How To Install Cloudflare Tunnel on Ubuntu 24.04 LTS

In this tutorial, we will show you how to install Cloudflare Tunnel on Ubuntu 24.04 LTS. In the ever-evolving landscape of network security, Cloudflare Tunnels offer a robust solution for securely exposing services to the internet without the traditional vulnerabilities associated with port forwarding. This comprehensive guide walks you through the complete process of installing and configuring Cloudflare Tunnel on Ubuntu 24.04 LTS, providing you with a secure connection between your local environment and Cloudflare’s global network.

Understanding Cloudflare Tunnels

Cloudflare Tunnels is a service that creates a secure, encrypted connection between your origin server and Cloudflare’s network. Unlike traditional methods that require opening ports on your firewall or setting up complex reverse proxies, Cloudflare Tunnels establishes an outbound-only connection, eliminating the need for public IP addresses or port forwarding.

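This approach offers significant security advantages: with no inbound ports open at the firewall, your server is not directly reachable from the internet, which protects it from common attack vectors such as port scanning and DDoS attacks aimed at the origin. The connection between cloudflared and Cloudflare’s network is encrypted and authenticated. The final hop from cloudflared to your internal service uses whatever protocol you set in the ingress rules, which is plain HTTP to localhost in the examples in this guide.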

Key Benefits of Cloudflare Tunnels:

  • Elimination of inbound firewall rules
  • Protection against direct server exposure
  • Simplified setup compared to traditional reverse proxies
  • Built-in DDoS protection through Cloudflare’s network
  • Access control through Cloudflare Zero Trust

For organizations running applications on Ubuntu 24.04 LTS, implementing Cloudflare Tunnels provides enterprise-grade security with minimal configuration complexity.

Prerequisites

Before proceeding with the installation of Cloudflare Tunnel on your Ubuntu 24.04 LTS system, ensure you meet the following requirements:

  • A running Ubuntu 24.04 LTS server with administrative privileges
  • A registered Cloudflare account
  • A domain added and configured in your Cloudflare account
  • Basic familiarity with command-line operations
  • Stable internet connection

The installation process requires minimal system resources, making it suitable for even modest server specifications. However, ensuring your system is up-to-date before beginning is always recommended:

sudo apt update
sudo apt upgrade -y

These preparatory steps create a solid foundation for your Cloudflare Tunnel installation and help prevent potential compatibility issues during the process.

Step 1: Installing Cloudflared Package

The first step in setting up Cloudflare Tunnel is installing the cloudflared package, which serves as the client that establishes and maintains the tunnel connection. Unfortunately, this package isn’t available in the standard Ubuntu repositories, so we’ll need to download it directly from Cloudflare.

Begin by downloading the latest version of the cloudflared package from the official Cloudflare GitHub repository:

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

Once downloaded, install the package using the dpkg command:

sudo dpkg -i cloudflared-linux-amd64.deb

After installation, verify that cloudflared is correctly installed and available in your system by checking its version:

cloudflared --version

This command should return the installed version number, confirming that the installation was successful. If you encounter any issues, ensure that you have the necessary dependencies installed:

sudo apt install -f

This command resolves any dependency issues that might have occurred during the installation process. With cloudflared successfully installed, your Ubuntu 24.04 LTS system is now ready for the next configuration steps.

Step 2: Authenticating with Cloudflare

The authentication process connects your local cloudflared instance with your Cloudflare account, establishing the necessary trust relationship. This step is crucial as it generates the credentials that authorize your tunnel to operate under your account.

Initiate the authentication process by running:

cloudflared tunnel login

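On a machine with a desktop session, this command launches a browser window where you’ll be prompted to log into your Cloudflare account. On a headless server it prints a URL instead, which you open in a browser on another machine. Once logged in, you’ll need to authorize cloudflared to access your domains by selecting the specific domain you want to use with your tunnel.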

After successful authorization, Cloudflare generates a certificate that is automatically downloaded and stored in your local .cloudflared directory. By default, this certificate is saved at:

~/.cloudflared/cert.pem

This certificate serves as the authentication token for all subsequent tunnel operations. It’s important to secure this file appropriately as it provides access to create and manage tunnels for your domain.

Security Best Practices:

  • Restrict permissions on the certificate file: chmod 600 ~/.cloudflared/cert.pem
  • Avoid sharing or transferring the certificate to unauthorized systems
  • Consider using dedicated service accounts for production deployments

The authentication process only needs to be completed once unless you revoke access or the certificate expires. With authentication completed, you’re now ready to create your first Cloudflare Tunnel.

Step 3: Creating Your First Tunnel

Creating a tunnel establishes the persistent identity for your connection to Cloudflare’s network. Each tunnel is assigned a unique UUID that serves as its identifier within the Cloudflare ecosystem.

To create a new tunnel, execute the following command:

cloudflared tunnel create <TUNNEL_NAME>

Replace <TUNNEL_NAME> with a descriptive name that helps you identify the purpose of this tunnel. For example:

cloudflared tunnel create ubuntu-web-server

Upon successful creation, cloudflared generates a JSON credentials file specific to this tunnel. This file contains the necessary authentication information and is typically stored in the .cloudflared directory with a filename matching the tunnel UUID.

Make note of the tunnel UUID displayed in the command output, as you’ll need it for subsequent configuration steps. You can list all your existing tunnels at any time using:

cloudflared tunnel list

The tunnel creation process simply establishes the identity of your tunnel but doesn’t yet configure what traffic will flow through it or start the actual connection. These aspects will be addressed in the following steps.

Step 4: Configuring the Tunnel

Proper configuration is essential for determining how traffic flows through your Cloudflare Tunnel. This is achieved through a configuration file that defines the ingress rules and routing behavior.

First, create a configuration directory if you plan to run the tunnel as a system service:

sudo mkdir -p /etc/cloudflared

Next, create a configuration file named config.yml in this directory:

sudo nano /etc/cloudflared/config.yml

Add the following configuration, adjusting the values to match your setup:

tunnel: <TUNNEL_UUID>
credentials-file: /root/.cloudflared/<TUNNEL_UUID>.json

ingress:
  - hostname: your-domain.com
    service: http://localhost:80
  - hostname: subdomain.your-domain.com
    service: http://localhost:8080
  - service: http_status:404

Let’s break down this configuration:

  1. tunnel: The UUID of your tunnel obtained during creation
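  2. credentials-file: Path to the credentials file generated when creating the tunnel. The file is written to the .cloudflared directory of the user who ran cloudflared tunnel create, so if you ran that command as a non-root user, copy the file to /root/.cloudflared/ or point this path at its actual location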
  3. ingress: Rules defining how traffic should be routed

The ingress section is particularly important as it determines which services traffic will be directed to based on the requested hostname. Rules are evaluated from top to bottom and the first match is used. The last rule serves as a catch-all, returning a 404 status for any requests that don’t match previous rules.

Save the file after making your changes. For complex environments, you might need additional configuration options such as:

  • originRequest settings for adjusting connection parameters
  • warp-routing for private network access
  • Custom headers or TLS settings

Verify your configuration syntax with:

sudo cloudflared tunnel ingress validate

This ensures your configuration file is correctly formatted and will be properly interpreted when the tunnel starts.
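
Because ingress rules are matched in order, a broad hostname placed above a specific one silently captures its traffic. The following shell functions are an added example, not part of the original tutorial or of cloudflared: they read a config.yml shaped like the one above and report which rule a hostname selects and which rules an earlier rule already shadows. The function names, the constructed sample file and the use of shell globbing to approximate wildcard hostnames are assumptions of this example.

```shell
# list_rules FILE: print "hostname service" per ingress rule, in file order.
# A rule without a hostname (the catch-all) is printed with hostname "*".
list_rules() {
    awk '
        function flush() { if (svc != "") print host, svc; host = "*"; svc = "" }
        /^ingress:/         { on = 1; next }
        on && /^[^ \t#]/    { on = 0 }     # next top-level key ends the section
        !on                 { next }
        /^[ \t]*-[ \t]/     { flush(); sub(/^[ \t]*-[ \t]+/, "") }  # "- " opens a rule
        /^[ \t]*hostname:/  { sub(/^[ \t]*hostname:[ \t]*/, ""); gsub(/"/, ""); host = $0 }
        /^[ \t]*service:/   { sub(/^[ \t]*service:[ \t]*/, ""); svc = $0 }
        END                 { flush() }
    ' "$1"
}

# match_rule FILE HOST: print "<rule number> <service>" for the first rule
# whose hostname matches HOST (wildcards approximated by shell globbing).
match_rule() {
    idx=0
    list_rules "$1" | while read -r pattern service; do
        idx=$((idx + 1))
        case "$2" in
            $pattern) echo "$idx $service"; break ;;
        esac
    done
}

# shadowed_rules FILE: print the hostnames of rules that can never be selected
# because an earlier rule already matches them.
shadowed_rules() {
    n=0
    list_rules "$1" | while read -r pattern service; do
        n=$((n + 1))
        first=$(match_rule "$1" "$pattern")
        if [ "${first%% *}" -lt "$n" ]; then echo "$pattern"; fi
    done
}

# Constructed sample: the tutorial's config shape with a wildcard placed too early.
sample_config() {
    cat <<'EOF'
ingress:
  - hostname: app.example.com
    service: http://localhost:3000
  - hostname: "*.example.com"
    service: http://localhost:8080
  - hostname: admin.example.com
    service: http://10.0.0.10:8090
  - service: http_status:404
EOF
}

cfg=$(mktemp) && sample_config > "$cfg"
match_rule "$cfg" admin.example.com   # selects rule 2, not the admin origin
shadowed_rules "$cfg"                 # reports admin.example.com
rm -f "$cfg"
```

Moving the wildcard rule below admin.example.com makes shadowed_rules print nothing for this file.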

Step 5: DNS Configuration

Configuring DNS records is a crucial step that connects your domain names to your Cloudflare Tunnel. This allows incoming requests to be properly routed through Cloudflare to your local services.

The simplest way to create these DNS records is through the cloudflared CLI:

cloudflared tunnel route dns <TUNNEL_NAME> <HOSTNAME>

For example:

cloudflared tunnel route dns ubuntu-web-server website.example.com

This command automatically creates a CNAME record in your Cloudflare DNS settings that points to your tunnel. Repeat this command for each hostname you specified in your ingress rules.

To verify that your DNS records have been properly configured, you can check your Cloudflare dashboard or use a DNS lookup tool:

dig CNAME website.example.com

DNS propagation typically takes a few minutes, but within Cloudflare’s network, changes are usually effective almost immediately. Once your DNS records are set up, any request to your configured hostnames will be directed through your Cloudflare Tunnel to the specified local services.

Step 6: Running the Tunnel Manually

Before setting up the tunnel as a persistent service, it’s advisable to run it manually to ensure everything is configured correctly.

Execute the following command to start your tunnel:

sudo cloudflared tunnel run <TUNNEL_NAME>

This command initiates the tunnel connection using the configuration you’ve established. In the terminal output, you should see connection logs indicating that the tunnel has successfully connected to Cloudflare’s edge network.

Test the connection by accessing one of your configured hostnames in a web browser. If everything is set up correctly, you should be able to access your local service through the Cloudflare network.

During this testing phase, pay attention to any error messages or warnings in the logs. Common issues might include:

  • Authentication failures
  • Configuration syntax errors
  • Connection problems to local services
  • DNS resolution issues

Running the tunnel manually is an excellent way to troubleshoot these issues before proceeding to set it up as a system service. Once you’ve confirmed that the tunnel is working as expected, you can terminate the manual run with Ctrl+C and proceed to the next step.

Step 7: Configuring Cloudflared as a System Service

For production environments, running Cloudflare Tunnel as a system service ensures it starts automatically on boot and recovers from failures. Ubuntu 24.04 LTS uses systemd for service management, making this process straightforward.

First, ensure your configuration files are properly placed:

  1. The tunnel credentials file should be at the path given by credentials-file in config.yml (/root/.cloudflared/<TUNNEL_UUID>.json in this guide)
  2. The config.yml file should be in /etc/cloudflared/

Next, install the service using the following command:

sudo cloudflared service install

This command creates a systemd service file at /etc/systemd/system/cloudflared.service with the appropriate configuration to run your tunnel.

Start the service and enable it to launch at boot:

sudo systemctl start cloudflared
sudo systemctl enable cloudflared

Verify that the service is running correctly:

sudo systemctl status cloudflared

The output should indicate that the service is active and running. You can also check the logs for any issues:

sudo journalctl -u cloudflared

With the service properly configured, your Cloudflare Tunnel will now:

  1. Start automatically when your system boots
  2. Restart automatically if it encounters errors
  3. Maintain persistent logs through journald

To manage the service, you can use standard systemctl commands:

  • sudo systemctl restart cloudflared – Restart the service
  • sudo systemctl stop cloudflared – Stop the service
  • sudo systemctl disable cloudflared – Prevent the service from starting at boot

This systemd integration ensures reliable operation of your tunnel in production environments.

Advanced Configurations

As your infrastructure evolves, you might need more sophisticated tunnel configurations to handle complex routing scenarios and high-availability requirements.

Multi-Service Routing

You can route traffic to multiple services through a single tunnel by expanding your ingress rules:

ingress:
  - hostname: app.example.com
    service: http://localhost:3000
  - hostname: api.example.com
    service: http://localhost:8080
  - hostname: admin.example.com
    service: http://10.0.0.10:8090
  - service: http_status:404

This configuration allows different subdomains to route to different internal services, all through the same tunnel.

Load Balancing and High Availability

For production environments requiring high availability, you can:

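  1. Run multiple tunnel instances across different servers
  2. Configure Cloudflare Load Balancing to distribute traffic between them
  3. Implement health checks to automatically route around failures

Origin connection settings in config.yml can be tuned alongside this setup:

# Additional origin connection settings to use alongside health checks
originRequest:
  connectTimeout: 10s     # give up on a TCP connection to the origin after 10 seconds
  noHappyEyeballs: true   # disable the Happy Eyeballs IPv4/IPv6 fallback algorithm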

Access Control with Cloudflare Zero Trust

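Enhance security by integrating with Cloudflare Access. Access applications and policies for a hostname are defined in the Cloudflare Zero Trust dashboard rather than in config.yml. On the tunnel side, the rule below connects to an HTTPS origin and verifies its certificate against an internal CA:

ingress:
  - hostname: internal.example.com
    service: https://localhost:8000        # caPool and noTLSVerify only apply to https:// origins
    originRequest:
      caPool: /etc/certs/internal-ca.pem   # CA bundle used to verify the origin certificate
      noTLSVerify: false                   # keep origin certificate verification enabled
  - service: http_status:404               # catch-all, required as the last rule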

These advanced configurations allow you to build sophisticated, secure networking solutions that scale with your infrastructure needs while maintaining the security benefits of Cloudflare Tunnels.

Troubleshooting and Maintenance

Even with careful setup, you may encounter issues with your Cloudflare Tunnel. Here are solutions to common problems and maintenance procedures to keep your tunnel operating smoothly.

Connection Issues

If your tunnel fails to connect to Cloudflare’s network:

  1. Check your internet connection and firewall settings
  2. Verify that outbound connections on port 7844 are allowed
  3. Ensure your credentials file is valid and accessible
  4. Examine logs for specific error messages: journalctl -u cloudflared -f

Service Connectivity Problems

If the tunnel connects but services aren’t accessible:

  1. Verify that you can reach the service directly from the cloudflared host:
    telnet localhost 80
  2. Check for firewalls between the cloudflared host and your services
  3. Review ingress rules in your configuration for errors
  4. Use packet capture tools like tcpdump to trace connection attempts

Updating Cloudflared

Regularly update the cloudflared client to benefit from security patches and new features:

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
sudo systemctl restart cloudflared

Performance Optimization

If you’re experiencing performance issues:

  1. Run cloudflared closer to your origin services to reduce latency
  2. Adjust timeout and keepalive settings in your configuration
  3. Consider upgrading server resources if handling high traffic volumes
  4. Monitor CPU and memory usage during peak periods

Regular maintenance and proactive monitoring will help ensure reliable operation of your Cloudflare Tunnel on Ubuntu 24.04 LTS.

Security Considerations

Implementing Cloudflare Tunnels significantly enhances your security posture, but it’s important to follow best practices to maximize protection.

Certificate Management

The credentials generated during tunnel creation are critical security assets:

  1. Restrict file permissions: chmod 600 /root/.cloudflared/*.json
  2. Back up credentials securely for disaster recovery
  3. Consider using a secrets management solution for production environments
  4. Rotate credentials periodically for sensitive applications
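
The permission advice here and in the Step 2 best practices can be checked mechanically. The following shell functions are an added example, not part of the original tutorial or of cloudflared: they audit a .cloudflared directory for cert.pem and tunnel credential files that are accessible to group or others, owned by a different user, or replaced by symlinks. The function names and the 700 mode on the directory are assumptions of this example, and it relies on GNU stat as shipped with Ubuntu.

```shell
# audit_cloudflared_dir DIR: print one finding per line for DIR itself,
# cert.pem and tunnel credential files (*.json).
# Returns 0 when clean, 1 on findings, 2 when DIR does not exist.
audit_cloudflared_dir() {
    dir=$1; bad=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    for path in "$dir" "$dir"/cert.pem "$dir"/*.json; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # absent file or unmatched glob
        if [ -L "$path" ]; then
            echo "symlink, target not checked: $path"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%u' "$path")
        case "$mode" in
            *00|0) ;;                                  # no group/other permission bits
            *) echo "group/other access (mode $mode): $path"; bad=1 ;;
        esac
        if [ "$owner" != "$(id -u)" ]; then
            echo "owned by uid $owner, not the current user: $path"; bad=1
        fi
    done
    return "$bad"
}

# harden_cloudflared_dir DIR: apply the 600 mode the tutorial recommends for
# the secrets, plus 700 on the directory (an addition of this example).
harden_cloudflared_dir() {
    chmod 700 "$1"
    for path in "$1"/cert.pem "$1"/*.json; do
        if [ -f "$path" ] && [ ! -L "$path" ]; then chmod 600 "$path"; fi
    done
}

# Audit the default location, or the directory given as the first argument.
audit_cloudflared_dir "${1:-$HOME/.cloudflared}" ||
    echo "review the output above; harden_cloudflared_dir fixes the modes"
```

Run it as the user that owns the files, for example with sudo and /root/.cloudflared as the argument when the tunnel runs as a system service.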

Access Controls

Layer additional security controls:

  1. Implement Cloudflare Access policies to require authentication
  2. Use Cloudflare WARP with device posture checks for zero-trust security
  3. Apply IP-based access rules within your internal network
  4. Enable Gateway policies to filter malicious traffic

Monitoring and Alerts

Establish comprehensive monitoring:

  1. Configure alerts for tunnel disconnections
  2. Review logs regularly for suspicious activity
  3. Monitor traffic patterns for anomalies
  4. Set up automated responses to potential security incidents

By combining Cloudflare Tunnels with these security practices, you create a robust defense-in-depth strategy that protects your Ubuntu 24.04 services from a wide range of threats.

Congratulations! You have successfully installed Cloudflare Tunnel. Thanks for using this tutorial to install Cloudflare Tunnel on your Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Cloudflare Tunnels website.


r00t
