
Exposing a local service to the internet the traditional way means opening firewall ports, setting up dynamic DNS, and hoping your ISP does not block inbound connections. That approach works, but it also exposes your server’s public IP and creates a real attack surface. Cloudflare Tunnel solves all of that by creating an outbound-only, encrypted connection between your Fedora 43 machine and Cloudflare’s global edge network. No open ports, no exposed IP, no static IP required.
This guide walks you through the complete process to install Cloudflare Tunnel on Fedora 43 from scratch. You will install the cloudflared daemon using DNF or a direct RPM package, authenticate with your Cloudflare account, create and configure a named tunnel, set up DNS routing, and run it as a persistent systemd service. By the end, your local service will be reachable on a public hostname through Cloudflare’s network without a single inbound firewall rule.
This guide is written for Fedora 43 specifically. Fedora 43 ships with DNF5, a rewritten package manager with faster dependency resolution, and has SELinux in enforcing mode by default. Both details affect how you install and run cloudflared, and this guide covers both.
Prerequisites Before You Begin
Before running a single command, make sure you have everything in place. Missing one item here is the most common reason installations fail halfway through.
System requirements:
- A machine running Fedora 43 (confirm with cat /etc/fedora-release)
- sudo or root access on the system
- DNF5 package manager (default on Fedora 43)
- Active internet connection from the server
Cloudflare account requirements:
- A free or paid Cloudflare account at dash.cloudflare.com
- A domain name added to your Cloudflare account with nameservers pointing to Cloudflare
- The domain must be active (orange cloud) in your Cloudflare DNS settings
Optional but recommended:
- A local service already running that you want to expose (for example, a web app on port 8080, Nextcloud, Jellyfin, or a Grafana dashboard)
- A browser available on any device for completing the Cloudflare OAuth login step
You do NOT need to open any inbound ports in firewalld. Cloudflare Tunnel runs entirely on outbound connections, which means your existing firewall configuration stays untouched.
What Is Cloudflare Tunnel and Why Use It on Fedora 43
Cloudflare Tunnel (formerly Argo Tunnel) is a secure tunneling technology that routes traffic from Cloudflare’s edge network directly to your local machine through an outbound connection. The daemon that creates and maintains this connection is called cloudflared.
Here is how the architecture works: when cloudflared starts, it opens four parallel connections to two different Cloudflare data centers. Traffic arriving at your public hostname on Cloudflare’s network travels over those connections to your machine and gets proxied to whatever local service you configured. Your server never listens for inbound connections.
Key benefits for Fedora 43 users:
- No port forwarding required on your router
- Your home or server IP address stays completely hidden from the public internet
- Automatic TLS/SSL is handled by Cloudflare, so your local service does not need a certificate
- Cloudflare’s WAF and DDoS protection sit in front of every request by default
- Works with HTTP, HTTPS, SSH, TCP, and other protocols
Fedora 43 is an excellent platform for running cloudflared as a persistent service. It uses systemd natively, DNF5 for package management, and SELinux for mandatory access control. All three are well-supported by the cloudflared service installer, and this guide addresses each one directly.
Step 1: Update Your Fedora 43 System
Always start with a fully updated system. This prevents dependency conflicts and ensures you are running the latest kernel and security patches before adding new software.
sudo dnf upgrade --refresh -y
What this command does: dnf upgrade updates all installed packages. The --refresh flag forces DNF5 to sync the repository metadata before checking for updates, and -y confirms the operation without prompting.
After the upgrade completes, reboot if the kernel was updated:
sudo reboot
Once the machine is back online, confirm your Fedora version before proceeding:
cat /etc/fedora-release
Expected output:
Fedora release 43 (Forty Three)
Step 2: Install cloudflared on Fedora 43
You have two reliable methods to install cloudflared on Fedora 43. Method A uses the official Cloudflare DNF repository and is recommended because it keeps cloudflared updated automatically through standard dnf upgrade runs. Method B uses a direct RPM download, which is better for pinned versions or systems that cannot reach external repositories.
Method A: Install via the Official DNF Repository (Recommended)
Step 2a: Add the Cloudflare RPM repository
This command adds the official Cloudflare package repository to your DNF configuration:
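sudo dnf config-manager addrepo --from-repofile=https://pkg.cloudflare.com/cloudflared-ascii.repo
On Fedora 43, config-manager is a built-in DNF5 subcommand. No additional plugins are needed. DNF5 uses the addrepo subcommand with --from-repofile; the DNF4 form, config-manager --add-repo, is not accepted.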
Step 2b: Install cloudflared
sudo dnf install cloudflared -y
DNF5 will resolve dependencies, download the package (approximately 18-20 MB), and install the cloudflared binary to your system.
Step 2c: Verify the installation
cloudflared --version
Expected output:
cloudflared version 2025.x.x (built YYYY-MM-DD)
Confirm the binary path is accessible system-wide:
which cloudflared
Expected output: /usr/bin/cloudflared
Method B: Install via Direct RPM Download
Use this method when you need to pin to a specific version, work on an air-gapped system, or prefer not to add an external repository.
For x86_64 (amd64) systems:
cd /tmp
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm
For ARM64/aarch64 systems (Raspberry Pi, ARM servers):
cd /tmp
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-aarch64.rpm
Install with dnf localinstall rather than rpm -i. The reason is that dnf localinstall resolves and pulls in any missing dependencies automatically, while rpm -i will fail if a dependency is missing:
sudo dnf localinstall cloudflared-linux-x86_64.rpm -y
Verify the installation:
cloudflared --version
Step 3: Authenticate cloudflared with Your Cloudflare Account
Authentication links your local cloudflared installation to your Cloudflare account. Running the login command generates a certificate (cert.pem) that authorizes you to create and manage tunnels.
cloudflared tunnel login
What happens next: cloudflared prints a URL in the terminal and, if you have a desktop browser available, attempts to open it automatically.
For headless Fedora 43 servers with no display (VPS, homelab), copy the printed URL manually and open it in a browser on any other device. The URL looks like this:
https://dash.cloudflare.com/argotunnel?callback=...
After logging in, Cloudflare shows you a list of your domains. Click the domain you want this tunnel to serve, then click Authorize. The browser redirects and cloudflared confirms success in the terminal.
Verify that the certificate file was created:
ls ~/.cloudflared/
Expected output:
cert.pem
The cert.pem file is account-level and authorizes all tunnels you create under your account. Treat it as a sensitive credential and do not share it.
Step 4: Create a Named Cloudflare Tunnel
Creating a tunnel establishes a persistent identity in Cloudflare’s network. It generates a UUID that Cloudflare uses to identify your tunnel, and creates a JSON credentials file on your machine.
cloudflared tunnel create my-fedora-tunnel
Replace my-fedora-tunnel with any name that makes sense for your setup.
What this creates:
- A UUID assigned to your tunnel (printed in the terminal output)
- A credentials file at ~/.cloudflared/<UUID>.json
- A subdomain entry at <UUID>.cfargotunnel.com on Cloudflare’s network
The output looks like this:
Tunnel credentials written to /home/user/.cloudflared/<UUID>.json.
Created tunnel my-fedora-tunnel with id <UUID>
Copy the UUID now. You need it in the next step.
Verify the tunnel was registered:
cloudflared tunnel list
Your new tunnel should appear in the output with its name and UUID.
Important: The <UUID>.json credentials file is the private key for your tunnel. Set strict permissions on it and never commit it to a public Git repository.
chmod 600 ~/.cloudflared/<UUID>.json
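The permission advice for cert.pem and the <UUID>.json file can be turned into a repeatable check. The following is an added example, not part of the original guide or of cloudflared; the function name audit_cloudflared_dir is hypothetical, and it assumes GNU find and stat as shipped on Fedora.

```shell
#!/bin/sh
# Added example: audit a cloudflared credential directory for loose permissions.
# audit_cloudflared_dir is a hypothetical helper, not a cloudflared command.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_cloudflared_dir() {
    dir="${1:-$HOME/.cloudflared}"
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    # Check 1: a group- or world-writable directory lets another local account
    #          replace the credential files, whatever their own mode is.
    # Check 2: cert.pem and the tunnel JSON file should be 0600 or stricter,
    #          so any group or other permission bit is reported.
    report=$(
        find "$dir" -maxdepth 0 -perm /022 \
            -exec stat -c 'DIR_WRITABLE %a %n' {} +
        find "$dir" -maxdepth 1 -type f \
            \( -name 'cert.pem' -o -name '*.json' \) -perm /077 \
            -exec stat -c 'LOOSE_PERMS %a %n' {} +
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: audit_cloudflared_dir ~/.cloudflared
```

Run it again against /etc/cloudflared after the service install in Step 8, since the configuration is copied there.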
Step 5: Configure the Cloudflare Tunnel on Fedora 43
The config.yml file is where you define how traffic flowing through your tunnel gets routed to local services. This is the most critical configuration step, and mistakes here are the most common cause of tunnel failures.
Create the configuration file:
nano ~/.cloudflared/config.yml
Add the following content, replacing values with your own UUID, username, and domain:
tunnel: <YOUR-TUNNEL-UUID>
credentials-file: /home/<your-username>/.cloudflared/<YOUR-TUNNEL-UUID>.json
ingress:
  - hostname: app.yourdomain.com
    service: http://localhost:8080
  - service: http_status:404
What each field does:
- tunnel: The UUID of the tunnel you created in Step 4
- credentials-file: The absolute path to the JSON credentials file
- ingress: A list of routing rules that maps public hostnames to local services
- The final catch-all http_status:404 is required by cloudflared to validate the ingress config
Example with multiple services:
tunnel: <YOUR-TUNNEL-UUID>
credentials-file: /home/<your-username>/.cloudflared/<YOUR-TUNNEL-UUID>.json
ingress:
  - hostname: app.yourdomain.com
    service: http://localhost:8080
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  - hostname: files.yourdomain.com
    service: http://localhost:8096
  - service: http_status:404
Save and close the file, then validate the configuration:
cloudflared tunnel ingress validate
If the config is valid, cloudflared confirms each rule without errors. Fix any path or YAML indentation errors before continuing.
Step 6: Route DNS Traffic to Your Tunnel
This step creates a CNAME DNS record in your Cloudflare zone that points your public hostname to your tunnel’s internal cfargotunnel.com address. You do not need to touch the Cloudflare dashboard manually; cloudflared handles it from the command line.
cloudflared tunnel route dns my-fedora-tunnel app.yourdomain.com
What this does: Cloudflare automatically creates a CNAME record pointing app.yourdomain.com to <UUID>.cfargotunnel.com. The record is proxied (orange cloud enabled) by default, which means all traffic passes through Cloudflare’s WAF and DDoS protection before reaching your tunnel.
Confirm the record appeared in your Cloudflare dashboard by navigating to DNS > Records and looking for a CNAME entry for app.
For multiple hostnames, run the command once for each:
cloudflared tunnel route dns my-fedora-tunnel ssh.yourdomain.com
cloudflared tunnel route dns my-fedora-tunnel files.yourdomain.com
Step 7: Run the Tunnel Manually to Test
Before committing to a system service, run the tunnel interactively to confirm everything works end to end.
cloudflared tunnel run my-fedora-tunnel
Look for output similar to this:
INF Starting tunnel tunnelID=<UUID>
INF Registered tunnel connection connIndex=0 location=SIN
INF Registered tunnel connection connIndex=1 location=SIN
INF Registered tunnel connection connIndex=2 location=SJC
INF Registered tunnel connection connIndex=3 location=SJC
Four active connections to Cloudflare edge nodes confirm the tunnel is healthy. Open a browser on any device and navigate to https://app.yourdomain.com. Your local service should respond.
Once confirmed, press Ctrl+C to stop the manual run. This mode is for testing only; the tunnel stops when the terminal session closes.
Step 8: Run cloudflared as a Systemd Service on Fedora 43
Running cloudflared as a systemd service means it starts automatically at boot, restarts on failure, and runs in the background without a logged-in user session. This is how you run it in production.
Install the cloudflared systemd service
cloudflared includes a built-in installer that creates the systemd unit file for you:
sudo cloudflared service install
This command reads your ~/.cloudflared/config.yml, copies it to /etc/cloudflared/config.yml, and creates a systemd unit file at /etc/systemd/system/cloudflared.service.
Enable and start the service
Enable the service so it starts on every boot:
sudo systemctl enable cloudflared
Start it immediately without rebooting:
sudo systemctl start cloudflared
Check that it is running:
sudo systemctl status cloudflared
Expected output:
cloudflared.service - cloudflared
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled)
Active: active (running) since ...
View live tunnel logs
sudo journalctl -u cloudflared -f
This streams live log output from cloudflared. Look for the four Registered tunnel connection lines that confirm active connections to Cloudflare’s edge.
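The "four Registered tunnel connection lines" check can be scripted for monitoring. This is an added example, not part of cloudflared or the original guide; tunnel_conn_summary is a hypothetical helper and the sample log is constructed in the format shown in Step 7. It counts registrations seen in the log window you feed it, not the live connection state.

```shell
#!/bin/sh
# Added example: summarise tunnel registrations from cloudflared log lines.
# tunnel_conn_summary is a hypothetical helper that reads log text on stdin,
# prints "connections=N locations=M", and returns 0 only when at least four
# connection slots across at least two locations were registered.
tunnel_conn_summary() {
    awk '
        /Registered tunnel connection/ {
            idx = ""; loc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^connIndex=/) idx = substr($i, 11)
                if ($i ~ /^location=/)  loc = substr($i, 10)
            }
            # Count each connection slot and each location once, so a
            # re-registration after a reconnect is not double counted.
            if (idx != "" && !(idx in conns)) { conns[idx] = 1; nconn++ }
            if (loc != "" && !(loc in locs))  { locs[loc] = 1; nloc++ }
        }
        END {
            printf "connections=%d locations=%d\n", nconn, nloc
            exit !(nconn >= 4 && nloc >= 2)
        }
    '
}

# Constructed sample input (timestamps and tunnelID are made up).
SAMPLE_LOG='2025-01-01T00:00:00Z INF Starting tunnel tunnelID=00000000-0000-0000-0000-000000000000
2025-01-01T00:00:01Z INF Registered tunnel connection connIndex=0 location=SIN
2025-01-01T00:00:01Z INF Registered tunnel connection connIndex=1 location=SIN
2025-01-01T00:00:02Z INF Registered tunnel connection connIndex=2 location=SJC
2025-01-01T00:00:02Z INF Registered tunnel connection connIndex=3 location=SJC'

# Usage: sudo journalctl -u cloudflared -b --no-pager | tunnel_conn_summary
```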
After any change to your config.yml, restart the service to apply it:
sudo systemctl restart cloudflared
SELinux note for Fedora 43
Fedora 43 runs SELinux in enforcing mode by default. If cloudflared.service fails immediately after install, check for AVC denials:
sudo ausearch -m avc -ts recent
If SELinux is blocking cloudflared, temporarily set permissive mode for diagnostic purposes:
sudo setenforce 0
sudo systemctl start cloudflared
If it starts in permissive mode, use audit2allow to generate a proper SELinux policy module, then return SELinux to enforcing mode rather than leaving it permissive permanently.
Step 9: Verify Your Cloudflare Tunnel on Fedora 43 Is Fully Active
With the service running, confirm the tunnel is healthy from multiple angles.
Check the tunnel from the CLI:
cloudflared tunnel info my-fedora-tunnel
This shows the tunnel’s UUID, active connections, and connected edge nodes.
Check systemd service health:
systemctl is-active cloudflared
Expected output: active
Check from the Cloudflare dashboard:
Navigate to Zero Trust > Networks > Tunnels. Your tunnel should show a Healthy status with a green indicator.
Test in a browser:
Open https://app.yourdomain.com from any device outside your local network. Your service should load over HTTPS with a valid Cloudflare-managed certificate.
Troubleshooting Common Errors
Error: “Failed to create symbolic link /usr/local/bin/cloudflared”
This happens on Fedora Silverblue or rpm-ostree systems where /usr/local/bin is read-only.
Fix: Use rpm-ostree to install instead:
rpm-ostree install cloudflared
systemctl reboot
Error: “cloudflared.service: Failed with result exit-code”
This usually means config.yml has an incorrect path or YAML syntax error.
Fix: Validate the configuration file:
cloudflared tunnel ingress validate
Check that the credentials-file path in config.yml is an absolute path and that the JSON file exists at that location.
Error: “cert.pem not found”
You ran cloudflared tunnel create before completing the login step.
Fix: Re-authenticate first, then create the tunnel:
cloudflared tunnel login
cloudflared tunnel create my-fedora-tunnel
Error: “Connection refused” when reaching your hostname
The local service you configured in config.yml is not running or is bound to a different port.
Fix: Confirm your service is listening on the expected port:
ss -tulpn | grep 8080
If the port is wrong, update the service value in config.yml and restart cloudflared.
SELinux Blocking the Service
Fedora 43’s SELinux enforcing mode can block cloudflared from binding to ports or reading credential files.
Fix: Check AVC denial logs and generate a policy module:
sudo ausearch -m avc -ts recent | audit2allow -M cloudflared-local
sudo semodule -i cloudflared-local.pp
sudo systemctl restart cloudflared
Congratulations! You have successfully installed Cloudflare Tunnel on your Fedora 43 system. For additional help or useful information, we recommend you check the official Cloudflare Tunnel website.