Cloudflare Tunnel

Sahil Kapoor's Playbook May 17, 2026

Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only encrypted connection from your server to Cloudflare's edge. Your origin server makes the connection out; Cloudflare routes incoming requests to it. There are no inbound ports, no dynamic DNS, and no exposed server IP: your server is completely hidden behind Cloudflare.

How It Works

  1. Install cloudflared (the tunnel daemon) on your server
  2. Authenticate with your Cloudflare account: cloudflared tunnel login
  3. Create a tunnel: cloudflared tunnel create my-app
  4. Configure routing (which hostname routes to which local port)
  5. Run the tunnel: cloudflared tunnel run my-app

Cloudflare issues you a unique subdomain (e.g., randomstring.cfargotunnel.com) and you can CNAME your own domain to it. Traffic flows: browser → Cloudflare edge → encrypted tunnel → cloudflared → local service.
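
Step 4 (routing) is done in cloudflared's config.yml. The file below is an added example, not part of the original page: the hostnames, ports and file location are assumptions, and <TUNNEL-UUID> is a placeholder for the ID printed by step 3.

```yaml
# /etc/cloudflared/config.yml  (assumed location; cloudflared also looks in ~/.cloudflared/)
tunnel: <TUNNEL-UUID>                                   # placeholder: ID from `cloudflared tunnel create my-app`
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # secret written by step 3; keep it readable only by the daemon user

ingress:
  # Rules are evaluated top to bottom; the first match handles the request.
  # Each service listens on loopback only, so it is reachable through the
  # tunnel and not directly from the network. The host firewall can then
  # deny all inbound traffic.
  - hostname: app.example.com        # assumed hostname
    service: http://127.0.0.1:8080   # assumed local port
  - hostname: hooks.example.com      # assumed hostname
    service: http://127.0.0.1:9000   # assumed local port
  # Mandatory catch-all: it must be last and have no hostname. Requests for
  # any hostname not listed above get a 404 instead of reaching a local service.
  - service: http_status:404

# Point each hostname at the tunnel (creates the CNAME described above):
#   cloudflared tunnel route dns my-app app.example.com
#   cloudflared tunnel route dns my-app hooks.example.com
# Check the rules before running the tunnel:
#   cloudflared tunnel ingress validate
#   cloudflared tunnel ingress rule https://app.example.com   # shows which rule matches this URL
```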

What It Solves

  • NAT traversal: exposes a service on a home network or private cloud without router configuration
  • No static IP required: the tunnel reconnects even if your ISP changes your IP
  • DDoS protection: Cloudflare absorbs attacks before they reach your origin
  • TLS termination: Cloudflare handles HTTPS certificates automatically
  • Zero Trust access: combine with Cloudflare Access for identity-based access control (no VPN needed)

Cloudflare Tunnel vs Tailscale

Tailscale connects devices in a private mesh for SSH, database connections, and internal APIs. Cloudflare Tunnel exposes a service to the public internet for web apps, webhooks, and public APIs. For internal-only access, use Tailscale; for public-facing services on a private machine, use Cloudflare Tunnel. Many teams use both.

Cloudflare Tunnel vs Traefik/Nginx

Traefik and Nginx are reverse proxies that route traffic between services; they assume you already have inbound connectivity. Cloudflare Tunnel solves the connectivity problem so you don't need open ports for those proxies to receive traffic.

Use Cases

  • Expose a local dev server to share with clients or for webhook testing
  • Run a web service on a home server without ISP restrictions on port 80/443
  • Secure access to internal tools with Cloudflare Access (SSO, MFA), without a VPN
  • Multi-origin load balancing and failover via Cloudflare Load Balancing

Related Terms

  • Tailscale: private mesh networking (vs public exposure)
  • Traefik: reverse proxy that pairs well with tunnels for internal routing
  • Caddy: web server with automatic HTTPS; often used alongside Cloudflare Tunnel
  • WireGuard: alternative tunnel protocol for lower-level connectivity
