Configs · April 14, 2026 · 1 min read

cloudflared — Cloudflare Tunnel Client for Exposing Services Without Opening Ports

cloudflared is the client daemon for Cloudflare Tunnel. Expose a local web app, SSH, or any TCP service to the internet through Cloudflare's edge — no public IP, no open ports, zero-trust access policies.

Introduction

cloudflared is Cloudflare's connector for Cloudflare Tunnel (formerly Argo Tunnel). It runs on your server, establishes outbound connections to Cloudflare's edge, and relays incoming requests through that tunnel to your local service. No inbound firewall rules, no public IP, no port forwarding.

With over 13,000 GitHub stars, cloudflared is the way millions of developers expose home labs, dev machines, and self-hosted apps without worrying about NAT, dynamic DNS, or DDoS. The free Cloudflare plan includes unlimited tunnel usage.

What cloudflared Does

cloudflared authenticates to Cloudflare, registers a tunnel, and keeps persistent outbound connections alive. Incoming requests hit Cloudflare's edge (e.g., https://yourapp.yourdomain.com), get matched to your tunnel by hostname, and are relayed to your local service. Cloudflare Access lets you layer on authentication (SSO, device posture, etc.).

Architecture Overview

[Public Internet]
    |
[Cloudflare Edge (DDoS protection, CDN, WAF, SSL)]
    |
    |<-- Cloudflare Access (SSO, MFA, posture checks)
    |
[Tunnel]
    |
[cloudflared daemon (your server)]
    |
[Local services]
   http://localhost:3000 (app)
   ssh://localhost:22 (admin)
   tcp://localhost:5432 (database for trusted users)

Self-Hosting & Configuration

# ~/.cloudflared/config.yml
tunnel: myapp-uuid-here
credentials-file: /root/.cloudflared/myapp-uuid-here.json

ingress:
  - hostname: myapp.example.com
    service: http://localhost:3000
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: api.example.com
    service: http://localhost:8080
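    originRequest:
      # noTLSVerify skips validation of the origin's TLS certificate; it only applies to https:// origins
      noTLSVerify: true
  - service: http_status:404      # catch-all rule (required last)

# Run as a systemd service
# The token is a credential for the tunnel; keep it out of shell history and version control
sudo cloudflared service install eyJhIjoi...long-token-from-dashboard
sudo systemctl enable --now cloudflared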

# Multiple instances for HA
# Run cloudflared on 2+ machines with the same config — Cloudflare load-balances

# Expose SSH through Access (zero-trust SSH, no public 22)
# 1. In Cloudflare Zero Trust dashboard, create an Access application for ssh.example.com
# 2. On client: cloudflared access ssh --hostname ssh.example.com --destination user@server
# 3. Or ~/.ssh/config ProxyCommand cloudflared access ssh --hostname %h
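
The following is an added example, not code from the original page or from the cloudflared project. It audits an ingress list like the one above for the points a reviewer would check before deployment: the catch-all must be last, noTLSVerify should be questioned, and non-HTTP origins should sit behind an Access application. It assumes the config has already been loaded into a dict by a YAML parser; the function name audit_ingress and the severity labels are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the config.yml above as a YAML parser would load it.
SAMPLE = {
    "tunnel": "myapp-uuid-here",
    "ingress": [
        {"hostname": "myapp.example.com", "service": "http://localhost:3000"},
        {"hostname": "ssh.example.com", "service": "ssh://localhost:22"},
        {"hostname": "api.example.com", "service": "http://localhost:8080",
         "originRequest": {"noTLSVerify": True}},
        {"service": "http_status:404"},
    ],
}

# Schemes that hand out raw protocol access rather than a web app.
NON_HTTP = {"ssh", "tcp", "rdp", "smb"}


def audit_ingress(config):
    """Return (severity, hostname, message) findings for the ingress rules."""
    rules = config.get("ingress") or []
    findings = []
    for i, rule in enumerate(rules):
        host = rule.get("hostname") or "*"
        catch_all = host == "*" and not rule.get("path")
        last = i == len(rules) - 1
        scheme = urlsplit(rule.get("service", "")).scheme
        if last and not catch_all:
            findings.append(("error", host, "last rule must be a catch-all"))
        if catch_all and not last:
            findings.append(("error", host, f"catch-all at index {i} shadows later rules"))
        if (rule.get("originRequest") or {}).get("noTLSVerify"):
            if scheme == "https":
                findings.append(("warn", host, "origin certificate is not validated"))
            else:
                findings.append(("info", host, "noTLSVerify only applies to https:// origins"))
        if scheme in NON_HTTP:
            findings.append(("review", host, f"{scheme} origin: confirm an Access application covers it"))
    return findings


if __name__ == "__main__":
    for severity, host, message in audit_ingress(SAMPLE):
        print(f"{severity:6} {host:18} {message}")
```
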

Key Features

  • Zero inbound ports — only outbound 443 from your server
  • Cloudflare edge benefits — DDoS protection, CDN, WAF, SSL automatic
  • Cloudflare Access — SSO, MFA, device posture on any service
  • HTTP, SSH, TCP, UDP, RDP, SMB — tunnel anything
  • Free tier — unlimited usage with a Cloudflare account
  • Multi-origin HA — run cloudflared on N machines, auto-balanced
  • TLS origin verification — encrypt from edge to your server
  • Systemd / Windows service / Docker — deploy everywhere

Comparison with Similar Tools

| Feature | cloudflared | ngrok | frp | Tailscale Funnel | headscale |
|---|---|---|---|---|---|
| Free tier | Unlimited | Limited | Self-host VPS | 20 devices | Self-host |
| Zero-trust auth | Yes (Access) | Paid | Manual | Via Tailscale ACLs | Limited |
| DDoS/WAF | Yes (CF edge) | Basic | No | No | No |
| SSL automatic | Yes | Yes | Via LE | Via LE | Via LE |
| Need a domain | Yes (on CF) | No | No | No | No |
| Best For | Custom domain + free tier | Quick dev tunnels | Full control | Private mesh + optional public | Self-hosted Tailscale |

FAQ

Q: Do I have to use Cloudflare for DNS?
A: For persistent tunnels with your own domain, yes — the domain must be on Cloudflare. For quick demos, use the free *.trycloudflare.com ephemeral URLs.

Q: Can cloudflared expose a database to the public?
A: You can, but don't. Put it behind Cloudflare Access with SSO + MFA + device posture, so only trusted users/devices can reach it.

Q: Is there a bandwidth cost?
A: Free tier includes unlimited tunnel bandwidth. Bandwidth costs only apply to Workers/R2/other Cloudflare products.

Q: cloudflared vs Tailscale?
A: cloudflared exposes services to the public internet via Cloudflare's edge. Tailscale creates a private mesh (devices talk to each other privately). The two are complementary: many teams use Tailscale for internal access and cloudflared for public services.
