Cloudflare Tunnel, no need for NGROK

Flynn · Sep 30, 2025

— let’s walk through setting up Cloudflare Tunnel as your permanent replacement for Ngrok. This way, Twilio always hits a stable HTTPS URL → routed through Cloudflare → into your node.

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)

1. Prerequisites

You own a domain in Cloudflare (easy to transfer or add).
You’ve installed your Twilio number already.
Your node runs a web app (Flask/FastAPI/etc.) on some local port (e.g., 5000).

2. Install Cloudflared

On your node (Pi/Jetson/server):

curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -o cloudflared.deb sudo dpkg -i cloudflared.deb 

Check version:

cloudflared --version

3. Authenticate with Cloudflare

cloudflared tunnel login

This opens a browser, asks you to log in, and lets you pick your domain.
Cloudflare then drops a cert file in ~/.cloudflared/cert.pem.

4. Create a Named Tunnel

cloudflared tunnel create my-node-tunnel 

This gives you a tunnel UUID and writes it into ~/.cloudflared.

5. Configure Tunnel Routing

Create a config file: ~/.cloudflared/config.yml

tunnel: my-node-tunnel credentials-file: /home/pi/.cloudflared/<UUID>.json ingress: - hostname: node.yourdomain.com service: http://localhost:5000 - service: http_status:404

node.yourdomain.com will be the permanent public URL.
Requests to that DNS will flow → Cloudflare → your local app on port 5000.

6. Add DNS Record Automatically

cloudflared tunnel route dns my-node-tunnel node.yourdomain.com 

Cloudflare adds a CNAME → your tunnel UUID.

7. Run the Tunnel

Dev run:

cloudflared tunnel run my-node-tunnel 

For auto-start at boot:

sudo cloudflared service install

8. Point Twilio to It

In Twilio Console → Phone Numbers → Messaging → Webhook URL:

https://node.yourdomain.com/api/twilio/inbound 

Now Twilio has a permanent endpoint for inbound SMS.

Cost

Tunnel itself = $0/month.
Cloudflare DNS (Free plan) also $0.
Only costs if you add extras (Argo Smart Routing, Zero Trust seats, load balancing).

Why This Beats Ngrok

No ephemeral URLs (stable DNS).
No router port forwarding.
Your node’s IP stays hidden behind Cloudflare’s network.
Free unless you bolt on extra features.

Flynn · Sep 30, 2025

— let’s walk through setting up Cloudflare Tunnel as your permanent replacement for Ngrok. This way, Twilio always hits a stable HTTPS URL → routed through Cloudflare → into your node.

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)

1. Prerequisites

You own a domain in Cloudflare (easy to transfer or add).
You’ve installed your Twilio number already.
Your node runs a web app (Flask/FastAPI/etc.) on some local port (e.g., 5000).

2. Install Cloudflared

On your node (Pi/Jetson/server):

curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -o cloudflared.deb sudo dpkg -i cloudflared.deb 

Check version:

cloudflared --version

3. Authenticate with Cloudflare

cloudflared tunnel login

This opens a browser, asks you to log in, and lets you pick your domain.
Cloudflare then drops a cert file in ~/.cloudflared/cert.pem.

4. Create a Named Tunnel

cloudflared tunnel create my-node-tunnel 

This gives you a tunnel UUID and writes it into ~/.cloudflared.

5. Configure Tunnel Routing

Create a config file: ~/.cloudflared/config.yml

tunnel: my-node-tunnel credentials-file: /home/pi/.cloudflared/<UUID>.json ingress: - hostname: node.yourdomain.com service: http://localhost:5000 - service: http_status:404

node.yourdomain.com will be the permanent public URL.
Requests to that DNS will flow → Cloudflare → your local app on port 5000.

6. Add DNS Record Automatically

cloudflared tunnel route dns my-node-tunnel node.yourdomain.com 

Cloudflare adds a CNAME → your tunnel UUID.

7. Run the Tunnel

Dev run:

cloudflared tunnel run my-node-tunnel 

For auto-start at boot:

sudo cloudflared service install

8. Point Twilio to It

In Twilio Console → Phone Numbers → Messaging → Webhook URL:

https://node.yourdomain.com/api/twilio/inbound 

Now Twilio has a permanent endpoint for inbound SMS.

Cost

Tunnel itself = $0/month.
Cloudflare DNS (Free plan) also $0.
Only costs if you add extras (Argo Smart Routing, Zero Trust seats, load balancing).

Why This Beats Ngrok

No ephemeral URLs (stable DNS).
No router port forwarding.
Your node’s IP stays hidden behind Cloudflare’s network.
Free unless you bolt on extra features.

Flynn · Sep 30, 2025

Awesome. Here’s a complete, fully-commented Python project preconfigured for Cloudflare Tunnel at https://node.yourdomain.com/api/twilio/inbound. Paste it as-is; no manual edits required beyond your .env values and the DNS/Cloudflared steps.

Code files (full list)

requirements.txt
.env.example
app.py
ai_router.py
config.py
wsgi.py
run_dev.sh
cloudflared/config.yml
README.md

1) requirements.txt

twilio==9.3.3
Flask==3.0.3
python-dotenv==1.0.1
gunicorn==22.0.0
werkzeug==3.0.3

2) .env.example

==== COPY to .env and set real secrets ====

Twilio webhook verification + outbound sending

TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_AUTH_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_FROM_NUMBER=+1XXXXXXXXXX

Your public host served by Cloudflare Tunnel (NO trailing slash)

PUBLIC_HOST=https://node.yourdomain.com

Flask host/port

HOST=0.0.0.0
PORT=5000
FLASK_ENV=production
LOG_LEVEL=INFO

3) app.py

Flask app exposing a Twilio webhook at /api/twilio/inbound.

- Verifies Twilio signature using TWILIO_AUTH_TOKEN

- Uses PUBLIC_HOST so signature validation matches Cloudflare URL

- Routes message to ai_router.handle_incoming_text()

- Optional outbound /api/twilio/send for server-initiated SMS

import os
import logging
from urllib.parse import urljoin
from flask import Flask, request, Response, jsonify
from twilio.twiml.messaging_response import MessagingResponse
from twilio.request_validator import RequestValidator
from twilio.rest import Client
from config import Settings
from ai_router import handle_incoming_text

app = Flask(name)
settings = Settings()

Logging

logging.basicConfig(level=getattr(logging, settings.LOG_LEVEL, logging.INFO))
log = logging.getLogger("twilio-node")

Twilio REST client (for optional outbound sending)

twilio_client = None
if settings.TWILIO_ACCOUNT_SID and settings.TWILIO_AUTH_TOKEN:
twilio_client = Client(settings.TWILIO_ACCOUNT_SID, settings.TWILIO_AUTH_TOKEN)

def _expected_public_url(req_path: str) -> str:
"""
Build the absolute public URL that Twilio POSTed to, using PUBLIC_HOST.
This ensures signature validation works behind Cloudflare Tunnel.
"""
base = settings.PUBLIC_HOST.rstrip("/")
return urljoin(base + "/", req_path.lstrip("/"))

def _verify_twilio_signature(req: request) -> bool:
"""
Validate X-Twilio-Signature. If AUTH TOKEN missing, allow (dev mode).
Signature must be computed against the public URL that Twilio targeted.
"""
if not settings.TWILIO_AUTH_TOKEN:
log.warning("TWILIO_AUTH_TOKEN not set; skipping signature validation (DEV MODE).")
return True

validator = RequestValidator(settings.TWILIO_AUTH_TOKEN) twilio_sig = req.headers.get("X-Twilio-Signature", "") # IMPORTANT: Use the public URL Twilio called (Cloudflare hostname), # not req.url (which may be the local origin). expected_url = _expected_public_url(req.path) post_vars = req.form.to_dict() valid = validator.validate(expected_url, post_vars, twilio_sig) if not valid: log.error("Invalid Twilio signature. expected_url=%s form=%s", expected_url, post_vars) return valid 

@app.get("/healthz")
def health():
return jsonify(ok=True, service="twilio-node", mode="python", host=settings.PUBLIC_HOST)

@app.post("/api/twilio/inbound")
def inbound_sms():
"""
Primary webhook for inbound SMS.
Twilio POSTs: From, To, Body, MessageSid, etc.
We validate signature, route to AI, return TwiML reply.
"""
if not _verify_twilio_signature(request):
return Response("Invalid signature", status=403)

from_number = request.form.get("From", "") to_number = request.form.get("To", "") body = request.form.get("Body", "") log.info("Inbound SMS: from=%s to=%s body=%r", from_number, to_number, body) # Route to your AI (Jetson/LLMs/NRules/etc.) ai_reply = handle_incoming_text(from_number, body) # Short TwiML reply back to sender (customize freely) resp = MessagingResponse() resp.message(ai_reply or "

Node online. Your message is in the AI queue.") return Response(str(resp), mimetype="application/xml") 

@app.post("/api/twilio/send")
def send_sms():
"""
Optional server-initiated SMS endpoint.
JSON: { "to":"+1...", "message":"..." }
"""
if not (twilio_client and settings.TWILIO_FROM_NUMBER):
return jsonify(error="Twilio sending not configured."), 400

data = request.get_json(force=True, silent=True) or {} to = data.get("to", "") message = data.get("message", "") if not to or not message: return jsonify(error="Provide 'to' and 'message'"), 400 msg = twilio_client.messages.create( to=to, from_=settings.TWILIO_FROM_NUMBER, body=message ) log.info("Outbound SMS sent sid=%s to=%s", msg.sid, to) return jsonify(ok=True, sid=msg.sid) 

if name == "main":
# Dev runner (for quick local tests). For prod use: ./run_dev.sh (gunicorn).
app.run(host=settings.HOST, port=settings.PORT)

4) ai_router.py

Minimal “AI Router” stub — replace with your real pipeline calls.

You can:

- Publish to RabbitMQ/Redis for Jetson workers

- Call a local HTTP inference API on Orin

- Write to SQL for audit/analytics

For now, we just echo with a simple policy.

import datetime

def handle_incoming_text(from_number: str, body: str) -> str:
"""
Decide what to do with the inbound text. This is your 'butler':
- log/queue the message
- classify intent
- trigger tools/agents
- return a short user-facing response
"""
# Example: super-tiny classifier
lower = (body or "").strip().lower()
if "help" in lower:
return "

You reached the Node AI. Commands: HELP, STATUS, PING."
if "status" in lower:
now = datetime.datetime.utcnow().isoformat()
return f"

Node OK @ {now}Z"
if "ping" in lower:
return "

pong"

# Default stub reply return "

Got it. Processing via AI pipeline."

5) config.py

Centralized settings (env-driven). Keeps secrets out of code.

import os
from dotenv import load_dotenv

load_dotenv()

class Settings:
TWILIO_ACCOUNT_SID = os.getenv("TWILIO_ACCOUNT_SID", "")
TWILIO_AUTH_TOKEN = os.getenv("TWILIO_AUTH_TOKEN", "")
TWILIO_FROM_NUMBER = os.getenv("TWILIO_FROM_NUMBER", "")

PUBLIC_HOST = os.getenv("PUBLIC_HOST", "https://node.yourdomain.com") HOST = os.getenv("HOST", "0.0.0.0") PORT = int(os.getenv("PORT", "5000")) LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO")

6) wsgi.py

Gunicorn entrypoint:

from app import app

Expose 'app' as module variable for gunicorn

all = ["app"]

7) run_dev.sh

#!/usr/bin/env bash
set -euo pipefail

Load .env into current shell

if [ -f .env ]; then
export $(grep -v '^#' .env | xargs)
fi

Default to 2 workers; tune on Jetson/Pi

WORKERS=${WORKERS:-2}
BIND="${HOST:-0.0.0.0}:${PORT:-5000}"

echo "Starting gunicorn on ${BIND} (workers=${WORKERS})"
exec gunicorn -w "${WORKERS}" -b "${BIND}" wsgi:app

8) cloudflared/config.yml

Place this at: ~/.cloudflared/config.yml

Replace <UUID>.json with your tunnel credential file name created by:

cloudflared tunnel create my-node-tunnel

And make sure DNS points to 'node.yourdomain.com' via:

cloudflared tunnel route dns my-node-tunnel node.yourdomain.com

tunnel: my-node-tunnel
credentials-file: /home/pi/.cloudflared/<UUID>.json

ingress:

hostname: node.yourdomain.com
service: http://localhost:5000
service: http_status:404

9) README.md

Twilio → Cloudflare Tunnel → Node (Python/Flask)

Overview

Stable public URL: https://node.yourdomain.com
Cloudflare Tunnel keeps your origin IP hidden; no router port forwards.
Twilio sends inbound SMS webhooks to /api/twilio/inbound.

Quick Start

Python deps

python3 -m venv .venv && source .venv/bin/activate pip install -r requirements.txt cp .env.example .env # fill in values
Cloudflared (on the same box)

# Install + login curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb -o cloudflared.deb sudo dpkg -i cloudflared.deb cloudflared --version cloudflared tunnel login # Create tunnel & DNS cloudflared tunnel create my-node-tunnel # Note the <UUID>.json placed in ~/.cloudflared/ # Put config.yml (from repo) into ~/.cloudflared/config.yml and set your hostname + credentials-file path cloudflared tunnel route dns my-node-tunnel node.yourdomain.com # Run tunnel cloudflared tunnel run my-node-tunnel # (Optional) Install service so it starts at boot) sudo cloudflared service install
App (gunicorn)

chmod +x run_dev.sh ./run_dev.sh
Twilio Console → Phone Numbers → Your Number → Messaging Webhook

https://node.yourdomain.com/api/twilio/inbound 
- Keep HTTP POST, content form-encoded (default).

Security Notes

Twilio signature verification is ON (uses PUBLIC_HOST to match the Cloudflare URL).
Ensure your .env has the correct PUBLIC_HOST exactly as Twilio sees it (https + hostname).
For private staging, consider Cloudflare Access (Zero Trust). (Free for basic use; paid for advanced policies.)

Outbound Sending (optional)

POST JSON to POST /api/twilio/send

curl -X POST https://node.yourdomain.com/api/twilio/send \ -H "Content-Type: application/json" \ -d '{"to":"+1XXXXXXXXXX","message":"Hello from the node!"}'

Jetson/AI Integration

Replace handle_incoming_text() with:
- HTTP call to local inference server (Jetson Orin)
- Message publish to RabbitMQ/Redis queue
- DB log to SQL Server/Postgres for audit/analytics

What you change

In .env: TWILIO_* + PUBLIC_HOST=https://node.yourdomain.com
In ~/.cloudflared/config.yml: your tunnel credential file path + hostname
In Twilio Console: set your webhook to https://node.yourdomain.com/api/twilio/inbound

Cost

Cloudflare Tunnel & DNS: $0/month on the free plan (premium features optional).
Twilio: usage-based (your existing number + per-SMS rates).

Done.

Once the tunnel is up and ./run_dev.sh is running, send an SMS to your Twilio number. You’ll see logs and an immediate AI stub reply. If you want, I can also drop a RabbitMQ producer version of ai_router.py that queues messages to your Jetson workers.

Feature	Ngrok (free or paid)	Cloudflare Tunnel
Public URL / Tunnel	Yes, ephemeral (free) or reserved (paid)	Yes, via your DNS or a Cloudflare hostname
Costs	Free tier has limits; paid plans for reserved domains, TCP forwarding, etc.	Basic tunnel is free; only pay for premium features
Security / Hidden origin IP	Partial (exposes ngrok domain)	Better — your origin’s IP is hidden; only Cloudflare connects to it
Integration with DNS / firewall	More manual	Deep integration with DNS, Cloudflare’s policies, Access, WAF
Performance enhancements / routing	Some built-in	Can augment with Argo Smart Routing (paid)

Cloudflare Tunnel, no need for NGROK

What is Cloudflare Tunnel​

Cost / Pricing​

Practical Comparison: Ngrok vs Cloudflare Tunnel​

What You Should Expect Month-to-Month​

Flynn

Administrator

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)​

1. Prerequisites​

2. Install Cloudflared​

3. Authenticate with Cloudflare​

4. Create a Named Tunnel​

5. Configure Tunnel Routing​

6. Add DNS Record Automatically​

7. Run the Tunnel​

8. Point Twilio to It​

Cost​

Why This Beats Ngrok​

Flynn

Administrator

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)​

1. Prerequisites​

2. Install Cloudflared​

3. Authenticate with Cloudflare​

4. Create a Named Tunnel​

5. Configure Tunnel Routing​

6. Add DNS Record Automatically​

7. Run the Tunnel​

8. Point Twilio to It​

Cost​

Why This Beats Ngrok​

Flynn

Administrator

Code files (full list)​

1) requirements.txt​

2) .env.example​

==== COPY to .env and set real secrets ====​

Twilio webhook verification + outbound sending​

Your public host served by Cloudflare Tunnel (NO trailing slash)​

Flask host/port​

3) app.py​

Flask app exposing a Twilio webhook at /api/twilio/inbound.​

- Verifies Twilio signature using TWILIO_AUTH_TOKEN​

- Uses PUBLIC_HOST so signature validation matches Cloudflare URL​

- Routes message to ai_router.handle_incoming_text()​

- Optional outbound /api/twilio/send for server-initiated SMS​

Logging​

Twilio REST client (for optional outbound sending)​

4) ai_router.py​

Minimal “AI Router” stub — replace with your real pipeline calls.​

You can:​

- Publish to RabbitMQ/Redis for Jetson workers​

- Call a local HTTP inference API on Orin​

- Write to SQL for audit/analytics​

For now, we just echo with a simple policy.​

5) config.py​

Centralized settings (env-driven). Keeps secrets out of code.​

6) wsgi.py​

Gunicorn entrypoint:​

Expose 'app' as module variable for gunicorn​

7) run_dev.sh​

Load .env into current shell​

Default to 2 workers; tune on Jetson/Pi​

8) cloudflared/config.yml​

Place this at: ~/.cloudflared/config.yml​

Replace <UUID>.json with your tunnel credential file name created by:​

cloudflared tunnel create my-node-tunnel​

And make sure DNS points to 'node.yourdomain.com' via:​

cloudflared tunnel route dns my-node-tunnel node.yourdomain.com​

9) README.md​

Twilio → Cloudflare Tunnel → Node (Python/Flask)​

Overview​

Quick Start​

Security Notes​

Outbound Sending (optional)​

Jetson/AI Integration​

What you change​

Cost​

Done.​

Similar threads

What is Cloudflare Tunnel

Cost / Pricing

Practical Comparison: Ngrok vs Cloudflare Tunnel

What You Should Expect Month-to-Month

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)

1. Prerequisites

2. Install Cloudflared

3. Authenticate with Cloudflare

4. Create a Named Tunnel

5. Configure Tunnel Routing

6. Add DNS Record Automatically

7. Run the Tunnel

8. Point Twilio to It

Cost

Why This Beats Ngrok

Step-by-Step Setup (Cloudflare Tunnel for Twilio + Node)

1. Prerequisites

2. Install Cloudflared

3. Authenticate with Cloudflare

4. Create a Named Tunnel

5. Configure Tunnel Routing

6. Add DNS Record Automatically

7. Run the Tunnel

8. Point Twilio to It

Cost

Why This Beats Ngrok

Code files (full list)

1) requirements.txt

2) .env.example

==== COPY to .env and set real secrets ====

Twilio webhook verification + outbound sending

Your public host served by Cloudflare Tunnel (NO trailing slash)

Flask host/port

3) app.py

Flask app exposing a Twilio webhook at /api/twilio/inbound.

- Verifies Twilio signature using TWILIO_AUTH_TOKEN

- Uses PUBLIC_HOST so signature validation matches Cloudflare URL

- Routes message to ai_router.handle_incoming_text()

- Optional outbound /api/twilio/send for server-initiated SMS

Logging

Twilio REST client (for optional outbound sending)

4) ai_router.py

Minimal “AI Router” stub — replace with your real pipeline calls.

You can:

- Publish to RabbitMQ/Redis for Jetson workers

- Call a local HTTP inference API on Orin

- Write to SQL for audit/analytics

For now, we just echo with a simple policy.

5) config.py

Centralized settings (env-driven). Keeps secrets out of code.

6) wsgi.py

Gunicorn entrypoint:

Expose 'app' as module variable for gunicorn

7) run_dev.sh

Load .env into current shell

Default to 2 workers; tune on Jetson/Pi

8) cloudflared/config.yml

Place this at: ~/.cloudflared/config.yml

Replace <UUID>.json with your tunnel credential file name created by:

cloudflared tunnel create my-node-tunnel

And make sure DNS points to 'node.yourdomain.com' via:

cloudflared tunnel route dns my-node-tunnel node.yourdomain.com

9) README.md

Twilio → Cloudflare Tunnel → Node (Python/Flask)

Overview

Quick Start

Security Notes

Outbound Sending (optional)

Jetson/AI Integration

What you change

Cost

Done.