Lab: Deploy a Cloudflare Tunnel
Publish an internal dashboard to the internet with Zero Trust policies and no port forwards.
Difficulty: Beginner
Time: 25 minutes
Prerequisites:
- Cloudflare account with a domain
- One internal service running (HTTP)
- SSH or shell access to the host
Step 1: Create a Tunnel in Cloudflare
- Go to Zero Trust > Networks > Tunnels > Create.
- Name it (e.g., homelab-hq) and copy the install command.
- Choose Docker or systemd depending on your host.
Step 2: Install cloudflared
On the host where the service runs:
curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
sudo cloudflared service install <TOKEN_FROM_UI>
Verify:
sudo systemctl status cloudflared
Step 3: Route Traffic
- Add a Public Hostname in the tunnel UI (e.g., dash.example.com).
- Service type: HTTP. URL: http://localhost:3000 (or your internal port).
- Save. Cloudflare will create a DNS CNAME pointing to the tunnel endpoint.
Step 4: Lock It Down
- Zero Trust > Access > Applications: Add your hostname.
- Policy: Require One-Time Pin or your IdP (Google/Microsoft).
- Optional: Add country/IP allowlists for more control.
Visit the hostname from an external network. You should see the Access prompt, then your service.
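The external check above can also be scripted so it is repeatable for every published hostname. This is an added example, not part of the original lab; it assumes that Access answers an unauthenticated request with a redirect to a login URL under <team>.cloudflareaccess.com, and the function names and sample headers are hypothetical.

```shell
#!/bin/sh
# Added example: check that a tunnelled hostname is gated by Cloudflare Access.
# Assumption: an unauthenticated request to an Access-protected hostname is
# redirected to a login URL under <team>.cloudflareaccess.com.

# classify_access_response (hypothetical helper): reads raw HTTP response
# headers on stdin and prints one of:
#   gated   - redirect to an Access login page
#   exposed - origin answered 2xx with no Access challenge
#   unknown - anything else (tunnel down, unrelated redirect, error)
classify_access_response() {
  awk '
    { sub(/\r$/, "") }                          # strip CR from CRLF headers
    /^HTTP\// { status = $2; loc = "" }         # status line
    tolower($0) ~ /^location:/ { loc = $2 }     # header names vary in case
    END {
      if (status ~ /^30[1237]$/ && loc ~ "^https://[^/]+\\.cloudflareaccess\\.com/")
        print "gated"
      else if (status ~ /^2/)
        print "exposed"
      else
        print "unknown"
    }'
}

# check_host (hypothetical helper): fetch only the response headers, sending
# no cookies or tokens, so the result is what an anonymous visitor gets.
check_host() {
  curl -sS --max-time 10 -o /dev/null -D - "https://$1/" | classify_access_response
}

# Constructed sample headers (not captured from a real deployment).
SAMPLE_GATED='HTTP/2 302
location: https://exampleteam.cloudflareaccess.com/cdn-cgi/access/login/dash.example.com
'
SAMPLE_EXPOSED='HTTP/1.1 200 OK
Content-Type: text/html
'

# Usage: sh check_access.sh dash.example.com [more hostnames...]
for host in "$@"; do
  printf '%s: %s\n' "$host" "$(check_host "$host")"
done
```

Run it from a network outside your LAN. A result of exposed for any hostname means its Access application or policy from Step 4 is missing.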
Step 5: Health and Logs
- Check logs: journalctl -u cloudflared -f.
- Verify the tunnel shows “healthy” in the Cloudflare dashboard.
- Set the service to start at boot: sudo systemctl enable cloudflared.
Do not expose SSH or raw admin panels without Access policies. Keep everything behind Zero Trust.