| Our Rating | |
|---|---|
| Affordability | ★★★★★ |
| Ease of Use | ★★★★☆ |
| Support | ★★★★★ |
| Overall | ★★★★★ |
In an era dominated by online interactions and digital connectivity, ensuring the speed, security, and reliability of internet connections has become a paramount concern. Cloudflared is a versatile tool from Cloudflare that serves two primary purposes: securing DNS resolution through encryption, and creating secure tunnels for self-hosted services. In this article, we’ll explore both capabilities with practical implementation guides.
Part 1: Secure DNS with Cloudflared
What is Cloudflared?
Cloudflared is a lightweight command-line tool developed by Cloudflare. At its core, it improves the speed, privacy, and security of DNS resolution by encrypting your DNS queries, so that ISPs and other on-path observers cannot read or alter your lookups. Encrypted DNS protects only the lookup itself: the IP addresses you then connect to remain visible to the network.
DNS (Domain Name System) is responsible for translating human-readable domain names (like www.example.com) into IP addresses that computers understand. Traditional DNS connections are unencrypted, exposing users to security risks including DNS spoofing and eavesdropping.

How DNS-over-HTTPS Works
Cloudflared acts as a proxy between your device and Cloudflare’s DNS servers (1.1.1.1). Here’s the flow:
- Query Initiation: Your device sends a DNS query to Cloudflared running locally
- Encryption: Cloudflared wraps the query in HTTPS encryption
- Tunnel to Cloudflare: The encrypted query travels to Cloudflare’s secure DNS servers
- Resolution: Cloudflare resolves the query and returns the IP address
- Encrypted Response: The response travels back through the encrypted tunnel
- Local Delivery: Cloudflared delivers the result to your device
Installing Cloudflared for DNS
Linux (Debian/Ubuntu)
# Add Cloudflare GPG key
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
# Add repository
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Install
sudo apt update
sudo apt install cloudflared
macOS
# Using Homebrew
brew install cloudflared
Windows
# Using winget
winget install Cloudflare.cloudflared
# Or download from: https://github.com/cloudflare/cloudflared/releases
Configuring DNS-over-HTTPS
# Start Cloudflared DNS proxy
sudo cloudflared service install
# Configure to use port 53 (standard DNS port)
sudo cloudflared service install --legacy dnsserver
# Enable and start the service
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
# Update system DNS to use localhost
sudo nano /etc/resolv.conf
# Change to:
# nameserver 127.0.0.1
Verifying Your Setup
# Test DNS resolution
dig example.com @127.0.0.1
# Check which DNS server you're using
dig whoami.cloudflare @127.0.0.1
# Run DNS leak test
# Visit: https://dnsleaktest.com

Part 2: Cloudflare Tunnels for Self-Hosting
The real power of Cloudflared for smart home enthusiasts is Cloudflare Tunnels—a way to expose local services to the internet without opening ports on your router.
Why Cloudflare Tunnels?
- No port forwarding – Works behind CGNAT and restrictive ISPs
- No public IP needed – Perfect for dynamic IP connections
- Automatic SSL – Cloudflare handles certificates
- DDoS protection – Traffic routes through Cloudflare’s edge network
- Zero Trust access – Add authentication without running your own auth server
Architecture Overview
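Clients connect to Cloudflare’s edge → the tunnel routes to your cloudflared daemon → the daemon forwards to your local service. The daemon only makes outbound connections to Cloudflare, which is why no inbound port has to be opened on your router.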

Setting Up a Tunnel
Step 1: Authenticate Cloudflared
# Authenticate with your Cloudflare account
cloudflared tunnel login
# This will open a browser window to authorize
# Select your domain when prompted
Step 2: Create a Tunnel
# Create a named tunnel
cloudflared tunnel create homeassistant
# Note the tunnel ID output
# Example: tunnel ID: 6ff42ae2-765d-4adf-8c4f-5a1b2c3d4e5f
Step 3: Configure the Tunnel
# Create configuration file
mkdir -p ~/.cloudflared
nano ~/.cloudflared/config.yml
Add your tunnel configuration:
tunnel: <YOUR_TUNNEL_ID>
credentials-file: /home/youruser/.cloudflared/<YOUR_TUNNEL_ID>.json
ingress:
  # Home Assistant
  - hostname: home.yourdomain.com
    service: http://192.168.1.100:8123
  # Nextcloud
  - hostname: cloud.yourdomain.com
    service: http://192.168.1.101:80
  # Grafana
  - hostname: grafana.yourdomain.com
    service: http://192.168.1.102:3000
  # Catch-all rule (required)
  - service: http_status:404
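How the ingress list above is evaluated, as an added example (a model written for this article, not cloudflared's own code): rules are tried top to bottom and the first match wins, so ordering and the final catch-all matter. The rule dicts are a constructed copy of the config, `matches`, `resolve`, `is_local` and `lint` are hypothetical helper names, and wildcard handling is a simplified suffix match. The linter also reports origins reached over plain `http://` on another host, since that hop from the daemon to the service crosses the LAN unencrypted.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the ingress list from the config.yml above, already parsed.
INGRESS = [
    {"hostname": "home.yourdomain.com", "service": "http://192.168.1.100:8123"},
    {"hostname": "cloud.yourdomain.com", "service": "http://192.168.1.101:80"},
    {"hostname": "grafana.yourdomain.com", "service": "http://192.168.1.102:3000"},
    {"service": "http_status:404"},
]

def matches(rule: dict, host: str) -> bool:
    pattern = rule.get("hostname")
    if not pattern:
        return True                        # no hostname: matches every request
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # simplified wildcard model
    return host == pattern

def resolve(rules: list, host: str):
    """Rules are evaluated top to bottom; the first match wins."""
    return next((r["service"] for r in rules if matches(r, host)), None)

def is_local(hostname: str) -> bool:
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return hostname == "localhost"

def lint(rules: list) -> list:
    findings = []
    if not rules or rules[-1].get("hostname"):
        findings.append("missing catch-all: last rule must have no hostname")
    for i, rule in enumerate(rules):
        host = rule.get("hostname")
        for prev in rules[:i]:
            # An earlier catch-all hides everything after it; otherwise an
            # earlier rule hides this one if it already matches our hostname.
            if not prev.get("hostname") or (host and matches(prev, host)):
                findings.append(f"rule {i} ({host or 'catch-all'}) is unreachable")
                break
        origin = urlsplit(rule["service"])
        if origin.scheme == "http" and not is_local(origin.hostname or ""):
            findings.append(f"rule {i}: plaintext http to {origin.hostname}")
    return findings
```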
Step 4: Create DNS Records
# Create DNS records for your services
cloudflared tunnel route dns homeassistant home.yourdomain.com
cloudflared tunnel route dns homeassistant cloud.yourdomain.com
cloudflared tunnel route dns homeassistant grafana.yourdomain.com
Step 5: Run the Tunnel
# Test the tunnel
cloudflared tunnel run homeassistant
# Or run as a systemd service
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

Docker Configuration
For Home Assistant or other Docker setups, you can run cloudflared as a container:
# docker-compose.yml
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    # The token authorizes running this tunnel: keep this file out of version control
    command: tunnel --no-autoupdate run --token <YOUR_TUNNEL_TOKEN>
    # Or use config file:
    # volumes:
    #   - ./cloudflared:/etc/cloudflared:ro
    # command: tunnel --config /etc/cloudflared/config.yml run
Adding Authentication with Cloudflare Access
Protect your services without running your own authentication server:
- Go to Cloudflare Zero Trust dashboard
- Navigate to Access → Applications
- Add an application for your hostname
- Configure policies (email, GitHub, Google login)
- Users authenticate before accessing your service
# Illustrative sketch of an Access policy (pseudo-configuration; the policy itself is created in the dashboard steps above)
[[routes]]
pattern = "home.yourdomain.com/*"
zone_id = "<YOUR_ZONE_ID>"
[access]
type = "application"
policies = [
  {
    name = "Family Access"
    include = ["email:[email protected]"]
  }
]
Benefits of Using Cloudflared
For DNS-over-HTTPS
- Improved Privacy: Encrypt DNS queries, preventing ISP tracking
- Enhanced Security: Protect against DNS spoofing and man-in-the-middle attacks
- Faster Resolution: Cloudflare’s globally distributed network
- Bypass Censorship: Access blocked content in restrictive regions
For Cloudflare Tunnels
- No Port Forwarding: Works behind carrier-grade NAT (CGNAT)
- Security: No exposed ports on your router
- Simplicity: One tool for multiple services
- Professional Setup: Automatic SSL with custom domains
- Free Tier: Generous free limits for personal use
Common Use Cases
| Use Case | Configuration |
|---|---|
| Home Assistant | service: http://homeassistant.local:8123 |
| Nextcloud | service: http://nextcloud.local:80 |
| Plex/Jellyfin | service: http://media.local:32400 |
| Code Server | service: http://code.local:8443 |
| Grafana | service: http://grafana.local:3000 |
Troubleshooting
Tunnel Won’t Start
# Check cloudflared logs
journalctl -u cloudflared -f
# Verify tunnel credentials
ls -la ~/.cloudflared/
# Test connectivity
cloudflared tunnel info homeassistant
DNS Not Resolving
# Make sure the DNS record for the hostname has been created (this command creates it)
cloudflared tunnel route dns homeassistant home.yourdomain.com
# Check DNS propagation
dig home.yourdomain.com
Service Not Accessible
# Test local service is running
curl http://192.168.1.100:8123
# Check tunnel ingress rules in the config file
cloudflared tunnel ingress validate
# Verify tunnel is running
cloudflared tunnel list
The Bottom Line
Cloudflared is an essential tool for anyone serious about network privacy or self-hosting services. The DNS-over-HTTPS functionality protects your browsing from ISP surveillance, while Cloudflare Tunnels eliminates the need for port forwarding and provides professional-grade security for home servers.
For Home Assistant users, Cloudflare Tunnels is often the easiest way to get remote access—no router configuration, no dynamic DNS, and automatic SSL certificates. Combined with Cloudflare Access, you get enterprise-grade authentication for free.