Skip to content
W WikiWalls
Article Issue #5231

Cloudflare Tunnel

What to know

Cloudflare Tunnel (formerly Cloudflare Argo Tunnel) is a networking service that establishes a persistent, outbound-only TLS tunnel from a local server or container to Cloudflare's edge network; The cloudflared daemon runs on the local server and establishes multiple persistent QUIC or H2 connections to Cloudflare's edge nodes; Cloudflare Tunnel is the recommended approach for builders who want to expose homelab services without the security exposure of opening inbound ports on a home router

Cloudflare Tunnel, WikiWalls Glossary illustration
Wikiwalls Team Administrator
2 min read Subscribe to the Journal
« Back to Glossary Index

Cloudflare Tunnel (formerly Cloudflare Argo Tunnel) is a networking service that establishes a persistent, outbound-only TLS tunnel from a local server or container to Cloudflare’s edge network. Incoming requests to a configured hostname are routed through Cloudflare’s infrastructure, through the tunnel, to the local service, without requiring any inbound firewall rules or a publicly routable IP address. This makes it the preferred method for exposing homelab services to the internet when the home ISP uses CGNAT, dynamic IPs, or blocks port 80/443.

How it works

The cloudflared daemon runs on the local server and establishes multiple persistent QUIC or H2 connections to Cloudflare’s edge nodes. When a request arrives at Cloudflare for the configured hostname, it is forwarded through one of these existing outbound connections to the cloudflared daemon, which proxies it to the local service on the specified internal address. DNS records are automatically managed in the Cloudflare zone. The free tier supports unlimited tunnels and bandwidth.

Key facts

  • CGNAT bypass: Works behind carrier-grade NAT (common on mobile ISPs and many residential ISPs) where traditional port forwarding is impossible
  • Free tier: Cloudflare Tunnel is free for basic use; access policies (Zero Trust access control) are also available on the free plan for up to 50 users
  • Latency addition: Traffic routes through Cloudflare’s PoPs before reaching the origin, adding 10 to 50 ms compared to a direct connection, depending on the user’s location

For builders

Cloudflare Tunnel is the recommended approach for builders who want to expose homelab services without the security exposure of opening inbound ports on a home router. Combined with Cloudflare Access (part of the Zero Trust free tier), incoming requests can be gated behind SSO authentication before they ever reach the local service, providing enterprise-grade access control with minimal operational overhead.

Sources

« Back to Definition Index
If this saved you an afternoon — subscribe to the Journal and we will send the next one straight to your inbox.
Wikiwalls Team
Administrator · 41 published guides · Joined 2016

Welcome to wikiwalls

More from WikiWalls

AI & APIs

Cursor vs Copilot vs Cody vs Windsurf, after a 30-day production diary

May 14, 2026 · 24 min read
AI & APIs

The Cheapest Production-Grade LLM, ranked at constant output quality

May 13, 2026 · 16 min read
Self-Hosted

Best Mini-PC for Homelab: Beelink, Minisforum, GMKtec Tested

May 11, 2026 · 5 min read
AI & APIs

Best AI Note Apps: Mem vs Reflect vs Tana vs Saner.ai

May 11, 2026 · 6 min read
The WikiWalls Journal · Free, weekly

One careful fix in your inbox each Wednesday.

No affiliate links inside the diagnosis. No sponsored "top 10". One careful fix per week — unsubscribe in one click.

No tracking pixels · No spam · Edited by a human.