The tunnel your VPS opens to Cloudflare, giving you a public domain without a single open port
Cloudflare Tunnel (formerly known as Argo Tunnel, today simply 'Tunnel') is a fully free Cloudflare service that solves one of the biggest problems of a personal VPS: how to expose a service to the world without opening any ports, without worrying about DDoS, and without buying a static IP.
The idea is brilliantly simple: instead of the internet connecting to your server, your server reaches out and creates a 'tunnel' to Cloudflare. All requests for your domain hit Cloudflare (which has a CDN of 300+ datacenters), and Cloudflare passes them through the tunnel to your server. The result: port 443 on your server stays hermetically sealed, but users get a working site with HTTPS, CDN, and DDoS protection, for free.
For me (Elad), the domain `hub.eladjak.com` points in DNS to Cloudflare, and a small daemon called `cloudflared` running on my Hetzner VPS manages the tunnel. Every request to `hub.eladjak.com` goes through Cloudflare, enters via the tunnel, and reaches an internal nginx on port 80, without any port being open on the server to the outside world. It is a paradigm shift: you've moved from 'how do I secure an open port' to 'there is no open port'.
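One way to check the 'no open port' claim on your own server, as an added example that is not part of the original guide: it parses `ss -tlnH` output and lists every TCP listener bound beyond loopback on a port other than 22. The sample output is constructed, and the check looks at bind addresses only, so a socket it reports may still be blocked by a firewall in front of the host.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not captured from the author's server).
SAMPLE_SS = """\
LISTEN 0 128        0.0.0.0:22    0.0.0.0:*
LISTEN 0 128           [::]:22       [::]:*
LISTEN 0 511      127.0.0.1:80    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 511        0.0.0.0:443   0.0.0.0:*
"""

ALLOWED_PUBLIC_PORTS = {22}  # assumption: SSH is the only port meant to be reachable


def parse_listener(line):
    """Return (address, port) from one `ss -tlnH` line, or None if not a listener."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop %interface and IPv6 brackets
    return addr, int(port)


def is_loopback_only(addr):
    """True when the socket is bound to a loopback address only."""
    if addr == "*":  # wildcard: all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """List (address, port) pairs bound beyond loopback on a port not in `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if not is_loopback_only(addr) and port not in allowed:
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"bound beyond loopback: {addr}:{port}")
```

On a real host, feed it the output of `ss -tlnH` instead of the sample; an nginx that serves only the tunnel should show up on 127.0.0.1 and produce no finding.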
Instead of opening a firewall port and praying nobody breaks in, the server itself reaches out to Cloudflare. There's nothing to break.
Without Tunnel: Open port 443, pray there's no vulnerability | With Tunnel: Zero open ports, but a public domain still works
Without Tunnel: DDoS = server falls, you pay for the bandwidth | With Tunnel: Cloudflare absorbs the DDoS, your server never sees it
Without Tunnel: Dynamic IP / NAT = no public domain | With Tunnel: Tunnel reaches out from the server; IP doesn't matter
Without Tunnel: SSL cert = certbot + maintenance | With Tunnel: Cloudflare handles HTTPS automatically
Here's how:
No static IP, behind your ISP's NAT. With Tunnel, everything works without asking the ISP for anything.
Run a local app and get a public domain in minutes. Perfect for showing clients without deploying.
Cloudflare absorbs attacks of tens of Tbps. Your tiny VPS won't even see a ping.
Cloudflare Access lets you require auth (Google/GitHub/SSO) before anyone reaches an internal service. No VPN.
The official docs — well-organized with examples
Where you manage tunnels, applications, and policies
The open-source code of the daemon — worth knowing what's running
An alternative for an internal VPN — not for the public web
The most generous free offer on the internet — see what's included
When you still want nginx on the server (yes, usually even with a Tunnel)
I have no port open except 22, and every domain works. I can move your server to a Tunnel in 30 minutes.
Full-Stack Developer & AI Specialist
All my domains (fullstack-eladjak.co.il, hub.eladjak.com, and others) go through Cloudflare Tunnel, and no port besides SSH is open on Hetzner. I made the switch in early 2025 and never went back. This guide is built on my live config plus helping 3 clients migrate.