My second Cloudflare Tunnel

Published: (December 4, 2025 at 04:02 AM EST)
Source: Dev.to

The problem

A quick recap of the privacy and security issues involved:

  • Port forwarding exposes your home IP address
  • Dynamic DNS requires constant updates
  • Opening ports is a security risk
  • SSL certificates are a hassle to manage

I wanted a solution that would:

  • Keep my home network secure
  • Provide HTTPS automatically
  • Add authentication
  • Be simple to maintain

Enter Cloudflare Tunnel

Cloudflare Tunnel creates a secure outbound connection from your network to Cloudflare’s edge. Requests to your domain are routed through this tunnel to your application, requiring no inbound ports.

Flow:
Internet → Cloudflare Edge → Tunnel → NAS → Application

All connections are outbound from the NAS, leaving the firewall untouched.

Setting up the Tunnel

Prerequisites

  • A domain managed by Cloudflare
  • Docker service running on the NAS
  • Your application running as a Docker container

Create a named tunnel

  1. In the Cloudflare Zero Trust dashboard, go to Access > Tunnels.
  2. Click Create a tunnel and choose Cloudflared.
  3. Name the tunnel (e.g., nas).
  4. Copy the generated tunnel token – you’ll need it shortly.

The token authenticates your tunnel to Cloudflare.

Run cloudflared on the NAS

Pull the official Docker image:

docker pull cloudflare/cloudflared:2025.9.1

Create a container (via the Synology Docker UI) with these settings:

  • Container name: cloudflared
  • Command: tunnel --no-autoupdate run
  • Environment variable: TUNNEL_TOKEN= (paste your token here)
  • Network: the same network as your application (e.g., bridge)

Create a link from the cloudflared container to the application container:

  • Link container: name of the application container (e.g., myapp)
  • Alias: same name (myapp)

This lets cloudflared reach the app at http://myapp: without exposing any ports.

Configure the public hostname

  1. In the Cloudflare dashboard, open the tunnel configuration.
  2. Go to the Public Hostname tab and click Add a public hostname.
  3. Set your subdomain, domain, and service path (e.g., http://myapp:).

The hostname must match the Docker link alias. If you see an error like:

dial tcp: lookup wrongname on 192.168.1.254:53: no such host

check the link name and hostname for mismatches.
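
A consistency check for the alias rule above, as an added example that is not part of the original post: it reads `docker inspect` JSON for the two containers and flags a service hostname that is not a link alias of cloudflared, containers that share no network, and any host port published by the app. The inspect data is a constructed sample; port 8080 and the function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample: trimmed `docker inspect cloudflared myapp` output.
# Container names, the network and port 8080 are assumptions for illustration.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/cloudflared",
   "HostConfig": {"Links": ["/myapp:/cloudflared/myapp"], "PortBindings": {}},
   "NetworkSettings": {"Networks": {"bridge": {}}}},
  {"Name": "/myapp",
   "HostConfig": {"Links": null,
                  "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
   "NetworkSettings": {"Networks": {"bridge": {}}}}
]
""")


def link_aliases(container):
    """Aliases from HostConfig.Links entries shaped '/target:/owner/alias'."""
    links = container["HostConfig"].get("Links") or []
    return {link.rsplit("/", 1)[-1] for link in links}


def published_ports(container):
    """Container ports bound to a host port (reachable without the tunnel)."""
    bindings = container["HostConfig"].get("PortBindings") or {}
    return sorted(port for port, hosts in bindings.items() if hosts)


def audit(inspect_data, service_url, tunnel="cloudflared", app="myapp"):
    """Return a list of findings; an empty list means the layout matches the guide."""
    by_name = {c["Name"].lstrip("/"): c for c in inspect_data}
    findings = []
    host = urlparse(service_url).hostname
    if host not in link_aliases(by_name[tunnel]):
        findings.append(f"service host '{host}' is not a link alias of {tunnel}")
    tunnel_nets = set(by_name[tunnel]["NetworkSettings"]["Networks"])
    app_nets = set(by_name[app]["NetworkSettings"]["Networks"])
    if not tunnel_nets & app_nets:
        findings.append(f"{tunnel} and {app} share no Docker network")
    for port in published_ports(by_name[app]):
        findings.append(f"{app} publishes {port} on the host, bypassing the tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT, "http://wrongname:8080"):
        print("FINDING:", finding)
```

A published port on the app container does not break the tunnel, but it leaves a path to the application that Cloudflare Access never sees.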

Adding authentication

Without extra protection, anyone with the URL could reach the app. Cloudflare Access provides built‑in authentication without code changes.

  1. Navigate to Access > Applications.
  2. Click Add an application > Self‑hosted.
  3. Fill in the application name, domain, and subdomain, then click Next.
  4. Create a policy:
    • Policy name: “Allow myself”
    • Action: Allow
    • Include rule: Emails → john@doe.it
  5. Finish by adding the application.

Make sure the policy is attached to the tunnel; otherwise Cloudflare won’t enforce the authentication.

Result

When accessing the application from outside:

  1. Cloudflare shows an authentication page.
  2. You enter your email.
  3. Cloudflare sends a one‑time code.
  4. After entering the code, you’re authenticated.
  5. Requests are proxied through the tunnel to the application.

Now I can schedule posts from anywhere.

Conclusion

Cloudflare Tunnel offers an elegant, cost‑free solution for self‑hosting:

  • Automatic HTTPS
  • Built‑in authentication via Cloudflare Access
  • No inbound ports, keeping the home network safe

The whole setup took about 30 minutes, most of which was spent fixing container names and policy assignments. I hope this guide helps anyone facing a similar challenge.

Originally published at A Java Geek on November 30th, 2025.