Deploy Cloudflared on Ubuntu to expose your self-hosted services publicly through Cloudflare Tunnel — no open firewall ports, no static IP, HTTPS included automatically.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/cloudflared/cloudflared-ubuntu.sh
chmod +x cloudflared-ubuntu.sh
sudo bash cloudflared-ubuntu.sh
```
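The script installs Docker if needed, then deploys cloudflared and prompts you to authenticate with your Cloudflare account to link the tunnel. It runs as root and is fetched from the repository's `main` branch, so its contents can change between runs; read it before executing.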
In the Cloudflare Zero Trust dashboard, create a tunnel and add public hostname entries that map subdomains to your local services.
Your services are now reachable at your configured subdomains with no open inbound ports — Cloudflare handles TLS termination automatically.
| Port | Purpose |
|---|---|
| No inbound ports required | Outbound tunnel only — cloudflared initiates the connection |
Cloudflared is the official Cloudflare Tunnel client that creates an encrypted outbound connection from your server to Cloudflare's edge. Traffic arriving at your configured domain is routed through Cloudflare's network to your local service — with no inbound firewall ports open, no static IP needed, and automatic HTTPS. It's the simplest way to safely expose self-hosted services to the internet.
Cloudflared removes the most dangerous part of self-hosting: open firewall ports. By establishing an outbound tunnel, your server never accepts unsolicited inbound connections — all traffic is brokered by Cloudflare, which also provides DDoS protection, WAF, and automatic TLS. For most home self-hosters, it's the easiest and safest way to get a public HTTPS endpoint.
Cloudflared requires no inbound open ports — it establishes outbound connections to Cloudflare on ports 443 and 7844 (QUIC). Your firewall does not need any inbound rules modified. All external traffic enters through Cloudflare's edge, not your server's IP.
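The "no inbound ports" property only holds if the tunneled services themselves are not listening on a public interface. The check below is an added example, not part of the original page or the linked script: it reads `ss -Htln` output and reports listeners bound to anything other than loopback. The function names and the sample listing are constructed for illustration.

```bash
# Added example: list TCP listeners that are reachable from outside the host.
# Input is `ss -Htln` output (no header, TCP, listening, numeric addresses).

# Print "port address" for every listener that is not bound to loopback.
exposed_listeners() {
  awk '$1 == "LISTEN" {
    addr = $4                                   # local address:port column
    port = addr; sub(/.*:/, "", port)           # text after the last colon
    host = addr; sub(/:[^:]*$/, "", host)       # text before the last colon
    gsub(/\[|\]/, "", host)                     # [::1] -> ::1
    sub(/%.*/, "", host)                        # 127.0.0.53%lo -> 127.0.0.53
    if (host ~ /^127\./ || host == "::1") next  # loopback only, not exposed
    print port, addr
  }'
}

# Succeed only if none of the given ports has a non-loopback listener.
ports_are_private() {
  exposed=$(exposed_listeners)
  rc=0
  for port in "$@"; do
    if printf '%s\n' "$exposed" | grep -q "^${port} "; then
      echo "port ${port} is reachable without the tunnel" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8096 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:9000 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# On a live host: ss -Htln | ports_are_private 8096 3000
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

A container published with `-p 8096:8096` listens on 0.0.0.0 and will be flagged; publishing it as `-p 127.0.0.1:8096:8096` binds it to loopback instead.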
Alternatives include FRP (self-hosted, supports UDP, no Cloudflare dependency), Tailscale Funnel (VPN-based, simpler), ngrok (cloud, generous free tier, rate-limited), and Bore (open-source, simpler). Cloudflared is the easiest option if you're already on Cloudflare; FRP is better if you want zero third-party dependency.
Don't use Cloudflare Tunnel for services with strict data sovereignty requirements — all traffic passes through Cloudflare's network. Don't use it for UDP-based services (game servers, WireGuard) — it only supports HTTP/TCP. And don't use it for bandwidth-intensive streaming services — the free plan prohibits using the CDN for video streaming.
No. Cloudflare Tunnel is available on the free plan with no bandwidth limits (within reasonable use for non-video content). Cloudflare Zero Trust Access is also free for up to 50 users. You only need a domain managed on Cloudflare (which can be a free Cloudflare-registered domain).
Yes. Since cloudflared only makes outbound connections, it works regardless of NAT type — CGNAT, double-NAT, or anything else. As long as the server can reach the internet outbound on port 443, the tunnel will work.
No. Cloudflare terminates TLS at its edge, so Cloudflare can see the contents of HTTP requests. For privacy-sensitive services, either use end-to-end encryption (encrypt at origin too) or use a self-hosted tunnel like FRP. Cloudflare's privacy policy applies to all traffic through their network.
No. Cloudflare Tunnel only supports HTTP and TCP traffic. For UDP-based services like game servers, WireGuard VPN, or DNS, use FRP instead, which supports UDP tunneling natively.
Cloudflare Access is an identity layer you can add in front of tunneled services. Users must authenticate (email OTP, Google, GitHub SSO) before reaching your service. It's free for up to 50 users and is the best way to secure sensitive services (Portainer, admin panels) exposed through the tunnel.
Unlimited. A single cloudflared tunnel can have many public hostname rules, each mapping a different subdomain to a different local service. For example: `jellyfin.yourdomain.com → localhost:8096` and `grafana.yourdomain.com → localhost:3000` through the same tunnel.
Yes. Cloudflared supports ARM and ARM64 architectures, so it runs on Raspberry Pi 3, 4, and 5 without issues. The Docker image is multi-architecture. Resource usage is minimal — under 50 MB RAM for a typical tunnel.
Run `docker compose pull && docker compose up -d`. Cloudflare regularly releases new versions with security patches and tunnel protocol improvements. Keep cloudflared updated — outdated versions may eventually lose connectivity as Cloudflare deprecates older protocol versions.