Cloudflared CLI: Tunnels, step-by-step guide

Matt Hinczuk

This is how I have cloudflared tunnels configured in my macOS environment; the steps should be pretty much the same on Linux and Windows.

I wrote this guide assuming that you don't have any other Cloudflare tunnel running already. If you already have a tunnel and just want to add more services, go to step 6.

Step 1: Get your domain DNS on Cloudflare

You will need to have your domain's DNS managed by Cloudflare in order to set up these tunnels to your domain/subdomains.

It is not mandatory, though! You can try tunnels with custom Cloudflare URLs using quick tunnels (some limitations apply compared to using your own domain).

Step 2: Enable Zero Trust in your Cloudflare account

In order to have your tunnels remotely managed by Cloudflare, you need to do so via Zero Trust.

First you need to log in to Cloudflare Zero Trust. You can use it for free, but it will require you to add a payment method for validation. No charges are applied at the time of this writing.

Once you have Zero Trust enabled in your account, you can navigate to the tunnels section (Networks → Tunnels).

Step 3: Create a tunnel using the dashboard

Just click on create tunnel and then choose "cloudflared" as the tunnel type.

Once you click on "Select Cloudflared" it will ask you to name the tunnel. You can use whatever name you want; it doesn't need to match the domain, and you can choose a different subdomain while routing it.

Step 4: Install the tunnel in your environment

Follow the steps shown in the dashboard to install cloudflared in your environment.

Basically, just install cloudflared and use "cloudflared service install ..." to configure cloudflared as a service in your environment.

The token generated in this section is used to "connect" your local cloudflared config to this dashboard. Treat it like a password: anyone who has it can run a connector for this tunnel.

At the bottom of the connectors section, you will see your connector once you have the service running in your environment.

Once you are done and you have seen your connection there, click next.

Step 5: Route the connection to your domain

Here you can configure this tunnel to be routed to your domain or to a subdomain of it.

In the "service" section, just fill in the local service that you want to route to this domain.

Click complete setup, and you are done! Now you can use your domain to access that service.

Step 6: How to route more apps

Your tunnel can route multiple public hostnames, so routing more apps is really easy.

Let's say that you want to host Errbit too on a subdomain of yours: just start that Rails app on a custom port and add it as another public hostname in your tunnel.

Go to Networks → Tunnels, find your tunnel, click the 3 dots and then click on configure.

Now go to the public hostnames tab:

Click add a public hostname and just fill in the information for the other service that you want to be handled by this tunnel.

And we are done!

Extras

Multiple instances of cloudflare tunnels

It is possible to have different tunnels running in parallel, but I found that it is really messy sharing the connector between tunnels if you try to stick to remotely managed configs.

If you really think you need multiple tunnels on the same host, then I would suggest just having multiple locally-managed tunnels running in the background (via nohup or LaunchAgents). I used to do this but now I prefer to just add multiple public hostnames to my remotely managed tunnel.

Even if you are going for a locally-managed tunnel, I would still suggest adding multiple hostnames within one tunnel and just running one tunnel. In the docs they refer to this as multiple ingress rules. (Here is an example config file with multiple ingress rules.)
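
A locally-managed config with multiple ingress rules, written out as an added example (it is not the author's own file or the one from the Cloudflare docs). The tunnel ID, credentials path, hostnames and ports are placeholders.

```yaml
# Constructed example of a locally-managed tunnel config (e.g. ~/.cloudflared/config.yml).
# Tunnel ID, credentials path, hostnames and ports below are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /path/to/.cloudflared/<TUNNEL-UUID>.json

# Rules are evaluated top to bottom; the first rule that matches handles the request.
ingress:
  # Main app. Point at the loopback address and have the app listen only on
  # 127.0.0.1, so the tunnel is its only way in from outside the host.
  - hostname: app.example.com
    service: http://127.0.0.1:3000

  # Second app on its own port (Errbit, as in step 6).
  - hostname: errbit.example.com
    service: http://127.0.0.1:3001

  # Required catch-all as the last rule: any hostname not listed above
  # gets a 404 instead of being forwarded to a local service.
  - service: http_status:404
```

Running `cloudflared tunnel ingress validate` checks the rules in the config file before you start the tunnel.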

Troubleshoot

You can check the official troubleshooting page, but I will add my 50 cents here too.

If you get a cert.pem issue, first try running cloudflared login again.

If your connector is not being detected, run cloudflared service uninstall and install again using the command provided in the tunnel config site in the dashboard (with the specific token for that tunnel).

When running cloudflared service install/uninstall, read the output; it may require you to use sudo if you installed the service using sudo before.

That's all, folks. Happy self-hosting!

Written by

Matt Hinczuk

Software engineer. I enjoy writing apps in Ruby, most of the time using Rails.