cloudflared (Cloudflare Tunnel)
cloudflared is the daemon that connects my homelab to Cloudflare without opening ports on the router. I'm behind CGNAT, so traditional port forwarding does not work. Tunnels carry HTTPS from the Cloudflare edge to apps on the LAN.
What it does
Cloudflare terminates TLS at the edge. cloudflared maintains an outbound connection from my network to Cloudflare, so nothing needs to listen on the WAN. That is how stream.saxobroko.com, dsm.saxobroko.com, and the rest of the *arr stack reach TrueNAS.
For the full traffic picture, see Network.
Where it runs
| Setting | Value |
|---|---|
| Host | TrueNAS (Ugreen DXP 8800 Plus) @ 192.168.2.203 |
| Role | Cloudflare Tunnel connector for homelab services |
| Alternative | Some hostnames may route via NGINX Proxy Manager on the LAN — see NPM |
cloudflared is deployed as a TrueNAS app or Docker container (check Apps in the TrueNAS UI for the exact name). It should start automatically when TrueNAS boots.
Tunnel credentials and the Cloudflare dashboard config are not stored in this wiki — look in Vaultwarden or the Cloudflare Zero Trust console.
Which services use the tunnel
Most public *.saxobroko.com homelab URLs depend on the tunnel:
| Category | Examples |
|---|---|
| NAS admin | dsm.saxobroko.com |
| Media | stream.saxobroko.com, music.saxobroko.com, photos.saxobroko.com |
| Dashboard | dash.saxobroko.com |
| *arr stack | sonarr.saxobroko.com, radarr.saxobroko.com, etc. — see *arr stack |
| Auth / passwords | auth.saxobroko.com, vault.saxobroko.com |
Not on the tunnel: docs.saxobroko.com (Cloudflare Pages), status.saxobroko.com and weather.saxobroko.com (hosted elsewhere — see Monitoring).
Adding a new public hostname
When a new app is running on TrueNAS and I want it reachable from outside:
- Confirm the app works on LAN — note the internal IP and port (e.g. http://192.168.2.203:8096)
- Open Cloudflare Zero Trust → Networks → Tunnels → select the homelab tunnel
- Add a public hostname:
  - Public hostname: newapp.saxobroko.com
  - Service type: HTTP (or HTTPS if the app expects it)
  - URL: internal address from step 1
- DNS — Cloudflare usually creates the CNAME automatically; verify in the DNS dashboard
- WAF rules (if this is a private homelab app):
  - Add to block no aus (Australia-only access)
  - Add to localnet full strict ssl if SSL errors appear
- Add a Homepage tile — Homepage
- Update SaxDocs — add the URL to Network and Services
If the app needs path-based routing or multiple backends, I may front it with NPM first and point the tunnel at NPM instead.
Restarting cloudflared
Via TrueNAS Apps
- Open dsm.saxobroko.com or https://192.168.2.203
- Go to Apps (or Installed Applications)
- Find the cloudflared app
- Stop, wait a few seconds, Start
When to restart
- After changing tunnel hostnames in the Cloudflare dashboard (sometimes picks up immediately; restart if not)
- After TrueNAS updates that touch Docker networking
- When multiple *.saxobroko.com sites fail at once but LAN access still works
Troubleshooting
| Symptom | Likely cause | What to try |
|---|---|---|
| Site works on LAN, fails publicly | Tunnel down or wrong hostname mapping | Restart cloudflared; check Cloudflare tunnel config |
| 403 from outside Australia | block no aus WAF rule | Expected — test from AU or temporarily disable rule for debugging |
| SSL / certificate errors | Missing localnet full strict ssl rule | Add hostname to that rule in Cloudflare |
| All tunnel sites down | cloudflared container stopped | Restart app on TrueNAS; check TrueNAS is online |
| One site down, others fine | Wrong internal URL/port in tunnel config | Fix the public hostname → service mapping in Zero Trust |
| DNS resolves but connection times out | Old CNAME to local.saxobroko.com | Point DNS at the tunnel, not legacy A/CNAME — see Network |
Quick diagnostic order
- Can I reach the app on 192.168.2.203 (or its LAN port)?
- Is the cloudflared app Running in TrueNAS?
- Does Cloudflare DNS show a CNAME to <tunnel-id>.cfargotunnel.com?
- Is the hostname in the right WAF rules?
- Am I testing from Australia (or through an AU VPN)?
More general fixes: Common Issues
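A scripted version of the quick diagnostic order above, mapping what it finds onto the troubleshooting table. This is an added example, not something from the original page or from cloudflared itself; the LAN address and hostnames are the page's own, while the app port (8096) and the script name cf-diag.sh are assumed.

```shell
#!/bin/sh
# Added example (not from the original wiki page): runs the quick diagnostic
# order and prints one label from the troubleshooting table.
# Assumed: app port 8096, script saved as cf-diag.sh; needs curl and dig.

LAN_HOST="192.168.2.203"

# A CNAME target of the form <tunnel-id>.cfargotunnel.com means DNS points at the tunnel.
is_tunnel_cname() {
    case "$1" in
        *.cfargotunnel.com|*.cfargotunnel.com.) return 0 ;;
        *) return 1 ;;
    esac
}

# Map check results onto the troubleshooting table. Prints one label.
#   $1 lan_ok : yes/no, did the app answer on the LAN?
#   $2 cname  : public CNAME target; empty when the record is proxied (normal) or an A record
#   $3 http   : HTTP status seen from outside; "000" when no connection was made
diagnose() {
    if [ "$1" != "yes" ]; then
        echo "LAN_DOWN"        # fix the app / TrueNAS first; the tunnel is not the problem
    elif [ -n "$2" ] && ! is_tunnel_cname "$2"; then
        echo "DNS_LEGACY"      # old CNAME (e.g. local.saxobroko.com); point DNS at the tunnel
    elif [ "$3" = "403" ]; then
        echo "WAF_403"         # "block no aus" rule; test from AU
    elif [ "$3" = "000" ] || [ "${3#5}" != "$3" ]; then
        echo "TUNNEL"          # no answer or 5xx from the edge: restart cloudflared, check mapping
    else
        echo "OK"              # app reachable through the tunnel
    fi
}

# Live checks. Usage: sh cf-diag.sh newapp.saxobroko.com 8096
run_checks() {
    host=$1; port=${2:-80}; lan="no"
    # Step 1: LAN reachability of the app itself
    curl -s -o /dev/null --max-time 5 "http://$LAN_HOST:$port/" && lan="yes"
    # Step 3: a proxied tunnel hostname shows no public CNAME; a legacy CNAME does
    cname=$(dig +short CNAME "$host" | head -n 1)
    # Steps 4-5: what the edge answers from where this script runs
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$host/")
    diagnose "$lan" "$cname" "$code"
}

if [ $# -gt 0 ]; then run_checks "$@"; fi
```

Step 2 (is the cloudflared app Running in TrueNAS) is still a manual check in the TrueNAS UI.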
Security notes
- Tunnels are outbound only — no open WAN ports required
- Authentik protects some apps (e.g. Homepage) in addition to Cloudflare WAF
- Cloudflare account uses Yubikey 2FA — Yubikey
- Do not paste tunnel tokens or API keys into SaxDocs
Related
- Network — DNS, WAF, full URL list
- TrueNAS — where cloudflared runs
- Services — what the tunnel exposes
- Common Issues — site unreachable runbook