Are you looking for an easy, secure way to access your web server from anywhere? In this article, I'll show you how to use a Cloudflare tunnel on a Raspberry Pi to get free remote access and control of your data. Discover how to connect all your devices with a single click and benefit from Cloudflare's service's ease of use and unbeatable security. Learn how to set up your private network in minutes!
For its DDOS protection services, Cloudflare has gained popularity. It is also one of the leaders in terms of private and secure connections.
Cloudflare's tunneling service is one of the free products it offers. Between your device and the Cloudflare network, you may create a secure connection via this tunnel.
You won't need to worry about opening any ports in your firewall if you use Cloudflare's tunnel on your Raspberry Pi. You won't even need Cloudflared to be installed on another device if you want to provide access to a service that uses HTTP or HTTPS.
Please take note that to run via Cloudflare's services, this guide requires you to have a domain name set up. You will need to set up a domain name if you don't already have one before continuing.
What You Need to Setup a Cloudflare Tunnel on Raspberry Pi
The equipment we needed to set up a Cloudflare tunnel on the Raspberry Pi is listed below.
- Raspberry Pi
- Micro SD Card or an SD card if you’re using an old version of the Pi.
- Ethernet Cable or Wi-Fi
- Power Supply
On a Raspberry Pi 400 running the latest version of Raspberry Pi OS, Bullseye, this tutorial was last tested.
Getting ready for the Cloudflare Tunnel on Raspberry Pi
We will rely on a piece of software known as “Cloudflared” to set up the Cloudflare tunnel on Raspberry Pi. The secure tunnel between the Raspberry Pi and the Cloudflare network is created and maintained by the software Cloudflared.
We will need to add the official Cloudflare repository to install the required software, despite the fact that these steps are rather simple.
Installing any Required Software
1- The first task is to perform an update of the package list as well as an upgrade of any outdated packages.
Using the following command on the terminal, you may perform both of these tasks:
sudo apt update
sudo apt upgrade
2- We must ensure we have both the “curl” and “lsb-release” packages when the update is finished.
By using the following command in the terminal, you may install both of these packages.
sudo apt install curl lsb-release
- curl: We will use curl to grab the GPG key for the Cloudflared repository.
- lsb-release: This package allows us to easily retrieve information about the system, such as the release name.
Adding the Cloudflare Repository on the Raspberry Pi
3- We can now grab the GPG key for the Cloudflared repository and store it on our Raspberry Pi after installing all the required packages.
The following command should be used to save this key to your device:
curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
A GPG key is essential for verifying that the packages we are installing are valid and belong to the repository.
4- After we've saved the GPG key to our keyrings folder, the next step is to add the Cloudflared repository to our Raspberry Pi. You may add
echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
5- We will need to perform another update of the package list cache since we made modifications to the accessible repositories.
By using the following command in the terminal, you may update this cache:
sudo apt update
Installing Cloudfared to the Raspberry Pi
6- We can now proceed to install the Cloudflared package on our Raspberry Pi after adding the repository.
You must run the following command to install this package:
sudo apt install cloudflared
Setting up a Cloudflare Tunnel on Raspberry Pi
After setting up the Raspberry Pi, we may configure the Cloudflare tunnel. Traffic will run over this tunnel.
Authenticating with the Cloudflare Service
1- To create a connection between our Raspberry Pi and the Cloudflare service, we must first complete the first step.
We can begin logging in to the Cloudflare service using the command below.
cloudflared tunnel login
While this process is running, be sure to keep Cloudflared open on your device.
2- After running the above command, you should see the following message on the terminal:
You should go to the URL in the message and use it to log in to your Cloudflare account.
Please open the following URL and log in with your Cloudflare account:
Leave cloudflared running to download the cert automatically.
3- You will see the following message after your Raspberry Pi has successfully authenticated with the Cloudflare service:
You have successfully logged in. If you wish to copy your credentials to a server, they have been saved to: /home/pi/.cloudflared/cert.pem
Creating the Cloudflare Tunnel on Raspberry Pi
4- Using the following command, we can now create a Cloudflare tunnel after receiving authorization:
Make sure to replace “TUNNELNAME” with the name you wish to give this tunnel.
cloudflared tunnel create TUNNELNAME
5- You will see a message similar to the one below after running the above command.
You should write down the ID since we will need it later.
Tunnel credentials are written to /home/pi/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel pimytunnel with id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Routing the Tunnel to a Domain Name
6- We may now route the tunnel to a domain name we have registered with Cloudflare once it has been built. As a result, we will be able to access our Raspberry Pi using that domain name.
As an example, you might use the following if you wanted your PhotoPrism or Minecraft server to be accessible through a certain domain name: The other user will need to have Cloudflared installed, however, if the program you wish to create a tunnel for doesn't use the HTTP or HTTPS protocol.
Please be sure to replace “TUNNELNAME” with the name of your tunnel and “DOMAINNAME” with the domain name you want to use.
cloudflared tunnel route dns TUNNELNAME DOMAINNAME
7- If the preceding command worked well, you would see a message similar to the one below. This message confirms that Cloudflare has created a CNAME that routes to your tunnel.
2022-10-18T04:54:54Z INF Added CNAME DOMAINNAME which will route to this tunnel tunnelID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Read More: How to Make Your Own Raspberry Pi Watch
Forwarding your Raspberry Pi Ports through the Cloudflare Tunnel
8- The last task we need to do is link the Cloudflare tunnel to a Raspberry Pi destination.
While the tunnel exists, it is not currently linked to anything; therefore, we will point it to a specific URL in this example.
Replace “PORT” with the port of the app you want to expose when running this command. For example, if you wish to expose your web server's HTTP port, you may use port 80.
Replace “TUNNELNAME” with the tunnel's name.
cloudflared tunnel run --url localhost:PORT TUNNELNAME
9- You will see a message similar to the one below when the Cloudflare tunnel has been started.
2022-10-18T09:34:40Z INF Starting tunnel tunnelID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX 2022-10-18T09:34:40Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.clouddflare-warp /etc/cloudflared /usr/local/etc/cloudflared] 2022-10-18T09:34:40Z INF Version 2022.10.0 2022-10-18T09:34:40Z INF GOOS: linux, GOVersion: go1.18.6, GoArch: arm 2022-10-18T09:34:40Z INF Settings: map[url:localhost:80]
By pressing “CTRL+C” on your keyboard, you may exit this tunnel at any point.
10- Try now accessing your Raspberry Pi using the domain name you set up previously to verify that your Cloudflare tunnel to it is operational.
For our NGINX web server, for example, we set up a Cloudflare tunnel and used that to access it.
Connecting to your Cloudflare Tunnel on Boot
11- Once you've verified that your Cloudflare tunnel works, you'll probably want it to start when your Raspberry Pi boots up.
To do this, we must write everything into a “config.yml” file that the Cloudflare daemon will read.
sudo nano ~/.cloudflared/config.yml
12- Within this file, type in the following lines and adjust them as needed for your specific use case.
[TUNNELNAME]: Replace this value with the name of your tunnel.
[USERNAME]: This value will need to be replaced with your user’s name.
[UUID]: You will need to specify the UUID that you got back in step 5 of this section.
[HOSTNAME]: Swap this value out with the domain name you are planning to use. For example, “
[PORT]: Finally, replace “PORT” with the port you want accessible through the tunnel.
[PROTOCOL]: This is the protocol you want to use for your service. In the case of a web server, you will want to use “
http” or “
However, if the service you're using uses a different protocol, you have a few other options.
- http: Forward HTTP requests to the specified service.
- https: Forward HTTPS requests to the specified service.
- Unix: Same as HTTP but using a Unix Socket.
- unix+tls: Same as HTTPS but using a Unix socket.
- tcp: Proxy a service using the TCP protocol to a local service. (For example, a Minecraft server)
- ssh: Allows you to proxy an SSH connection to a local service.
- rdp: Proxies a connection made using RDP to the specified service.
tunnel: [TUNNELNAME] credentials-file: /home/[USERNAME]/.cloudflared/[UUID].json ingress: - hostname: [HOSTNAME] service: [PROTOCOL]://localhost:[PORT] - service: http_status:404
13- Once these modifications have been made to the config file, save and quit by pressing “CTRL+X“, then “Y“, then the “ENTER” key.
14- We may install it as a service using the following command after the config file has been created:
This command will prepare a service file for systemd and transfer our configuration file to the proper place.
sudo cloudflared --config ~/.cloudflared/config.yml service install
15- Using the following command, we can have the Cloudflare tunnel service start when our Raspberry Pi does:
sudo systemctl enable cloudflared
16- Finally, by using the command below in the terminal, you can ensure that the tunnel is now online.
sudo systemctl start cloudflared
On a Raspberry Pi, this tutorial shows you how to set up a Cloudflare tunnel.
A Cloudflare tunnel enables you to create a secure connection to the Cloudflare network without needing to open ports on your host system.
If you merely wish to serve via HTTP or HTTPS, Cloudflared does not need to be installed on the client workstations.