
Setting Up Cloudflare Tunnel

Jun 19, 2026 | 22 min read

Setting up Cloudflare Tunnel (Argo Tunnel) on a VPS: Secure Access to Local Services

TL;DR

In this detailed guide, we will configure Cloudflare Tunnel (formerly known as Argo Tunnel) on your VPS step by step to provide secure and private access to your internal services (web servers, SSH, databases) without the need to open ports on your firewall or have a public IP address. You will learn how to install and configure the `cloudflared` daemon, create tunnels, and route traffic through Cloudflare's secure global network, significantly enhancing the security and ease of managing access to your applications.

  • Secure Access: Your services are accessible via Cloudflare, not directly from the internet, hiding your actual IP address and protecting against direct attacks.
  • No Open Ports: All connections originate from your VPS to Cloudflare, eliminating the need for port forwarding on your firewall.
  • Easy DNS Setup: Cloudflare automatically manages DNS records for your tunnel.
  • Zero Trust Integration: Ability to further integrate with Cloudflare Zero Trust for granular access control.
  • Up-to-date Versions: All instructions are based on current software versions as of 2026, including Ubuntu 24.04 LTS and the latest `cloudflared` versions.

What We Are Configuring and Why

In this guide, we will be setting up Cloudflare Tunnel, a powerful tool from Cloudflare that allows you to securely connect local or private networks and services to the Cloudflare global network. Its primary purpose is to make your internal services accessible from the internet without opening any ports on your VPS or local firewall. This radically enhances security, as your server is not exposed to direct external attacks.

Imagine a scenario: you have a web server (Nginx, Apache), a Minecraft server, GitLab, Mattermost, or any other service running on your VPS. Typically, to make it accessible from the internet, you would have to open the corresponding ports (e.g., 80 and 443 for HTTP/S, 22 for SSH) on your server's firewall. This creates potential entry points for attackers and requires constant monitoring and protection.

Cloudflare Tunnel changes this approach. Instead of opening inbound ports, you install a small daemon called `cloudflared` on your VPS. This daemon establishes an outbound, encrypted connection to the nearest Cloudflare node. All traffic to your service passes through the Cloudflare global network and then through this secure tunnel to your server. Visitors never see your VPS's public IP address, and the firewall can block all inbound connections to the tunneled services (in this guide only SSH stays open for administration). This means you get all the benefits of Cloudflare (DDoS protection, caching, WAF) for your services, even if they don't have a public IP.

Ultimately, the reader will gain:

  • Enhanced Security: Your server is protected from direct DDoS attacks and port scanning.
  • Simplified Management: No need to configure complex firewall rules for each service.
  • IP Address Hiding: The real IP address of your VPS remains private.
  • Reliability and Performance: Utilizing Cloudflare's global network for traffic routing.
  • Flexibility: Ability to tunnel virtually any TCP service.

What are the alternatives and why self-hosted on a VPS?

There are several ways to make services accessible from the internet:

  • Traditional Reverse Proxy (Nginx/Apache) with Open Ports: The most common method. Requires a public IP, DNS configuration, SSL certificate issuance (Certbot), and careful firewall configuration. Less secure, as ports are open to the outside.
  • VPN Server (OpenVPN, WireGuard): Creates an encrypted tunnel but requires each user to connect to the VPN, which is not always convenient for public services or link-based access. Suitable for team access or personal use, but not for a broad audience.
  • Cloud-managed Services (AWS Application Load Balancer, Google Cloud Load Balancer): Managed cloud load balancers that provide similar functionality but are usually more expensive and tied to a specific cloud provider. Require deep knowledge of cloud platforms.
  • Ngrok or similar services: Provide similar tunneling functionality but often have limitations on bandwidth, uptime, or features in free plans, and may raise privacy concerns as traffic passes through a third-party service.

Choosing a self-hosted solution on a VPS with Cloudflare Tunnel is justified if you:

  • Want full control over your infrastructure and data.
  • Are looking for a cost-effective solution compared to managed cloud services.
  • Value security and want to hide your real IP.
  • Already use Cloudflare for your domains and want to integrate new services.
  • Plan to use Cloudflare Zero Trust for more advanced access control.

Setting up on a VPS gives you flexibility and independence, while Cloudflare Tunnel adds a layer of security and simplicity that is difficult to achieve with traditional methods.

What VPS Configuration is Needed for This Task

Cloudflare Tunnel (the `cloudflared` daemon) itself is a fairly lightweight application. The main resource requirements for the VPS will depend not on the tunnel, but on the services you plan to run *behind* the tunnel.

Minimum requirements for `cloudflared` (excluding tunneled services):

  • CPU: 1 vCPU (even the most basic, e.g., Intel Xeon E3 or E5).
  • RAM: 512 MB – 1 GB (`cloudflared` consumes minimally, but the OS and other system processes need memory).
  • Disk: 10 GB SSD (for the operating system, logs, and `cloudflared` itself; HDD would also work, but SSD is always preferable for performance).
  • Network: 100 Mbps port (minimum, but the higher the bandwidth, the better). Cloudflare Tunnel uses outbound connections, so a stable and fast internet connection is critical.

If you plan to tunnel light web services, small databases, SSH access, or a Minecraft server for a few friends, the specified minimum requirements will be sufficient for `cloudflared` itself and the OS. However, if resource-intensive applications such as GitLab for a large team, Mattermost for hundreds of users, a high-load web server, or a Bitcoin/Ethereum node will be running behind the tunnel, the requirements for CPU, RAM, and disk will significantly increase.

Specific VPS plan for the task (current as of 2026):

For most scenarios, such as setting up GitLab for a small team (up to 10-15 users), Mattermost, a Minecraft server for 10-20 players, or several simple websites, the following VPS configuration is recommended:

  • CPU: 2-4 vCPU (modern generations, e.g., Intel Xeon Scalable).
  • RAM: 4-8 GB RAM.
  • Disk: 80-200 GB NVMe SSD (for high read/write performance, especially important for databases and version control systems).
  • Network: 1 Gbps port with unlimited or large traffic volume (from 1 TB per month).

You can get a VPS with the specified characteristics for comfortable operation of most described services.

When a dedicated server is needed, not a VPS:

A dedicated server becomes necessary when:

  • High Load: Thousands of concurrent requests need to be processed, high-performance databases are run, or very active game servers are in use.
  • Specific Hardware: GPUs are needed for machine learning, very large storage volumes (terabytes), or RAID arrays for fault tolerance.
  • Guaranteed Performance: A VPS shares resources with other users on the same physical server; a dedicated server provides you with all machine resources without sharing.
  • Strict Security/Isolation Requirements: For mission-critical systems where complete isolation from other users is a priority.
  • Large Number of Services: If you plan to host dozens of different services, each with its own requirements.

For running a Bitcoin/Ethereum node, which requires significant disk space (hundreds of gigabytes or more) and high read/write speeds, as well as continuous operation, it is often preferable to use a suitable dedicated server, especially if you plan to participate in staking or mining.

Location: What it affects

The choice of VPS location plays an important role:

  • Latency: The closer your VPS is to your target audience or to you, the lower the latency. This is critical for interactive applications (game servers, video conferencing). For websites, Cloudflare will distribute traffic through its global network, but the initial connection to your server will still have latency.
  • Jurisdiction: Data and privacy laws vary in different countries. Choose a location that complies with your legal requirements.
  • Cloudflare Node Availability: Cloudflare has nodes worldwide. Choose a location with good peering to the nearest Cloudflare node for optimal tunnel performance.

In general, choose a location that is geographically close to most of your users or to you, if you are the sole user.

Server Preparation

Before installing Cloudflare Tunnel, you need to perform basic setup of your VPS. We will use Ubuntu 24.04 LTS, as it is a current and stable operating system for 2026. These steps will enhance the security and usability of your server.

1. SSH Connection

Connect to your new VPS as the root user or the user provided by your hosting provider, using SSH.


ssh root@ВАШ_IP_АДРЕС

Replace ВАШ_IP_АДРЕС with your server's actual IP address.

2. System Update

First, update the package list and the system itself to the latest versions. This will ensure you have all current security and stability fixes.


sudo apt update -y && sudo apt upgrade -y

Update the package list and install all available updates.

3. Create a New User with Sudo Privileges (Recommended)

Operating as the root user is insecure. Create a new user and grant them sudo privileges.


adduser ваш_пользователь

Create a new user. Enter a password and user information.


usermod -aG sudo ваш_пользователь

Add the user to the sudo group so they can execute commands with administrator privileges.


su - ваш_пользователь

Switch to the new user. All subsequent commands will now be executed on their behalf.

4. Configure SSH Keys for the New User (Optional, but Highly Recommended)

Using SSH keys instead of passwords significantly enhances security.


mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

Create the .ssh directory, set the correct permissions, and open the authorized_keys file.

Paste your public SSH key (generated on your local machine) into this file and save it (Ctrl+X, Y, Enter).


chmod 600 ~/.ssh/authorized_keys

Set the correct permissions for the authorized_keys file.

After this, you can disconnect and reconnect via SSH using the new user and SSH key.


exit
exit
ssh ваш_пользователь@ВАШ_IP_АДРЕС

Exit the su session and then the SSH session (two separate exit commands), then connect as the new user via SSH from your local machine.

5. Firewall Configuration (UFW)

Ubuntu comes with UFW (Uncomplicated Firewall). We will configure it to allow only necessary connections. For Cloudflare Tunnel, we don't need to open incoming ports for tunneled services, but SSH access must be allowed.


sudo apt install ufw -y

Install UFW if it's not already installed.


sudo ufw default deny incoming
sudo ufw default allow outgoing

Deny all incoming connections by default and allow all outgoing connections (cloudflared needs outgoing traffic).


sudo ufw allow ssh

Allow incoming SSH connections (port 22). If you are using a different port for SSH, specify it: sudo ufw allow 1234/tcp.


sudo ufw enable

Enable the firewall. Confirm the action by pressing y.


sudo ufw status verbose

Check the firewall status.

6. Install Fail2Ban (Recommended)

Fail2Ban helps protect your server from brute-force attacks by blocking IP addresses from which failed login attempts originate.


sudo apt install fail2ban -y

Install Fail2Ban.


sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Enable and start the Fail2Ban service.


sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Create a local copy of the configuration for making changes.

Your server is now ready for Cloudflare Tunnel installation.

Software Installation — Step-by-Step

Now that your VPS is prepared, we can proceed with installing and configuring the Cloudflare Tunnel daemon, called cloudflared. We will use the official Cloudflare repository for Ubuntu, which will ensure easy updates in the future.

As of 2026, Ubuntu 24.04 LTS is a stable and supported system, and cloudflared is actively developed. The instructions below use current methods.

1. Add the Cloudflare Repository

First, you need to add the official Cloudflare APT repository so that the system can find and install the cloudflared package.


sudo mkdir -p --mode=0755 /usr/share/keyrings

Create the directory for GPG keys if it doesn't exist.


curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

Download the Cloudflare GPG key and add it to the system's keyrings.


echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list

Add the Cloudflare repository to the APT sources list. Note that Cloudflare often uses codenames of previous LTS Ubuntu versions (e.g., jammy for 22.04) for compatibility with newer versions like 24.04.


sudo apt update -y

Update the package list so APT recognizes the new repository.

2. Install cloudflared

Now that the repository has been added, you can install the cloudflared package itself.


sudo apt install cloudflared -y

Install the Cloudflare Tunnel daemon.


cloudflared --version

Check the installed version of cloudflared. Ensure it is a current version (for 2026, it will be something like 2026.x.x).

3. Authenticate cloudflared with Your Cloudflare Account

For cloudflared to create and manage tunnels, it must be authenticated with your Cloudflare account. This step is performed once.


cloudflared login

Execute the command for authentication. It will output a URL to the console.

Copy this URL and open it in your web browser. You will be prompted to log in to your Cloudflare account and select the domain you want to use for the tunnel. After selecting the domain, Cloudflare will generate a cert.pem certificate and automatically download it to your VPS in the ~/.cloudflared/ directory (or /etc/cloudflared/ if run as a service).

If you execute the command as user ваш_пользователь, the certificate will be in /home/ваш_пользователь/.cloudflared/cert.pem. If you switched to root or used sudo, it might be in /root/.cloudflared/cert.pem. Make sure you know where the cert.pem file is located.

4. Create a Tunnel

After authentication, you can create the tunnel itself. Each tunnel must have a unique name.


cloudflared tunnel create мой-первый-туннель

Create a new tunnel named "мой-первый-туннель".

This command will output a JSON object containing the tunnel's id and the path to the credentials file (credentials-file), for example: /home/ваш_пользователь/.cloudflared/ТУННЕЛЬ_ID.json. This file contains unique credentials for your tunnel and is very important. Keep it secure!

5. Configure DNS Record for the Tunnel

For internet traffic to reach your tunnel, you need to create a DNS record in Cloudflare that points to your tunnel.


cloudflared tunnel route dns мой-первый-туннель имя-хоста.ваш-домен.com

Route the DNS record имя-хоста.ваш-домен.com through your tunnel. Replace имя-хоста.ваш-домен.com with the desired subdomain name that will point to your service.

For example, if your domain is example.com and you want to access a web server at my-app.example.com, the command will be: cloudflared tunnel route dns мой-первый-туннель my-app.example.com. Cloudflare will automatically create a CNAME record in your DNS pointing to your tunnel.

Configuration

After installing and creating the tunnel, you need to configure cloudflared so it knows which local services to tunnel. This is done via the configuration file config.yml. We will also configure cloudflared as a system service so it starts automatically when the server boots.

1. Creating the config.yml configuration file

The configuration file config.yml defines the routing rules for your tunnel. It should be in the same directory as the cert.pem file and the .json file containing the tunnel credentials (usually ~/.cloudflared/ or /etc/cloudflared/). For convenience and consistency, it is recommended to use /etc/cloudflared/.

If you created the tunnel as a regular user, the files cert.pem and ТУННЕЛЬ_ID.json are located in /home/your_user/.cloudflared/. Move them to /etc/cloudflared/ and set the correct permissions.


sudo mkdir -p /etc/cloudflared
sudo mv /home/your_user/.cloudflared/cert.pem /etc/cloudflared/
sudo mv /home/your_user/.cloudflared/ТУННЕЛЬ_ID.json /etc/cloudflared/

Create the directory and move the files. Replace ТУННЕЛЬ_ID.json with the actual name of your file.


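sudo chown -R root:root /etc/cloudflared
sudo chmod 0700 /etc/cloudflared
sudo chmod 0600 /etc/cloudflared/cert.pem /etc/cloudflared/ТУННЕЛЬ_ID.json

Set the correct access permissions for security: only root can enter the directory (0700) and only root can read the certificate and the credentials file (0600). Replace ТУННЕЛЬ_ID.json with the actual name of your file.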

Now, let's create the file config.yml in /etc/cloudflared/.


sudo nano /etc/cloudflared/config.yml

Here is an example of the contents of config.yml for tunneling a web server (Nginx/Apache) running on port 80, and SSH access:


# Your tunnel's unique ID
tunnel: ТУННЕЛЬ_ID
# Path to the tunnel credentials file
credentials-file: /etc/cloudflared/ТУННЕЛЬ_ID.json

# List of ingress rules for traffic routing
ingress:
  # Rule for web server (HTTP)
  - hostname: my-app.your-domain.com
    service: http://localhost:80
    # The local service here is plain HTTP; Cloudflare still provides HTTPS at its edge.
    # If your local service already uses HTTPS (e.g., via Caddy/Nginx with Let's Encrypt),
    # use service: https://localhost:443 and ensure the certificate is valid.
    # Only for a self-signed local certificate, disable verification under originRequest:
    # originRequest:
    #   noTLSVerify: true

  # Rule for SSH access
  - hostname: ssh.your-domain.com
    service: ssh://localhost:22
    # If you want to use Cloudflare Access for SSH, additional settings will go here.

  # Default rule (must be the last one)
  # Sends all other traffic to this service or returns an error
  - service: http_status:404

Replace ТУННЕЛЬ_ID with your actual tunnel ID (it can be found in the name of the .json file or in the output of the cloudflared tunnel create command). Replace your-domain.com with your actual domain. If you are tunneling other services, add them to the ingress list.

Important notes on ingress rules:

  • Order matters: Rules are processed from top to bottom. The first matching rule is applied.
  • service: http://localhost:80: Indicates that cloudflared will proxy requests to the local HTTP server on port 80. Cloudflare automatically handles HTTPS at its edge, so you don't need HTTPS on your local server unless you also want the last hop, from cloudflared to the local service, encrypted.
  • service: ssh://localhost:22: Proxies SSH traffic. To access SSH via Cloudflare Tunnel, you will need special SSH client configuration or the use of Cloudflare Access.
  • service: http_status:404: This is a mandatory "catch-all" rule that must be at the end of the list. It returns a 404 for any traffic that did not match the preceding rules.
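
The first-match behaviour described in these notes, as an added example (not part of the original guide and not cloudflared code): an offline resolver and linter for the flat ingress layout used above. The function names, the example.com sample config and the suffix-style wildcard matching are assumptions of this example, and path rules are ignored.

```shell
#!/bin/sh
# Added example, not cloudflared code. Parses only the flat ingress layout used
# in this guide ("- hostname:", "service:", "- service:"); it is not a YAML parser.

# ingress_rules FILE: print "hostname|service" per rule, in file order.
# An empty hostname field means the rule has no hostname (catch-all).
ingress_rules() {
    awk '
        function val(s) {
            sub(/^[^:]*:[ \t]*/, "", s)   # drop "key:" (and a leading "- ")
            sub(/[ \t]+#.*$/, "", s)      # drop a trailing comment
            gsub(/"/, "", s)              # drop double quotes
            sub(/[ \t]+$/, "", s)
            return s
        }
        function emit() { if (cur) print host "|" svc; cur = 0; host = ""; svc = "" }
        /^[ \t]*#/ || /^[ \t]*$/     { next }
        /^ingress:/                  { ing = 1; next }
        ing && /^[^ \t-]/            { emit(); ing = 0 }   # next top-level key
        !ing                         { next }
        /^[ \t]*-[ \t]/              { emit(); cur = 1 }   # a new list item starts
        /^[ \t]*(-[ \t]+)?hostname:/ { host = val($0) }
        /^[ \t]*(-[ \t]+)?service:/  { svc = val($0) }
        END { emit() }
    ' "$1"
}

# host_matches RULE_HOST REQUEST_HOST: exit 0 if the rule applies to the request.
host_matches() {
    case "$1" in
        "")   return 0 ;;                                   # no hostname: matches all
        \*.*) case "$2" in *"${1#?}") return 0 ;; esac      # "*.x" matches any "<sub>.x"
              return 1 ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# route_for FILE HOSTNAME: print the service of the FIRST rule that matches.
route_for() {
    ingress_rules "$1" | while IFS='|' read -r h s; do
        if host_matches "$h" "$2"; then printf '%s\n' "$s"; break; fi
    done
}

# lint_ingress FILE: print one finding per line; exit status 1 if there are findings.
lint_ingress() {
    ingress_rules "$1" | awk -F'|' '
        function covers(pat, name,   suf) {
            if (pat == "" || pat == name) return 1
            if (substr(pat, 1, 2) != "*.") return 0
            suf = substr(pat, 2)
            return length(name) > length(suf) && substr(name, length(name) - length(suf) + 1) == suf
        }
        function label(h) { return (h == "") ? "catch-all" : h }
        { host[NR] = $1 }
        END {
            if (NR == 0 || host[NR] != "") { print "last rule is not a catch-all"; bad = 1 }
            for (i = 2; i <= NR; i++)
                for (j = 1; j < i; j++)
                    if (covers(host[j], host[i])) {
                        printf "rule %d (%s) is never reached: rule %d (%s) matches first\n", i, label(host[i]), j, label(host[j])
                        bad = 1
                        break
                    }
            exit bad + 0
        }'
}

# Constructed sample: a wildcard placed above the SSH rule swallows ssh.example.com.
sample_config() {
    cat <<'EOF'
tunnel: TUNNEL_ID
credentials-file: /etc/cloudflared/TUNNEL_ID.json
ingress:
  - hostname: "*.example.com"
    service: http://localhost:8080
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - service: http_status:404
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "ssh.example.com is served by: $(route_for "$cfg" ssh.example.com)"
lint_ingress "$cfg" || echo "reorder the rules before restarting cloudflared"
rm -f "$cfg"
```

On the VPS, point the functions at /etc/cloudflared/config.yml (run as root, since the directory is mode 0700).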

2. Running cloudflared as a system service

For cloudflared to start automatically when the server boots and run in the background, we will configure it as a systemd service.


sudo cloudflared --config /etc/cloudflared/config.yml service install

This command installs cloudflared as a systemd service, using your configuration file. It will create the file /etc/systemd/system/cloudflared.service.


sudo systemctl start cloudflared

Start the cloudflared service.


sudo systemctl enable cloudflared

Enable the service to start automatically on system boot.


sudo systemctl status cloudflared

Check the service status. It should show active (running).


journalctl -u cloudflared --since "10 minutes ago"

View the logs of the cloudflared service for the last 10 minutes to ensure there are no errors.

3. Verifying functionality

After starting the service, the tunnel should be active. Let's check its operation:

  • Via browser: Open the address my-app.your-domain.com (or any other you configured) in your browser. You should see your local web server.
  • Via curl: Execute the curl command from your local machine.

curl https://my-app.your-domain.com

You should receive the HTML code of your web server.

  • Checking SSH access: If you have configured SSH tunneling, try to connect. Cloudflare Tunnel provides several ways to access SSH:
    • Cloudflare Access (Zero Trust): The recommended and most secure method, requiring additional configuration in the Cloudflare dashboard.
    • cloudflared CLI: You can use cloudflared access ssh --hostname ssh.your-domain.com from your local machine, where cloudflared is also installed.

Ensure that DNS records for your hostnames have been successfully created in the Cloudflare dashboard. They should be CNAME records pointing to ТУННЕЛЬ_ID.cfargotunnel.com.
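
To confirm that the services behind the tunnel are not also listening on a public interface, the following added example (not part of the original guide) filters `ss -H -tln` output for non-loopback TCP listeners. The function name, the allow-list argument and the sample output are constructed for illustration, and the column layout assumed is the one `ss` prints for `-H -tln`.

```shell
#!/bin/sh
# Added example. Reads `ss -H -tln` output and lists TCP listeners that are bound
# to a non-loopback address and whose port is not in the allow list.

# exposed_listeners [PORT...]: stdin is `ss -H -tln` output; PORTs may stay public.
exposed_listeners() {
    awk -v allow=" $* " '
        $1 == "LISTEN" {
            la = $4                                  # local address:port column
            port = la; sub(/^.*:/, "", port)         # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*$/, "", addr)                    # drop interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local clients only
            if (index(allow, " " port " ")) next           # deliberately public (e.g. SSH)
            print la
        }'
}

# Constructed sample of `ss -H -tln` output on a VPS running Nginx, PostgreSQL
# and two application servers.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      511            [::1]:8080         [::]:*
LISTEN 0      4096               *:3000            *:*
LISTEN 0      128             [::]:22           [::]:*
EOF
}

# On the VPS: ss -H -tln | exposed_listeners 22
sample_ss_output | exposed_listeners 22
```

Every address it prints is reachable from outside whenever the UFW rules are disabled or misconfigured; binding that service to 127.0.0.1 keeps it reachable only through cloudflared.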

4. TLS/HTTPS via Cloudflare

One of the key advantages of Cloudflare Tunnel is automatic TLS/HTTPS management. Traffic is encrypted between the client and Cloudflare (Edge TLS), and the tunnel connection between Cloudflare and cloudflared on your server is encrypted as well, so traffic is protected on every network hop up to your VPS. Only the final hop, from cloudflared to the local service, depends on the service URL you configure:

  • If your local service runs over HTTP (e.g., http://localhost:80), Cloudflare will automatically provide HTTPS at its edge, and users will see a secure connection.
  • If your local service is already configured for HTTPS (e.g., via Caddy or Nginx with Certbot), you can specify service: https://localhost:443. In this case, ensure your local certificate is valid, or add noTLSVerify: true to the tunnel configuration so that cloudflared does not verify the local server's certificate (this reduces the security of end-to-end encryption but can be useful for self-signed certificates).

In most cases for web services, it is sufficient to configure the local service for HTTP, and Cloudflare will handle HTTPS.

Backups and Maintenance

Setting up Cloudflare Tunnel significantly simplifies access to services, but it does not eliminate the need for regular server backups and maintenance. It is important to ensure data integrity and keep software up to date.

1. What to Back Up

When using Cloudflare Tunnel, the main things to back up are:

  • cloudflared Configuration Files:
    • /etc/cloudflared/cert.pem: Cloudflare authentication certificate.
    • /etc/cloudflared/ТУННЕЛЬ_ID.json: Tunnel credentials file.
    • /etc/cloudflared/config.yml: Tunnel configuration (ingress rules).

    These files are critical for the tunnel's operation. If lost, they will have to be recreated.

  • Tunneled Service Data:
    • Databases: (PostgreSQL, MySQL, MongoDB, etc.) – the most important data.
    • Application Configuration Files: (e.g., /etc/nginx/nginx.conf, /etc/gitlab/gitlab.rb, /opt/mattermost/config/config.json).
    • User Data/Files: (e.g., for GitLab: repositories, for Mattermost: attachments, for Minecraft: worlds).
    • System Configurations: (e.g., /etc/ssh/sshd_config, UFW firewall settings).

2. Simple Auto-Backup Script

We will create a simple script that will archive important files and send them to a secure location. For example, we will use tar for archiving and rsync for copying to another server or cloud storage (e.g., S3-compatible storage).


sudo nano /usr/local/bin/backup_cloudflared.sh

Script content:


#!/bin/bash

# The archive contains cert.pem and the tunnel credentials file,
# so everything this script creates must be readable by root only.
umask 077

# Directory for temporary backup storage
BACKUP_DIR="/var/backups/cloudflared"
# Backup file name
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_FILE="${BACKUP_DIR}/cloudflared_config_${TIMESTAMP}.tar.gz"

# Directory with cloudflared configs
CLOUDFLARED_CONFIGS="/etc/cloudflared"

# Create backup directory if it doesn't exist and keep it private
mkdir -p "${BACKUP_DIR}"
chmod 700 "${BACKUP_DIR}"

# Create archive with cloudflared configs
# (no sudo here: the script runs from root's crontab)
echo "Creating backup of cloudflared configuration files..."
if tar -czf "${BACKUP_FILE}" "${CLOUDFLARED_CONFIGS}"; then
    echo "Backup created: ${BACKUP_FILE}"
else
    echo "Error creating cloudflared backup."
    exit 1
fi

# --- Add commands here to back up your services ---
# Example for PostgreSQL:
# pg_dumpall -U postgres | gzip > "${BACKUP_DIR}/postgresql_all_dbs_${TIMESTAMP}.sql.gz"

# Example for Nginx configs:
# tar -czf "${BACKUP_DIR}/nginx_config_${TIMESTAMP}.tar.gz" /etc/nginx

# --- Copying backup to remote server or S3 ---
# For Rsync to another VPS (requires setting up passwordless SSH keys):
# rsync -avz "${BACKUP_FILE}" user@remote_server:/path/to/backups/

# For S3 (requires installing awscli/s3cmd and configuring credentials):
# aws s3 cp "${BACKUP_FILE}" s3://your-s3-bucket/cloudflared/

# Delete old backups (e.g., older than 7 days);
# "*.gz" covers both the .tar.gz archives and the .sql.gz dumps above
find "${BACKUP_DIR}" -type f -name "*.gz" -mtime +7 -delete
echo "Old backups deleted."

echo "Backup completed."

Make the script executable:


sudo chmod +x /usr/local/bin/backup_cloudflared.sh

Set up script execution using cron. For example, daily at 3:00 AM:


sudo crontab -e

Add the following line to the end of the file:


0 3 * * * /usr/local/bin/backup_cloudflared.sh >> /var/log/cloudflared_backup.log 2>&1

This will run the script every day at 3 AM and write the output to a log file.

3. Where to Store Backups

  • External S3-compatible storage: Recommended. This can be AWS S3, Backblaze B2, DigitalOcean Spaces, or any other object storage. This provides high availability and fault tolerance, as well as geographical separation of backups from the main server.
  • Separate VPS: You can use a second, less powerful VPS exclusively for storing backups. This also provides separation but requires managing two servers.
  • Local computer: For very small projects, you can copy backups to your local computer via scp or rsync.

Never store backups on the same server as the original data! In case of hardware failure or server compromise, you will lose both your data and your backups.

4. Updates: rolling vs maintenance window

Regular software updates are critical for security and stability. For Cloudflare Tunnel and OS:

  • OS Updates (Ubuntu):
    • Rolling updates: For non-critical services, automatic security updates can be configured. However, for production servers, it is recommended to perform updates manually or within a scheduled maintenance window.
    • Maintenance window: Plan regular maintenance windows (e.g., once a month) for a full system update (sudo apt update && sudo apt upgrade -y) and reboot if required. This allows for process control and minimizes the risk of failures.
  • cloudflared Updates:
    • cloudflared is updated via the same APT repository. You can include it in your regular OS updates. Cloudflare releases updates quite frequently, so it's important to maintain an up-to-date version.
    • After updating cloudflared, a service restart is usually required: sudo systemctl restart cloudflared.
  • Tunneled Application Updates:
    • Update your applications (GitLab, Mattermost, Nginx, etc.) according to their developers' recommendations, observing maintenance windows.

Always perform a backup before major updates or configuration changes.

Troubleshooting + FAQ

In this section, we will cover common issues that may arise when setting up Cloudflare Tunnel and answer frequently asked questions.

Cannot connect to the service via Cloudflare domain

Problem: You have configured the tunnel, but when trying to access my-app.ваш-домен.com in your browser, you see an error (e.g., 502 Bad Gateway, 503 Service Unavailable, or "Origin connection failed").

What to check:

  1. cloudflared service status:
    sudo systemctl status cloudflared
    Make sure the service is active and running.
  2. cloudflared logs:
    journalctl -u cloudflared --since "5 minutes ago"
    Look for errors related to connecting to the local service (origin connection failed, dial tcp).
  3. Local service availability: Make sure your service (e.g., Nginx on port 80) is actually running on the VPS and accessible from localhost. Try
    curl http://localhost:80
    on the VPS itself. If the service does not respond, the problem is with the service, not the tunnel.
  4. config.yml configuration: Check the correctness of hostname and service in the /etc/cloudflared/config.yml file. Make sure the port is specified correctly (e.g., http://localhost:80).
  5. DNS record in Cloudflare: Make sure that in the Cloudflare dashboard for your domain my-app.ваш-домен.com, there is a CNAME record pointing to ТУННЕЛЬ_ID.cfargotunnel.com.
  6. Credential files: Check the presence and correctness of paths to cert.pem and ТУННЕЛЬ_ID.json in config.yml.

How to fix: Correct the errors found in the logs or configuration, then restart cloudflared:

sudo systemctl restart cloudflared

cloudflared login not working or not downloading cert.pem

Problem: After executing cloudflared login and navigating to the URL in the browser, the cert.pem file does not appear in ~/.cloudflared/ or /etc/cloudflared/.

What to check:

  1. Internet connection: Make sure your VPS has internet access (ping google.com).
  2. Permissions: Make sure the user running cloudflared login has write permissions to ~/.cloudflared/.
  3. Firewall: Make sure outgoing connections are allowed (sudo ufw status should show Status: active and Default: deny (incoming), allow (outgoing)).
  4. Domain selection in browser: Make sure you have successfully selected the domain in the Cloudflare web interface after logging in.

How to fix: Check permissions, network connection. Try deleting the ~/.cloudflared/ directory and repeating cloudflared login. Make sure you are logging into the correct Cloudflare account and selecting a domain managed by that account.

What is the minimum suitable VPS configuration?

For Cloudflare Tunnel itself and the operating system (e.g., Ubuntu 24.04 LTS), the minimum configuration can be very modest: 1 vCPU, 512 MB RAM, 10-20 GB SSD, and a 100 Mbps network channel. This is sufficient for cloudflared to run and tunnel one or two very lightweight services. However, if you plan to run anything more resource-intensive, such as a web server with moderate load or a small game server, you will need at least 2 vCPU, 2-4 GB RAM, and 50+ GB SSD for comfortable operation of the tunneled application.

What to choose — VPS or dedicated for this task?

The choice between a VPS and a dedicated server depends on the scale of your needs. For most individual users, small teams, and light/medium projects (personal website, Mattermost for 10-20 people, Minecraft server for friends), a VPS will be an optimal and economical choice. It provides sufficient power and flexibility. A dedicated server is needed when maximum performance, guaranteed resources, huge disk space (e.g., for a blockchain node with a full archive), very high bandwidth, or specific hardware (GPU) is required. Cloudflare Tunnel works perfectly on both types of servers, but the requirements for the underlying hardware are determined not by the tunnel, but by the services it serves.

How to update cloudflared?

Since cloudflared was installed from the official Cloudflare APT repository, it is updated like any other system program in Ubuntu:


sudo apt update -y && sudo apt upgrade -y
sudo systemctl restart cloudflared

The apt upgrade command will update cloudflared to the latest available version, and then the service needs to be restarted for the changes to take effect.

How to tunnel SSH without Cloudflare Access?

If you don't want to use Cloudflare Access (Zero Trust), you can still tunnel SSH. To do this, cloudflared must also be installed on your local computer. You can use it to proxy the SSH connection:


cloudflared access ssh --hostname ssh.ваш-домен.com

This command will create a temporary tunnel from your local cloudflared to the Cloudflare Edge, and then through your Cloudflare Tunnel on the VPS to your SSH server. This requires authentication with Cloudflare from your local machine. For more convenient use, you can configure your SSH client to use cloudflared as a ProxyCommand.

Can I tunnel multiple services through a single tunnel?

Yes, absolutely. This is one of the main advantages of Cloudflare Tunnel. You simply add new ingress rules to your /etc/cloudflared/config.yml file, each specifying a different hostname and the corresponding service (e.g., http://localhost:8080 for another web application). After modifying config.yml, don't forget to restart the cloudflared service:

sudo systemctl restart cloudflared

Conclusions and Next Steps

We have successfully configured Cloudflare Tunnel on your VPS, ensuring secure and private access to your local services without the need to open firewall ports. Now your server is protected from direct attacks, and all traffic passes through Cloudflare's global, secure network, which significantly enhances security and simplifies infrastructure management.

This solution is ideal for developers, SaaS solo founders, gamers, and crypto enthusiasts who need a reliable way to publish their services online while maintaining control and security.

Next Steps:

  • Integration with Cloudflare Zero Trust: Explore Cloudflare Zero Trust (formerly Cloudflare Access) to implement granular access control for your tunneled services. You can configure authentication via SSO (Google, GitHub, etc.) and apply access policies based on user identity, device, or IP address.
  • Monitoring and Logging: Set up centralized logging for cloudflared and your services, as well as VPS performance monitoring, to promptly respond to any issues.
  • Adding New Services: Extend tunnel usage by adding new services (e.g., GitLab, Mattermost, Grafana, Prometheus) to your config.yml, using different subdomains.
  • Performance Optimization: For high-load services, consider optimizing Cloudflare settings (caching, Argo Smart Routing) and your VPS settings (Linux kernel tuning, database optimization).
