Cloudflare Tunnel Setup on Ubuntu.md

Cloudflare Tunnels Setup Guide for Ubuntu

Overview

Cloudflare Tunnels provide a secure way to expose your local services to the internet without opening ports 80/443 on your firewall. Traffic flows through Cloudflare's network directly to your services via an encrypted tunnel.

Prerequisites

• Ubuntu server
• Cloudflare account with a domain added
• Admin/sudo access on your server

Step 1: Installation

Download and install the latest cloudflared package:

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

Step 2: Authentication

Authenticate with Cloudflare and select your domain:

cloudflared tunnel login

This will open a browser window to authorize the connection to your Cloudflare account.

Step 3: Create a Tunnel

Create your tunnel with a memorable name:

cloudflared tunnel create your_tunnel_name

Important: Save the UUID provided - you'll need it for configuration. You can also list all tunnels later with:

cloudflared tunnel list

Step 4: Configuration

Navigate to the cloudflared directory and create a config file:

cd /etc/cloudflared
sudo nano config.yml

Add the basic configuration:

tunnel: <your_tunnels_uuid>
credentials-file: /home/username/.cloudflared/<UUID>.json
origincert: /home/username/.cloudflared/cert.pem

Step 5: Configure Traffic Routing

Add ingress rules to route traffic to your internal services. Update your config.yml:

tunnel: <your_tunnels_uuid>
credentials-file: /home/username/.cloudflared/<UUID>.json
origincert: /home/username/.cloudflared/cert.pem
ingress:
  - hostname: yourdomain.com
    service: http://localhost:8080
  - hostname: subdomain.yourdomain.com
    service: http://192.168.1.100:3000
  - service: http_status:404

Key Points:

• Replace hostnames with your actual domains/subdomains
• Update service URLs to point to your internal services
• The final http_status:404 rule is mandatory

Step 6: Create DNS Records

Create DNS records for each hostname using the CLI:

cloudflared tunnel route dns <tunnel_name_or_uuid> yourdomain.com
cloudflared tunnel route dns <tunnel_name_or_uuid> subdomain.yourdomain.com

These records will appear in your Cloudflare DNS dashboard automatically.

Step 7: Test the Tunnel

Start the tunnel to test your configuration:

cloudflared tunnel run <tunnel_name_or_uuid>

If successful, you should see confirmation that the tunnel is running and can access your services via the configured hostnames.

Step 8: Run as a System Service

Install cloudflared as a systemd service for automatic startup:

sudo cloudflared --config /etc/cloudflared/config.yml service install

Now you can manage it like any other systemd service:

sudo systemctl start cloudflared
sudo systemctl enable cloudflared
sudo systemctl status cloudflared

Security Benefits

• No open ports: Ports 80/443 can remain closed on your firewall
• DDoS protection: Traffic passes through Cloudflare's network first
• Encrypted tunnel: All traffic between Cloudflare and your server is encrypted
• Access control: Can be combined with Cloudflare Access for additional security

Troubleshooting Tips

• Check service status: sudo systemctl status cloudflared
• View logs: sudo journalctl -u cloudflared -f
• Verify tunnel status in Cloudflare dashboard under "Zero Trust" > "Networks" > "Tunnels"
• Ensure your local services are running and accessible internally

Notes

• Tunnel names cannot be changed after creation
• All traffic goes through Cloudflare - consider privacy implications
• Free service with no bandwidth limits
• Supports HTTP, HTTPS, SSH, and other TCP protocols