software

Cloudflare Tunnel

Creates an outbound encrypted tunnel from a local server to Cloudflare's network, enabling public access to self hosted services without port forwarding.

Cloudflare Tunnel is a service that creates an outbound encrypted connection from a local server to Cloudflare's network. Public traffic to a domain managed through Cloudflare is routed through that tunnel to the application running at home, with no inbound ports required on the home router.

The problem it solves

Exposing a home lab service to the internet normally requires a public IP address and an open port on the router. Many home internet connections use dynamic IPs, and opening ports creates direct attack surface. Cloudflare Tunnel sidesteps both problems. The local cloudflared daemon initiates the connection outbound, and Cloudflare handles the public side, including SSL termination and DDoS protection.

How it works

A small daemon called cloudflared runs on the local server as a Docker container or system service. It maintains a persistent outbound tunnel to Cloudflare. DNS for the domain points to Cloudflare, which proxies incoming HTTPS traffic through the tunnel to the local application. SSL/TLS is handled automatically by Cloudflare at the edge.

What it requires

Cloudflare Tunnel requires a domain managed through Cloudflare. At the time of writing, tunnels are available on the free Cloudflare plan for personal use. Unlike a VPN approach, traffic routed through Cloudflare Tunnel passes through Cloudflare's infrastructure, which is a consideration depending on what is being exposed. The cloudflared daemon is open source under the Apache 2.0 licence and available at github.com/cloudflare/cloudflared.