xavier collantes

Cloudflared Tunnel: Network for Outbound-Only Traffic

By Xavier Collantes

11/25/2025



The Problem: Exposing Your Server to the Internet

If you are like me and work with Raspberry Pis and home lab projects regularly, you have probably faced this dilemma: How do you make your applications and APIs accessible without exposing your entire home network (or any network, for that matter) to the open internet?
For the longest time, I struggled with this challenge. Opening ports and using a traditional NGINX reverse proxy felt like leaving my front door wide open. Sure, it worked, but the security vulnerabilities left too many potential entry points for attacks.

My Experience with Ngrok (and Why I Needed Something Better)

My next consideration was ngrok, a popular tunneling solution that is a standard tool for developers to quickly expose local services to the internet. It solves the security problem elegantly by creating secure tunnels to your local services. However, there was one significant roadblock: cost. For the number of projects I was running and the flexibility I needed, the paid tiers added up quickly. I needed something equally powerful but more accessible for my use case.

Enter Cloudflare Tunnel: The Perfect Solution

That is when I discovered Cloudflare Tunnel (or cloudflared, as its daemon is called), and it completely transformed how I deploy my Raspberry Pi applications. It checked every box:
  • No subscription fees for basic tunneling needs
  • Lightweight daemon that just works
  • Backed by Cloudflare's global network

How Cloudflare Tunnel Works

Cloudflare Tunnel provides a secure way to connect your resources to Cloudflare without exposing them directly to the internet. Here's what makes it different:

Outbound-Only Connection Model

Instead of opening inbound ports, the cloudflared daemon on your server creates outbound-only connections to Cloudflare's global network. Since most firewalls allow outbound traffic by default, this means:
  • No firewall configuration nightmares
  • No port forwarding required
  • No public IP address needed
  • Your server remains hidden from the internet
Once the connection is established, traffic flows through the secure tunnel. All requests to your application are routed through Cloudflare first, providing an additional layer of protection and DDoS mitigation.
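
One way to check the outbound-only model on the host itself, as an added example that is not part of the original post: list every listening socket that is bound to something other than loopback, since those remain reachable from other machines no matter what the tunnel does. It assumes a Linux host with iproute2's ss; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not bound to loopback.
# Input: output of `ss -H -tuln`, one socket per line, with the columns
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample input, not captured from a real host.
sample_ss_output() {
cat <<'EOF'
tcp   LISTEN 0 4096   127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0 4096   [::1]:8080           [::]:*
tcp   LISTEN 0 511    *:3000               *:*
udp   UNCONN 0 0      127.0.0.53%lo:53     0.0.0.0:*
tcp   LISTEN 0 128    [::]:22              [::]:*
tcp   LISTEN 0 4096   192.168.1.50:5000    0.0.0.0:*
EOF
}

# Print "proto local-address:port" for each socket reachable from off-host.
exposed_listeners() {
  awk '{
    la = $5                          # Local-Address:Port column
    addr = la
    sub(/:[^:]*$/, "", addr)         # drop the trailing :port
    gsub(/\[|\]/, "", addr)          # drop IPv6 brackets
    sub(/%.*$/, "", addr)            # drop interface scope such as %lo
    # Loopback binds (IPv4, IPv6, IPv4-mapped) stay private to the host.
    if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
    print $1, la
  }'
}

# Demo on the constructed sample. On a real host run:
#   ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result means every service, including the ones published through the tunnel, listens on loopback only; anything printed is a listener to rebind to 127.0.0.1 or close at the firewall.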

Key Features

1. Multiple Protocol Support: Cloudflare Tunnel isn't just for HTTP web servers. You can securely expose:
  • HTTP/HTTPS web applications
  • SSH servers for remote access
  • Remote desktop connections (RDP)
  • Other TCP/UDP protocols
2. The Cloudflared Daemon: This lightweight server-side daemon is the heart of the system. It runs on your infrastructure (whether that is a Raspberry Pi, a VPS, or an on-premises server) and maintains persistent connections to Cloudflare's network. Multiple cloudflared processes can connect to the same tunnel, providing redundancy and load balancing.
3. DNS Integration: Tunnels route traffic to DNS records, making it seamless to connect your domain to your private server. No complex networking knowledge required: just point your DNS records at the tunnel, and Cloudflare handles the rest.
4. Zero Trust Architecture: Since traffic flows through Cloudflare's network, you can layer on additional security policies, access controls, and authentication mechanisms. Your origin server is reached only through the tunnel from Cloudflare, so everything else stays blocked by default.

My Experience: From Setup to Production

Setting up my first Cloudflare Tunnel took less than 15 minutes. I installed cloudflared on my Raspberry Pi, authenticated it with my Cloudflare account, created a tunnel through the dashboard, and configured which services to expose. That's it.
Now I run multiple projects—from home automation APIs to personal web applications—all served securely through Cloudflare Tunnel. My home network remains locked down, with zero open ports, and I sleep better knowing that Cloudflare's infrastructure sits between the internet and my Raspberry Pi.

Why This Matters for Your Projects

Whether you are:
  • Running IoT devices that need external access
  • Hosting personal projects from home
  • Building applications that need secure, reliable connectivity
Cloudflare Tunnel offers a production-ready solution without the complexity or cost of traditional approaches.
