
Getting Started with Cloudflare Tunnel: Secure Access to Internal Services Without a Public IP

Cloudflare Tunnel internal network penetration configuration diagram

Have you ever encountered this situation: It’s the weekend, you’re at Starbucks, and suddenly you want to access a file on your home NAS, only to find you can’t connect? Or you want to show a friend your project, but it’s running on your local computer and you can’t share a direct link?

The root cause of these problems is actually the same—no public IP.

To be honest, I’ve been bothered by this problem for a long time. ISPs either don’t assign public IPs or charge extra; even with a dynamic IP, you still need to configure DDNS, and the stability isn’t great. Later I tried internal network penetration tools like frp and ngrok, but they either require renting a cloud server (increasing costs) or have too many restrictions in the free version with insufficient traffic.

Until I discovered Cloudflare Tunnel.

This thing is completely free, doesn’t require a public IP, doesn’t need a cloud server, and you don’t even need to configure router port forwarding. More importantly, it comes with HTTPS encryption and Cloudflare’s DDoS protection. Honestly, when I first successfully accessed my internal services through Tunnel, that feeling of “oh, so it can work like this” was pretty awesome.

In this article, I’ll walk you through using Cloudflare Tunnel to achieve internal network penetration step by step. Whether you want to remotely access your home NAS, show friends your local project, or SSH into your home server from outside, it only takes 30 minutes to set up.

1. What is Cloudflare Tunnel? Why Choose It?

What Problem Does Internal Network Penetration Solve?

Let me first explain why we need internal network penetration.

Normally, your home devices are all on an internal network with private IP addresses (like 192.168.1.100). These devices can access each other, but external networks can’t connect in. If you want to access your home NAS from the office or a coffee shop, you need a “bridge” to connect the internal and external networks.

The traditional approach is port forwarding: open a port on the router to forward external requests to internal devices. But this has a prerequisite—you need a public IP. The problem is that many home broadband connections don’t provide public IPs, or they provide carrier-grade NAT, making it impossible to connect from outside.

This is the problem internal network penetration solves: allowing external networks to access your internal services when you don’t have a public IP.

How Cloudflare Tunnel Works

Cloudflare Tunnel’s approach is quite clever. Instead of “drilling a hole from outside in” like traditional solutions, it actively connects outward from inside.

Specifically, here’s how it works:

  1. You run a small program called cloudflared (a daemon) on your internal network device
  2. This program actively connects to Cloudflare’s global network, establishing an encrypted tunnel
  3. When someone accesses your configured domain (like nas.yourdomain.com), the request first reaches Cloudflare’s CDN
  4. Cloudflare forwards the request to your internal service through this encrypted tunnel
  5. Your internal service processes it, and data returns through the tunnel

This way, your internal service is completely “invisible” to the outside world—no ports are open, no public IP is needed, just an encrypted connection from inside to outside. From a security perspective, this is the idea behind Zero Trust architecture: don’t trust any connection by default, all traffic must go through authentication and encryption. The tunnel itself provides the encryption; visitor authentication is added on top with Cloudflare Access, which is covered in section 4.

To use an imprecise analogy: it’s like you’ve set up a dedicated line between your home and Cloudflare that only you can use, and outsiders can’t see where your server is at all.

Why Did I Choose Cloudflare Tunnel?

There are quite a few internal network penetration solutions on the market. I’ve tried several and ultimately went with Cloudflare Tunnel. Here are the main reasons:

Compared to frp (most common solution):

frp is indeed easy to use with straightforward configuration, but it has a hard requirement—you need a cloud server with a public IP. This means spending tens of dollars per month on server rental, plus configuration and maintenance, which is actually quite troublesome. Cloudflare Tunnel completely eliminates this cost, and you even get Cloudflare’s CDN and DDoS protection for free.

Compared to ngrok (popular abroad):

ngrok’s free version assigns you a random domain that changes every restart, and there are traffic limitations. If you want to use your own domain, you need to buy the paid version. Cloudflare Tunnel is completely free, you can use custom domains however you like, and there’s no traffic limit.

Compared to Tailscale/ZeroTier (P2P networking):

These two are virtual local area network solutions with a different approach. They’re more suited for point-to-point networking, like connecting your phone, computer, and servers to each other. But if you want to publish a website externally for everyone to access, Tailscale isn’t quite suitable. Cloudflare Tunnel is better for “publishing services externally.”

Simply put, Cloudflare Tunnel’s advantages come down to three words: free, secure, simple.

That said, it’s not perfect. The biggest issue is generally slower access from China because Cloudflare’s CDN nodes are mainly overseas, so latency is higher, with occasional disconnections. If your users are mainly in China or you have very high real-time requirements, you might need to consider other solutions. But for personal use and non-real-time scenarios, it’s perfectly adequate.

2. Preparation: What Do You Need?

Before starting configuration, let’s confirm what you need to prepare. Don’t worry, nothing is complicated, and most of it is free.

1. Cloudflare Account (Free)

Nothing much to say here—just register an account at cloudflare.com, completely free. If you’re already using Cloudflare’s DNS or CDN services, just use your existing account.

2. Your Own Domain Name

This is the only thing that costs a little money. You need a domain name, and you need to host it with Cloudflare.

Why must you have a domain? Cloudflare Tunnel routes traffic through domain names. When you access nas.yourdomain.com, that’s how Cloudflare knows which tunnel to forward the request to.

Domain names aren’t expensive—buying a .com or .top domain from Alibaba Cloud or Tencent Cloud in China costs only a few dozen dollars per year. After purchasing, just change the DNS servers to Cloudflare’s (Cloudflare has detailed tutorials, it’s simple).

There’s an extra benefit: hosting your domain with Cloudflare lets you enjoy its CDN and firewall features, essentially getting free extras.

3. Cloudflare Zero Trust Free Plan

Pay a bit of attention to this. Cloudflare Tunnel is part of the Cloudflare Zero Trust service, so you need to activate Zero Trust first.

Don’t panic, the free plan is completely sufficient, supporting up to 50 users (way more than you’d ever need personally).

Activation steps:

  1. Log into the Cloudflare console
  2. Find Zero Trust in the left menu
  3. Select Free Plan
  4. Need to bind a payment method (credit card or PayPal)

This might make you hesitate—why does a free plan require binding a card?

To be honest, I was a bit worried at first, but actually there are no charges. Cloudflare does this to prevent abuse (like people batch-registering accounts for malicious purposes). Domestic dual-currency credit cards work fine—I use China Merchants Bank’s, and after binding it, I’ve never been charged.

4. An Internal Network Device

This device needs to meet two conditions:

  1. Can connect to the network: obviously, you can’t establish a tunnel without network connectivity
  2. Can stay powered on (or at least be on when you need access)

Specifically, this could be:

  • Your home computer (Windows/Mac/Linux all work)
  • NAS (Synology, QNAP, etc., especially convenient if it supports Docker)
  • Raspberry Pi or other development boards
  • Soft router

I run it on my NAS using Docker deployment—very convenient.

5. Internal Service to Expose

Finally, you need a service you want to expose externally. For example:

  • NAS web management interface (common ports 5000, 5001)
  • Home Assistant smart home control panel (port 8123)
  • Your own blog or website (ports 80, 8080, etc.)
  • SSH service (port 22)

You need to know this service’s internal IP address and port number. For example, my NAS is 192.168.1.100:5000.

That’s all for preparation. It sounds like a lot, but the only thing you actually need to pay extra for is the domain name—everything else is free.

3. Hands-On Configuration: Building Your Tunnel Step by Step

Alright, after all that buildup, let’s get to the practical part. The whole configuration process has three steps: create tunnel, install cloudflared, configure domain. It sounds like a lot, but the actual operation is really quick. Follow along and you’ll get it.

Step 1: Create Tunnel in Cloudflare Console

  1. Log into your Cloudflare account and enter the Zero Trust console
  2. Click Networks → Connectors → Cloudflare Tunnels in the left menu
  3. Click the Create a tunnel button in the upper right
  4. Select connector type: Cloudflared (this is the default)
  5. Give your Tunnel a name

For naming, I suggest using meaningful names like home-nas or dev-server for easier future management. If you only have one Tunnel, it doesn’t matter what you call it; but if you might have multiple in the future, it’s better to choose names that clearly indicate which service they’re for.

After clicking Save tunnel, Cloudflare will generate a Token.

Key point: This Token is super important! It’s like your Tunnel’s password, and you’ll need it when installing cloudflared. The page will display a very long string of characters—copy and save it, or just don’t close the page yet.

Step 2: Install cloudflared Daemon

Now you need to install cloudflared on your internal network device. This step varies slightly depending on your system. I’ll focus on the Docker method (simplest) and briefly mention other methods.

Method 1: Docker Deployment (Recommended)

If your device supports Docker (NAS, Linux servers, etc.), this is the easiest approach. Just one command:

docker run -d --restart=always \
  --name cloudflared \
  cloudflare/cloudflared:latest \
  tunnel --no-autoupdate run --token <YOUR_TOKEN>

Replace <YOUR_TOKEN> with the long string you just copied, then press enter.

After a few seconds, the container will be running. The --restart=always parameter ensures the container auto-restarts, so even if the device reboots, the Tunnel will automatically recover.

Method 2: Direct Linux System Installation

If not using Docker, you can also install directly on the system. For Ubuntu/Debian:

# Download package
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

# Install
sudo dpkg -i cloudflared-linux-amd64.deb

# Run Tunnel
sudo cloudflared service install <YOUR_TOKEN>

CentOS/RHEL users just change .deb to .rpm in the download URL and install it with sudo rpm -i instead of dpkg.

Method 3: Windows Installation

Windows users download the MSI package: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi

Double-click to install, then open Command Prompt (CMD) as administrator and run:

cloudflared.exe service install <YOUR_TOKEN>

Method 4: macOS Installation

Mac users have it simplest, using Homebrew:

brew install cloudflared
cloudflared service install <YOUR_TOKEN>

Regardless of which method you use, after installation, go back to the Cloudflare console and check. If you see the Tunnel status turn to HEALTHY, that means the connection succeeded. At this point, cloudflared has already established an encrypted tunnel with Cloudflare.

Step 3: Configure Public Hostname

Now the tunnel is set up, but Cloudflare doesn’t know where to forward traffic yet. Next, we need to tell it: “When someone accesses nas.yourdomain.com, please forward to my internal 192.168.1.100:5000.”

Still on the Tunnel page from before:

  1. Click the Public Hostname tab
  2. Click Add a public hostname
  3. Fill in the configuration:
    • Subdomain: For example, fill in nas, and the full domain will be nas.yourdomain.com
    • Domain: Select your domain from the dropdown (assuming it’s already hosted with Cloudflare)
    • Path: Generally leave blank, unless you want to use paths like /api to differentiate
    • Type: Select HTTP
    • URL: Fill in your internal service address in the format http://internal-IP:port, like http://192.168.1.100:5000

You might wonder: Why select HTTP for Type? Shouldn’t we use HTTPS for security?

Actually, don’t worry—Cloudflare automatically provides HTTPS. The flow works like this:

  • Visitor → Cloudflare: HTTPS encryption (Cloudflare auto-issues certificate)
  • Cloudflare → Your internal service: Transmitted through encrypted tunnel

This means even if your internal service itself doesn’t have HTTPS configured, visitors still get an HTTPS connection, and every hop between them and your service is encrypted. One caveat worth knowing: the visitor’s TLS session terminates at Cloudflare, which sees the plaintext before it enters the tunnel, so this is hop-by-hop encryption rather than true end-to-end. It still saves a ton of hassle configuring certificates.

Click Save hostname, and the configuration takes effect.

Step 4: Verify Access

Now we can test!

Open a browser and visit the domain you just configured, like https://nas.yourdomain.com.

If everything goes smoothly, you should see your internal service. Notice the browser address bar will show a lock icon, indicating the HTTPS certificate is valid.

First access might take a few minutes because DNS records need time to propagate. If you can’t access:

  1. Wait 5-10 minutes and try again
  2. Check if Tunnel status is HEALTHY
  3. Check if internal service is running normally (try accessing http://192.168.1.100:5000 from inside the network)

One Tunnel Can Configure Multiple Subdomains

Here’s a very practical tip: one Tunnel can add multiple public hostnames, corresponding to different internal services.

For example, my configuration is like this:

  • nas.mydomain.com → http://192.168.1.100:5000 (NAS management interface)
  • blog.mydomain.com → http://192.168.1.100:8080 (personal blog)
  • ha.mydomain.com → http://192.168.1.101:8123 (Home Assistant)

This way you don’t need to create a separate Tunnel for each service—management is especially convenient.

4. Advanced Configuration and Best Practices

Basic configuration is done at this point, but if you want to go further, there are some advanced techniques you can learn.

Using Configuration Files to Manage Multiple Services

We just configured through the Dashboard by clicking around, which is convenient for a small number of services. But if you have many services to expose, or want to manage configuration through code (like version control), you can use configuration files.

On the device running cloudflared, create a configuration file config.yml:

tunnel: <Your Tunnel UUID>
credentials-file: /path/to/<UUID>.json

ingress:
  - hostname: nas.yourdomain.com
    service: http://192.168.1.100:5000
  - hostname: blog.yourdomain.com
    service: http://192.168.1.100:8080
  - hostname: ha.yourdomain.com
    service: http://192.168.1.101:8123
  - service: http_status:404

That last line service: http_status:404 is a catch-all rule—all requests that don’t match will return 404. This rule must exist and must be last.

Then start cloudflared with this configuration file:

cloudflared tunnel --config /path/to/config.yml run

The advantage of this approach is clearer configuration, and you can put it in a Git repository for version management (just don’t commit the Token or the credentials .json file the config points to!).
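To make the ordering rule concrete, here is an added example (my own code, not cloudflared’s) that re-implements how the ingress list is evaluated: rules are tried top to bottom and the first match wins, which is exactly why the http_status:404 catch-all has to be last. It uses the article’s config.yml expressed as Python objects, plus one constructed path rule (the /api split mentioned under Step 3) routed to an assumed port 9000. Wildcard hostnames and service validation are simplified, as marked in the comments.

```python
"""
Added example (not cloudflared's own code): a small re-implementation of how
cloudflared evaluates the ingress list, so you can see why rule order matters
and why the http_status:404 catch-all has to be last. Rules are tried top to
bottom and the first match wins; wildcard handling and service validation are
simplified (assumptions, marked below).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    service: str                     # where matching requests are forwarded
    hostname: Optional[str] = None   # None = matches every hostname
    path: Optional[str] = None       # regex tested against the request path


def hostname_matches(pattern: Optional[str], host: str) -> bool:
    if pattern is None:
        return True
    if pattern.startswith("*."):
        # Assumption: '*' stands for one or more leading labels and does not
        # match the bare apex (cloudflared's exact wildcard rules may differ).
        suffix = pattern[1:]          # ".yourdomain.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def check(rules: list[Rule]) -> Optional[str]:
    """Return an error message if cloudflared would reject the list, else None."""
    if not rules:
        return "ingress list is empty"
    last = rules[-1]
    if last.hostname is not None or last.path is not None:
        return "the last ingress rule must be a catch-all (no hostname, no path)"
    for i, r in enumerate(rules[:-1]):
        if r.hostname is None and r.path is None:
            return f"rule {i} is a catch-all but is not last; it shadows every rule after it"
    for r in rules:
        # Simplified: accept scheme://host[:port] or an http_status:NNN reply.
        if not (re.match(r"^[a-z][a-z0-9+.-]*://", r.service)
                or re.fullmatch(r"http_status:\d{3}", r.service)):
            return f"service {r.service!r} is not a URL or http_status:NNN"
    return None


def route(rules: list[Rule], url: str) -> str:
    """Return the service cloudflared would forward `url` to (first match wins)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    for r in rules:
        if not hostname_matches(r.hostname, host):
            continue
        if r.path is not None and re.search(r.path, path) is None:
            continue
        return r.service
    raise LookupError("no rule matched; check() would have rejected this list")


# The article's config.yml expressed as rules, plus one constructed path rule
# (the /api split the article mentions) routed to an assumed port 9000.
PAGE_RULES = [
    Rule("http://192.168.1.100:5000", hostname="nas.yourdomain.com"),
    Rule("http://192.168.1.100:9000", hostname="blog.yourdomain.com", path=r"^/api(/|$)"),
    Rule("http://192.168.1.100:8080", hostname="blog.yourdomain.com"),
    Rule("http://192.168.1.101:8123", hostname="ha.yourdomain.com"),
    Rule("http_status:404"),
]

# Same rules with the catch-all moved to the top: every request would get a
# 404 and the real services become unreachable. check() rejects this list.
SHADOWED_RULES = [PAGE_RULES[-1]] + PAGE_RULES[:-1]

if __name__ == "__main__":
    assert check(PAGE_RULES) is None
    for url in ("https://nas.yourdomain.com/", "https://blog.yourdomain.com/api/posts",
                "https://blog.yourdomain.com/about", "https://other.yourdomain.com/"):
        print(url, "->", route(PAGE_RULES, url))
    print("shadowed config:", check(SHADOWED_RULES))
```

Note that the path rule sits above the plain blog rule on purpose: because the first match wins, a path-specific rule placed below a hostname-only rule for the same host would never be reached. Run the file directly to see each URL’s routing decision and the error message for the shadowed list.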

Supporting SSH and RDP

Cloudflare Tunnel doesn’t just forward HTTP—it also supports protocols like SSH and RDP. This is especially useful for remote server management.

SSH Configuration Example:

Add to the ingress list in config.yml (above the http_status:404 catch-all rule, which must stay last):

  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22

Then use cloudflared on your local computer to SSH connect:

# First configure SSH config
# First configure SSH config (this appends a Host entry; run it once)
cat >> ~/.ssh/config << EOF
Host ssh.yourdomain.com
  ProxyCommand cloudflared access ssh --hostname %h
EOF

# Then you can SSH directly (replace <user> with your login name on the server)
ssh <user>@ssh.yourdomain.com

RDP configuration (Windows Remote Desktop) is similar, just change the protocol to rdp://.

The benefit of doing this is your SSH/RDP ports don’t need to be exposed to the public internet at all, greatly improving security.

Hardening Security with Cloudflare Access

With the above configuration, anyone who knows your domain can access your service. This is fine for public websites, but for sensitive services like NAS management interfaces, it’s better to add a layer of authentication.

This is where Cloudflare Access comes in—it can add a login gate in front of Tunnel.

Configuration isn’t complicated:

  1. In the Zero Trust console, go to Access → Applications
  2. Click Add an application → select Self-hosted
  3. Fill in application information:
    • Application name: Like “My NAS”
    • Application domain: Select your domain, like nas.yourdomain.com
  4. Configure authentication policy:
    • Can choose email whitelist (only specified emails can log in)
    • Or Google/GitHub OAuth login
    • Can even enable MFA (multi-factor authentication)

After configuration, when accessing nas.yourdomain.com, you’ll first be redirected to Cloudflare’s login page, and only after authentication can you enter your service.

This feature is also completely free for personal users—strongly recommend configuring it for sensitive services.

Performance Optimization and Monitoring

Finally, let’s talk about some daily usage tips.

Check Tunnel Running Status:

On the Tunnels page in the Zero Trust console, you can see:

  • Whether Tunnel is online (HEALTHY or DOWN)
  • Traffic statistics
  • Number of connected clients

If Tunnel suddenly goes DOWN, it’s probably because the internal network device disconnected or shut down—go check if the cloudflared process is still running.

View Logs to Troubleshoot Problems:

With Docker, you can use docker logs cloudflared to view logs.

Common errors include:

  • Invalid Token: Check if you copied it wrong
  • Connection failure: Check if internal service is running normally
  • Certificate error: Usually auto-fixes after a few minutes

Regularly Update cloudflared:

Cloudflare periodically updates cloudflared, adding new features or fixing bugs. If using Docker, just pull the latest image and restart the container:

docker pull cloudflare/cloudflared:latest
docker restart cloudflared

However, Cloudflare officially only guarantees compatibility for versions from the past year—versions that are too old might be forcibly discontinued, so it’s still recommended to update regularly.

5. Common Issues and Notes

After using Cloudflare Tunnel for a while, I’ve summarized some common issues and things to pay attention to. I’ll share them with you.

About Speed and Stability

This is what everyone cares about most. To be honest, access speed from China really isn’t fast.

My own test data:

  • Latency: 300-800ms (accessing from China)
  • Bandwidth: Download speed generally 1-5MB/s, depending on time and region
  • Stability: Occasional brief disconnections, but mostly fine

Why is it slow? Because Cloudflare’s CDN nodes are mainly overseas, so traffic from China has to take a detour. Plus free users have relatively lower priority and might get throttled during peak hours.

Suitable scenarios:

  • Occasionally remotely accessing NAS to download files
  • Showing friends personal projects
  • Remote SSH server management (latency impact isn’t huge)

Unsuitable scenarios:

  • Streaming media playback (will stutter)
  • Game servers (latency too high)
  • Frequent large file transfers
  • Production environments facing domestic users

If you have high speed requirements, consider using frp + domestic cloud server, or P2P solutions like Tailscale.

About Security

Cloudflare Tunnel itself is very secure, mainly reflected in:

  • HTTPS for visitors, plus an encrypted tunnel from Cloudflare to your origin
  • No need to open any inbound ports
  • Zero Trust architecture, default deny all access
  • Built-in Cloudflare DDoS protection

But this doesn’t mean you can carelessly expose services. Strong recommendations:

  1. Don’t expose databases: Never expose MySQL, Redis, etc. directly through Tunnel—the risk is too high
  2. Add Access verification for sensitive services: NAS, SSH, admin backends, etc. must have Cloudflare Access configured
  3. Regularly check logs: See if there’s any abnormal access
  4. Update systems and software: Internal services should be patched—don’t think “it’s on internal network” means you can ignore security

That said, compared to directly opening public ports, Tunnel is already much more secure.
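The four recommendations above are easy to state and easy to forget once a tunnel has a dozen hostnames. Here is an added example (my own code, not a Cloudflare tool) that audits the hostname → service mapping from the dashboard or config.yml and flags the exposures the list warns against. Which hostnames carry an Access policy is passed in explicitly, because that policy lives in the Zero Trust console and is not visible in the tunnel configuration; the port lists, severities and the sample configuration (the article’s services plus two deliberate mistakes) are this example’s own constructed choices.

```python
"""
Added example (not a Cloudflare tool): an audit over the public hostname ->
service mapping, flagging the exposures the recommendations above warn
against. Port lists, severities and the sample configuration are this
example's own choices, not Cloudflare's.
"""
from __future__ import annotations

import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Recommendation 1: never publish a database through the tunnel.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
# Recommendation 2: these must sit behind Cloudflare Access.
SENSITIVE_SCHEMES = {"ssh", "rdp"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 5000: "NAS UI", 5001: "NAS UI"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "rdp": 3389}


def parse_target(service: str) -> Optional[tuple[str, str, Optional[int]]]:
    """'scheme://host[:port]' -> (scheme, host, port); None for http_status:NNN."""
    if service.startswith("http_status:"):
        return None
    u = urlsplit(service)
    return u.scheme, (u.hostname or ""), (u.port or DEFAULT_PORTS.get(u.scheme))


def is_private_origin(host: str) -> bool:
    """True for localhost and private/loopback IPs. Other names cannot be
    resolved offline, so they are treated as private (not flagged)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return True


def audit(ingress: list[tuple[Optional[str], str]],
          access_protected: set[str]) -> list[tuple[str, Optional[str], str]]:
    """ingress: (public hostname, or None for the catch-all; service), in order.
    access_protected: public hostnames that have a Cloudflare Access policy.
    Returns (severity, hostname, message) findings."""
    findings: list[tuple[str, Optional[str], str]] = []
    for hostname, service in ingress:
        target = parse_target(service)
        if target is None:          # http_status:NNN replies expose nothing
            continue
        scheme, host, port = target
        if hostname is None:
            findings.append(("HIGH", None,
                             f"catch-all forwards every unmatched hostname to {service}; "
                             "use http_status:404 instead"))
        if port in DATABASE_PORTS:
            findings.append(("CRITICAL", hostname,
                             f"{DATABASE_PORTS[port]} ({service}) is published through "
                             "the tunnel; never expose databases"))
        elif (scheme in SENSITIVE_SCHEMES or port in SENSITIVE_PORTS) \
                and hostname not in access_protected:
            what = SENSITIVE_PORTS.get(port, scheme.upper())
            findings.append(("HIGH", hostname,
                             f"{what} ({service}) has no Cloudflare Access policy"))
        if not is_private_origin(host):
            findings.append(("MEDIUM", hostname,
                             f"origin {host} is not a private address; the tunnel "
                             "would relay traffic to a public host"))
    return findings


# Constructed configuration for the demo: the article's services plus two
# mistakes (a Redis port and an SSH host left without an Access policy).
SAMPLE_INGRESS = [
    ("nas.yourdomain.com", "http://192.168.1.100:5000"),
    ("blog.yourdomain.com", "http://192.168.1.100:8080"),
    ("ha.yourdomain.com", "http://192.168.1.101:8123"),
    ("ssh.yourdomain.com", "ssh://localhost:22"),
    ("cache.yourdomain.com", "tcp://192.168.1.100:6379"),
    (None, "http_status:404"),
]
SAMPLE_ACCESS_PROTECTED = {"nas.yourdomain.com"}

if __name__ == "__main__":
    for sev, host, msg in audit(SAMPLE_INGRESS, SAMPLE_ACCESS_PROTECTED):
        print(f"[{sev}] {host or '(catch-all)'}: {msg}")
```

On the sample configuration the audit reports the Redis exposure as CRITICAL and the unprotected SSH hostname as HIGH, while the NAS interface passes because it is in the Access-protected set. Re-running it after each change to the Tunnel is a cheap way to keep recommendations 1 and 2 honest over time.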

About Usage Limitations

Cloudflare free plan limitations:

  • Maximum 50 users (more than enough for personal use)
  • No traffic limit (this is quite generous)
  • UDP protocol not currently supported (TCP is fine)
  • HTTP/3 QUIC not currently supported in China

There’s also a hard requirement: must have a domain and must be hosted with Cloudflare. If you don’t want to put your domain on Cloudflare, then you can’t use Tunnel.

Alternative Solutions Comparison

If Cloudflare Tunnel doesn’t suit you, here are other options:

Solution  | Advantages                  | Disadvantages                                                    | Suitable Scenarios
frp       | Fast, stable                | Needs cloud server, has cost                                     | Production environments, domestic users
Tailscale | P2P direct connection, fast | Only for personal use, can’t publish publicly                    | Personal device interconnection
ngrok     | Simple configuration        | Free version has many restrictions, custom domain requires payment | Temporary demos
DDNSTO    | Domestic team, good speed   | Free version limits device count                                 | Domestic users

Choose based on your needs—there’s no absolutely best solution.

Some Practical Tips

Finally, sharing a few small tips:

1. Use Short Domains

For example, nas.yourdomain.com is easier to remember than mynas.yourdomain.com. If the domain itself is short (like abc.com), then nas.abc.com is even more convenient.

2. Plan Subdomains for Different Services

Suggest using meaningful subdomains, like:

  • nas. - NAS management
  • blog. - Blog
  • dev. - Development environment
  • ssh. - SSH access

This way you can tell what service it is just by looking at the URL, and management is clear.

3. Backup Your Token

Be sure to save your Tunnel Token well, preferably in a password manager (like 1Password or Bitwarden). If you lose it, you can only delete and rebuild the Tunnel.

4. Monitor Tunnel Status

You can use Cloudflare’s Webhook or email notification feature to get timely alerts when Tunnel goes offline. Configure this in Settings in the Zero Trust console.

Conclusion

After all that, let’s summarize:

Cloudflare Tunnel is a free, secure, easy-to-use internal network penetration solution, especially suitable for individual developers and home server users. You don’t need a public IP, don’t need to buy a cloud server, and don’t need to mess with router port forwarding—configuration takes just 30 minutes.

Its core advantages are:

  • Completely free, unlimited traffic
  • Zero Trust security architecture
  • Built-in HTTPS and DDoS protection
  • Supports HTTP/SSH/RDP and other protocols
  • One Tunnel can expose multiple services

Of course, we must also acknowledge its shortcomings:

  • Generally slower access from China, relatively high latency
  • Occasional disconnections
  • Must have domain and host with Cloudflare
  • Doesn’t support UDP protocol

If you mainly occasionally access remotely yourself, or face users overseas, Cloudflare Tunnel is completely adequate. If it’s a domestic production environment or you have high speed requirements, you might need to consider other solutions.

That said, for most personal users, being able to freely use Cloudflare’s infrastructure is already a pretty good choice. Back when I spent an afternoon struggling with frp and cloud servers, only to discover Tunnel could do it in ten minutes—that feeling of “I should have done this earlier,” you’ll understand when you try it.

Go ahead and give it a try! If you encounter problems, feel free to leave a comment, and I’ll respond when I see it.

Published on: Nov 30, 2025 · Modified on: Dec 4, 2025
