How to Set Up a Cloudflare Zero Trust Tunnel on a Home Network

A Cloudflare Zero Trust Tunnel allows you to securely expose your home network applications to the internet without requiring port forwarding. This makes your setup not only more secure but also easier to configure, especially when dealing with restrictive firewalls or NAT.

In this blog, we’ll walk you through the steps to set up a Cloudflare Zero Trust Tunnel on your Debian-based home server and answer some frequently asked questions (FAQs).

 


Short Note

If you don’t need to read all this, just follow these steps exactly, and your tunnel will be ready to host anything from your home:

  1. Go to the Cloudflare dashboard and navigate to Zero Trust > Access.
  2. Select Tunnels and click Create Tunnel.
  3. Run the provided command on your Debian machine to establish the tunnel.
  4. Specify the port your application uses—no need for port forwarding.

What is a Cloudflare Zero Trust Tunnel?

A Cloudflare Zero Trust Tunnel (formerly Argo Tunnel) creates a secure, outbound-only connection between your server and Cloudflare’s network. It allows external access to your applications while keeping your server’s IP address private. This eliminates the need for traditional methods like port forwarding, reducing security risks and simplifying configuration.


The Problem: Exposing Applications Without Port Forwarding

Traditionally, exposing applications to the internet required configuring port forwarding on your router. This approach has several downsides:

  • Security Risks: Open ports can expose your server to malicious attacks.
  • Complex Setup: Configuring NAT and firewall rules can be complicated, especially for non-technical users.
  • ISP Restrictions: Some ISPs block inbound traffic, making port forwarding impossible.

The Solution: Cloudflare Zero Trust Tunnel

With Cloudflare Zero Trust Tunnel, you can securely expose your home network applications to the internet without worrying about port forwarding. The tunnel establishes an outbound-only connection to Cloudflare, ensuring that your server remains hidden from direct exposure.


Steps to Set Up a Cloudflare Zero Trust Tunnel

Step 1: Prerequisites

  1. Cloudflare Account: Sign up for a free Cloudflare account if you don’t already have one.
  2. Domain Added to Cloudflare: Add your domain to Cloudflare DNS.
  3. Debian Machine: A Debian 12 server or similar environment where the application is running.

Step 2: Install Cloudflared

  1. Update your package list:
    sudo apt update
  2. Download and install the Cloudflared binary:
    wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
    sudo dpkg -i cloudflared-linux-amd64.deb
  3. Verify the installation:
    cloudflared --version

Step 3: Create a Tunnel

  1. Log in to Cloudflare from your terminal:
    cloudflared login

    This will open a browser for authentication. On a headless server, it prints a URL instead, which you can open on another device.

  2. Create a tunnel and give it a name:
    cloudflared tunnel create my-home-network

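    This will generate a tunnel ID and a credentials file, typically stored in /root/.cloudflared when the command is run as root. Treat the credentials file as a secret: anyone who holds it can run this tunnel.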

Step 4: Configure the Tunnel

  1. Create or edit the configuration file for the tunnel:
    sudo nano /etc/cloudflared/config.yml
  2. Add the following configuration (modify as needed):
    tunnel: <tunnel-id>
    credentials-file: /root/.cloudflared/<tunnel-id>.json
    
    ingress:
      - hostname: myapp.example.com
        service: http://localhost:8082  # Replace with your application’s local port
      - service: http_status:404

    Replace <tunnel-id> with your tunnel ID and myapp.example.com with your subdomain.

Step 5: Start the Tunnel

Run the tunnel with the following command:

cloudflared tunnel run my-home-network

Step 6: Verify DNS Configuration

  1. Log in to your Cloudflare dashboard and navigate to DNS.
  2. Ensure that the hostname (e.g., myapp.example.com) is a CNAME record pointing to the tunnel.

Step 7: Test Your Setup

Visit your application using the configured hostname. For example:

http://myapp.example.com

If everything is set up correctly, you should see your application served securely through the tunnel.


Advantages of Using Cloudflare Zero Trust Tunnel

  1. Enhanced Security: No exposed ports on your router or server.
  2. Ease of Use: Simplified setup without needing NAT or port forwarding.
  3. Global Access: Your application is served through Cloudflare’s global network, ensuring low latency and high availability.
  4. Additional Features: Easily integrate with Cloudflare’s features like Access Policies, DDoS protection, and analytics.

Interactive FAQ

Q1: Do I need to configure port forwarding on my router?

A1: No. The Cloudflare Zero Trust Tunnel eliminates the need for port forwarding by creating an outbound-only connection from your server to Cloudflare.

Q2: Can I use this with any application?

A2: Yes, as long as the application is accessible via a local IP and port. You can configure the tunnel to forward requests to the application’s local address.

Q3: What if I need SSL/TLS for my application?

A3: Cloudflare automatically handles SSL/TLS for the hostname configured in the tunnel. Ensure that your DNS settings are correct and the proxy is enabled (orange cloud in Cloudflare DNS).

Q4: How do I make the tunnel run automatically on boot?

A4: Create a systemd service:

  1. Create a new service file:
    sudo nano /etc/systemd/system/cloudflared.service
  2. Add the following:
    [Unit]
    Description=Cloudflare Tunnel
    After=network.target
    
    [Service]
    Type=simple
    ExecStart=/usr/local/bin/cloudflared tunnel run my-home-network
    Restart=on-failure
    User=root
    
    [Install]
    WantedBy=multi-user.target
  3. Enable and start the service:
    sudo systemctl enable cloudflared
    sudo systemctl start cloudflared

Q5: How do I troubleshoot 502 Bad Gateway errors?

A5:

  • Verify that your application is running and accessible locally.
  • Check the cloudflared logs (for the systemd service from Q4):
    sudo journalctl -u cloudflared
  • Ensure the port in the config.yml matches the port your application uses.
  • Confirm that your DNS settings are correctly pointing to the tunnel.

Q6: Can I use this setup for multiple applications?

A6: Yes. Add additional ingress rules in the config.yml file for each application. For example:

ingress:
  - hostname: app1.example.com
    service: http://localhost:8081
  - hostname: app2.example.com
    service: http://localhost:8082
  - service: http_status:404

Q7: Is this setup free?

A7: Yes, the basic features of Cloudflare’s Zero Trust Tunnel are free. However, additional features like advanced security policies or analytics may require a paid plan.
