
☁️ Setup Cloudflared — Cloudflare Tunnel for Self-Hosted Services

Deploy Cloudflared on Ubuntu to expose your self-hosted services publicly through Cloudflare Tunnel — no open firewall ports, no static IP, HTTPS included automatically.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.
⚠️ Cloudflare Account Required: Cloudflared requires a free Cloudflare account and a domain managed by Cloudflare. All traffic routes through Cloudflare's network — do not use for services requiring end-to-end privacy.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install script — one command deploys cloudflared and connects it to your Cloudflare account.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/cloudflared/cloudflared-ubuntu.sh
chmod +x cloudflared-ubuntu.sh
sudo bash cloudflared-ubuntu.sh

Tutorial Steps

1. Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/cloudflared/cloudflared-ubuntu.sh

2. Make it Executable

chmod +x cloudflared-ubuntu.sh

3. Run the Installer

The script installs Docker if needed, then deploys cloudflared and prompts you to authenticate with your Cloudflare account to link the tunnel.

sudo bash cloudflared-ubuntu.sh

4. Create a Tunnel in Cloudflare Dashboard

In the Cloudflare Zero Trust dashboard, create a tunnel and add public hostname entries that map subdomains to your local services.

5. Verify Public Access

Your services are now reachable at your configured subdomains with no open inbound ports — Cloudflare handles TLS termination automatically.
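
Steps 1 to 3 run a downloaded script as root, fetched from a branch (`main`) that can change between your review and your run. The following is an added example, not part of the page's installer: it runs the script only if it matches a SHA-256 you recorded after reading it. The names `verify_script`, `sha256_of` and `review_hints` are chosen here.

```sh
#!/bin/sh
# Added example, not part of the installer. The URL tracks the mutable `main`
# branch, so the checksum you recorded after reading the script is the pin.
SCRIPT_URL="https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/cloudflared/cloudflared-ubuntu.sh"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED: 0 = match, 1 = mismatch, 2 = unusable input.
verify_script() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    # A SHA-256 digest is 64 hex characters; reject placeholders and typos.
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 2
    [ "$(sha256_of "$file")" = "$expected" ]
)

# review_hints FILE: print numbered lines worth reading before running as root
# (further downloads, piping into a shell, Docker privilege, tunnel tokens).
review_hints() {
    grep -nE 'curl|wget|\|[[:space:]]*(ba)?sh|--privileged|docker\.sock|TUNNEL_TOKEN' "$1" || true
}

# Usage: sh verify-installer.sh <sha256 recorded after your review>
if [ "$#" -eq 1 ]; then
    wget -q -O cloudflared-ubuntu.sh "$SCRIPT_URL" || exit 1
    review_hints cloudflared-ubuntu.sh
    if verify_script cloudflared-ubuntu.sh "$1"; then
        sudo bash cloudflared-ubuntu.sh
    else
        echo "checksum mismatch or invalid digest: not running" >&2
        exit 1
    fi
fi
```

Run without arguments it does nothing; the digest you pass is the one you computed with `sha256sum` on the copy you actually read.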

Ports Used

| Port | Purpose |
| --- | --- |
| No inbound ports required | Outbound tunnel only — cloudflared initiates the connection |

Overview

Cloudflared is the official Cloudflare Tunnel client that creates an encrypted outbound connection from your server to Cloudflare's edge. Traffic arriving at your configured domain is routed through Cloudflare's network to your local service — with no inbound firewall ports open, no static IP needed, and automatic HTTPS. It's the simplest way to safely expose self-hosted services to the internet.

Why Use It

Cloudflared removes the most dangerous part of self-hosting: open firewall ports. By establishing an outbound tunnel, your server never accepts unsolicited inbound connections — all traffic is brokered by Cloudflare, which also provides DDoS protection, WAF, and automatic TLS. For most home self-hosters, it's the easiest and safest way to get a public HTTPS endpoint.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

Cloudflared requires no inbound open ports — it establishes outbound connections to Cloudflare on ports 443 and 7844 (QUIC). Your firewall does not need any inbound rules modified. All external traffic enters through Cloudflare's edge, not your server's IP.
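
The no-inbound-ports property holds only if the services behind the tunnel are not themselves listening on a public interface; Docker-published ports bind to all interfaces by default. The following is an added example, not from the original page: it filters `ss -H -ltn` output for non-loopback TCP listeners, run here on a constructed sample that uses ports 8096 and 3000 from this page's FAQ. The names `public_listeners` and `sample_ss` are chosen here.

```sh
#!/bin/sh
# Added example: list TCP listeners reachable from outside the host.
# Input is `ss -H -ltn` output; column 4 is "Local Address:Port".

# public_listeners [ALLOWED_PORTS]: print non-loopback listeners, skipping
# ports in the space-separated allowlist (e.g. "22" for SSH exposed on purpose).
public_listeners() {
    awk -v allow=" ${1:-} " '
    {
        addr = $4
        port = addr; sub(/^.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)       # text before the last colon
        sub(/%.*$/, "", host)                       # 127.0.0.53%lo -> 127.0.0.53
        gsub(/^\[|\]$/, "", host)                   # [::1] -> ::1
        if (host ~ /^127\./ || host == "::1") next  # loopback only: not exposed
        if (index(allow, " " port " ") > 0) next    # explicitly allowed port
        print addr
    }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host):
# one service bound to loopback on 8096, one bound to all interfaces on 3000.
sample_ss() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8096 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
EOF
}

# On a real host: ss -H -ltn | public_listeners "22"
sample_ss | public_listeners "22"
```

Any line it prints is a listener reachable without passing through the tunnel; rebinding that service to `127.0.0.1` leaves the tunnel as the only path in.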

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

FRP (self-hosted, supports UDP, no Cloudflare dependency), Tailscale Funnel (VPN-based, simpler), ngrok (cloud, generous free tier, rate-limited), Bore (open-source, simpler). Cloudflared is the easiest option if you're already on Cloudflare — FRP is better if you want zero third-party dependency.

When Not to Use It

Don't use Cloudflare Tunnel for services with strict data sovereignty requirements — all traffic passes through Cloudflare's network. Don't use it for UDP-based services (game servers, WireGuard) — it only supports HTTP/TCP. And don't use it for bandwidth-intensive streaming services — the free plan prohibits using the CDN for video streaming.


Frequently Asked Questions

Do I need a paid Cloudflare plan to use tunnels?

No. Cloudflare Tunnel is available on the free plan with no bandwidth limits (within reasonable use for non-video content). Cloudflare Zero Trust Access is also free for up to 50 users. You only need a domain managed on Cloudflare (which can be a free Cloudflare-registered domain).

Does Cloudflare Tunnel work behind CGNAT?

Yes. Since cloudflared only makes outbound connections, it works regardless of NAT type — CGNAT, double-NAT, or anything else. As long as the server can reach the internet outbound on port 443, the tunnel will work.

Is my traffic private from Cloudflare?

No. Cloudflare terminates TLS at its edge, so Cloudflare can see the contents of HTTP requests. For privacy-sensitive services, either use end-to-end encryption (encrypt at origin too) or use a self-hosted tunnel like FRP. Cloudflare's privacy policy applies to all traffic through their network.

Can I use Cloudflare Tunnel for a game server (UDP)?

No. Cloudflare Tunnel only supports HTTP and TCP traffic. For UDP-based services like game servers, WireGuard VPN, or DNS, use FRP instead, which supports UDP tunneling natively.

What is Cloudflare Zero Trust Access and should I use it?

Cloudflare Access is an identity layer you can add in front of tunneled services. Users must authenticate (email OTP, Google, GitHub SSO) before reaching your service. It's free for up to 50 users and is the best way to secure sensitive services (Portainer, admin panels) exposed through the tunnel.

How many services can I expose through one tunnel?

Unlimited. A single cloudflared tunnel can have many public hostname rules, each mapping a different subdomain to a different local service. For example: `jellyfin.yourdomain.com → localhost:8096` and `grafana.yourdomain.com → localhost:3000` through the same tunnel.

Can I run cloudflared on a Raspberry Pi?

Yes. Cloudflared supports ARM and ARM64 architectures, so it runs on Raspberry Pi 3, 4, and 5 without issues. The Docker image is multi-architecture. Resource usage is minimal — under 50 MB RAM for a typical tunnel.

How do I update cloudflared?

Run `docker compose pull && docker compose up -d`. Cloudflare regularly releases new versions with security patches and tunnel protocol improvements. Keep cloudflared updated — outdated versions may eventually lose connectivity as Cloudflare deprecates older protocol versions.