Cloudflare Tunnel Easy Setup

Flynn · Oct 10, 2025

from chatgpt...such a sense of humor.. ha.

how will i do getting my raspberry pi up an configuring the cloudflare tunnel.

ChatGPT said:

Here’s a step-by-step guide to getting your Raspberry Pi up and configuring a Cloudflare Tunnel (formerly Argo Tunnel) so you can expose services (web, SSH, etc.) securely without opening ports on your router.

I’ll include full commands, config files, and tips. If you tell me your Pi’s OS (Raspberry Pi OS, Ubuntu, etc.) I can tailor it more.

Overview & prerequisites

Before diving in, here’s what you need and a high-level view:

What you need

A Raspberry Pi running Linux (Raspberry Pi OS, Ubuntu, etc.), with network connectivity.
A domain name managed via Cloudflare (i.e. your DNS is through Cloudflare), so you can create DNS records and route traffic via the tunnel.
The service(s) on the Pi you want to expose (e.g. a web server on port 80 or 8080, SSH, etc.).
Basic familiarity with the terminal, editing config files, etc.

How it works (conceptually)

You install the cloudflared daemon on the Pi.
cloudflared makes an outbound connection to Cloudflare’s network (so you don’t need to open inbound firewall ports). Cloudflare Docs+2Cloudflare Docs+2
You create a “tunnel” that maps a hostname (via DNS) to a local service (e.g. http://localhost:80 or ssh://localhost:22).
Cloudflare routes traffic from that hostname through the tunnel, delivering it to your Pi securely. Fleetstack+3Cloudflare Docs+3Cloudflare Docs+3
You can run the tunnel persistently (as a systemd service) so it auto-starts on boot. Ladvien's Lab+3Pi My Life Up+3Gist+3

Step-by-step guide

Here’s how to do it.

Note: these commands are for Debian / Raspberry Pi OS / Ubuntu style (apt / systemd). Adjust accordingly if you're on a different distro.

1. Update your Pi and install prerequisites

sudo apt update sudo apt upgrade -y sudo apt install -y curl lsb-release 
curl is used to fetch the Cloudflare repo / packages; lsb-release helps identify your OS codename. Pi My Life Up+2IT Capture+2

2. Install

Option A: Use Cloudflare’s repository (so it updates like a package)

# Import the GPG key curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null # Add the repository echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" \ | sudo tee /etc/apt/sources.list.d/cloudflared.list # Update package lists sudo apt update # Install cloudflared sudo apt install cloudflared -y 
This method is recommended in many tutorials. Pi My Life Up+2IT Capture+2

Option B: Download a binary / deb package manually

If the repo method doesn’t work, you can grab a prebuilt binary for your Pi’s architecture (ARM 32-bit, ARM 64-bit, etc.) from Cloudflare’s GitHub releases. Pi My Life Up+4Fleetstack+4Gist+4

For example:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb sudo dpkg -i cloudflared-linux-arm64.deb 
Then verify:

cloudflared --version 
If you installed via the repo, updates will be handled by apt.

3. Authenticate

Run:

cloudflared tunnel login 
That command will output a URL. Open it in your browser, log into your Cloudflare account, and authorize cloudflared to manage tunnels for your domain. This creates a certificate file (cert.pem) in ~/.cloudflared/ on your Pi. Ladvien's Lab+3Pi My Life Up+3Cloudflare Docs+3

You might see something like:

You have successfully logged in. credentials saved to /home/pi/.cloudflared/cert.pem

4. Create a new tunnel

Now that cloudflared is authorized, you can create a tunnel:

cloudflared tunnel create <TUNNEL_NAME> 
Replace <TUNNEL_NAME> with something descriptive (e.g. my-pi-tunnel).

This will output:

The tunnel ID (a UUID).
The path to the credentials JSON file (e.g. /home/pi/.cloudflared/<UUID>.json). IT Capture+4Pi My Life Up+4Fleetstack+4

Make a note of those.

You can also list tunnels:

cloudflared tunnel list

5. Configure the tunnel (config file)

You need a config.yml file for cloudflared that maps hostnames to local services (called “ingress rules”).

Create (or edit) ~/.cloudflared/config.yml:

tunnel: <TUNNEL_ID_OR_NAME> credentials-file: /home/pi/.cloudflared/<UUID>.json ingress: # example: map hostname to a local HTTP service - hostname: pi.example.com service: http://localhost:80 # default catch-all (when no other rule matches) - service: http_status:404 
Adjust:

hostname to the DNS name you’ll use (subdomain of your domain in Cloudflare).
service to the local service (HTTP, HTTPS, SSH, TCP, etc.).
For HTTP: http://localhostORT
For HTTPS (if local uses TLS): https://localhostORT
For SSH: ssh://localhost:22
For generic TCP: tcp://localhostORT Ladvien's Lab+3Gist+3Pi My Life Up+3

Example:

tunnel: my-pi-tunnel credentials-file: /home/pi/.cloudflared/1234-uuid.json ingress: - hostname: pi.mydomain.com service: http://localhost:8080 - hostname: ssh.mydomain.com service: ssh://localhost:22 - service: http_status:404 
Save the file.

6. Map DNS (in Cloudflare) to the tunnel

Tell Cloudflare DNS to route a hostname to your tunnel:

cloudflared tunnel route dns <TUNNEL_NAME> <hostname> 
Example:

cloudflared tunnel route dns my-pi-tunnel pi.mydomain.com 
This will create or update a CNAME record in Cloudflare’s DNS so that pi.mydomain.com points through the tunnel. IT Capture+3Pi My Life Up+3Cloudflare Docs+3

Alternatively, you can manually create a CNAME record in the Cloudflare dashboard pointing your subdomain to the canonical *.cfargotunnel.com address—Cloudflare’s UI often guides this during tunnel setup.

7. Run the tunnel (test mode)

You can test by running:

cloudflared tunnel run <TUNNEL_NAME> 
This starts the tunnel in the foreground, routes traffic, and logs to stdout. Try accessing https://pi.mydomain.com (or whatever hostname you set) and see if the service is reachable.

If it works, great! If not, check logs, firewall, and DNS.

8. Run as a service (auto-start on boot)

You’ll want the tunnel to persist across reboots. Use the command:

sudo cloudflared service install 
This sets up a systemd service. Then:

sudo systemctl enable cloudflared sudo systemctl start cloudflared sudo systemctl status cloudflared 
Once installed, cloudflared will read the config file (usually from /etc/cloudflared/config.yml, or from ~/.cloudflared/) and start automatically. IT Capture+4Pi My Life Up+4Fleetstack+4

If you ever update config.yml, restart:

sudo systemctl restart cloudflared

9. Verify & monitor

Ensure DNS is resolving your hostname (e.g. dig pi.mydomain.com).
Open https://pi.mydomain.com (or the relevant protocol).
Check systemctl status cloudflared for errors.
Check logs, e.g. journalctl -u cloudflared -f
If multiple services (HTTP, SSH) are mapped, ensure your ingress rules are correct.

Example full setup (concrete values)

Let’s do a small example as if:

Your domain is example.com (managed in Cloudflare).
You want to expose a web server on port 3000 on the Pi.
You want pi.example.com to point to that.

Here’s what you’d run / configure:

sudo apt update sudo apt upgrade -y sudo apt install curl lsb-release -y # Install cloudflared via repo curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" \ | sudo tee /etc/apt/sources.list.d/cloudflared.list sudo apt update sudo apt install cloudflared -y # Authenticate cloudflared tunnel login # (open browser, authorize, gets cert.pem) # Create the tunnel cloudflared tunnel create my-pi-tunnel # Create config mkdir -p ~/.cloudflared cat <<EOF > ~/.cloudflared/config.yml tunnel: my-pi-tunnel credentials-file: /home/pi/.cloudflared/<UUID>.json ingress: - hostname: pi.example.com service: http://localhost:3000 - service: http_status:404 EOF # Map DNS cloudflared tunnel route dns my-pi-tunnel pi.example.com # Test run cloudflared tunnel run my-pi-tunnel # If OK, install as service sudo cloudflared service install sudo systemctl enable cloudflared sudo systemctl start cloudflared 
Then visit https://pi.example.com in your browser. If your web app is working and listening on port 3000, you should see it.

Advanced / alternative use cases

SSH via tunnel: You can map ssh://localhost:22 in ingress. Then you can SSH to your Pi via the Cloudflare hostname (with proper auth). Mahir Senturk+4The Cloudflare Blog+4Gist+4
Multiple hostnames / services: You can list multiple ingress rules for different subdomains or ports. The config supports matching on hostname + paths. Gist+2Pi My Life Up+2
TCP / non-HTTP: For non-HTTP services (e.g. Minecraft, custom TCP apps) you can use service: tcp://localhostORT. IT Capture+3Gist+3Cloudflare Docs+3
Wildcard hostnames: You can use wildcard matches in ingress (e.g. *.example.com). Gist
Zero Trust / Cloudflare Access: For SSH or private access, you can tie it into Cloudflare Zero Trust so only authenticated users can connect. Mahir Senturk+2The Cloudflare Blog+2

If you like, I can generate a full shell script that you can run on your Pi to fully automate this, and a ready config file. Do you want me to generate that for your setup? Also, tell me: what OS your Pi is running, which service(s) you want to expose (web, SSH, etc.), and what your domain is (or a placeholder).

You said:

can a drunken redneck do it.

ChatGPT said:

Ha! Brother — if a drunken redneck can wire up a Chevy alternator with duct tape, he can absolutely get a Cloudflare Tunnel running on a Raspberry Pi.

Let me put it this way:

Cloudflare Tunnel is one of those “looks hard until you do it once” setups. After that, it’s pure muscle memory — like throwing a carb on a 350 small block.

Here’s your “Drunken Redneck Edition” guide — no corporate jargon, just the real steps:

Step 1 — Sober up for 30 minutes and boot the Pi

Plug the Pi into power and ethernet (or Wi-Fi).
Hook up a keyboard + HDMI monitor (or SSH into it if you know how).
Make sure it’s online (ping google.com should work).

🛠 Step 2 — Update the thing

sudo apt update && sudo apt upgrade -y 
This is like checking your oil before a road trip.

Step 3 — Install Cloudflared

curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list sudo apt update && sudo apt install cloudflared -y 
If you can copy-paste this, you’re halfway done.
Cloudflared = the magic little gremlin that talks to Cloudflare.

Step 4 — Log into Cloudflare

cloudflared tunnel login 
That’ll spit out a web link.
Click it, log into Cloudflare, and pick your domain (the one you already set up there).

Step 5 — Create your Tunnel

cloudflared tunnel create my-pi-tunnel 
Name it whatever you want — “beer-server” if you like.
It’ll create some magic JSON credentials file.

Step 6 — Tell it what to do

Open this file:

nano ~/.cloudflared/config.yml 
Paste this:

tunnel: my-pi-tunnel credentials-file: /home/pi/.cloudflared/<UUID>.json ingress: - hostname: pi.yourdomain.com service: http://localhost:80 - service: http_status:404 
Change yourdomain.com to your real one.
If your Pi’s running a web page on port 80 or 8080, you’re set.
Save with CTRL + O, then CTRL + X.

🌩 Step 7 — Tell Cloudflare about it

cloudflared tunnel route dns my-pi-tunnel pi.yourdomain.com 
That adds a DNS record so Cloudflare knows where to send people.

Step 8 — Test It

cloudflared tunnel run my-pi-tunnel 
Now open your browser and go to https://pi.yourdomain.com.
If you see your Pi’s web page — hell yeah, you did it.

Step 9 — Make It Start by Itself

sudo cloudflared service install sudo systemctl enable cloudflared sudo systemctl start cloudflared 
Now the tunnel boots up every time the Pi turns on — like a truck with remote start.

Step 10 — Celebrate

You’ve got a secure Cloudflare Tunnel protecting your Pi,
no ports open, no hackers, no bullshit ISP blocking you.

Grab another beer, ’cause you just did what some IT guys still can’t.

If you want, I can write you a one-click bash script that runs this whole thing automatically — no thinking required.
Wanna me make you that “Press Enter to Deploy” version?

Cloudflare Tunnel Easy Setup