Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
I don’t like to run Cloudflare Tunnel in a container because the Docker networks in every stack then have to be modified to give the tunnel access. Instead, I run the tunnel on bare metal and update it with a cron job when necessary. This is even easier than a Docker Compose file.
Open a free account on Cloudflare and secure a domain name. This will cost money, but not much. I pay about 66 cents per month for mine. Once you have an account and a domain name, you need to build a tunnel:
Optionally, you can check the box in Network Configuration for Host Network if you want your tunnel to be able to access anything that is not on your TrueNAS server, like your router or other computers on your network.
To add apps to your tunnel, log in to Cloudflare.com and click the Zero Trust link in the left panel > Access > Tunnels. Find the tunnel you just created, click the 3 dots at the right end of the row, and click Configure. Follow the Adding Endpoints section below to add apps from TrueNAS.
```yaml
services:
  cloudflared:
    command: tunnel --no-autoupdate run --token <token_goes_here>
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    container_name: tunnel
```
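For the bare-metal approach described above (cloudflared on the host, refreshed from cron instead of via the Compose file), the following is an added example script, not code from the original post or from Cloudflare. It assumes a Linux amd64 host, the binary at /usr/local/bin/cloudflared, the systemd unit `cloudflared` created by `cloudflared service install <token>`, and Cloudflare’s GitHub release download URL; the version-parsing and comparison helpers are pure shell so they can be checked without network access. The downloaded binary is only swapped in after it executes `--version` successfully, and the swap is a rename on the same filesystem so a half-written binary is never left in place.

```shell
#!/bin/sh
# Added example (not from the original post): keep a bare-metal cloudflared
# current from cron. Assumptions: Linux amd64, binary at /usr/local/bin/cloudflared,
# tunnel running as the systemd unit "cloudflared" (from `cloudflared service install <token>`).
set -eu

BIN="${CLOUDFLARED_BIN:-/usr/local/bin/cloudflared}"
RELEASE_URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64"

# Pull "2024.6.1" out of a line like "cloudflared version 2024.6.1 (built 2024-06-12-1234 UTC)".
parse_version() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Version of the installed binary, or empty if none is installed.
installed_version() {
    [ -x "$BIN" ] || { echo ""; return 0; }
    "$BIN" --version 2>/dev/null | awk '{print $3}'
}

# Return 0 when $1 is strictly newer than $2, comparing YEAR.MINOR.PATCH field by field.
# An empty "old" version (nothing installed) always counts as older.
version_newer() {
    new="$1"; old="$2"
    [ -z "$old" ] && return 0
    [ "$new" = "$old" ] && return 1
    i=1
    while [ "$i" -le 3 ]; do
        n=$(printf '%s' "$new" | cut -d. -f"$i"); o=$(printf '%s' "$old" | cut -d. -f"$i")
        n=${n:-0}; o=${o:-0}
        [ "$n" -gt "$o" ] && return 0
        [ "$n" -lt "$o" ] && return 1
        i=$((i + 1))
    done
    return 1
}

update_cloudflared() {
    # Temp file next to the target so the final mv is an atomic rename on one filesystem.
    tmp=$(mktemp "$(dirname "$BIN")/cloudflared.XXXXXX")
    curl -fsSL "$RELEASE_URL" -o "$tmp"
    chmod 0755 "$tmp"
    ver_line=$("$tmp" --version)        # aborts (set -e) if the download is not a working binary
    latest=$(parse_version "$ver_line")
    current=$(installed_version)
    if version_newer "$latest" "$current"; then
        mv -f "$tmp" "$BIN"
        systemctl restart cloudflared
        echo "cloudflared updated: ${current:-none} -> $latest"
    else
        rm -f "$tmp"
        echo "cloudflared already current ($current)"
    fi
}

# Constructed cron entry (add with `crontab -e` as root): Sundays at 04:15.
#   15 4 * * 0 /usr/local/bin/update-cloudflared.sh update
if [ "${1:-}" = "update" ]; then
    update_cloudflared
fi
```

Save it as /usr/local/bin/update-cloudflared.sh, make it executable, and give the cron entry the `update` argument; invoking the script without an argument only defines the functions, which is what lets the helpers be tested offline.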
The next section allows you to Add public hostnames for your tunnel. This is where you specify what the tunnel connects to. Every service on your network you want to connect to over the internet needs to be added here.
| Field | Value |
|---|---|
| Subdomain | this is where you would name your service |
| Domain | the domain name you just bought |
| Path | leave this blank |
| Service Type | usually http |
| URL | IP address of the service |
This is an example for a bogus tunnel named “test” that points to my Emby container running at 192.168.1.20 on port 9096, under a bogus domain “mydomain.com”.
This example entry would create an endpoint in my existing tunnel. Now if I navigated to emby.mydomain.com in my web browser I would be routed to my Emby server in my home.
Do not, under any circumstances, use tunnels to stream media!
It is against Cloudflare’s Terms of Service to stream video through their tunnels. The better way to do this if you want to stream remotely is to use an unproxied DNS entry in Cloudflare for your domain and then port forward from your router to your container. Assuming you are using Emby, this would be a port forward on the router for port 8096 to the IP address of your server to port 8096. See screenshot below as an example:
Example configuration on Verizon FiOS Router