Introduction
Looking for a secure way to access your Raspberry Pi remotely without exposing your home network? Cloudflare Tunnel (formerly Argo Tunnel) provides a secure pathway to your Raspberry Pi without the need for port forwarding or exposing your IP address. This guide will walk you through the complete setup process.
What is Cloudflare Tunnel?
Cloudflare Tunnel creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight daemon, cloudflared. This ensures:
- No inbound ports need to be opened on your firewall
- Your IP address remains hidden from the public internet
- All traffic is encrypted and protected against DDoS attacks
Prerequisites
Before we begin, ensure you have:
- Raspberry Pi 3 or newer
- Raspberry Pi OS (64-bit recommended)
- Cloudflare account with active domain
- Domain DNS managed by Cloudflare
- Basic knowledge of terminal commands
Environment Setup
Hardware Requirements
- Raspberry Pi 3/4/5
- Stable internet connection
- Power supply
- MicroSD card (16GB+ recommended)
Software Requirements
- Raspberry Pi OS Bookworm or newer
- Terminal access (SSH or direct)
sudoprivileges
Step 1: Initial Cloudflare Configuration
Create Zero Trust Organization
- Navigate to Cloudflare Zero Trust Dashboard
- Select your organization or create a new one
- Access the Zero Trust section
Configure Tunnel
- Go to “Access” → “Tunnels”
- Click “Create Tunnel”
- Assign a memorable name (e.g., “raspberry-home”)
- Save the tunnel token securely
Step 2: Cloudflared Installation
First, install the Cloudflare package repository and GPG key:
# Install required dependencies
sudo apt-get update
sudo apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
# Add Cloudflare GPG key
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
# Add Cloudflare repository
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | \
sudo tee /etc/apt/sources.list.d/cloudflared.list
# Update and install cloudflared
sudo apt-get update
sudo apt-get install cloudflared
Verify the installation:
cloudflared version
Step 3: Tunnel Authentication
Login to Cloudflare
sudo cloudflared tunnel login
Follow the browser prompts to authenticate.
Create and Configure Tunnel
# Create tunnel
sudo cloudflared tunnel create raspberry-tunnel
# Note the Tunnel ID for later use
Create the configuration file:
sudo mkdir -p /etc/cloudflared
sudo nano /etc/cloudflared/config.yml
Add the following configuration:
tunnel: YOUR_TUNNEL_ID
credentials-file: /root/.cloudflared/YOUR_TUNNEL_ID.json
ingress:
# Route traffic to your local service
- hostname: raspberry.yourdomain.com
service: http://localhost:80
# Catch-all rule
- service: http_status:404
Step 4: DNS Configuration
Add DNS Route
- In Cloudflare Zero Trust Dashboard:
- Select your tunnel
- Click “Configure”
- Add a public hostname:
hostname: raspberry.yourdomain.com service: http://localhost:80
Verify DNS
- Go to Cloudflare DNS Dashboard
- Confirm CNAME record:
- Name: raspberry
- Target: YOUR_TUNNEL_ID.cfargotunnel.com
Step 5: Service Configuration
Create a systemd service for automatic startup:
# Install as a service
sudo cloudflared service install
# Start the service
sudo systemctl start cloudflared
# Enable auto-start
sudo systemctl enable cloudflared
Step 6: Security Hardening
Access Policies
Configure Access policies in Cloudflare Zero Trust:
- Go to “Access” → “Applications”
- Create new application
- Set authentication rules:
- Email domains
- Identity providers
- Multi-factor authentication
SSL/TLS Configuration
Enable strict SSL mode in Cloudflare:
- SSL/TLS → Overview
- Set mode to “Full (strict)”
- Enable “Always Use HTTPS”
Testing and Verification
Check Service Status
# View service status
sudo systemctl status cloudflared
# Check logs
sudo journalctl -u cloudflared -f
# Verify tunnel
cloudflared tunnel info YOUR_TUNNEL_NAME
Connection Testing
- Access
https://raspberry.yourdomain.com - Verify SSL certificate
- Test authentication policies
Troubleshooting
Common Issues and Solutions
-
Connection Refused
# Check if local service is running sudo systemctl status nginx # or your service # Verify cloudflared logs sudo journalctl -u cloudflared -n 50 -
DNS Issues
- Verify DNS propagation:
dig raspberry.yourdomain.com - Check Cloudflare DNS settings
- Verify DNS propagation:
-
Authentication Failures
- Review Access policies
- Check browser console for errors
- Verify identity provider configuration
Performance Optimization
Tunnel Performance
# Monitor tunnel metrics
cloudflared tunnel info YOUR_TUNNEL_NAME
# Check connection quality
ping raspberry.yourdomain.com
Service Monitoring
Set up monitoring using Cloudflare Analytics:
- Enable Tunnel metrics
- Monitor latency and uptime
- Set up alerts for downtime
Security Best Practices
-
Regular Updates
# Update cloudflared sudo apt-get update sudo apt-get upgrade cloudflared -
Access Controls
- Implement least privilege access
- Use time-based access rules
- Enable audit logging
-
Network Security
- Use isolated networks
- Implement firewall rules
- Monitor traffic patterns
Conclusion
You now have a secure, reliable way to access your Raspberry Pi remotely through Cloudflare Tunnel. This setup provides:
- Zero-trust security model
- DDoS protection
- SSL/TLS encryption
- No exposed IP addresses
- Automatic failover and high availability
Additional Resources
Updates and Maintenance
Remember to:
- Regularly update
cloudflared - Monitor service status
- Review access logs
- Update security policies
- Keep Raspberry Pi OS updated
For questions or feedback, please leave a comment below or visit our GitHub repository.
Last updated: December 3, 2023