Cloudflare Tunnel

A secure tunneling service that exposes locally running services to the internet through Cloudflare's network — without opening firewall ports, configuring NAT, or having a static IP.

Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only encrypted connection from your server to Cloudflare's edge. Your origin server makes the connection out; Cloudflare routes incoming requests to it. No inbound ports, no dynamic DNS, no server IP exposed — your server is completely hidden behind Cloudflare.

How It Works

  1. Install cloudflared (the tunnel daemon) on your server
  2. Authenticate with your Cloudflare account: cloudflared tunnel login
  3. Create a tunnel: cloudflared tunnel create my-app
  4. Configure routing (which hostname routes to which local port)
  5. Run the tunnel: cloudflared tunnel run my-app

Cloudflare issues you a unique subdomain (e.g., randomstring.cfargotunnel.com) and you can CNAME your own domain to it. Traffic flows: browser → Cloudflare edge → encrypted tunnel → cloudflared → local service.
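Step 4 (routing) is where the security-relevant decisions sit, so here is an added example of a cloudflared config file; it is not from the original page, and the tunnel name, hostname, credentials path and port are assumed placeholders.

```yaml
# ~/.cloudflared/config.yml  (added example; all values are placeholders)
# Run with:   cloudflared tunnel run my-app
# Check with: cloudflared tunnel ingress validate
#             cloudflared tunnel ingress rule https://app.example.com

tunnel: my-app
credentials-file: /home/deploy/.cloudflared/<TUNNEL-UUID>.json   # created by `tunnel create`

ingress:
  # Only this hostname reaches the local service. It must also be published with:
  #   cloudflared tunnel route dns my-app app.example.com
  # cloudflared connects to the origin on loopback, so bind the app to 127.0.0.1:
  # the tunnel hides the server only if the port is not also reachable directly.
  - hostname: app.example.com
    service: http://127.0.0.1:3000
    originRequest:
      connectTimeout: 10s

  # Required catch-all: any other Host header gets a 404 instead of the app.
  - service: http_status:404
```

`ingress validate` catches a missing catch-all rule before the tunnel starts, and `ingress rule` shows which rule a given URL would match.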

What It Solves

  • NAT traversal — exposes a service on a home network or private cloud without router configuration
  • No static IP required — the tunnel reconnects even if your ISP changes your IP
  • DDoS protection — Cloudflare absorbs attacks before they reach your origin
  • TLS termination — Cloudflare handles HTTPS certificates automatically
  • Zero Trust access — combine with Cloudflare Access for identity-based access control (no VPN needed)

Cloudflare Tunnel vs Tailscale

Tailscale connects devices in a private mesh — for SSH, database connections, internal APIs. Cloudflare Tunnel exposes a service to the public internet — for web apps, webhooks, public APIs. For internal-only access, Tailscale; for public-facing services on a private machine, Cloudflare Tunnel. Many teams use both.

Cloudflare Tunnel vs Traefik/Nginx

Traefik and Nginx are reverse proxies that route traffic between services — they assume you already have inbound connectivity. Cloudflare Tunnel solves the connectivity problem so you don't need open ports for those proxies to receive traffic.

Use Cases

  • Expose a local dev server to share with clients or for webhook testing
  • Run a web service on a home server without ISP restrictions on port 80/443
  • Secure access to internal tools with Cloudflare Access (SSO, MFA) — no VPN
  • Multi-origin load balancing and failover via Cloudflare Load Balancing

Related

  • Tailscale — private mesh networking (vs public exposure)
  • Traefik — reverse proxy that pairs well with tunnels for internal routing
  • Caddy — web server with automatic HTTPS; often used alongside Cloudflare Tunnel
  • Wireguard — alternative tunnel protocol for lower-level connectivity
