cloudflared — Cloudflare Tunnel Client for Exposing Services Without Opening Ports
cloudflared is the client daemon for Cloudflare Tunnel. Expose a local web app, SSH, or any TCP service to the internet through Cloudflare's edge — no public IP, no open ports, zero-trust access policies.
Safe staging for this asset
This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.
```bash
npx -y tokrepo@latest install 071802a4-3859-11f1-9bc6-00163e2b0d79 --target codex
```
Stages files first; activation requires review of the staged README and plan.
What it is
cloudflared is the client daemon for Cloudflare Tunnel. It creates encrypted outbound connections from your local machine to Cloudflare's network, allowing you to expose a local web app, SSH server, RDP, or any TCP service to the internet without opening inbound firewall ports, configuring NAT, or managing a VPN. Cloudflare handles DNS, TLS certificates, and DDoS protection automatically.
Developers who need to share local development servers, expose self-hosted services, or set up secure remote access to machines behind NAT benefit most. cloudflared replaces tools like ngrok for permanent tunnel setups with Cloudflare's global network.
How it saves time or tokens
Traditional approaches to exposing local services require port forwarding, dynamic DNS, TLS certificate management, and firewall configuration. cloudflared handles all of this with a single command. The tunnel is outbound-only, so no inbound ports need to be opened -- this simplifies network security significantly. Cloudflare's free tier includes unlimited tunnels, DDoS protection, and automatic TLS.
How to use
- Install cloudflared:

```bash
# macOS
brew install cloudflared
# Linux
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
```

- Authenticate with your Cloudflare account:

```bash
cloudflared tunnel login
```

- Create and run a tunnel:

```bash
cloudflared tunnel create my-app
cloudflared tunnel route dns my-app myapp.example.com
cloudflared tunnel run --url http://localhost:3000 my-app
```
Your local app on port 3000 is now available at myapp.example.com with HTTPS.
Example
```yaml
# config.yml for persistent tunnel configuration
tunnel: my-app
credentials-file: /root/.cloudflared/my-app.json
ingress:
  - hostname: app.example.com
    service: http://localhost:3000
  - hostname: api.example.com
    service: http://localhost:8080
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - service: http_status:404
```

```bash
# Quick expose without a named tunnel (temporary)
cloudflared tunnel --url http://localhost:8080
```
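The ingress list in config.yml is evaluated top to bottom and the first matching rule wins, so rule order decides which local services end up published. The Python below is an added example, not cloudflared's code and not part of the original page: it models that matching in simplified form (hostnames only, no path rules) and audits a rule list. `PAGE_RULES`, `route` and `audit` are hypothetical names, and the loopback check is an assumed review policy.

```python
from urllib.parse import urlsplit

# Constructed sample: the same rules as the page's config.yml, as Python dicts.
PAGE_RULES = [
    {"hostname": "app.example.com", "service": "http://localhost:3000"},
    {"hostname": "api.example.com", "service": "http://localhost:8080"},
    {"hostname": "ssh.example.com", "service": "ssh://localhost:22"},
    {"service": "http_status:404"},  # no hostname: catch-all
]

def host_matches(pattern, host):
    """Simplified model: no pattern matches all; '*.x' matches any subdomain of x."""
    if not pattern:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def route(rules, host):
    """Return the service of the first rule that matches host (top to bottom)."""
    for rule in rules:
        if host_matches(rule.get("hostname"), host):
            return rule["service"]
    return None

def audit(rules):
    """Return (rule_index, finding) pairs for risky or dead ingress rules."""
    findings = []
    if not rules or rules[-1].get("hostname"):
        findings.append((len(rules) - 1, "last rule is not a catch-all"))
    for i, rule in enumerate(rules):
        host, svc = rule.get("hostname"), rule["service"]
        # A rule is dead if an earlier rule already matches its hostname.
        for j in range(i):
            earlier = rules[j].get("hostname")
            if not earlier or (host and host_matches(earlier, host)):
                findings.append((i, f"never reached: shadowed by rule {j}"))
                break
        parts = urlsplit(svc)
        if parts.scheme in ("ssh", "rdp", "tcp"):
            findings.append((i, f"{parts.scheme} origin published: "
                                f"confirm an Access policy covers {host}"))
        # Assumed policy: origins should be on the machine running cloudflared.
        if parts.hostname and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
            findings.append((i, f"origin {parts.hostname} is not loopback"))
    return findings
```

For the real file, `cloudflared tunnel ingress validate` checks the syntax of the rules; the model above is only for reasoning about order and exposure.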
Common pitfalls
- Quick tunnels (without `tunnel create`) generate random hostnames and are temporary. For persistent access, create a named tunnel and configure DNS routing.
- cloudflared must stay running for the tunnel to work. Use a process manager (systemd, launchd, PM2) to keep it alive in production.
- Cloudflare requires you to own the domain and manage its DNS through Cloudflare. You cannot route tunnel traffic to domains on other DNS providers.
Frequently Asked Questions
Yes. Cloudflare Tunnel is included in Cloudflare's free tier. You can create unlimited tunnels at no cost. The free tier includes DDoS protection and automatic TLS. Some advanced access control features require Cloudflare Zero Trust (paid plans).
Both expose local services to the internet. cloudflared integrates with Cloudflare's network (CDN, DDoS, WAF) and supports custom domains on the free tier. ngrok provides more developer-focused features like request inspection. cloudflared is free for unlimited tunnels; ngrok's free tier has usage limits.
Yes. cloudflared supports TCP tunnels including SSH. Configure an SSH service in your ingress rules and use 'cloudflared access ssh' on the client side to connect through the tunnel without opening port 22.
Yes, in most cases. cloudflared makes outbound HTTPS connections on port 443, which is typically allowed by corporate firewalls. No inbound ports need to be opened. Some very restrictive proxies that inspect TLS traffic may interfere.
Yes. Use the config.yml ingress rules to route different hostnames to different local services. One cloudflared process can serve multiple services on different subdomains through a single tunnel.