
How to Configure Cloudflare Tunnel for Zero Trust Access

By Admin · Mar 1, 2026 · Updated Apr 23, 2026

What Is Cloudflare Tunnel?

Cloudflare Tunnel (formerly Argo Tunnel) creates encrypted, outbound-only connections from your Breeze to the Cloudflare network, so no public ports have to be exposed. This eliminates the need for port forwarding or inbound firewall rules, providing zero trust access to internal services.

Prerequisites

  • A Breeze running Ubuntu 22.04 or later
  • A Cloudflare account with a domain added
  • Root or sudo access

Install cloudflared

Download and install the Cloudflare daemon:

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install -y cloudflared

Authenticate and Create a Tunnel

cloudflared tunnel login
cloudflared tunnel create my-tunnel

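This generates a credentials JSON file, named <TUNNEL_ID>.json, under ~/.cloudflared/. The file contains the tunnel secret, and anyone who holds it can run the tunnel, so keep it readable only by the account that runs cloudflared.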

Configure the Tunnel

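Create the configuration file at ~/.cloudflared/config.yml. Replace <TUNNEL_ID> with the ID of the tunnel you just created; the credentials-file path below assumes the commands were run as root, so adjust it if the file was created in another user's home directory. Ingress rules are matched top to bottom, and the last rule must be a catch-all without a hostname; here it returns 404 for any request that is not for app.yourdomain.com.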

tunnel: my-tunnel
credentials-file: /root/.cloudflared/<TUNNEL_ID>.json

ingress:
  - hostname: app.yourdomain.com
    service: http://localhost:8080
  - service: http_status:404

Route DNS and Start

cloudflared tunnel route dns my-tunnel app.yourdomain.com
sudo cloudflared service install
sudo systemctl enable --now cloudflared

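Your internal service is now accessible through Cloudflare with full DDoS protection and no open inbound ports. The tunnel only publishes the hostname: who is allowed to reach app.yourdomain.com is decided by a Cloudflare Access policy on that hostname, so attach one before relying on the service being zero trust.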
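To check that the origin behind the tunnel really has no inbound exposure, the following added example (not part of the original article) reads `ss -H -tln` output and reports whether the port from config.yml is bound to loopback only. The function name check_origin_port and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_origin_port PORT  (stdin: output of `ss -H -tln`)
#   exit 0 = PORT listens on loopback only (reachable only via the tunnel)
#   exit 1 = PORT also listens on a non-loopback address (printed as EXPOSED)
#   exit 2 = nothing is listening on PORT
check_origin_port() {
  awk -v want="$1" '
    $1 == "LISTEN" {
      # Local address is field 4; split on the last colon (IPv6 has colons).
      port = $4; sub(/.*:/, "", port)
      if (port != want) next
      addr = $4; sub(/:[^:]*$/, "", addr)
      sub(/%.*$/, "", addr)        # drop interface scope, e.g. 127.0.0.53%lo
      gsub(/^\[|\]$/, "", addr)    # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) {
        loop++
      } else {
        exposed++
        print "EXPOSED " $4
      }
    }
    END {
      if (exposed) exit 1
      if (!loop) exit 2
      exit 0
    }'
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:3000 *:*
LISTEN 0 128 [::]:22 [::]:*'

# 8080 is the origin port used in config.yml above; 3000 is a constructed
# second service bound to all interfaces, shown for contrast.
for p in 8080 3000; do
  if printf '%s\n' "$SAMPLE" | check_origin_port "$p"; then
    echo "port $p: loopback only"
  else
    echo "port $p: bound beyond loopback or not listening"
  fi
done
```

On the Breeze itself, run `ss -H -tln | check_origin_port 8080`; an EXPOSED line means the application should be rebound to 127.0.0.1 or blocked by the host firewall.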
