Cloudflare Tunnel — The Complete Guide
The tunnel your VPS opens to Cloudflare, which gives it a public domain without a single open port
Cloudflare Tunnel (formerly known as Argo Tunnel, today simply 'Tunnel') is a fully free Cloudflare service that solves one of the biggest problems of a personal VPS: how to expose a service to the world without opening any ports, without worrying about DDoS, and without buying a static IP. The idea is brilliantly simple — instead of the internet connecting to your server, your server reaches out and creates a 'tunnel' to Cloudflare. All requests for your domain hit Cloudflare (which has a CDN of 300+ datacenters), and Cloudflare passes them through the tunnel to your server. The result: port 443 on your server stays hermetically sealed, but users get a working site with HTTPS, CDN, and DDoS protection — for free. For me (Elad), the domain `hub.eladjak.com` points in DNS to Cloudflare, and a small daemon called `cloudflared` running on my Hetzner VPS manages the tunnel. Every request to `hub.eladjak.com` goes through Cloudflare, enters via the tunnel, and reaches an internal nginx on port 80 — without any port being open on the server to the outside world. It is a paradigm shift: you've moved from 'how do I secure an open port' to 'there is no open port'.
How a reverse tunnel works
Who initiates the connection — and why it changes everything
The magic of Cloudflare Tunnel is that the direction of the connection is the reverse of the traditional one. In a regular setup, the internet connects to your server, which means you need an open port, a public IP, and a firewall strong enough to protect both. With a tunnel, your server is the one that initiates the connection to Cloudflare, exactly like a browser connecting to a website. The implication: your firewall only sees 'outbound' traffic (which firewalls allow by default), not 'inbound' traffic (which is the dangerous direction). All requests start at Cloudflare's CDN and travel through the open tunnel to the server, but no one on the internet can talk directly to the server. It is invisible.
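To check the "no inbound port" property on a server, the following added example (not part of the original guide) filters `ss -tlnH` output for TCP listeners bound to anything other than loopback. The function name `exposed_listeners`, its allow-list argument and the sample output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list TCP listeners that are NOT bound to loopback.
# Behind a tunnel, origin services (e.g. nginx on port 80) only need to
# listen on 127.0.0.1, because cloudflared connects to them locally.
# Real usage:  ss -tlnH | exposed_listeners 22

# $1 = optional comma-separated ports to ignore (hypothetical allow-list).
exposed_listeners() {
  awk -v allow=",${1:-}," '
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      sub(/%.*/, "", addr)                   # drop scope suffix such as %lo
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
      if (index(allow, "," port ",")) next           # explicitly allowed
      print addr ":" port
    }'
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 128  127.0.0.1:20241  0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 511  [::1]:3000       [::]:*'

# Prints 0.0.0.0:80 (nginx bound to every interface, so only the
# firewall stands between it and the internet; bind it to 127.0.0.1).
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 22
```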
Install: from zero to a live domain in 5 minutes
Step-by-step on Ubuntu/Debian
Installing Cloudflare Tunnel is among the fastest setups in DevOps. You need: a domain managed by Cloudflare (moving nameservers takes ~24h, but it's free), a Cloudflare account (free), and a VPS with sudo access. Everything is done via CLI, and after the first activation `systemd` handles auto-start.
config.yml: advanced routing
Same tunnel — hundreds of services if you want
config.yml is the file that defines the tunnel's behavior. You can route by hostname (like domains in nginx), by path, or by both. For me, a single tunnel serves 10+ different domains, each one going to a different Docker container.
Cloudflare Access: zero-trust without VPN
Require auth before reaching the application at all
Cloudflare Access is the Tunnel extension that turns it into a zero-trust gateway. Instead of your application handling login, Cloudflare itself requires the user to authenticate (via Google, GitHub, enterprise SSO, or an email one-time PIN), and only if they pass does the request reach your service. The free tier includes 50 users, which makes it perfect for private dashboards, admin panels, or dev tools you want to be reachable from anywhere but only by you.
Practical use cases
Not just for exposing public sites
Cloudflare Tunnel is powerful any time you need to expose something internal to the world. Here are the most common uses I've seen in my own work and with clients.
Alternatives: ngrok, Tailscale, FRP
When to pick which
Cloudflare Tunnel isn't alone in the market, but it has the most generous free tier and the easiest setup for a VPS that serves web traffic. Here's a comparison to the popular alternatives.
