Setting up a Cloudflare Tunnel provides a secure way to remotely access devices on your home network without exposing them directly to the public internet. This guide covers how to set up a Cloudflare Tunnel on a Raspberry Pi to access it from anywhere while keeping the connection encrypted.
Why Set Up a Tunnel?
Exposing devices directly can leave them vulnerable to attacks. A Cloudflare Tunnel establishes an outbound-only connection from your device to the Cloudflare network. This prevents unwanted access while enabling you to securely connect through Cloudflare’s network.
Some key benefits of using a tunnel include:
- Security – Encrypts connections and hides device IP addresses.
- Remote Access – Enables accessing home devices remotely through the secured tunnel.
- Ease of Use – Setting up tunnels is quick and doesn’t require changing routers or firewall rules.
Before getting started, make sure you have the following ready:
- Raspberry Pi OS installed on your Raspberry Pi. The latest Bullseye release is recommended.
- Your Raspberry Pi connected to your home network with internet connectivity.
- A Cloudflare account created and a domain added. You’ll use this in tunnel creation steps.
Step 1 – Install cloudflared
cloudflared is the software that will create a tunnel from your Raspberry Pi to Cloudflare’s edge. SSH into your Pi and run the following to install it:
sudo apt update
sudo apt install cloudflared
When prompted, press Y to confirm installing cloudflared. The latest version will be installed with all dependencies handled automatically.
Step 2 – Authenticate cloudflared
Run the following command to authenticate cloudflared with your Cloudflare account. Simply follow the login prompt:
cloudflared tunnel login
This will create a certificate file that will allow this device to create tunnels associated with your Cloudflare account.
Step 3 – Create a Tunnel
Now we can create a tunnel with this command:
cloudflared tunnel create <TUNNEL_NAME>
Replace <TUNNEL_NAME> with a name for your tunnel, like raspberrypi.
Make note of the Tunnel ID, Tunnel Secret and Tunnel Name that get returned in the command output after running the above command. We’ll need those soon.
Step 4 – Configure Tunnel Routing
To route traffic to a service running on your Raspberry Pi, create a YAML file named tunnel.yml with content like this:
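tunnel: TUNNEL_ID
credentials-file: /home/pi/.cloudflared/TUNNEL_ID.json
ingress:
  - hostname: ssh.mydomain.com
    service: ssh://localhost:22
  - service: http_status:404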
Replace TUNNEL_ID with your tunnel ID and TUNNEL_NAME with the name you chose previously.
This config will route ssh.mydomain.com traffic to your Pi’s SSH server on port 22. You can add additional services by adding items like the SSH ingress above.
Step 5 – Run the Tunnel
Start your tunnel with this command, using your config file:
cloudflared tunnel --config tunnel.yml run
You’ll see cloudflared output logs as it connects and starts routing traffic. Your tunnel is now online!
Step 6 – Connecting to Tunneled Services
You can now connect to your tunneled SSH server using ssh.mydomain.com, with traffic encrypted through Cloudflare’s network automatically. No need to expose SSH directly or manually manage firewall rules.
This works for any other services added to tunnel.yml. Subdomains get TLS certificates issued automatically from Cloudflare as part of the tunnel setup.
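Before starting the tunnel, it is worth checking the two things in tunnel.yml that matter most for security: the credentials file holding the tunnel secret should not be readable by other users on the Pi, and the ingress list should end in a catch-all rule so unmatched hostnames get the 404 instead of reaching a local service. The script below is an added example, not part of the original guide or of cloudflared; the function name check_tunnel_config is hypothetical and the parsing assumes the flat config layout shown in Step 4.

```bash
#!/usr/bin/env bash
# Added example: pre-flight lint for tunnel.yml. Line-based parsing that
# assumes the flat layout used in this guide; it is not a full YAML parser.

check_tunnel_config() {
    local cfg="$1" problems=0 cred

    # 1. The tunnel ID must be set.
    if ! grep -Eq '^tunnel:[[:space:]]*[^[:space:]]' "$cfg"; then
        echo "missing 'tunnel:' key"; problems=$((problems + 1))
    fi

    # 2. The credentials file holds the tunnel secret: it must exist and
    #    carry no permission bits for group or others (e.g. mode 600).
    cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg" | head -n 1)
    if [ -z "$cred" ] || [ ! -f "$cred" ]; then
        echo "credentials file not set or not found"; problems=$((problems + 1))
    elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
        echo "credentials file is accessible to group/others"
        problems=$((problems + 1))
    fi

    # 3. Every ingress rule needs a service, and the last rule must be a
    #    catch-all (a service with no hostname).
    awk '
        /^ingress:/                  { in_ing = 1; next }
        in_ing && /^[^[:space:]#-]/  { in_ing = 0 }   # next top-level key
        in_ing && /^[[:space:]]*-/   { n++; host[n] = 0; svc[n] = 0 }
        in_ing && /hostname:/        { host[n] = 1 }
        in_ing && /service:/         { svc[n] = 1 }
        END {
            bad = 0
            if (n == 0) { print "no ingress rules"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!svc[i]) { print "ingress rule " i " has no service"; bad = 1 }
            if (n > 0 && host[n]) { print "last ingress rule is not a catch-all"; bad = 1 }
            exit bad
        }' "$cfg" || problems=$((problems + 1))

    [ "$problems" -eq 0 ]
}

# Lint the file given as the first argument, if any.
if [ -n "${1:-}" ]; then check_tunnel_config "$1"; fi
```

cloudflared's own `cloudflared tunnel ingress validate` command checks ingress rule syntax; the lint above adds the credentials-file permission check on top of that.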
- Cloudflare tunnels provide secure remote access to home devices and services.
- Install cloudflared and authenticate it with your Cloudflare account.
- Create tunnels with hostnames and route traffic to local services.
- Manage tunnels easily instead of configuring firewalls.
Setting up Cloudflare tunnels only takes a few quick commands but provides immense security and remote access benefits for your Raspberry Pi and other devices.
Cloudflare’s tunnel functionality makes exposing local development servers publicly straightforward while prioritizing security. Following the steps outlined here, you can have an encrypted tunnel configured within minutes on any Raspberry Pi.
Some personal use cases include securely accessing a home media server, connecting to home automation tools like Zigbee2MQTT, or even just monitoring a pet webcam. Possibilities expand even further by routing multiple subdomains to any number of local services.
Experiment with Cloudflare tunnel creation using a free-tier Cloudflare account. Use the cloudflared tool to set up encrypted tunnels within minutes and take your homelab or network projects to the next level with worldwide accessibility.
Frequently Asked Questions
- What are the benefits of using a Cloudflare Tunnel?
Cloudflare Tunnels provide secure remote access to services and devices without exposing them directly to the public internet. Traffic is encrypted through Cloudflare’s network and your home IP address stays hidden.
- How many tunnels can I create?
Cloudflare’s free plan allows you to create up to 5 tunnels with randomized hostnames assigned. Paid plans allow for unlimited tunnels using your own hostnames.
- Does Cloudflare Access work with tunnels?
Yes, you can authenticate user logins through Cloudflare Access to add an extra layer of security on top of your tunnels.
- Do I need to configure my router or firewall for tunnels to work?
No, tunnels only require outbound HTTP connections to Cloudflare. No incoming ports need to be opened, making setup much easier.
- Can anyone create tunnels to my Cloudflare account?
No, only devices that have authenticated with cloudflared login and have the certificate can create associated tunnels. You explicitly allow which devices have access.
- What happens if my home IP changes?
Tunnels will automatically reconnect if your home IP changes. Hostnames and routing config all stay the same – no changes needed.
- Is there a way to monitor tunnel stats and analytics?
Yes, Cloudflare provides graphs of bandwidth usage and request counts over time for each tunnel in your account’s analytics.
- Can I use tunnels for non-HTTP services like SSH?
Yes! You can route nearly any TCP-based service like SSH through a tunnel by specifying the service host in your tunnel.yml.
- Do tunnels add much overhead or latency to connections?
No, in testing tunnels only add 1-2ms of round-trip latency in most cases. Performance impact is generally unnoticeable for most applications.
- Is there an officially supported cloudflared package for the Raspberry Pi OS?
Yes, Cloudflare provides an officially maintained cloudflared package available from the standard Raspbian package repositories used here.
- What versions of cloudflared are available?
Packages are offered for a wide range of platforms like Debian/Ubuntu, RHEL/CentOS, Arch, and also macOS and Windows, as well as a standalone binary.
- Can I reuse my tunnel config across multiple devices?
Yes, you can run the same tunnel.yml file on as many devices as you’d like, keeping ingress rules in sync. The config isn’t tied to any specific device.
- Do I need a paid Cloudflare account to use tunnels?
No, tunnels are included free as part of Cloudflare’s free plan. Paid plans offer additional flexibility with an unlimited number of tunnels.
- What protocols does Cloudflare support for tunneling?
In addition to HTTP/HTTPS, other TCP-based protocols like SSH, RDP, SMB and more can be tunneled by specifying the service host type.