Expose Proxmox to the Internet Using Cloudflare Tunnel (Zero Trust)

Kunal YadavaaKunal Yadavaa
3 min read

Accessing your Proxmox VE web interface securely over the internet can be challenging, especially if you want to avoid exposing open ports directly or dealing with complex firewall configurations. With Cloudflare Tunnel (Zero Trust), you can safely expose your Proxmox instance using Cloudflare’s edge network, eliminating the need to expose your local IP address or port.

In this article, we’ll walk through a simple and secure setup using Cloudflare Tunnel on a Proxmox LXC container.


🛠️ Prerequisites

  • A running Proxmox VE host.

  • A LXC container (Debian/Ubuntu recommended) with internet access.

  • A registered domain name on Cloudflare.

  • Proxmox Web UI is reachable locally on port 8006.


🔧 Step 1: Install cloudflared in Proxmox LXC

The easiest way to install cloudflared is to use a verified community script:

📎 Script Source: https://community-scripts.github.io/ProxmoxVE/scripts?id=cloudflared

Installation Command:

bash <(curl -s https://community-scripts.github.io/ProxmoxVE/scripts/cloudflared-install.sh)

Once installed, authenticate and create a tunnel:

cloudflared tunnel login

This will open a browser and ask you to authorize your domain with Cloudflare.


📂 Step 2: Verify Tunnel Configuration Files

After successful login and tunnel creation, use the following command to verify the presence of config files:

ls -a ~/.cloudflared

You should see a file like:

.e9f798b1-86ae-47b0-ac7a-354b5bb41bdc.json

This is your tunnel’s credentials file used for authenticating the service.


✏️ Step 3: Create the Tunnel Configuration

Create or edit the config file:

nano ~/.cloudflared/config.yaml

Paste the following configuration (update with your domain and internal Proxmox IP):

tunnel: e9f798b1-86ae-47b0-ac7a-354b5bb41bdc
credentials-file: /root/.cloudflared/e9f798b1-86ae-47b0-ac7a-354b5bb41bdc.json

ingress:
  - hostname: proxmox.example.com
    service: https://192.168.1.100:8006
    originRequest:
      noTLSVerify: true  # disables TLS verification for local Proxmox
  - service: http_status:404

🔁 Replace:

  • proxmox.example.com with your Cloudflare-managed subdomain.

  • 192.168.1.100 with your Proxmox host’s local IP.


🌐 Step 4: Configure DNS in Cloudflare

Go to your domain dashboard in Cloudflare:

  1. Navigate to DNS settings.

  2. Add a CNAME record:

Cloudflare will now route all traffic from proxmox.example.com to your local Proxmox IP via the tunnel.


🚀 Step 5: Start the Tunnel

Now run the tunnel service:

cloudflared tunnel run e9f798b1-86ae-47b0-ac7a-354b5bb41bdc

You should now be able to access https://proxmox.example.com from anywhere on the internet with Cloudflare securing the connection.


For additional security, consider enabling Cloudflare Access rules:

  1. Go to Cloudflare Zero Trust Dashboard.

  2. Under Access → Applications, add a new application.

  3. Set:

Only authorized users will be able to access your Proxmox dashboard.


✅ Summary

Using Cloudflare Tunnel (Zero Trust), you can:

  • Expose Proxmox without opening ports.

  • Keep your local IPs and services secure.

  • Add identity-based access controls.

📘 No VPNs, no firewall headaches — just secure and fast remote access.

If you’re building a homelab or production environment, this setup ensures zero-trust security and minimal exposure. Try it out and simplify your remote Proxmox management!


0
Subscribe to my newsletter

Read articles from Kunal Yadavaa directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Kunal Yadavaa
Kunal Yadavaa

"Sudo-ing my way through clouds and containers."