
Secure Remote Access with Cloudflare Tunnels
Cloudflare Tunnels provide a secure way to expose your locally hosted applications and services to the internet without opening ports on your firewall or requiring a static IP address. This guide will show you how to set up Cloudflare Tunnels to securely access your home lab services from anywhere.
Why Use Cloudflare Tunnels?
- Security: No need to open ports on your firewall
- Simplicity: Works behind CGNAT, dynamic IPs, and complex network setups
- Performance: Traffic routed through Cloudflare’s global network
- Zero Trust: Integrate with Cloudflare Access for authentication
Prerequisites
- A Cloudflare account
- A domain managed by Cloudflare
- Docker installed (for containerized deployment)
- Services you want to expose (e.g., web apps, SSH, etc.)
Setting Up Cloudflare Tunnels
1. Install cloudflared
You can install cloudflared using Docker:
docker pull cloudflare/cloudflared:latest
Or directly on your system:
# For Debian/Ubuntu
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
# For other systems, visit: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation
2. Authenticate cloudflared
Run the following command to authenticate:
cloudflared tunnel login
This will open a browser window where you’ll need to log in to your Cloudflare account and select the domain you want to use with the tunnel.
3. Create a Tunnel
Create a new tunnel with a meaningful name:
cloudflared tunnel create homelab
This will generate a tunnel ID and credentials file at ~/.cloudflared/.
4. Configure your Tunnel
Create a config file at ~/.cloudflared/config.yml:
tunnel: <TUNNEL_ID>
# Credentials file created in step 3 (this path assumes cloudflared runs as root)
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json
ingress:
  # Dashboard application
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
  # Grafana service
  - hostname: grafana.yourdomain.com
    service: http://localhost:3000
  # SSH service
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  # Catch-all rule, which responds with 404 (must be the last rule)
  - service: http_status:404
5. Route Traffic to Your Tunnel
Configure DNS records to route traffic to your tunnel:
cloudflared tunnel route dns homelab dashboard.yourdomain.com
cloudflared tunnel route dns homelab grafana.yourdomain.com
cloudflared tunnel route dns homelab ssh.yourdomain.com
6. Start the Tunnel
Run the tunnel:
cloudflared tunnel run homelab
For production deployments, you’ll want to set up cloudflared as a service:
# For systemd-based systems
sudo cloudflared service install
sudo systemctl start cloudflared
Docker Compose Example
For a containerized deployment, create a docker-compose.yml file:
version: '3.8'
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # Placeholder: treat the real token as a secret and keep it out of version control
      - TUNNEL_TOKEN=your_tunnel_token
    volumes:
      - ~/.cloudflared:/etc/cloudflared
Security Considerations
- Store your credentials file safely; it provides full access to your tunnel
- Consider using Cloudflare Access for additional authentication
- Regularly rotate credentials and update cloudflared
Advanced Configuration
Zero Trust Access
You can integrate Cloudflare Tunnels with Cloudflare Access to require authentication:
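ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      # noTLSVerify turns off certificate verification for the connection to
      # the origin. It only matters for https:// origins and does not by
      # itself require authentication.
      noTLSVerify: true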
Then, create an Access application in the Cloudflare Zero Trust dashboard to protect this hostname.
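As an added example (not part of the original guide), the rule above is shown next to a variant in which cloudflared itself refuses requests that lack a valid Access token, using cloudflared's `originRequest.access` settings. `<TEAM_NAME>` and `<ACCESS_APP_AUD_TAG>` are placeholders for your Zero Trust team name and the Access application's audience tag.

```yaml
# Constructed example; hostnames follow the guide, <...> values are placeholders.
tunnel: <TUNNEL_ID>
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json

ingress:
  # As given in the guide: the origin is plain HTTP, so noTLSVerify has no
  # effect, and nothing in this rule requires authentication. Protection
  # depends entirely on an Access application existing for this hostname.
  # - hostname: dashboard.yourdomain.com
  #   service: http://localhost:8080
  #   originRequest:
  #     noTLSVerify: true

  # Hardened: cloudflared validates the Cf-Access-Jwt-Assertion header and
  # refuses to proxy requests that do not carry a valid token for this app.
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      access:
        required: true
        teamName: <TEAM_NAME>
        audTag:
          - <ACCESS_APP_AUD_TAG>

  # Catch-all rule stays last.
  - service: http_status:404
```

With this in place, a missing or misconfigured Access application results in rejected requests rather than an openly reachable dashboard.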
Health Checks
Configure health checks to ensure your services are running:
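ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      # Confirm these two keys against the originRequest options in
      # Cloudflare's configuration file reference for your cloudflared version.
      healthCheckEnabled: true
      healthCheckPath: /health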
Conclusion
Cloudflare Tunnels provide a secure, reliable way to access your home lab services remotely without exposing your home network to the internet. With the setup described in this guide, you can securely access your services from anywhere in the world.