Cloudflare Tunnel
Cloudflare Tunnel for secure external access without port forwarding.
Overview
Cloudflared is Cloudflare's lightweight daemon that creates secure tunnels between your local services and Cloudflare's global network without requiring public IP addresses or complex firewall configurations. Originally developed as part of Cloudflare's Argo Tunnel service, cloudflared establishes outbound-only connections that tunnel traffic through Cloudflare's edge network, eliminating the need for traditional port forwarding or VPN solutions. The daemon runs as a connector service that authenticates with Cloudflare's infrastructure using secure tokens and maintains persistent connections to route traffic to your internal applications.
This Docker configuration deploys cloudflared as a containerized tunnel client that connects your local Docker network to Cloudflare's edge servers. The setup creates a secure bridge between your internal services and the internet, routing all traffic through Cloudflare's global network with built-in DDoS protection, SSL termination, and traffic filtering. Cloudflared handles the complex networking automatically, establishing multiple redundant connections to ensure high availability and performance.
This stack is ideal for developers running homelab environments, system administrators managing internal tools, and organizations requiring secure remote access without exposing infrastructure directly to the internet. The containerized approach provides isolation and portability while maintaining the security benefits of Cloudflare's Zero Trust architecture, making it valuable for teams needing secure access to development environments or internal applications.
Key Features
- Zero Trust network access with no inbound firewall rules required
- Automatic SSL certificate provisioning and renewal through Cloudflare
- Built-in DDoS protection and traffic filtering at Cloudflare's edge
- Multiple protocol support including HTTP, HTTPS, SSH, RDP, and arbitrary TCP
- Cloudflare Access integration for identity-based access controls
- Geographic traffic routing through Cloudflare's global edge network
- Real-time tunnel health monitoring and automatic failover
- Internal DNS resolution for private network services
Common Use Cases
- Exposing homelab services like Plex, Home Assistant, or NAS interfaces securely
- Providing remote access to development environments without VPN complexity
- Creating secure staging environment access for client demonstrations
- Enabling remote work access to internal company tools and dashboards
- Bypassing restrictive ISP or corporate firewall policies for legitimate services
- Protecting self-hosted applications with enterprise-grade security features
- Establishing secure CI/CD pipeline access to internal deployment targets
Prerequisites
- Active Cloudflare account with a registered domain name
- Tunnel token generated from Cloudflare Zero Trust dashboard (one.dash.cloudflare.com)
- Docker Engine 20.10+ with Docker Compose support
- Minimum 256MB RAM allocation for the cloudflared container
- Stable internet connection for maintaining tunnel connectivity
- Basic understanding of DNS configuration and subdomain management
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
```yaml
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    restart: unless-stopped
    networks:
      - cloudflared-network

networks:
  cloudflared-network:
    driver: bridge
```
.env Template
.env
```
# Cloudflare Tunnel
TUNNEL_TOKEN=your-tunnel-token-from-cloudflare
```
Usage Notes
- Create tunnel at one.dash.cloudflare.com
- Get token from tunnel configuration
- Configure public hostnames in dashboard
- No port forwarding required
- Supports internal DNS
Quick Start
terminal
```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    restart: unless-stopped
    networks:
      - cloudflared-network

networks:
  cloudflared-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Cloudflare Tunnel
TUNNEL_TOKEN=your-tunnel-token-from-cloudflare
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
```
One-Liner
Run this command to download and set up the recipe in one step. The script runs as soon as it is fetched, so download it to a file and read it first if you want to review what it does:
terminal
```bash
curl -fsSL https://docker.recipes/api/recipes/cloudflared-tunnel/run | bash
```
Troubleshooting
- tunnel connection failed: Verify TUNNEL_TOKEN environment variable is correctly set and token hasn't expired in Cloudflare dashboard
- service unreachable through tunnel: Check that target service is accessible from cloudflared container network and public hostname configuration matches internal service ports
- certificate errors on custom domains: Ensure domain is properly added to Cloudflare account and SSL/TLS encryption mode is set to 'Full' or 'Full (strict)'
- tunnel frequently disconnecting: Check Docker container logs for authentication errors and verify system time synchronization for token validation
- internal DNS resolution failing: Confirm services are on same Docker network or use Docker service names instead of localhost references in tunnel configuration
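A preflight check for the .env file from the template above, covering the first troubleshooting item before the container is started. This is an added example, not part of the original recipe: the function names check_env, read_token and is_private are made up here, and requiring mode 600 on the file is an assumption about how the token should be protected on disk.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the .env file before `docker compose up -d`.
# PLACEHOLDER is the literal value shipped in the page's .env template.
PLACEHOLDER='your-tunnel-token-from-cloudflare'

# Print the TUNNEL_TOKEN value from an env file (last assignment wins),
# with surrounding quotes and Windows line endings stripped.
read_token() {
  sed -n 's/^[[:space:]]*TUNNEL_TOKEN=//p' "$1" | tail -n 1 | tr -d '\r"'"'"
}

# Succeed only if group and others have no permissions on the file.
# GNU stat is tried first, BSD/macOS stat second.
is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Returns 0 when the file looks usable, 1 on a finding, 2 if it is missing.
# The token itself is never printed.
check_env() {
  local env_file=$1 token rc=0
  if [ ! -f "$env_file" ]; then
    echo "missing: $env_file"
    return 2
  fi
  token=$(read_token "$env_file")
  if [ -z "$token" ]; then
    echo "TUNNEL_TOKEN is empty or not set in $env_file"
    rc=1
  elif [ "$token" = "$PLACEHOLDER" ]; then
    echo "TUNNEL_TOKEN still holds the template placeholder"
    rc=1
  fi
  if ! is_private "$env_file"; then
    echo "$env_file is accessible to group/others; run: chmod 600 $env_file"
    rc=1
  fi
  return $rc
}

# Usage: check_env .env && docker compose up -d
```
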