The latest articles on DEV Community by Ghazi Alchammat (@galchammat). https://dev.to/galchammat https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3742600%2F7302653b-39b2-48a8-a9ba-90a2b46345ed.jpeg https://dev.to/galchammat en Ghazi Alchammat Sun, 22 Feb 2026 23:06:42 +0000 https://dev.to/galchammat/accessing-servers-behind-strict-firewalls-using-cloudflare-46pp https://dev.to/galchammat/accessing-servers-behind-strict-firewalls-using-cloudflare-46pp <h1> Notes on Using Cloudflare Tunnel </h1> <p>I’ve been using Cloudflare Tunnel in a few different setups.</p> <p>One use case is remote development. I run <code>cloudflared</code> on my machine and expose SSH through a tunnel. The server establishes an outbound connection to Cloudflare. Access is controlled through Cloudflare Access with OTP.</p> <p>Cloudflare also provides browser-based SSH. From a phone, including an iPhone, I can open Safari, authenticate, and obtain a terminal session directly in the browser. No separate SSH client is required in that scenario.</p> <h2> SSH Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flowchart LR A[Local Machine] --&gt; B[cloudflared] B --&gt; C[Cloudflare Edge] C --&gt; D["Access Policy (OTP)"] D --&gt; E[Browser SSH Session] </code></pre> </div> <p>The local machine maintains the outbound tunnel. Authentication is handled at the edge before a session is established.</p> <h2> Exposing Web Services </h2> <p>I have also used Cloudflare Tunnel to expose small web services from networks where I do not control public IP configuration. The machine connects outward to Cloudflare, and traffic is routed back through that connection.</p> <p>This allows a static site or internal tool to be reachable without managing NAT rules or dynamic DNS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flowchart LR U[User] --&gt; DNS[Cloudflare DNS] DNS --&gt; Edge[Cloudflare Edge] Edge --&gt; Tunnel[Cloudflare Tunnel] Tunnel --&gt; Service[Local Web Service] </code></pre> </div> <h2> Replacing Tailscale in Some Cases </h2> <p>For personal use, this has replaced Tailscale in cases where I only need secure access to a single machine or service. Instead of maintaining a private mesh network, access is enforced through Cloudflare’s identity layer.</p> <p>This is not a universal replacement for private networking, but for individual services it simplifies the setup.</p> <h2> Potential Kubernetes Pairing </h2> <p>Cloudflare Tunnel can also be paired with Kubernetes. A cluster can sit behind a tunnel, with ingress routed through Cloudflare while pods remain private inside the cluster. The Kubernetes API server and internal services can be placed behind Access policies.</p> <p>I have not deployed that configuration yet, but the pattern follows the same outbound tunnel model.</p> <h2> Summary </h2> <p>Cloudflare Tunnel provides:</p> <ul> <li>Outbound-only connectivity</li> <li>Identity-gated access (OTP / Access policies)</li> <li>SSH</li> <li>DNS and TLS integration at the edge</li> <li>A practical way to expose services from constrained networks</li> </ul> <p>For remote access and lightweight hosting, it simplifies infrastructure without requiring direct exposure of the underlying system.</p> cloudflare networking devops