Cloudflare Tunnel: Expose Your Home Network to the Internet Securely

It’s common nowadays for homes to have a private home lab that hosts services such as a media server or FTP server. In some cases, users want to make these private services accessible from anywhere on the internet.

Not every internet subscription comes with a dedicated public IP address. And even with one, configuring your internal network to be publicly accessible is not a simple task for most home users.

So what’s the alternative? You should consider using Cloudflare Tunnel, part of Cloudflare Zero Trust, which exposes your private network to the Cloudflare global network. There are several subscription options for Cloudflare Zero Trust, but the free option should be sufficient for a home lab.

Stay with me, and I will show you how to set up Cloudflare Tunnel and use your private services online!


Requirements

To follow along, make sure you have these prerequisites.

  • A server in your internal network. This server can be any computer that hosts your private services. This demo uses Ubuntu Server 20.04.
  • Docker is installed on your server. Although Cloudflare Tunnel (cloudflared) can run as a standalone service, installing it as a Docker container makes it more convenient and consistent across platforms.
  • You must already have a DNS domain in your Cloudflare account. This example will use the DNS domain org870b.ga.

Create a Cloudflare Tunnel

Assuming you already have a Cloudflare account, follow these steps to create a new tunnel.

  1. Log in to your Cloudflare account and click on the Zero Trust link.
  2. Click Access > Tunnels > Create a Tunnel.
  3. Next, type a descriptive name for the tunnel you’re creating. In this example, we’ll name the tunnel homelab to indicate that it is for our home lab network. Once you’ve entered the tunnel name, click Save tunnel.

Install the Cloudflare Tunnel Connector

After saving the new Cloudflare tunnel, the next step requires installing the Cloudflare Tunnel connector on your server.

  1. Under Choose your environment, select the operating system of your server. The connector can be installed on Windows, Mac, Linux, and as a Docker container. In this example, I’ll install the connector as a Docker application.
  2. The command to install the connector for your chosen environment appears below the selection. In this example, there’s only one command to execute to run the Cloudflare tunnel connector as a Docker container. Copy this command.
  3. Before running the docker run command, let’s insert the -d option to run the container in detached mode, and the --name <name> argument to name the container.
  4. Now, run the command in your server’s terminal. Docker downloads the cloudflare/cloudflared image from Docker Hub and starts the new container.
  5. Let’s confirm that the Cloudflare Tunnel container is running.
    docker ps -f 'name=homelab_tunnel'
  6. Go back to your Cloudflare Zero Trust Tunnel page, and you should see that the connector status is now Connected. Click Next.
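
One way to run steps 3 to 5 without pasting the tunnel token into the command line, as an added example that is not from the original article or from Cloudflare. The token file path, the --restart policy and the function names are assumptions; TUNNEL_TOKEN is the environment variable cloudflared reads in place of the --token argument.

```shell
#!/bin/sh
# Added example. TOKEN_FILE is an assumed path holding only the tunnel token;
# the container name matches the docker ps check used on this page.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.cloudflared/homelab.token}"
CONTAINER_NAME="homelab_tunnel"

# Succeeds only if the token file is a regular, non-empty file that group and
# others have no access to (for example mode 600).
token_file_ok() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Runs the connector detached. "-e TUNNEL_TOKEN" without a value makes Docker
# copy the variable from this command's environment, so the token does not
# end up in shell history or in the docker CLI's argument list.
start_connector() {
    token_file_ok "$TOKEN_FILE" || {
        echo "refusing to start: $TOKEN_FILE must be non-empty and mode 600" >&2
        return 1
    }
    # --restart unless-stopped is optional: it brings the tunnel back after a reboot.
    TUNNEL_TOKEN=$(cat "$TOKEN_FILE") docker run -d \
        --name "$CONTAINER_NAME" \
        --restart unless-stopped \
        -e TUNNEL_TOKEN \
        cloudflare/cloudflared:latest tunnel --no-autoupdate run
}

# Succeeds if a running container with the expected name exists.
connector_running() {
    [ -n "$(docker ps -q -f "name=$CONTAINER_NAME" -f status=running)" ]
}

# Only act when called with "start", so the file can also be sourced.
if [ "${1:-}" = "start" ]; then
    start_connector && connector_running && echo "connector is up"
fi
```

The token remains visible in the container's environment through docker inspect, so access to the Docker daemon on the server still needs to be restricted.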

Expose a Web Application Through the Cloudflare Tunnel

In my home lab setup, Cockpit is installed on my Ubuntu server and accessible on https://192.168.1.20:9090.

Note. How to Install Cockpit on Ubuntu for Web-Based System Management?


In this example, let’s expose this web application through the Cloudflare tunnel network and make it accessible to the internet.

  1. Enter the subdomain that you want to assign to the service. In this example, let’s call it cockpit.
  2. Choose the domain from the dropdown list.
    Note. You must already have a DNS domain configured in Cloudflare DNS for this step. Otherwise, there will be no domain available in the list.
  3. Choose HTTPS from the Type selection.
  4. Enter the web service URL inside the URL box. This URL is the internal address of the web service, such as 192.168.1.20:9090 for Cockpit.
  5. Click on Additional application settings.
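  6. Expand TLS and enable the No TLS Verify switch. Lastly, click Save tunnel.

    Note. This step is applicable only if the service you’re exposing is using HTTPS and the certificate is not from a public certificate provider. With the switch enabled, cloudflared does not validate the certificate that the internal service presents, so leave it off when the service has a publicly trusted certificate.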

  7. At this point, you now have a Cloudflare tunnel:
    • Named homelab with one configured route to cockpit.org870b.ga.
    • The tunnel status is Healthy.
    • The connector status is Connected.
    • And a proxied CNAME record pointing to the Cloudflare Argo Tunnel FQDN (<tunnel-id>.cfargotunnel.com).
  8. Finally, test whether you can access the web application on the internet by opening the public hostname in a web browser. As you can see below, opening the https://cockpit.org870b.ga URL loads the Cockpit interface of my internal server.

Add a Cloudflare Tunnel SSH Access

Apart from web-based applications, you can also expose non-HTTP services through different protocols. One example is SSH access.

To expose your server’s SSH access via Cloudflare Tunnel, you only need to create a public hostname in the existing tunnel. There is no need to open new ports in the firewall.

  1. First, open your list of tunnels and click Configure next to the tunnel name.
  2. Click the Public Hostname tab and click Add a public hostname.
  3. Enter the subdomain and select the domain. Choose SSH as the service type, and enter the server’s internal IP address (or name) and port in the URL field.
    As you can see below, this example has the following values.

    • Subdomain+Domain = terminal.org870b.ga
    • Type = SSH
    • URL = 192.168.1.20:22
  4. Click Save hostname.
  5. You now have an SSH public hostname added to your Cloudflare Tunnel.

Connect using the Native SSH Client

To connect to the Cloudflare Tunnel SSH endpoint you created, you must first install the cloudflared binary on your client computer.

  1. Open a browser on your computer and open the Cloudflare Tunnel downloads page at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/.
  2. On the page, download the cloudflared binary for your computer’s operating system. In this example, I’ll download the executable for Windows since I’m using a Windows 11 computer.
  3. After downloading the file, move it to a convenient directory. In this example, we’ve moved the file to C:\Tools\cloudflared-windows-amd64.exe.
  4. Next, edit your SSH client configuration. Open the file ~/.ssh/config in your text editor. Append the following configuration entry for your Cloudflare Tunnel SSH public hostname.
    Host terminal.org870b.ga
      ProxyCommand C:\Tools\cloudflared-windows-amd64.exe access ssh --hostname %h
  5. Make sure to replace terminal.org870b.ga with your SSH public hostname and C:\Tools\cloudflared-windows-amd64.exe with your correct executable location.

  6. Save and close the config file.
  7. Open a terminal (PowerShell on Windows) and run the following command:
    ssh <username>@<public-hostname>


Conclusion

Cloudflare Tunnel really changes the game. Imagine hosting many applications inside your home network and then configuring which ones to make available to the internet.

For example, you can host your own password manager instance and make it available even when traveling and not connected to your home network! You can make your media server available online and share it with your family and friends across different locations.
