IT Pro Tutorials 
For self-hosting enthusiasts looking for a secure way to expose local services to the internet, Cloudflare Tunnel is one of the best free options available today. It lets you make locally hosted services accessible on the web without opening any ports on your router—no NAT rules, no dynamic DNS headaches, and no VPN complexity.
What used to be a paid, bandwidth-metered feature is now completely free under Cloudflare’s Zero Trust platform. Whether you’re running a Plex server, a self-hosted dashboard, or an internal web app, Cloudflare Tunnel creates an encrypted outbound connection from your machine to Cloudflare’s edge network. Traffic flows through their infrastructure, so your origin IP stays hidden and your services get DDoS protection for free.
In this guide, I’ll walk you through the full setup—from adding your domain to Cloudflare, to installing the cloudflared connector, to exposing your first service. The whole process takes about 15 minutes.
Prerequisites
You’ll need two things to get started:
- A domain name you own (e.g.
example.com). Cloudflare must be the authoritative DNS provider for the domain—subdomains alone won’t work. If you don’t have one yet, domains like.ovhor.xyzare cheap options. - A Linux machine (Ubuntu 22.04+ or Debian 12+ recommended) running the service you want to expose. This can be a VM, a Proxmox container, a Raspberry Pi, or a VPS—anything with outbound internet access.
You’ll also need a free Cloudflare account.
Step 1: Add your domain to Cloudflare
Head to the Cloudflare Dashboard and click Add a site. Enter your domain and select the Free plan. Cloudflare will scan your existing DNS records and give you two nameservers to configure at your registrar.
Once the nameserver change propagates (usually a few minutes to a few hours), your domain will show as Active in the Cloudflare dashboard.
Step 2: Create a tunnel
Navigate to the Zero Trust dashboard at one.dash.cloudflare.com. From the sidebar, go to Networks > Tunnels and click Create a tunnel.
- Select Cloudflared as the connector type.
- Give your tunnel a name (e.g.
homelab). - Cloudflare will display an install command for your OS. For Debian/Ubuntu, it looks like this:
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
sudo cloudflared service install YOUR_TOKENRun these commands on your machine. Once the connector is installed and running, you’ll see it appear as Connected in the Cloudflare dashboard.
Step 3: Route traffic to your service
Now add a public hostname to your tunnel. This maps a domain (or subdomain) to a local service on your machine.
For example, to expose an Apache web server running on port 80:
- Subdomain:
site1(or leave blank for the root domain) - Domain: your Cloudflare-managed domain
- Type:
HTTP - URL:
localhost:80
Click Save tunnel. Within seconds, your service will be live at https://site1.yourdomain.com. Cloudflare automatically provisions an SSL certificate, so your visitors get HTTPS out of the box.
Exposing HTTPS services with self-signed certificates
If your local service uses HTTPS with a self-signed certificate (common with tools like Proxmox, Portainer, or Unifi), set the Type to HTTPS and expand Additional application settings > TLS. Enable No TLS Verify to tell cloudflared to skip certificate validation on the origin.
SSL/TLS configuration tips
Back in the main Cloudflare Dashboard, go to your domain’s SSL/TLS settings:
- Set the encryption mode to Full if your origin serves HTTPS (even self-signed). Use Flexible only if your origin is plain HTTP.
- Under Edge Certificates, enable Always Use HTTPS to automatically redirect HTTP visitors to HTTPS.
- Enable Automatic HTTPS Rewrites to fix mixed-content issues on your pages.
Adding more services
The real power of Cloudflare Tunnel is running multiple services through a single connector. Just add more public hostnames to the same tunnel—each one maps a different subdomain to a different local port:
plex.yourdomain.com→localhost:32400portainer.yourdomain.com→https://localhost:9443(with No TLS Verify)ssh.yourdomain.com→ssh://localhost:22
No additional ports to open, no firewall rules to maintain. Each service gets its own subdomain with a free SSL certificate.
Wrapping up
Cloudflare Tunnel is one of the most underrated tools in the self-hosting toolkit. It gives you secure, encrypted access to your local services without exposing your home IP, without port forwarding, and without paying a cent. Combined with Cloudflare’s built-in DDoS protection and edge caching, it’s hard to beat for the price.
If you’re running a homelab or exposing internal tools for a small team, this should be one of the first things you set up.
