Cloudflare Tunnels: Exposing Services Without Opening Ports (and the Trade-Offs)
An outbound-only door to your homelab, with strings attached

There’s a particular dread that comes with port-forwarding something on your home router. You log into a web interface that hasn’t changed since the Blair government, you punch a hole through to a box on your LAN, and then you spend the next week wondering whether you’ve just invited the entire internet to find that one unpatched service. Carrier-grade NAT might mean you can’t forward ports at all, and a dynamic IP means you’re chasing DDNS updates on top of everything else.
Cloudflare Tunnels — the thing formerly known as Argo Tunnel — offer a different deal. Instead of opening an inbound port, you run a small daemon that makes an outbound connection to Cloudflare’s network and holds it open. Traffic for your hostname arrives at Cloudflare, travels down that existing tunnel to your daemon, and reaches your service. Your router’s inbound ports stay shut. It feels like cheating, and for a homelab it’s frequently the right tool. But the trade-offs are real, and you should know them before you commit your whole stack to it.
1 How the tunnel works
You install cloudflared on a box in your network and connect it to a named tunnel in your Cloudflare account. The daemon dials out to Cloudflare over HTTPS/QUIC and keeps that connection alive. Cloudflare then routes any request for your configured hostname back down the tunnel to the local service you’ve mapped it to.
```yaml
tunnel: homelab
credentials-file: /etc/cloudflared/abc123.json
# Ingress rules are matched top to bottom; the last rule must be a catch-all.
ingress:
  - hostname: grafana.example.com
    service: http://localhost:3000
  - hostname: jellyfin.example.com
    service: http://localhost:8096
  - service: http_status:404
```
Because the connection originates from inside your network, none of this requires a public inbound port, a static IP, or even a router you control. Run it on a Raspberry Pi behind CGNAT and it still works. That’s the headline feature, and it’s a genuinely good one.
2 What you get for free
On top of the no-ports trick, your traffic now rides Cloudflare’s edge. You get TLS termination with their certificates, so no Let’s Encrypt dance. You get DDoS absorption and a sensible WAF. Your home IP address never appears in DNS — visitors hit Cloudflare, not you, which is a real privacy and security win. And you can layer Cloudflare Access in front of any hostname to demand an email login or SSO before a single byte reaches your service, which is a lovely way to protect an admin panel that has no auth of its own.
```bash
cloudflared tunnel login                                  # authorise cloudflared against your Cloudflare account
cloudflared tunnel create homelab                         # create the named tunnel and its credentials file
cloudflared tunnel route dns homelab grafana.example.com  # point a CNAME for the hostname at the tunnel
cloudflared tunnel run homelab                            # start the daemon using the config above
```
Four commands and a config file, and your internal Grafana is reachable on a clean HTTPS URL with your home IP nowhere in sight.
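Two things in the sections above are easy to get wrong in practice: the ingress rules are evaluated top to bottom with the first match winning (and cloudflared refuses to start unless the final rule is a catch-all with no hostname), and a hostname that is not behind an Access policy is reachable by the whole internet with nothing but the app's own login in the way. The linter below is an added example, not cloudflared's own code or anything from Cloudflare. It parses only the YAML subset shown in this post (flat top-level keys plus an `ingress` list of `hostname`/`service` rules) so it needs no PyYAML, and it takes a constructed set of hostnames that you have put behind Access, since cloudflared itself knows nothing about Access policies. The sample config is the post's config with two deliberate mistakes added.

```python
"""Lint a cloudflared ingress config for the exposure mistakes discussed above.

Added example; not cloudflared's code. Assumptions: the YAML subset shown in
the post, and a hand-maintained set of hostnames that sit behind Cloudflare
Access (cloudflared does not know about Access policies).
"""
from urllib.parse import urlsplit

# Constructed sample: the post's config plus a LAN origin, a duplicate
# hostname, and a rule after the catch-all.
SAMPLE_CONFIG = """\
tunnel: homelab
credentials-file: /etc/cloudflared/abc123.json
ingress:
- hostname: grafana.example.com
  service: http://localhost:3000
- hostname: jellyfin.example.com
  service: http://localhost:8096
- hostname: nas.example.com
  service: http://192.168.1.20:5000
- service: http_status:404
- hostname: grafana.example.com
  service: http://localhost:3001
"""

# Constructed: hostnames you have put behind a Cloudflare Access policy.
ACCESS_PROTECTED = {"grafana.example.com"}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_ingress(text):
    """Return the ingress rules as a list of dicts, in file order.

    Handles only the flat shape used in the post: nested keys such as
    originRequest would be flattened into the enclosing rule.
    """
    rules = []
    in_ingress = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " -":  # top-level key: track whether we are in ingress
            in_ingress = line.startswith("ingress:")
            continue
        if not in_ingress:
            continue
        body = line.lstrip()
        if body.startswith("- "):  # a new list item starts a new rule
            rules.append({})
            body = body[2:]
        key, _, value = body.partition(":")
        rules[-1][key.strip()] = value.strip()
    return rules


def lint_ingress(rules, access_protected=frozenset()):
    """Return (code, message) findings; an empty list means no concerns."""
    findings = []
    if not rules or "hostname" in rules[-1]:
        findings.append(("E_NO_CATCHALL",
                         "last rule must be a catch-all with no hostname; "
                         "cloudflared refuses to start otherwise"))
    seen = set()
    catchall_at = None
    for i, rule in enumerate(rules):
        host = rule.get("hostname")
        service = rule.get("service", "")
        if catchall_at is not None:  # first match wins, so nothing past the catch-all runs
            findings.append(("W_UNREACHABLE",
                             f"rule {i} ({host or 'catch-all'}) sits after the "
                             f"catch-all at rule {catchall_at} and never matches"))
            continue
        if host is None:
            catchall_at = i
            continue
        if host in seen:
            findings.append(("W_SHADOWED", f"rule {i} for {host} is shadowed by an earlier rule"))
        seen.add(host)
        origin = urlsplit(service).hostname if "://" in service else None
        if origin and origin not in LOOPBACK:
            findings.append(("I_LAN_ORIGIN",
                             f"{host} forwards to {origin}: the tunnel host is a "
                             "bridge into your LAN, not just to itself"))
        if host not in access_protected:
            findings.append(("W_NO_ACCESS",
                             f"{host} has no Access policy in front of it; anyone on "
                             f"the internet reaches {service} with only the app's own login in the way"))
    return findings


def lint_text(text, access_protected=ACCESS_PROTECTED):
    return lint_ingress(parse_ingress(text), access_protected)


if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run it against your real config before `cloudflared tunnel run`; the `E_` finding is one cloudflared will reject anyway, while the `W_NO_ACCESS` findings are the ones worth a pause, because they are exactly the hostnames where the tunnel has removed your router from the picture without putting anything in its place.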
3 The trade-offs nobody puts on the marketing page
Now the honest part, because this is not free in the ways that matter.
You are routing everything through Cloudflare. They terminate your TLS, which means they can see your traffic in cleartext at the edge. For a media dashboard, fine. For anything genuinely sensitive, that’s a meaningful trust decision, not a footnote.
Streaming large files is against the rules. Cloudflare’s terms restrict using the proxy to serve substantial non-HTML content like video. Self-host Jellyfin or Plex through a tunnel for the family and you may get a polite — or not so polite — email asking you to stop. People do it; people also get throttled or flagged for it.
It’s a single vendor with a single point of failure. When Cloudflare has a bad day, so do you, and you have zero recourse. Your homelab’s availability is now bolted to a company you don’t pay.
TCP and UDP are second-class. HTTP is the happy path. SSH, RDP and game servers are possible but fiddlier, often needing the WARP client on the other end rather than a plain browser.
4 The verdict
For exposing a handful of web services — a dashboard, a notes app, a status page — from a network where you can’t or won’t forward ports, Cloudflare Tunnels are excellent, and the no-inbound-ports posture is a real security upgrade over poking holes in your router. I use one for exactly that, and pairing it with Cloudflare Access for admin interfaces is the kind of thing that used to take a VPN and an afternoon.
But don’t make it the only way into your homelab, and don’t run your video library through it. If you need full control, raw TCP, or you simply don’t want a third party reading your decrypted traffic, a WireGuard tunnel to your own VPS does the same no-open-ports trick with you holding the keys. Use Cloudflare Tunnels where their strengths line up with your threat model, and keep an honest second route home for everything else.