2024-03-04-CloudFlare Tunnel Free Intranet Penetration Concise Tutorial - Minority Report

CloudFlare Tunnel Free Intranet Penetration Concise Tutorial - Minimalist#

CloudFlare Tunnel Free Intranet Penetration Concise Tutorial

  • Expose local network services to the public network, which can be understood as intranet penetration. For example, we have set up a Transmission service for BT download on a local server We can only access this service in the intranet environment, but through intranet penetration technology, we can access the service in any wide area network environment. Compared with traditional penetration services like NPS, Tunnel does not require a public cloud server, and it comes with domain name resolution, eliminating the need for DDNS and public IP.
  • Forward unconventional port services to the conventional ports 80/443. Whether using a public IP + DDNS or traditional intranet penetration service, it is inevitable to use unconventional ports for access. If some services use complex redirection, it may cause the port number to be lost in the URL and cause uncontrollable problems, which is also not elegant.
  • Automatically provide HTTPS certification for your domain.
  • Provide additional protection and authentication for your services.
  • Most importantly - it's free.

Tunnel communicates with the Cloudflare cloud by running a Cloudflare daemon on the local network, forwarding cloud requests to the local network's IP + port.


  • Have a domain name
  • Delegate domain name DNS resolution to CF
  • Have a local server in the intranet to run the local cloudflared program that communicates with Cloudflare
  • A dual-currency credit card in Mainland China (only used to add payment methods, the service is free)

Getting Started#

1. Open the Cloudflare Zero Trust workspace panel#

2. Create Cloudflare Zero Trust, select the free plan. Provide a payment method, and use a dual-currency card in Mainland China.#


Fill in the team name, fill in at will


Select the free plan


Add payment method


Fill in credit card information (for verification only, no charges will be made), and complete the configuration

3. After completion, create a Tunnel in Access Tunnels.#


Create a Tunnel

4. Choose the Cloudflared deployment method.#

Tunnel needs to establish a channel between the cloud and the local network through Cloudflared. It is recommended to choose Docker deployment of Cloudflared daemon to use the Tunnel function.


Get the Cloudflared startup command and token

Click the copy button to copy the command and run it on the local network host. We can also add --name cloudflared -d --restart unless-stop to the Docker container to add a name and run it in the background. You can use the modified command below to create the Docker, be sure to replace it with your own token (the long string of characters after --token in the webpage)

docker run --name cloudflared -d --restart unless-stop cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <YourToken>

5. Configure the domain name and forwarding URL#

Configure a subdomain for your domain name, leave the Path blank, and fill in the IP and port number of the intranet service in the URL field. Note that it is recommended to use HTTP in the Type field because Cloudflare will automatically provide HTTPS for you. Therefore, the forwarding target here can be an HTTP service port.


Configure the intranet target IP+port


Next, access the configured third-level domain name, for example, (yes, you read it right, it's https, Cloudflare has automatically provided an HTTPS certificate for the domain name), and you can access the non-public port service in the intranet. You can add multiple third-level domain names to a Tunnel to redirect to different intranet services, just add them in the Public Hostname section on the Tunnel page.

Add additional authentication for your service#

If you think that exposing the intranet service directly in this way has a higher security risk, we can also use the Application feature to add additional security authentication to the service.

  1. Click Application - Get started.


Create an Application

  1. Choose Self-hosted.


Choose the type

  1. Fill in the configuration, note that the Subdomain and Domain need to use the same Domain configuration as the Tunnel service just created.


Configure the third-level domain name

  1. Choose the authentication method. Fill in the Policy name (arbitrary). In the Include area, select the authentication method. The example image uses the Email domain method, which requires users to use the specified email domain (such as for verification when accessing the network. This method is more suitable for enterprise email users with custom domains. In addition, you can also specify specific complete email addresses, IP address ranges, and other methods.


Choose the authentication method

  1. Complete the addition


At this time, when accessing, you will see an additional verification page on the website. Use the domain name email set just now to receive the verification code for access.



In addition to directly forwarding http services mentioned above, Tunnel also supports forwarding of protocols such as RDP and SSH, with various possibilities waiting for exploration. As a free service, with simple configuration and low usage requirements, it is suitable for Self-hosted players to try. However, please note that Tunnel is not fast for accessing in China and there may be interruptions, so please use it accordingly.

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.