Contents

Create Locally-Managed Cloudflare Tunnel

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

How it works

Cloudflared establishes outbound connections (tunnels) between your resources and Cloudflare’s global network. Tunnels are persistent objects that route traffic to DNS records. Within the same tunnel, you can run as many cloudflared processes (connectors) as needed. These processes will establish connections to Cloudflare and send traffic to the nearest Cloudflare data center.

https://developers.cloudflare.com/assets/handshake_hufad68abf6107ffc2ef859ebe1b42b6e2_299675_1768x1102_resize_q75_box-3f75968f.jpg

Prerequisites

Before you start, make sure you:

1. Install cloudflared

Windows

  1. Download cloudflared on your machine. Visit the downloads page to find the right package for your OS.
  2. Rename the executable to cloudflared.exe
  3. In PowerShell, change directory to your Downloads folder and run .\cloudflared.exe --version. It should output the version of cloudflared. Note that cloudflared.exe could be cloudflared-windows-amd64.exe or cloudflared-windows-386.exe if you have not renamed it.
1
PS C:\Users\Administrator\Downloads\cloudflared-stable-windows-amd64> .\cloudflared.exe --version

macOS

To download and install cloudflared:

1
brew install cloudflared

Alternatively, you can download the latest Darwin amd64 release directly.

Linux

Debian and Ubuntu APT

Use the apt package manager to install cloudflared on compatible machines.

  1. Add Cloudflare’s package signing key:
1
2
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
  1. Add Cloudflare’s apt repo to your apt repositories:
1
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
  1. Update repositories and install cloudflared:
1
sudo apt-get update && sudo apt-get install cloudflared

RHEL RPM

Use the rpm package manager to install cloudflared on compatible machines.

  1. Add Cloudflare’s repository:
1
curl -fsSL https://pkg.cloudflare.com/cloudflared-ascii.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
  1. Update repositories and install cloudflared:
1
sudo yum update && sudo yum install cloudflared

Arch Linux

cloudflared is in the Arch Linux community repository. Use pacman to install cloudflared on compatible machines.

1
pacman -Syu cloudflared

Other

Alternatively you can download the cloudflared binary or the linux packages to your machine and install manually. Visit the downloads page to find the right package for your OS.

Build from source

To build the latest version of cloudflared from source:

1
2
3
4
git clone https://github.com/cloudflare/cloudflared.git
cd cloudflared
make cloudflared
go install github.com/cloudflare/cloudflared/cmd/cloudflared

Depending on where you installed cloudflared, you can move it to a known path as well.

1
mv /root/cloudflared/cloudflared /usr/bin/cloudflared

2. Authenticate cloudflared

1
cloudflared tunnel login

Running this command will:

  • Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname.
  • Generate an account certificate, the cert.pem file, in the default cloudflared directory.

3. Creae a tunnel and give it a name

1
cloudflared tunnel create <NAME>

Running this command will:

From the output of the command, take note of the tunnel’s UUID and the path to your tunnel’s credentials file.

Confirm that the tunnel has been successfully created by running:

1
cloudflared tunnel list

4. Create a configuration file

  1. In your .cloudflared directory, create a config.yml file using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice.

  2. Add the following fields to the file:

If you are connecting an application:

1
2
3
url: http://localhost:8000
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json

If you are connecting a private network:

1
2
3
4
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json
warp-routing:
    enabled: true
  1. Confirm that the configuration file has been successfully created by running:
1
cat config.yml

5. Start routing traffic

  1. Now assign a CNAME record that points traffic to your tunnel subdomain:

    • If you are connecting an application, route the service to a public hostname:
    1
    
    $ cloudflared tunnel route dns <UUID or NAME> <hostname>
    
    • If you are connecting a private network, route an IP address or CIDR through the tunnel:
    1
    
    $ cloudflared tunnel route ip add <IP/CIDR> <UUID or NAME>
    
  2. Confirm that the route has been successfully established:

    1
    
    $ cloudflared tunnel route ip show
    

6. Run the tunnel

Run the tunnel to proxy incoming traffic from the tunnel to any number of services running locally on your origin.

1
$ cloudflared tunnel run <UUID or NAME>

If your configuration file has a custom name or is not in the .cloudflared directory, add the --config flag and specify the path.

1
$ cloudflared tunnel --config /path/your-config-file.yml run <UUID or NAME>

Cloudflare Tunnel can install itself as a system service on Linux and Windows and as a launch agent on macOS. For more information, refer to run as a service.

7. Check the tunnel

Your tunnel configuration is complete! If you want to get information on the tunnel you just created, you can run:

1
$ cloudflared tunnel info <UUID or NAME>

You can now route traffic to your tunnel using Cloudflare DNS or determine who can reach your tunnel with Cloudflare Access.

Useful commands

Use these commands to manage local tunnels through the CLI.

Manage tunnels

Command Description
cloudflared tunnel login Prompts a browser window where you can authenticate your tunnel to your Cloudflare account.
cloudflared tunnel list Displays all active tunnels, their creation time, and associated connections. Use the -d flag to include deleted tunnels.
cloudflared tunnel create <NAME or UUID> Creates a tunnel, registers it with the Cloudflare edge and generates a credential file to run this tunnel.
cloudflared tunnel route Routes traffic through a tunnel.
cloudflared tunnel route lb <NAME or UUID> <load balancer name> <load balancer pool> Creates a Load Balancer with an origin pool that points to the tunnel.
cloudflared tunnel route ip add <IP/CIDR> <NAME or UUID> Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user’s machine as long as it is using Cloudflare WARP and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific Virtual Network, use the --vnet option.
cloudflared tunnel route ip show (or list) Shows your organization’s private routing table. You can use additional flags to filter the results.
cloudflared tunnel route ip delete Deletes the row for a given CIDR from your routing table. That portion of your network will no longer be reachable by the WARP client.
cloudflared tunnel route ip get <IP/CIDR> Checks which row of the routing table will be used to proxy a given IP. This helps check and validate your configuration.
cloudflared tunnel route dns Creates a DNS CNAME record hostname that points to the tunnel.
cloudflared tunnel --config path/config.yaml run <NAME or UUID> Runs a tunnel, creating highly available connections between your server and the Cloudflare edge. You can provide name or UUID of the tunnel to run either as the last command line argument or in the configuration file using tunnel: <NAME>.
cloudflared tunnel info <NAME or UUID> Displays details about the active connectors for a given tunnel identified by name of UUID.
cloudflared tunnel cleanup <NAME or UUID> Deletes connections for tunnels with the given UUIDs or names. This is useful if you get an error trying to delete or run a tunnel after cloudflared is not shut down gracefully (for example, if a kill command is issued).
cloudflared tunnel cleanup --connector-id <CONNECTOR-ID> <NAME or UUID> Disconnects and deletes a cloudflared replica with the given connector ID. You can view all replicas for a tunnel by running cloudflared tunnel info <NAME or UUID>.
cloudflared tunnel delete <NAME or UUID> Deletes tunnels with the given name or UUID. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use the -f flag.
cloudflared tunnel vnet add <NAME or UUID> Creates a Virtual Network to which IP routes can be assigned. To make this Virtual Network the default for your Zero Trust organization, use the -d flag.
cloudflared tunnel vnet delete <NAME or UUID> Deletes the Virtual Network with the given name or UUID. Before you can delete a Virtual Network, you must first delete all IP routes assigned to the Virtual Network.
cloudflared tunnel vnet list Displays all active Virtual Networks, the default Virtual Network, and their creation times.
cloudflared tail <UUID> Start a session to livestream logs from a specific tunnel. For more information, refer to Tunnel logs.

Manage cloudflared

Command Description
cloudflared update Looks for a new version on the official download server. If a new version exists, it updates the agent binary and quits. Otherwise, no action is performed. This command only works if cloudflared was installed from GitHub binaries or from source. For more information, refer to the update instructions.
cloudflared version Prints the cloudflared version number and build date.
cloudflared help Shows a list of commands or help for cloudflared.

References