reverse proxy self-hosted services with cloudflare tunnel


Cloudflare Tunnel (once known as Argo Tunnel) is a mix between a reverse proxy and a TCP-based tunnel that links local TCP ports (e.g., a service that binds to and TCP port 23456) and proxies all requests to and from Cloudflare at its edges to port 443.

Cloudflare Tunnels have recently become free to all.

The solution is not so different to using a service such as frp, and it escapes CGNAT as well.

Advantages over a self-hosted solution:


Documentation is available at Cloudflare, but some steps and concepts can be made clearer.

Binary, .deb, and .rpm are available for x86-64, x86, and ARMv6 and ARM64.

Install (Ubuntu/Debian):

wget -q
dpkg -i cloudflared-stable-linux-amd64.deb

Login with:

cloudflared login

Visit the URL and authorize your domain.

cloudflared tunnel create your-tunnel-name

Tunnel credentials get written to a file named like /root/.cloudflared/123456-abcdef.json.

Create /root/.cloudflared/config.yml

tunnel: 123456-abcdef
credentials-file: /root/.cloudflared/123456-abcdef.json

  - hostname:
    service: http://localhost:80
  - service: http_status:404

Cloudflared can create the DNS entry for you:

cloudflared tunnel route dns your-tunnel-name

To try out the tunnel:

cloudflared tunnel run

And visit the app at

To make the tunnel permanent at system start:

cloudflared service install

Configuration will be moved to /etc/cloudflared/config.yml.

For Ubuntu/Debian, start the service with:

systemctl start cloudflared

More info:

Additional bits that weren’t explained by Cloudflare or weren’t clear to me:

I do not use a commenting system anymore, but I would be glad to read your feedback. Feel free to contact me.