Cloudflare Tunnel in 2026: Expose localhost Without Opening Ports or Buying an IP

Tue, 14 Apr 2026 20:00:00 +0800

A side project at home needs a public demo URL for a client. A NUC in the office runs an internal tool I want to reach from outside. The old playbook — rent a static IP, forward ports on the router, manage Let’s Encrypt — is all skippable in 2026.

Cloudflare Tunnel (cloudflared) does the dirty work: your machine opens an outbound-only persistent connection to Cloudflare’s edge, and inbound traffic rides that connection back home. No open ports, no public IP, and you get Cloudflare’s DDoS protection and WAF for free.

Why Cloudflare Tunnel

Plenty of alternatives exist, and they target different use cases:

Tool	Custom domain	Auth	Self-hosted relay	TCP support	Free tier
Cloudflare Tunnel	✅ free	✅ Access built-in	❌ CF-managed	✅	Generous
ngrok	Paid	Paid add-on	❌	Paid	Connection-capped
Tailscale Funnel	Limited	❌	P2P-ish	HTTPS only	3 ports only
frp	DIY	DIY	✅ self-host	✅	Your machine

Tunnel’s real differentiator: it doesn’t just forward traffic — it plugs your service into Cloudflare’s entire Zero Trust platform. Layer Access (SSO, email OTP) on top, pass traffic through WAF, even get browser-rendered SSH without a client. Those are paid upsells on ngrok and simply don’t exist on Funnel.

The 2026 Recommended Flow: Zero Trust Dashboard

Historically cloudflared was configured via local config.yml. In 2026 Cloudflare steers most users to remotely-managed tunnels — config lives in the cloud dashboard, the local cloudflared just needs a token. Bonus: share tunnels across machines, edit ingress without restarts, run multiple replicas for HA.

Go to one.dash.cloudflare.com → Networks → Tunnels → Create a tunnel → Cloudflared. Name it, copy the install command.

Install cloudflared

macOS:

1

brew install cloudflared

Linux (Debian/Ubuntu):

1
2


curl -L https://pkg.cloudflare.com/install.sh | sudo bash
sudo apt install cloudflared

Docker:

1
2
3


docker run -d --name cf-tunnel --restart unless-stopped \
 cloudflare/cloudflared:latest \
 tunnel --no-autoupdate run --token eyJhbGci...

Drop in the token the dashboard gave you:

1

sudo cloudflared service install eyJhbGci...TOKEN...

This registers a systemd service (Linux) or launchd plist (macOS), auto-starts on boot, auto-restarts on crash. Check the dashboard — green Healthy means you’re live.

Pushing localhost:3000 to foo.example.com

Prerequisite: example.com already uses Cloudflare nameservers.

Back on the tunnel page, switch to the Public Hostname tab → Add a public hostname:

Field	Value
Subdomain	`foo`
Domain	`example.com`
Service Type	`HTTP`
URL	`localhost:3000`

Save. Cloudflare auto-creates the DNS CNAME foo.example.com → <tunnel-uuid>.cfargotunnel.com. Hit https://foo.example.com — the cert comes from Cloudflare’s edge; your local box needs zero TLS config.

Gate It With Zero Trust Access

Don’t want random scanners finding your demo URL? Put a login wall in front:

Zero Trust → Access → Applications → Add an application → Self-hosted

Application domain: foo.example.com
Add policy: Action = Allow, Include = Emails ending in @yourco.com (or a specific email list)
Identity provider: the default One-time PIN (email OTP) works out of the box, or hook up Google SSO / GitHub via Settings → Authentication

Next visit to foo.example.com lands on a Cloudflare login screen first. Free up to 50 users.

TryCloudflare: Disposable Demo Tunnels

Need to show a webhook or demo in 30 seconds, not even wanting to open an account:

1

cloudflared tunnel --url http://localhost:8080

Prints https://<random-words>.trycloudflare.com — random subdomain, traffic routed back to your localhost. Dies with the process. Great for temporary use, not production, rate-limited.

Local config.yml (for the GitOps crowd)

To keep tunnel config in Git or drive it from Terraform, the old workflow still works:

1
2
3


cloudflared tunnel login
cloudflared tunnel create dev-laptop
cloudflared tunnel route dns dev-laptop foo.example.com

~/.cloudflared/config.yml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


tunnel: dev-laptop
credentials-file: /Users/me/.cloudflared/<UUID>.json
ingress:
 - hostname: foo.example.com
 service: http://localhost:3000
 - hostname: api.example.com
 service: http://localhost:4000
 originRequest:
 connectTimeout: 30s
 noTLSVerify: true
 - service: http_status:404

Run: cloudflared tunnel run dev-laptop

Footguns I’ve Stepped On

Always include the catch-all ingress. Without - service: http_status:404, cloudflared refuses to start:

1
2
3
4


ingress:
 - hostname: foo.example.com
 service: http://localhost:3000
 - service: http_status:404  # mandatory final entry

WebSockets just work. Default-on since 2022, no flag needed. Next.js HMR, Socket.IO, fine.

SSH / RDP also work. Ingress entry service: ssh://localhost:22, then enable Browser rendering in the Access app — users get an in-browser terminal with no client install.

Run the same tunnel on multiple hosts. Re-use the same token on a second machine and Cloudflare handles HA / load balancing automatically. Reboot one host, service stays up.

Per-hostname originRequest. Each ingress can independently set httpHostHeader, connectTimeout, noTLSVerify — no need to change global settings for one service.

Pricing

Tunnel itself: 100% free, unmetered bandwidth, unlimited tunnels
Zero Trust Access: free up to 50 users, then Cloudflare One pay-as-you-go ~$7/user/month
No egress fees, no connection limits

For individuals and small teams, it’s effectively free.

Notable 2025–2026 Updates

Dashboard consolidation: dash.teams.cloudflare.com is fully retired; everything lives at one.dash.cloudflare.com. If you land on an old tutorial, update the URL.

WARP Connector GA: where Tunnel exposes individual services, WARP Connector brings entire subnets onto Cloudflare’s network. Site-to-site VPN replacement; complements Tunnel for full-network reach.

Cloudflare One rebrand: Access, Gateway, Tunnel, WARP, CASB, DLP, Email Security merged into a single SSE platform. One Zero Trust menu now covers all enterprise network security.

Terraform provider v5 is stable: full IaC for tunnel resources, trivial multi-environment deployments.

QUIC as default: cloudflared now uses QUIC (HTTP/3) by default, faster connection establishment and more resilient on flaky networks.

When Not to Use Tunnel

Great tool, not universal:

Want strict peer-to-peer with no third party: use Tailscale / WireGuard
Regulatory rules require non-US / non-CF transit: self-host frp or enterprise VPN
Huge static file traffic: Cloudflare Pages / R2 is a better fit than tunneling
Five-minute demo with no domain: TryCloudflare or ngrok is faster

Closing

Demo environments, webhook receivers, showing your coworker a work-in-progress — in 2026 Cloudflare Tunnel is almost always the lowest-friction answer. Generous free tier, security handled by Cloudflare, and the same setup carries from dev to production.

Three steps to live: brew install cloudflared → dashboard creates tunnel → paste token. Everything complicated lives in a cloud UI.

Zero-Trust on recca0120 Tech Notes