# cloudflared — Cloudflare Tunnel Client for Exposing Services Without Opening Ports

> cloudflared is the client daemon for Cloudflare Tunnel. Expose a local web app, SSH, or any TCP service to the internet through Cloudflare's edge — no public IP, no open ports, zero-trust access policies.

## Quick Use

```bash
# Install
brew install cloudflare/cloudflare/cloudflared   # macOS
# Linux: download .deb or .rpm from github.com/cloudflare/cloudflared/releases

# Quick try-out (ephemeral tunnel, no Cloudflare account needed)
cloudflared tunnel --url http://localhost:3000
# -> https://random-subdomain.trycloudflare.com

# Persistent tunnel (needs Cloudflare account + domain on Cloudflare)
cloudflared tunnel login
cloudflared tunnel create myapp
cloudflared tunnel route dns myapp myapp.example.com
cloudflared tunnel run myapp
```

## Introduction

cloudflared is Cloudflare's connector for Cloudflare Tunnel (formerly Argo Tunnel). It runs on your server, establishes outbound connections to Cloudflare's edge, and relays incoming requests through that tunnel to your local service. No inbound firewall rules, no public IP, no port forwarding.

With over 13,000 GitHub stars, cloudflared is the way millions of developers expose home labs, dev machines, and self-hosted apps without worrying about NAT, dynamic DNS, or DDoS. The free Cloudflare plan includes unlimited tunnel usage.

## What cloudflared Does

cloudflared authenticates to Cloudflare, registers a tunnel, and keeps persistent outbound connections alive. Incoming requests hit Cloudflare's edge (e.g., https://yourapp.yourdomain.com), get matched to your tunnel by hostname, and are relayed to your local service. Cloudflare Access lets you layer on authentication (SSO, device posture, etc.).
## Architecture Overview

```
[Public Internet]
        |
[Cloudflare Edge (DDoS protection, CDN, WAF, SSL)]
        |
        |<-- Cloudflare Access (SSO, MFA, posture checks)
        |
    [Tunnel]
        |
[cloudflared daemon (your server)]
        |
[Local services]
    http://localhost:3000   (app)
    ssh://localhost:22      (admin)
    tcp://localhost:5432    (database for trusted users)
```

## Self-Hosting & Configuration

```yaml
# ~/.cloudflared/config.yml
tunnel: myapp-uuid-here
credentials-file: /root/.cloudflared/myapp-uuid-here.json

ingress:
  - hostname: myapp.example.com
    service: http://localhost:3000
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: api.example.com
    service: http://localhost:8080
    originRequest:
      noTLSVerify: true
  - service: http_status:404   # catch-all rule (required last)
```

```bash
# Run as a systemd service
sudo cloudflared service install eyJhIjoi...long-token-from-dashboard
sudo systemctl enable --now cloudflared

# Multiple instances for HA
# Run cloudflared on 2+ machines with the same config — Cloudflare load-balances

# Expose SSH through Access (zero-trust SSH, no public 22)
# 1. In Cloudflare Zero Trust dashboard, create an Access application for ssh.example.com
# 2. On client: cloudflared access ssh --hostname ssh.example.com --destination user@server
# 3. Or ~/.ssh/config ProxyCommand cloudflared access ssh --hostname %h
```

## Key Features

- **Zero inbound ports** — only outbound 443 from your server
- **Cloudflare edge benefits** — DDoS protection, CDN, WAF, SSL automatic
- **Cloudflare Access** — SSO, MFA, device posture on any service
- **HTTP, SSH, TCP, UDP, RDP, SMB** — tunnel anything
- **Free tier** — unlimited usage with a Cloudflare account
- **Multi-origin HA** — run cloudflared on N machines, auto-balanced
- **TLS origin verification** — encrypt from edge to your server
- **Systemd / Windows service / Docker** — deploy everywhere

## Comparison with Similar Tools

| Feature | cloudflared | ngrok | frp | Tailscale Funnel | headscale |
|---|---|---|---|---|---|
| Free tier | Unlimited | Limited | Self-host VPS | 20 devices | Self-host |
| Zero-trust auth | Yes (Access) | Paid | Manual | Via Tailscale ACLs | Limited |
| DDoS/WAF | Yes (CF edge) | Basic | No | No | No |
| SSL automatic | Yes | Yes | Via LE | Via LE | Via LE |
| Need a domain | Yes (on CF) | No | No | No | No |
| Best For | Custom domain + free tier | Quick dev tunnels | Full control | Private mesh + optional public | Self-hosted Tailscale |

## FAQ

**Q: Do I have to use Cloudflare for DNS?**
A: For persistent tunnels with your own domain, yes — the domain must be on Cloudflare. For quick demos, use the free `*.trycloudflare.com` ephemeral URLs.

**Q: Can cloudflared expose a database to the public?**
A: You can, but don't. Put it behind Cloudflare Access with SSO + MFA + device posture, so only trusted users/devices can reach it.

**Q: Is there a bandwidth cost?**
A: Free tier includes unlimited tunnel bandwidth. Bandwidth costs only apply to Workers/R2/other Cloudflare products.

**Q: cloudflared vs Tailscale?**
A: cloudflared exposes services to the public internet via Cloudflare edge. Tailscale creates a private mesh (devices talk to each other privately).
Complementary — many teams use Tailscale for internal access + cloudflared for public services.

## Sources

- GitHub: https://github.com/cloudflare/cloudflared
- Docs: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/
- Company: Cloudflare
- License: Apache-2.0

---

Source: https://tokrepo.com/en/workflows/071802a4-3859-11f1-9bc6-00163e2b0d79
Author: AI Open Source
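An added example, not from the original page or the cloudflared project: a small Python review aid for `ingress` rules like those in the `config.yml` above. It flags a missing catch-all, hostnames shadowed by an earlier rule, non-HTTP services (the database case from the FAQ) that should sit behind Access, and `noTLSVerify`. The sample config, the finding names and the flat parser are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit
# Constructed sample: two of the page's ingress rules plus db/internal/duplicate entries.
SAMPLE = """\
ingress:
  - hostname: myapp.example.com
    service: http://localhost:3000
  - hostname: api.example.com
    service: http://localhost:8080
    originRequest:
      noTLSVerify: true
  - hostname: db.example.com
    service: tcp://localhost:5432
  - hostname: internal.example.com
    service: https://10.0.0.5:8443
    originRequest:
      noTLSVerify: true
  - hostname: myapp.example.com
    service: http://localhost:9000
"""

def parse_ingress(text):
    """Read only the flat 'key: value' subset shown above; not a general YAML parser."""
    rules = []
    for raw in text.splitlines():
        m = re.match(r"(- )?([\w-]+):\s*(.*)$", raw.split(" #")[0].strip())
        if m and m.group(1):
            rules.append({})                    # "- " starts a new rule
        if m and rules and m.group(3):
            rules[-1][m.group(2)] = m.group(3)  # originRequest keys are flattened
    return rules

def audit(rules):
    """Return (hostname, finding) pairs; noTLSVerify is unsafe on https, moot on http."""
    out, seen = [], set()
    if not rules or "hostname" in rules[-1]:
        out.append((None, "no-catch-all"))      # last rule must be hostname-less
    for r in rules:
        host, scheme = r.get("hostname"), urlsplit(r.get("service", "")).scheme
        if host in seen:
            out.append((host, "shadowed"))      # rules match top to bottom, first wins
        seen.add(host)
        if scheme in ("ssh", "tcp", "rdp"):
            out.append((host, "needs-access-policy"))  # confirm an Access app covers it
        if r.get("noTLSVerify") == "true":
            out.append((host, "cert-unverified" if scheme == "https" else "plaintext-origin"))
    return out

print(*audit(parse_ingress(SAMPLE)), sep="\n")
```

cloudflared's own `cloudflared tunnel ingress validate` checks rule syntax; the findings here are review heuristics on top of that, and whether an Access application actually exists has to be confirmed in the Zero Trust dashboard.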