Jim Hope

Setting Up Cloudflare Tunnels

Author

Jim

Access Your Home Lab Without Opening Ports on Your Firewall

We recently changed our internet service provider from Vodafone to TalkTalk, and one of the things I didn't think about was accessing my home lab from outside the network. I just thought that I could open a few ports and Bob's your uncle. Turns out that TalkTalk's modem doesn't allow you to open certain ports. This wouldn't be a problem if I wasn't running Nginx Proxy Manager to route traffic, which requires ports 80 and 443—the exact two ports that TalkTalk blocks.

So after a few days of banging my head against a wall trawling through forums, I came across Cloudflare Tunnels. Tunnels are part of Cloudflare's Zero Trust Platform and allow you to send web traffic to your home lab by creating an outbound tunnel from your server to Cloudflare. They then use their infrastructure and technical wizardry to allow access to your services without opening any ports on your modem.

I thought this was so amazing that I had to share it. Below is a short tutorial on getting Cloudflare Tunnels set up using Docker.

Note: For this tutorial, I am using a temporary instance on my Oracle Cloud account. This instance has already been deleted, so the specific IP addresses and domains used here will no longer be active.

Setting Up Docker

As I'm starting from a fresh install of Ubuntu 20.04 Minimal on my Oracle Cloud Instance, this is the best place to start.

Step 1: Connect to Your Instance via SSH

If you are using a cloud instance, use your terminal to access it via SSH. Make sure to change your file path, username, and IP address to match your setup:

Bash

ssh -i /path/to/your/key.key username@your-instance-ip

Step 2: Update the System

Run the following commands to ensure your Ubuntu instance is completely up to date:

Bash

sudo apt update && sudo apt upgrade -y

Step 3: Install Docker

Before installing Docker, we need to set up the official repository. Run these commands to configure the repository and install Docker:

Bash

sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

Step 4: Install Portainer

While a GUI isn't strictly required, I prefer a graphical user interface when managing containers. Because this instance is dedicated to Docker, I'm installing Portainer Business Edition (which offers up to 5 free node licenses).

First, create a persistent volume for the data and run the container:

Bash

docker volume create portainer_data

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data portainer/portainer-ee:latest

To configure Portainer initially, you will need to temporarily open port 9443 on your cloud provider's firewall dashboard. Close it again once the tunnel is working later in this guide; the whole point of the tunnel is that nothing needs to be reachable from the internet directly.

Once open, navigate to https://Your-IP-Address-Here:9443 in your browser. Follow the prompts to set up your admin account. When asked for a license, you can click the "Don't have a license?" link to grab your free Business Edition keys via email.

On the Quick Setup screen, click Get Started to connect to your local Docker environment. Go to Environments, click the local environment instance, and select Containers to view your running applications.

Setting Up Cloudflare

Now that the server side is running, it's time to configure the tunnel itself.

Step 1: Sign Into Cloudflare

You will need a free Cloudflare account and a domain name pointing to Cloudflare's nameservers. Cloudflare provides an excellent step-by-step wizard to help you transition your DNS settings from your domain registrar.

Step 2: Create the Tunnel

  1. Head to the Cloudflare Zero Trust Dashboard.
  2. In the left-hand menu, navigate to Access and click on Tunnels.
  3. Click Create a tunnel and give it a name (e.g., "homelab").
  4. On the environment selection screen, select Docker.
  5. Cloudflare will generate a specific docker run command containing your unique tunnel token. Copy this entire command, paste it into your SSH terminal, and run it.
  6. Once the terminal shows that the container has successfully connected to the Cloudflare data centers, return to the dashboard. You will see the status change to active. Click Next.

Step 3: Route Your Services

The final step maps your domain to your internal container network:

  • Public Hostname: Select your domain from the dropdown and add a subdomain if desired (e.g., portainer.yourdomain.com).
  • Service:
    • Type: Select HTTPS.
    • URL: Enter the internal IP address of your Docker container followed by the port. (For example, 172.17.0.2:9443).

Pro Tip: If you are tunneling to a local web app that uses a self-signed certificate (like Portainer's default HTTPS port), scroll down to Additional Application Settings, expand TLS, and enable the No TLS Verify option. This tells cloudflared to skip verifying the origin's certificate, so the untrusted self-signed certificate no longer causes the tunnel to return an error for that hostname.

Click Save Tunnel, navigate to your newly configured subdomain web address, and your application will securely load!
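The Public Hostname / Service pairs you enter in the dashboard are the same ingress rules a locally managed cloudflared config.yml carries (hostname, service URL, and originRequest.noTLSVerify). The audit below is an added example, not part of the original post or of Cloudflare's tooling: it walks a constructed ingress list and flags the mistakes that matter for a home lab, such as pointing the tunnel at a non-private origin, a missing catch-all rule, or No TLS Verify on an origin where it does nothing. The hostnames and addresses in the sample are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Origins a home-lab tunnel should point at: RFC 1918 ranges (the default
# Docker bridge 172.17.0.0/16 sits inside 172.16.0.0/12) plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample mirroring the ingress list cloudflared builds from the
# dashboard's Public Hostname / Service form (hostnames and IPs are made up).
SAMPLE_INGRESS = [
    {"hostname": "portainer.example.com",
     "service": "https://172.17.0.2:9443",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "npm.example.com", "service": "http://203.0.113.10:80"},
    {"service": "http_status:404"},
]

def is_private_origin(host):
    """True for RFC 1918/loopback addresses and for bare names (a container
    name resolves only on a user-defined Docker network, never publicly)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in PRIVATE_NETS)

def audit_ingress(rules):
    """Return (severity, hostname, message) findings for an ingress list."""
    findings = []
    for i, rule in enumerate(rules):
        name = rule.get("hostname", "catch-all")
        if "hostname" not in rule:
            if i != len(rules) - 1:
                findings.append(("error", name, "catch-all must be last; later rules are unreachable"))
            continue
        url = urlsplit(rule.get("service", ""))
        if url.scheme not in ("http", "https"):
            findings.append(("error", name, f"unsupported service scheme {url.scheme!r}"))
            continue
        if not is_private_origin(url.hostname or ""):
            findings.append(("warn", name, f"origin {url.hostname} is not a private address"))
        if url.scheme == "http":
            findings.append(("info", name, "plain-http origin: cloudflared-to-origin hop is unencrypted"))
        if rule.get("originRequest", {}).get("noTLSVerify"):
            sev = "info" if url.scheme == "https" else "warn"
            findings.append((sev, name, "noTLSVerify: origin certificate is not checked"))
    if not rules or "hostname" in rules[-1]:
        findings.append(("error", "catch-all", "ingress must end with a catch-all such as http_status:404"))
    return findings
```

One practical caveat the check cannot catch: an address like 172.17.0.2 on the default Docker bridge is assigned when the container starts and can change after a restart, so putting cloudflared and Portainer on a user-defined Docker network and using the container name in the service URL is more robust.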

The process is incredibly straightforward once you break it down. Best of all, you can securely access your home lab applications from anywhere in the world without punching dangerous holes through your local router's firewall.

Will you be using Cloudflare Tunnels in your home lab? What apps are you running? Let me know in the comments below!
