Create a locally-managed tunnel
Follow this step-by-step guide to get your first tunnel up and running using the CLI.
Before you start, make sure you:
-
Download
cloudflaredon your machine. Visit the downloads page to find the right package for your OS. -
Rename the executable to
cloudflared.exe -
In PowerShell, change directory to your Downloads folder and run
.\cloudflared.exe --version. It should output the version ofcloudflared. Note thatcloudflared.execould becloudflared-windows-amd64.exeorcloudflared-windows-386.exeif you have not renamed it.
PS C:\Users\Administrator\Downloads\cloudflared-stable-windows-amd64> .\cloudflared.exe --versionTo download and install cloudflared:
brew install cloudflaredAlternatively, you can download the latest Darwin amd64 release directly.
Debian and Ubuntu APT
Use the apt package manager to install cloudflared on compatible machines.
- Add Cloudflare's package signing key:
sudo mkdir -p --mode=0755 /usr/share/keyringscurl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null- Add Cloudflare's apt repo to your apt repositories:
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" | sudo tee /etc/apt/sources.list.d/cloudflared.list- Update repositories and install cloudflared:
sudo apt-get update && sudo apt-get install cloudflaredRHEL RPM
Use the rpm package manager to install cloudflared on compatible machines.
- Add Cloudflare's repository:
curl -fsSL https://pkg.cloudflare.com/cloudflared-ascii.repo | sudo tee /etc/yum.repos.d/cloudflared.repo- Update repositories and install cloudflared:
sudo yum update && sudo yum install cloudflaredArch Linux
cloudflared is in the Arch Linux community repository ↗.
Use pacman to install cloudflared on compatible machines.
pacman -Syu cloudflaredOther
Alternatively you can download the cloudflared binary or the linux packages to your machine and install manually. Visit the downloads page to find the right package for your OS.
To build the latest version of cloudflared from source:
git clone https://github.com/cloudflare/cloudflared.gitcd cloudflaredmake cloudflaredgo install github.com/cloudflare/cloudflared/cmd/cloudflaredDepending on where you installed cloudflared, you can move it to a known path as well.
mv /root/cloudflared/cloudflared /usr/bin/cloudflaredcloudflared tunnel loginRunning this command will:
- Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname.
- Generate an account certificate, the cert.pem file, in the default
cloudflareddirectory.
cloudflared tunnel create <NAME>Running this command will:
- Create a tunnel by establishing a persistent relationship between the name you provide and a UUID for your tunnel. At this point, no connection is active within the tunnel yet.
- Generate a tunnel credentials file in the default
cloudflareddirectory. - Create a subdomain of
.cfargotunnel.com.
From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file.
Confirm that the tunnel has been successfully created by running:
cloudflared tunnel list-
In your
.cloudflareddirectory, create aconfig.ymlfile using any text editor. This file will configure the tunnel to route traffic from a given origin to the hostname of your choice. -
Add the following fields to the file:
If you are connecting an application:
url: http://localhost:8000tunnel: <Tunnel-UUID>credentials-file: /root/.cloudflared/<Tunnel-UUID>.jsonIf you are connecting a private network:
tunnel: <Tunnel-UUID>credentials-file: /root/.cloudflared/<Tunnel-UUID>.jsonwarp-routing: enabled: true-
Confirm that the configuration file has been successfully created by running:
Terminal window cat config.yml
-
Now assign a
CNAMErecord that points traffic to your tunnel subdomain:- If you are connecting an application, route the service to a public hostname:
Terminal window cloudflared tunnel route dns <UUID or NAME> <hostname>- If you are connecting a private network, route an IP address or CIDR through the tunnel:
Terminal window cloudflared tunnel route ip add <IP/CIDR> <UUID or NAME> -
Confirm that the route has been successfully established:
Terminal window cloudflared tunnel route ip show
Run the tunnel to proxy incoming traffic from the tunnel to any number of services running locally on your origin.
cloudflared tunnel run <UUID or NAME>If your configuration file has a custom name or is not in the .cloudflared directory, add the --config flag and specify the path.
cloudflared tunnel --config /path/your-config-file.yml run <UUID or NAME>Your tunnel configuration is complete! If you want to get information on the tunnel you just created, you can run:
cloudflared tunnel info <UUID or NAME>You can now route traffic to your tunnel using Cloudflare DNS or determine who can reach your tunnel with Cloudflare Access.
To secure your origin, you must validate the application token issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected.
One option is to configure the Cloudflare Tunnel daemon, cloudflared, to validate the token on your behalf. This is done by enabling Protect with Access in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead manually configure your origin to check all requests for a valid token.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark