Want to securely access your Raspberry Pi from anywhere without port forwarding?
This tutorial walks you through setting up Cloudflare Zero Trust with a managed tunnel to expose your Pi’s services safely.
📝 0. Prerequisites: Register Cloudflare Zero Trust
- Log in to your Cloudflare Dashboard
- Sign up for Zero Trust (Free plan is enough)
- Buy a domain (e.g., from Hostinger or Namecheap)
- Add the domain to Cloudflare:
  - Go to Add a Site in Cloudflare
  - Enter your domain
  - Choose Quick scan → Free Plan → Continue
  - Cloudflare will provide nameservers
  - Update your domain's nameservers via your registrar (e.g., Hostinger)
  - Wait for DNS propagation (~10 min–24 hours)
- Once active, you’re ready to create your tunnel
🔧 1. Install Cloudflare Connector on Raspberry Pi
SSH into your Raspberry Pi and run:
Add the GPG key:
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
Add the Cloudflare repository:
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
Install cloudflared:
sudo apt update && sudo apt install cloudflared -y
🌐 2. Connect Tunnel to Cloudflare
In Cloudflare Dashboard (Zero Trust → Networks → Tunnels), create a new tunnel.
Then run the command provided, e.g.:
sudo cloudflared service install <TUNNEL-TOKEN>
This registers and installs the tunnel as a systemd service. Treat the token as a secret: anyone who has it can run a connector for this tunnel.
⚙️ 3. Enable and Start the Tunnel Service
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
Check status:
sudo systemctl status cloudflared
🌍 4. Install Nginx on Raspberry Pi
sudo apt update
sudo apt install nginx -y
The default page is served at http://localhost:80.
🧭 5. Add a Public Hostname in Cloudflare
In Cloudflare Dashboard:
- Go to Zero Trust → Networks → Tunnels
- Select your tunnel → click Public Hostnames
- Click Add a Hostname
  - Hostname: example.com
  - Service: http://localhost:80
This will expose your Pi’s Nginx page to the internet. Until you add an Access policy (step 7), anyone who knows the hostname can reach it.
✅ 6. Test It!
Now try visiting:
https://example.com
You should see the default Nginx page — securely tunneled through Cloudflare!
🛠️ Optional: Customize Nginx Page
Edit the default HTML:
sudo nano /var/www/html/index.nginx-debian.html
Then restart Nginx:
sudo systemctl restart nginx
🔒 7. Access Securely with Zero Trust Policies
Want to restrict access to only you or your team?
- Go to Zero Trust → Access → Applications
- Add a new Web or SSH application
- Set rules: e.g., Google login, email domain, OTP, etc.
Now, services like SSH or a web dashboard can only be accessed by authenticated users.
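To confirm the policy is actually enforced, request the hostname without logging in and check what comes back. The script below is an added example, not part of the original tutorial; it assumes Access redirects logged-out visitors to a `<team>.cloudflareaccess.com` login page, and the team name `myteam` and the sample headers are constructed.

```bash
#!/usr/bin/env bash
# Added example: confirm an unauthenticated request is stopped by Cloudflare Access.

# Classify a response by status code and Location header.
# Prints one of: protected | public | blocked | unknown
access_verdict() {
  case "$1" in
    301|302|303|307|308)
      # Assumption: Access sends logged-out visitors to the team login domain.
      case "$2" in
        https://*.cloudflareaccess.com/*) echo protected ;;
        *) echo unknown ;;
      esac ;;
    2??) echo public ;;        # content returned with no login at all
    401|403) echo blocked ;;   # denied, but not through the Access login flow
    *) echo unknown ;;
  esac
}

# Read raw response headers (as printed by `curl -sI`) on stdin and classify them.
verdict_from_headers() {
  headers="$(tr -d '\r')"
  status="$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')"
  location="$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')"
  access_verdict "$status" "$location"
}

# Live check: HEAD request, no cookies, redirects not followed.
check_host() {
  curl -sS -I --max-time 10 "https://$1/" | verdict_from_headers
}

# Constructed sample responses (team name "myteam" is a placeholder).
sample_protected() {
  printf 'HTTP/2 302 \r\nlocation: https://myteam.cloudflareaccess.com/cdn-cgi/access/login/example.com\r\n\r\n'
}
sample_public() {
  printf 'HTTP/2 200 \r\nserver: cloudflare\r\ncontent-type: text/html\r\n\r\n'
}

# Usage: bash check-access.sh example.com   (with no argument, classify the samples)
if [ "$#" -gt 0 ]; then
  check_host "$1"
else
  echo "sample_protected: $(sample_protected | verdict_from_headers)"
  echo "sample_public:    $(sample_public | verdict_from_headers)"
fi
```

A `public` verdict after step 7 means the Access application does not cover that hostname or path.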
🚀 Why Use Cloudflare Tunnel?
✅ No port forwarding
✅ Works behind NAT/CGNAT
✅ Encrypted in transit by default (TLS from the visitor to Cloudflare's edge, encrypted tunnel from the edge to your Pi)
✅ Easy dashboard management
✅ Supports access policies (SSO, OTP, etc.)
Happy homelabbing! 🧪🌐