Greg Vedders
  • About
  • Tags
  • Posts

Exposing Services Safely with Cloudflared Tunnels

Learn how Cloudflare Tunnels (cloudflared) allow you to safely expose local services to the Internet without opening firewall ports.

posts
April 27, 2025 • 4 min read • 762 words

Self-hosting applications and services is more popular than ever, but it comes with a big challenge: how do you safely expose those services to the Internet without compromising your network?

Traditionally, exposing a service involved opening ports on your firewall or router. While simple, this method can create major security risks if not configured perfectly. Exposing open ports directly to the Internet increases the attack surface for bad actors to find and exploit vulnerabilities.

Fortunately, there’s a modern solution that removes much of that risk: Cloudflare Tunnels, powered by the lightweight tool cloudflared.


What is Cloudflared?

cloudflared is a simple command-line tool created by Cloudflare that securely connects your local services to Cloudflare’s network.

With cloudflared, you don’t have to open any inbound firewall ports.
Instead, cloudflared creates an outbound tunnel from your server to Cloudflare. Cloudflare then handles incoming traffic securely and forwards it down your tunnel.

✅ No public IP address needed.
✅ No firewall port forwarding needed.
✅ Stronger security by default.


Why Use Cloudflared Tunnels Instead of Opening Ports?

Here’s why using Cloudflare Tunnels is a smarter and safer approach:

  • No Exposed IP: Attackers cannot directly scan or attack your IP because inbound access isn’t allowed.
  • Automatic TLS: Connections are encrypted end-to-end without needing to manually configure HTTPS certificates.
  • Access Control: You can layer Cloudflare Access on top for login authentication without touching your internal server.
  • DDoS Protection: Your service is behind Cloudflare’s DDoS protection and global CDN network.
  • Ease of Setup: Minimal configuration required compared to traditional firewall and reverse proxy setups.

In short, security improves while complexity goes down.


How Easy is it to Set Up?

Setting up a Cloudflare Tunnel is surprisingly quick.

Install cloudflared

On Ubuntu/Debian

You need to add Cloudflare’s official repository first:

sudo apt install curl gnupg
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-main.gpg
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared stable main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update
sudo apt install cloudflared

On Fedora/RedHat

sudo dnf install cloudflared

Or, if not available in your repo:

sudo rpm -i https://pkg.cloudflare.com/cloudflared/cloudflared-stable-x86_64.rpm

Using Docker

Running cloudflared in Docker is also extremely easy:

docker run -d --name cloudflared \
  --restart unless-stopped \
  -v ~/.cloudflared:/etc/cloudflared \
  cloudflare/cloudflared:latest tunnel run my-tunnel-name

Docker handles updates easily, and you can bind your config.yml into the container for multi-service setups.


Setting Up a Cloudflare Tunnel Through the Web Interface

While cloudflared offers a simple command-line method, you can also create and manage tunnels entirely through the Cloudflare web dashboard.
This approach is incredibly easy, especially if you prefer a visual interface over CLI commands.

1. Log In to the Cloudflare Dashboard

Visit dash.cloudflare.com and log in to your Cloudflare account.


2. Navigate to “Zero Trust” > “Access” > “Tunnels”

  • In the left-hand menu, find Zero Trust.
  • Click into Access → Tunnels.

This is where you manage your Cloudflare Tunnels.


3. Create a New Tunnel

  • Click Create a Tunnel.
  • Enter a name for your tunnel (e.g., home-server, self-hosted-dashboard, etc.).

Cloudflare will generate credentials and instructions automatically.


4. Install and Connect Cloudflared (One-Time Step)

If you haven’t already installed cloudflared on your server, Cloudflare will guide you to:

  • Download the cloudflared binary for your system.
  • Authenticate by running:
cloudflared tunnel login

Once authenticated, your device will be linked to your Cloudflare account.


5. Configure Public Hostnames (Routes)

After creating the tunnel:

  • You can add public hostnames that route to your internal services.
  • Example:
    • Public hostname: app.example.com
    • Service: http://localhost:8080

Cloudflare automatically handles DNS, SSL/TLS certificates, and secure routing!


6. Run the Tunnel

Finally, you can run the tunnel service:

cloudflared tunnel run your-tunnel-name

or set up cloudflared to run as a service so it starts automatically on reboot.

Your internal app is now securely exposed through Cloudflare without any inbound firewall ports!


Real-World Example

Imagine you’re hosting a dashboard locally on port 8080.

Instead of opening ports on your router:

  • You install cloudflared.
  • Create a tunnel.
  • Point your domain like dashboard.example.com to localhost:8080 through the Cloudflare Tunnel.

Your service is live and safe without ever exposing your home IP!


Final Thoughts

Using cloudflared tunnels completely changes the game for self-hosters, small businesses, and hobbyists.
Instead of worrying about firewall rules, NAT, SSL certificates, and attack surfaces, you can expose services securely and easily through Cloudflare.

It’s free to get started, battle-tested at Internet scale, and far safer than the old-school port forwarding approach.

If you’re still opening ports manually, it might be time to close them — and open a secure Cloudflare Tunnel instead.


Thinking about getting started? Installing cloudflared might be the easiest, and most secure, networking decision you make all year.

Share this post
← Older How to Select the Right Backup Version and Search for Indicators of Compromise (IoCs) During a Ransomware Recovery Newer → Building a Stable SOC Monitoring Wall with Open Tools

About

Greg Vedders writes about information security, troubleshooting, photography, and the occasional unexpected fix.

Recent Posts

  • Automating CatPosters.us With a Gemini and WordPress Bot
  • Teaching Git: What I Covered in Class
  • Introducing Signage Suite — Self-Hosted Wall Displays in PHP
  • Rebuilding gregvedders.com Without a Hugo Theme
  • Hardening a Public Honeypot Server

Tags

Cloudflare AI Cloudflared Tunnels Security Networking Self-Hosting

Related Posts

  • How It Really Works The "Magic" Behind CatPosters.us
  • Advanced Splunk Techniques for Beginners
  • Searching for Threats in Firewall Logs Using Splunk
  • Understanding Current Security Risks: 2024 Update
© Greg Vedders 2026