
cloudflared (Cloudflare Tunnel)

cloudflared is the daemon that connects my homelab to Cloudflare without opening ports on the router. I'm behind CGNAT, so traditional port forwarding does not work. The tunnel carries traffic from the Cloudflare edge to cloudflared, which forwards it to the apps on the LAN.

What it does

Browser → Cloudflare DNS/WAF → Tunnel → cloudflared on TrueNAS → app (Docker / TrueNAS UI)

Cloudflare terminates TLS at the edge. cloudflared maintains an outbound connection from my network to Cloudflare, so nothing needs to listen on the WAN. That is how stream.saxobroko.com, dsm.saxobroko.com, and the rest of the *arr stack reach TrueNAS.

For the full traffic picture, see Network.

Where it runs

| Setting | Value |
| --- | --- |
| Host | TrueNAS (Ugreen DXP 8800 Plus) @ 192.168.2.203 |
| Role | Cloudflare Tunnel connector for homelab services |
| Alternative | Some hostnames may route via NGINX Proxy Manager on the LAN (see NPM) |

cloudflared is deployed as a TrueNAS app or Docker container (check Apps in the TrueNAS UI for the exact name). It should start automatically when TrueNAS boots.

Tunnel credentials and the Cloudflare dashboard config are not stored in this wiki — look in Vaultwarden or the Cloudflare Zero Trust console.

Which services use the tunnel

Most public *.saxobroko.com homelab URLs depend on the tunnel:

| Category | Examples |
| --- | --- |
| NAS admin | dsm.saxobroko.com |
| Media | stream.saxobroko.com, music.saxobroko.com, photos.saxobroko.com |
| Dashboard | dash.saxobroko.com |
| *arr stack | sonarr.saxobroko.com, radarr.saxobroko.com, etc. (see *arr stack) |
| Auth / passwords | auth.saxobroko.com, vault.saxobroko.com |

Not on the tunnel: docs.saxobroko.com (Cloudflare Pages), status.saxobroko.com and weather.saxobroko.com (hosted elsewhere — see Monitoring).

Adding a new public hostname

When a new app is running on TrueNAS and I want it reachable from outside:

  1. Confirm the app works on the LAN and note the internal IP and port (e.g. http://192.168.2.203:8096).
  2. Open Cloudflare Zero Trust → Networks → Tunnels and select the homelab tunnel.
  3. Add a public hostname:
     • Public hostname: newapp.saxobroko.com
     • Service type: HTTP (or HTTPS if the app expects it)
     • URL: the internal address from step 1
  4. DNS: Cloudflare usually creates the CNAME automatically; verify it in the DNS dashboard.
  5. WAF rules (if this is a private homelab app):
     • Add the hostname to block no aus (Australia-only access)
     • Add it to localnet full strict ssl if SSL errors appear
  6. Add a Homepage tile (see Homepage).
  7. Update SaxDocs: add the URL to Network and Services.

If the app needs path-based routing or multiple backends, I may front it with NPM first and point the tunnel at NPM instead.

Restarting cloudflared

Via TrueNAS Apps

  1. Open dsm.saxobroko.com or https://192.168.2.203
  2. Go to Apps (or Installed Applications)
  3. Find the cloudflared app
  4. Stop, wait a few seconds, Start

When to restart

  • After changing tunnel hostnames in the Cloudflare dashboard (sometimes picks up immediately; restart if not)
  • After TrueNAS updates that touch Docker networking
  • When multiple .saxobroko.com sites fail at once but LAN access still works

Troubleshooting

| Symptom | Likely cause | What to try |
| --- | --- | --- |
| Site works on LAN, fails publicly | Tunnel down or wrong hostname mapping | Restart cloudflared; check the Cloudflare tunnel config |
| 403 from outside Australia | block no aus WAF rule | Expected; test from AU or temporarily disable the rule for debugging |
| SSL / certificate errors | Missing localnet full strict ssl rule | Add the hostname to that rule in Cloudflare |
| All tunnel sites down | cloudflared container stopped | Restart the app on TrueNAS; check TrueNAS is online |
| One site down, others fine | Wrong internal URL/port in tunnel config | Fix the public hostname → service mapping in Zero Trust |
| DNS resolves but connection times out | Old CNAME to local.saxobroko.com | Point DNS at the tunnel, not the legacy A/CNAME (see Network) |

Quick diagnostic order

  1. Can I reach the app on 192.168.2.203 (or its LAN port)?
  2. Is the cloudflared app Running in TrueNAS?
  3. Does Cloudflare DNS show a CNAME to <tunnel-id>.cfargotunnel.com?
  4. Is the hostname in the right WAF rules?
  5. Am I testing from Australia (or through an AU VPN)?
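The pre-flight for a new hostname (steps 1 and 4 above) and the quick diagnostic order are the same handful of probes, so here they are as a script. This is an added example for this wiki, not a Cloudflare or TrueNAS tool: it assumes curl and dig are available where it runs, that the cloudflared app on TrueNAS is a Docker container whose name contains "cloudflared" (check Apps for the real name), and it uses the page's 192.168.2.203 origin. The classify function maps what the public probe saw onto the troubleshooting table; the HTTP 502 / 530 meanings are Cloudflare's (cloudflared answers 502 when it cannot reach the service URL, the edge answers 530 when no connector is online).

```shell
#!/bin/sh
# tunnelcheck.sh: scripted version of the quick diagnostic order.
# Added example for SaxDocs, not a Cloudflare tool. Assumptions: curl and dig
# installed; cloudflared runs as a Docker container on TrueNAS whose name
# contains "cloudflared"; origin defaults to http://192.168.2.203.
set -u

# Step 1: HTTP status from the origin on the LAN ("000" when nothing answers).
lan_status() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null || true
}

# Step 2 (run this on TrueNAS itself): is a cloudflared container running?
cloudflared_running() {
    docker ps --filter 'name=cloudflared' --filter 'status=running' \
        --format '{{.Names}}' 2>/dev/null | grep -q .
}

# Step 3: the <tunnel-id>.cfargotunnel.com CNAME is only visible in the
# Cloudflare DNS dashboard. A proxied record answers the public with Cloudflare
# edge addresses, so from outside we can only confirm the name resolves at all.
dns_resolves() {
    [ -n "$(dig +short "$1" 2>/dev/null)" ]
}

# stdin: raw HTTP response headers. Prints "<status> <server>", e.g. "403 cloudflare".
parse_headers() {
    awk '{ sub(/\r$/, "") }
         NR == 1 { code = $2 }
         tolower($1) == "server:" { srv = tolower($2) }
         END { printf "%s %s\n", (code == "" ? "000" : code), (srv == "" ? "none" : srv) }'
}

# Public probe through Cloudflare: status code plus the Server header.
public_probe() {
    curl -s -o /dev/null -D - -m 10 "https://$1/" 2>/dev/null | parse_headers
}

# Map the public probe result onto the troubleshooting table.
# $1 = HTTP status, $2 = Server header value (lowercase)
classify() {
    case "$1" in
        000)     echo "no-connection: name does not resolve or nothing answers; check DNS points at the tunnel, not a legacy A/CNAME" ;;
        2??|3??) echo "ok" ;;
        403)     if [ "$2" = "cloudflare" ]; then
                     echo "waf-block: expected outside Australia (block no aus); retest from AU"
                 else
                     echo "origin-403: the app itself refused; check its auth"
                 fi ;;
        502)     echo "origin-unreachable: tunnel is up but cloudflared cannot reach the service URL/port; fix the hostname mapping" ;;
        530)     echo "tunnel-down: Cloudflare has no connector for this tunnel; restart cloudflared on TrueNAS" ;;
        525|526) echo "tls: Cloudflare could not complete TLS toward the origin side; check the hostname's SSL rule" ;;
        *)       echo "unknown-$1: compare against the troubleshooting table" ;;
    esac
}

run_checks() {
    host=$1 origin=$2
    printf 'LAN  %s -> %s\n' "$origin" "$(lan_status "$origin")"
    if dns_resolves "$host"; then
        printf 'DNS  %s resolves (CNAME target only visible in the dashboard)\n' "$host"
    else
        printf 'DNS  %s does not resolve\n' "$host"
    fi
    probe=$(public_probe "$host")
    printf 'EDGE %s -> %s\n' "$host" "$probe"
    set -- $probe
    classify "$1" "$2"
}

# Usage: TUNNEL_HOST=newapp.saxobroko.com ORIGIN_URL=http://192.168.2.203:8096 sh tunnelcheck.sh
if [ -n "${TUNNEL_HOST:-}" ]; then
    run_checks "$TUNNEL_HOST" "${ORIGIN_URL:-http://192.168.2.203}"
fi
```

Run it from outside the LAN (or through an AU VPN, per step 5) to see what Cloudflare's edge returns; run the LAN and container checks from TrueNAS. A 403 with Server: cloudflare from overseas is the geo rule doing its job, not a fault.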

More general fixes: Common Issues

Security notes

  • Tunnels are outbound only — no open WAN ports required
  • The public URL is HTTPS because Cloudflare terminates TLS at the edge; the last hop from cloudflared to an app published with Service type HTTP is plaintext on the LAN
  • Any public hostname is reachable from the internet unless block no aus (or Authentik) is in front of it, so add private apps to the WAF rule as part of publishing them
  • Authentik protects some apps (e.g. Homepage) in addition to Cloudflare WAF
  • Cloudflare account uses Yubikey 2FA — Yubikey
  • Do not paste tunnel tokens or API keys into SaxDocs