose three different web applications on the same server, each on a different subdomain. Configure each subdomain to route to a different local port. Add Cloudflare Access policies to restrict each application to the appropriate team.

FAQ

Does Cloudflare Tunnel work behind a corporate firewall?

Yes. cloudflared creates outbound connections to Cloudflare's edge on TCP port 7844 (or 443 as a fallback). As long as your server can make HTTPS outbound connections, the tunnel works. No inbound ports are required, making it compatible with strict corporate firewall rules.

What happens if the tunnel connection drops?

cloudflared maintains multiple redundant connections to Cloudflare's edge. If one connection drops, traffic is immediately routed through another. If all connections drop, cloudflared automatically reconnects. During the reconnection window, Cloudflare returns a 502 error or a maintenance page if configured.

Can I run multiple tunnels on the same server?

Yes. You can create multiple named tunnels on a single server, each routing to different local services. Each tunnel uses its own credentials file and configuration. This is useful when you want separate tunnels for management and application traffic or for different environments.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
