Cloudflare Tunnel - DeveloPassion

# Cloudflare Tunnel [[Cloudflare]] Tunnel is a reverse-proxy daemon (`cloudflared`) that establishes outbound-only persistent connections from any host to Cloudflare's edge, then routes incoming HTTPS, SSH, RDP, or arbitrary TCP traffic to local services through that tunnel. The origin server never opens an inbound port, never exposes a public IP, and never needs a static DNS record. It is the modern alternative to ngrok, port forwarding, or VPNs for "I want this service reachable from the Internet, but I don't want a public IP." ## Why It Matters Self-hosting anything (homelab services, internal dashboards, dev preview environments) used to mean dealing with NAT, dynamic DNS, firewall rules, and the risk of exposing your home network. Tunnel sidesteps all of it: install `cloudflared`, authenticate, point it at `localhost:3000`, get a public HTTPS URL on your domain — with Cloudflare's DDoS protection, [[Cloudflare WAF]], and optional [[Cloudflare Access and Zero Trust]] policy gating in front. ## Common Use Cases - **Self-hosted services** behind a residential connection (Plex, Home Assistant, dev boxes) - **Internal dashboards** exposed to a team via Zero Trust policy - **SSH/RDP** to internal hosts without VPN, via Cloudflare's identity-aware proxy - **Replacing ngrok** for dev preview URLs that don't rotate - **Hybrid deployments** — bridging an on-prem service into a Cloudflare-fronted app ## Architecture Shape - `cloudflared` opens 4 outbound HTTP/2 connections to nearby Cloudflare POPs - Incoming requests are routed through any of those connections - Origin can be `localhost:port`, a Unix socket, or any reachable URL on the host - Tunnels are identified by a UUID and attached to one or more public hostnames ## References - Tunnel home: https://www.cloudflare.com/products/tunnel/ - Documentation: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/ - `cloudflared` GitHub: https://github.com/cloudflare/cloudflared ## Related - [[Cloudflare]] - [[Cloudflare Access and Zero Trust]] - [[Cloudflare WAF]] - [[WireGuard]] - [[Tailscale]]