Cloudflare Tunnel — Secure Origin Connectivity
Cloudflare Tunnel creates a secure, encrypted tunnel from your origin server to the Cloudflare edge, allowing you to serve traffic without opening inbound ports or exposing a public IP address.
What You Will Learn
You will learn how to install and configure cloudflared, deploy tunnels for web applications and SSH access, and integrate tunnels with Cloudflare Access for Zero Trust authentication.
Why It Matters
Every public IP address is a potential attack vector. Cloudflare Tunnel eliminates the need for public IPs on your origin servers, removing the origin's inbound network attack surface while simplifying firewall rules and network configuration.
Real-World Use Case
A SaaS company hosted their application on a bare-metal server behind NAT. Previously they needed a static public IP and complex firewall rules. After deploying Cloudflare Tunnel, they removed all inbound firewall rules, eliminated their public IP, and added Access policies for authentication — all with zero changes to their application code.
How Cloudflare Tunnel Works
Cloudflare Tunnel uses the cloudflared daemon to create multiple encrypted connections to Cloudflare's edge network. Traffic is routed through these connections without any inbound ports on the origin.
```mermaid
flowchart LR
    A[User] -->|Request| B[Cloudflare Edge]
    B -->|Encrypted Tunnel| C[cloudflared]
    C -->|Local Traffic| D[Origin Server]
    E[Internet] -.->|No Inbound Ports| D
    D -.->|Outbound Only| B
```
Installing cloudflared
Download and install the cloudflared client on your origin server.
```sh
# Download cloudflared for Linux (amd64)
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared
# Verify installation
cloudflared --version
```
Expected output:
```
cloudflared version 2025.10.0 (built 2025-10-15)
```
Creating a Tunnel
Authenticate cloudflared and create a named tunnel for your application.
```sh
# Authenticate with Cloudflare
cloudflared tunnel login
# Create a new tunnel named "my-app"
cloudflared tunnel create my-app
```
Expected output:
```
Tunnel credentials written to /home/user/.cloudflared/my-app.json.
```
Configuring and Running the Tunnel
Create a configuration file that maps your tunnel to a local service.
```sh
# Create the tunnel configuration file
cat > ~/.cloudflared/my-app.yml << 'EOF'
tunnel: my-app
credentials-file: /home/user/.cloudflared/my-app.json
ingress:
  - hostname: app.example.com
    service: http://localhost:8080
  # Catch-all rule: must be last; handles any hostname not matched above
  - service: http_status:404
EOF
# Start the tunnel, pointing cloudflared at the config file written above
# (without --config it looks for ~/.cloudflared/config.yml)
cloudflared tunnel --config ~/.cloudflared/my-app.yml run my-app
```
Expected output:
```
2025-06-23T10:00:00Z INF Starting tunnel tunnelID=abc-123
2025-06-23T10:00:01Z INF Connection established connIndex=0
2025-06-23T10:00:01Z INF Connection established connIndex=1
```
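The script below is an added example, not code from the original page or from Cloudflare's cloudflared project. It builds on the single-hostname configuration above and shows the checks a practitioner would add before running a tunnel for several applications on one host: one ingress rule per hostname with the catch-all rule last, the credentials file and config readable only by their owner, and (when cloudflared is installed) the built-in `cloudflared tunnel ingress validate` and `ingress rule` checks. The hostnames `wiki.example.com`, `grafana.example.com` and `admin.example.com`, the local ports 3000, 8080 and 9090, and the placeholder credentials file are constructed for this example.

```sh
#!/bin/sh
# Added example: generate and sanity-check a multi-hostname cloudflared config.
# Assumes a tunnel named "my-app" and a credentials file path passed in by the
# caller (constructed values; substitute your own).

# write_tunnel_config DIR CREDS_FILE
# Writes DIR/config.yml with one rule per hostname and the 404 catch-all last.
write_tunnel_config() {
  dir="$1"; creds="$2"
  mkdir -p "$dir"
  cat > "$dir/config.yml" <<EOF
tunnel: my-app
credentials-file: $creds
ingress:
  - hostname: wiki.example.com
    service: http://localhost:3000
  - hostname: grafana.example.com
    service: http://localhost:8080
  - hostname: admin.example.com
    service: http://localhost:9090
  # Catch-all must be last: anything not matched above gets a 404 at the edge.
  - service: http_status:404
EOF
  # The config reveals where the credentials live; keep it owner-only too.
  chmod 600 "$dir/config.yml"
}

# credentials_private FILE -> exit 0 only if group and other have no permissions.
# Anyone who can read this file can run a tunnel that impersonates your origin.
credentials_private() {
  bits=$(ls -ld "$1" | cut -c5-10)   # group (5-7) and other (8-10) permission bits
  [ "$bits" = "------" ]
}

# count_ingress_rules CONFIG -> number of "- " list items under ingress
count_ingress_rules() {
  grep -c '^[[:space:]]*- ' "$1"
}

# last_rule_is_catch_all CONFIG -> exit 0 if the final rule carries no hostname.
# Simplification: assumes each rule starts with its first key on the "- " line.
last_rule_is_catch_all() {
  last=$(grep '^[[:space:]]*- ' "$1" | tail -n 1)
  case "$last" in
    *hostname:*) return 1 ;;
    *service:*)  return 0 ;;
    *)           return 1 ;;
  esac
}

# Demo run: everything happens in a temporary directory and is removed after.
demo() {
  work=$(mktemp -d)
  creds="$work/my-app.json"
  printf '{"AccountTag":"placeholder","TunnelSecret":"placeholder"}\n' > "$creds"  # constructed stand-in
  chmod 600 "$creds"
  write_tunnel_config "$work" "$creds"

  credentials_private "$creds" && echo "ok: credentials file is owner-only" \
    || echo "WARN: credentials file readable by others"
  last_rule_is_catch_all "$work/config.yml" && echo "ok: catch-all rule is last" \
    || echo "WARN: last ingress rule has a hostname; add a catch-all"
  echo "ingress rules: $(count_ingress_rules "$work/config.yml")"

  # Only if cloudflared is present: let it parse the rules and show which rule
  # a given request would hit. Neither command contacts Cloudflare.
  if command -v cloudflared >/dev/null 2>&1; then
    cloudflared tunnel --config "$work/config.yml" ingress validate
    cloudflared tunnel --config "$work/config.yml" ingress rule https://grafana.example.com/
  fi
  rm -rf "$work"
}

demo
```

To run the tunnel unattended rather than in a foreground shell, copy the generated config to the location your service manager expects (on Linux, `cloudflared service install` installs a systemd unit that reads `/etc/cloudflared/config.yml`) so it is restarted automatically and survives a reboot.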
Routing DNS to the Tunnel
Point your DNS record to the tunnel using cloudflared or the API.
```sh
# Route a DNS record through the tunnel
cloudflared tunnel route dns my-app app.example.com
```
Expected output:
```
Created CNAME record app.example.com -> abc-123.cfargotunnel.com
```
Common Mistakes
| Mistake | Consequence |
|---|---|
| Forgetting to add ingress rules | Tunnel connects but traffic is not routed |
| Using an expired credentials file | Tunnel fails to authenticate with Cloudflare |
| Running cloudflared without a process manager | Tunnel stops after the SSH session ends |
| Not configuring load balancer health checks | Unhealthy origins still receive traffic |
| Exposing the tunnel credentials file | Anyone with the file can impersonate your origin |
Practice Questions
- How does Cloudflare Tunnel eliminate the need for public IP addresses on origin servers?
- What is the purpose of the ingress rules in the cloudflared configuration file?
- Why should cloudflared be run as a system service rather than a foreground process?
Challenge
Deploy Cloudflare Tunnel for a web application running on port 3000. Configure it as a systemd service that restarts automatically. Add a second ingress rule to serve a maintenance page when the application is down. Verify the tunnel survives a server reboot.
Real-World Task
Your organisation runs a suite of internal tools on a single server behind NAT. Deploy Cloudflare Tunnel to expose three different web applications on the same server, each on a different subdomain. Configure each subdomain to route to a different local port. Add Cloudflare Access policies to restrict each application to the appropriate team.