---
title: Secure Remote Access with Cloudflare Tunnels
description: How to set up Cloudflare Tunnels for secure remote access to your home lab services
pubDate: 2025-04-19
heroImage: /blog/images/posts/prometheusk8.png
category: networking
tags:
  - cloudflare
  - networking
  - security
  - homelab
  - tunnels
readTime: 7 min read
---

# Secure Remote Access with Cloudflare Tunnels

Cloudflare Tunnels provide a secure way to expose your locally hosted applications and services to the internet without opening ports on your firewall or requiring a static IP address. This guide shows how to set up Cloudflare Tunnels to securely access your home lab services from anywhere.

## Why Use Cloudflare Tunnels?

- **Security**: No need to open ports on your firewall; cloudflared only makes outbound connections to Cloudflare
- **Simplicity**: Works behind CGNAT, dynamic IPs, and complex network setups
- **Performance**: Traffic routed through Cloudflare's global network
- **Zero Trust**: Integrate with Cloudflare Access for authentication

## Prerequisites

- A Cloudflare account
- A domain managed by Cloudflare
- Docker installed (for containerized deployment)
- Services you want to expose (e.g., web apps, SSH, etc.)

## Setting Up Cloudflare Tunnels

### 1. Install cloudflared

You can install cloudflared using Docker:

```bash
docker pull cloudflare/cloudflared:latest
```

Or directly on your system:

```bash
# For Debian/Ubuntu
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

# For other systems, visit: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation
```

### 2. Authenticate cloudflared

Run the following command to authenticate:

```bash
cloudflared tunnel login
```

This opens a browser window where you log in to your Cloudflare account and select the domain you want to use with the tunnel.

### 3. Create a Tunnel

Create a new tunnel with a meaningful name:

```bash
cloudflared tunnel create homelab
```

This will generate a tunnel ID and credentials file at `~/.cloudflared/`.

### 4. Configure your Tunnel

Create a config file at `~/.cloudflared/config.yml`:

```yaml
# <TUNNEL_ID> is a placeholder: use the tunnel ID generated in step 3
tunnel: <TUNNEL_ID>
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json

ingress:
  # Dashboard application
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
  # Grafana service
  - hostname: grafana.yourdomain.com
    service: http://localhost:3000
  # SSH service
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  # Catch-all rule, which responds with 404
  - service: http_status:404
```

Rules are evaluated from top to bottom and the first match wins, so the catch-all rule must stay last.

### 5. Route Traffic to Your Tunnel

Configure DNS records to route traffic to your tunnel:

```bash
cloudflared tunnel route dns homelab dashboard.yourdomain.com
cloudflared tunnel route dns homelab grafana.yourdomain.com
cloudflared tunnel route dns homelab ssh.yourdomain.com
```

### 6. Start the Tunnel

Run the tunnel:

```bash
cloudflared tunnel run homelab
```

For production deployments, you'll want to set up cloudflared as a service:

```bash
# For systemd-based systems
sudo cloudflared service install
sudo systemctl start cloudflared
```

## Docker Compose Example

For a containerized deployment, create a `docker-compose.yml` file:

```yaml
version: '3.8'

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # Treat the token as a secret: anyone who holds it can run this tunnel
      - TUNNEL_TOKEN=your_tunnel_token
    volumes:
      - ~/.cloudflared:/etc/cloudflared
```

## Security Considerations

- Store your credentials file safely; it provides full access to your tunnel
- Consider using Cloudflare Access for additional authentication
- Regularly rotate credentials and update cloudflared

## Advanced Configuration

### Zero Trust Access

You can integrate Cloudflare Tunnels with Cloudflare Access to require authentication:

```yaml
ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      # noTLSVerify only applies to HTTPS origins, where it disables
      # verification of the origin's certificate. It has no effect on this
      # http:// origin and does not enable Access.
      noTLSVerify: true
```

Then, create an Access application in the Cloudflare Zero Trust dashboard to protect this hostname. The ingress rule on its own does not enforce authentication: until the Access application and its policy exist, the hostname is reachable by anyone.

### Health Checks

Configure health checks to ensure your services are running:

```yaml
ingress:
  - hostname: dashboard.yourdomain.com
    service: http://localhost:8080
    originRequest:
      # Confirm these option names against the originRequest parameters
      # supported by your cloudflared version before relying on them
      healthCheckEnabled: true
      healthCheckPath: /health
```

## Conclusion

Cloudflare Tunnels provide a secure, reliable way to access your home lab services remotely without exposing your home network to the internet. With the setup described in this guide, you can securely access your services from anywhere in the world.
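
The ingress rules from step 4 and the `noTLSVerify` setting shown under Zero Trust Access can be reviewed before a tunnel is started. The following is an added example, not part of the original guide or of cloudflared: it audits an ingress list that has already been parsed from `config.yml` (for instance with a YAML library), and the helper name `audit_ingress` and the sample rules are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the step 4 rules with three deliberate problems added
# (HTTPS origin with noTLSVerify, SSH origin, and a duplicated hostname).
SAMPLE = {"ingress": [
    {"hostname": "dashboard.yourdomain.com", "service": "http://localhost:8080"},
    {"hostname": "grafana.yourdomain.com", "service": "https://localhost:3000",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "ssh.yourdomain.com", "service": "ssh://localhost:22"},
    {"hostname": "dashboard.yourdomain.com", "service": "http://localhost:9090"},
    {"service": "http_status:404"},
]}

def audit_ingress(config):
    """Hypothetical helper: return (rule_index, finding) tuples for an ingress list."""
    rules = config.get("ingress") or []
    if not rules:
        return [(-1, "no ingress rules defined")]
    findings, seen, last = [], set(), len(rules) - 1
    # cloudflared expects the final rule to match everything (no hostname or path).
    if rules[last].get("hostname") or rules[last].get("path"):
        findings.append((last, "last rule must be a catch-all without hostname or path"))
    for i, rule in enumerate(rules):
        host, path = rule.get("hostname"), rule.get("path")
        origin = rule.get("originRequest") or {}
        scheme = urlsplit(str(rule.get("service", ""))).scheme
        # Rules are matched top to bottom, so anything after a match-all is dead.
        if not host and not path and i != last:
            findings.append((i, "catch-all before the end; later rules never match"))
        if host and (host, path) in seen:
            findings.append((i, f"{host} already matched by an earlier rule; this one never runs"))
        seen.add((host, path))
        if origin.get("noTLSVerify") is True:
            effect = ("origin certificate is not verified" if scheme == "https"
                      else "no effect on a non-HTTPS origin")
            findings.append((i, f"noTLSVerify: {effect}"))
        if scheme in {"ssh", "rdp", "tcp"}:
            findings.append((i, f"{scheme} origin published; confirm an Access policy covers {host}"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_ingress(SAMPLE):
        print(f"rule {index}: {finding}")
```

An empty result means none of these checks fired; it does not confirm that an Access policy exists, which still has to be verified in the Zero Trust dashboard.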