Cloudflare Tunnels
Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address.
If you're hosting a service in your home lab that you want to make publicly accessible, Cloudflare Tunnels are perfect for you.
Please keep in mind the security risks of exposing services from your local machine to the public internet.
Prerequisites
- Cloudflare domain or a domain using Cloudflare DNS
- Service hosted on RPi locally that you want exposed publicly
Install
Always begin installs with an update and upgrade.
sudo apt update
sudo apt upgrade
Ensure curl and lsb-release are installed.
sudo apt install curl lsb-release
Setup Repo
Install Cloudflare's official GPG key, then add the repository and refresh the package index.
curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update
Install Cloudflared CLI
We will utilize the cloudflared service.
sudo apt install cloudflared
Authenticate Cloudflared CLI
cloudflared tunnel login
Create Tunnel
Now we can create a Cloudflare tunnel since we are authenticated.
Replace "TUNNELNAME" with your preferred tunnel name. Ex: rpi-home-lab
cloudflared tunnel create TUNNELNAME
You will see output similar to that below. Copy down the UUID for later.
Tunnel credentials written to /home/pi/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel pimytunnel with id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Confirm tunnel was created
cloudflared tunnel list
Route Tunnel
Route your domain to the tunnel. This creates a DNS record that points the hostname at the tunnel.
cloudflared tunnel route dns TUNNELNAME your-domain.com
OR route as a subdomain to your domain
cloudflared tunnel route dns TUNNELNAME sub.your-domain.com
Cloudflared Config
Now we need to write the cloudflared config file, ~/.cloudflared/config.yaml. This is where that UUID you copied down earlier will come in handy.
- [TUNNELNAME] - Replace this with the name you chose for your tunnel.
- [USERNAME] - Replace with your user's name.
- [UUID] - You will need to set this as the UUID that you got when creating the tunnel.
- [HOSTNAME] - Put your domain hostname here that you just routed in the previous step.
- [PORT] - This will be the port that your local service is running on and you want accessible through the tunnel.
- [PROTOCOL] - This is the protocol for your service. Likely to be http or https.
tunnel: [TUNNELNAME]
credentials-file: /home/[USERNAME]/.cloudflared/[UUID].json
ingress:
  - hostname: [HOSTNAME]
    service: [PROTOCOL]://localhost:[PORT]
  - service: http_status:404
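Before installing the service, it is worth checking two things in this config: that the credentials file it points to is readable only by its owner (the cloudflared output above says to keep it secret), and that the ingress list ends in a catch-all rule with no hostname. The shell function below is an added example, not part of the original guide or of cloudflared; the name audit_tunnel_config is made up for illustration, and it assumes an unquoted credentials-file path and block-style YAML like the config above.

```shell
#!/bin/sh
# Added example: pre-flight audit of a cloudflared config file.
# audit_tunnel_config is a hypothetical helper name, not a cloudflared command.
# Assumes an unquoted credentials-file path and block-style YAML as in this guide.
audit_tunnel_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    # 1. The credentials file named in the config must exist and be owner-only.
    cred=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg" | head -n 1)
    if [ -z "$cred" ] || [ ! -f "$cred" ]; then
        echo "FAIL: credentials-file not set or not found: ${cred:-<unset>}"
        rc=1
    elif [ "$(ls -ldL "$cred" | cut -c5-10)" != "------" ]; then
        # Characters 5-10 of the mode string are the group and other bits.
        echo "FAIL: $cred is accessible to group/other (fix: chmod 600)"
        rc=1
    fi

    # 2. The last ingress rule must be a catch-all: no hostname or path key.
    if ! awk '
        /^ingress:/                      { in_ing = 1; next }
        in_ing && /^[^ #-]/              { in_ing = 0 }   # next top-level key
        in_ing && /^ *- /                { rules++; matcher = 0 }
        in_ing && /^[ -]*(hostname|path):/ { matcher = 1 }
        END { exit !(rules > 0 && matcher == 0) }
    ' "$cfg"; then
        echo "FAIL: last ingress rule is not a catch-all such as http_status:404"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# Run directly as: sh audit.sh /home/pi/.cloudflared/config.yaml
if [ "$#" -gt 0 ]; then
    audit_tunnel_config "$1"
fi
```

The function returns 0 only when both checks pass, so it can gate the service install step in a provisioning script.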
Connect on Boot
We want the Cloudflared CLI to connect and run automatically on boot.
Install the service
sudo cloudflared --config ~/.cloudflared/config.yaml service install
Enable Cloudflared Service
sudo systemctl enable cloudflared
Start Service
You can reboot your RPi to start the service, or you can simply call systemctl start.
sudo systemctl start cloudflared
Conclusion
Well done! Your service should now be publicly accessible at the domain you specified!