Lawful, privacy-focused publishing
Cloudflare Tunnel home hosting without exposing your IP address
This guide shows how to hide your home IP from visitors with Cloudflare Tunnel, weigh the real costs around the setup, and decide when VPN routing or GhostlyShare is the better fit.
The privacy boundary is key: visitors don’t need your residential IP, but Cloudflare still knows your account, and a VPN provider can see you’re connecting to Cloudflare.
This is intended for legitimate self-hosting, testing, publishing, and research. It does not support fraud, malware, phishing, harassment, or illegal activities.
Contents
Cloudflare Tunnel costs and setup options
Short answer: Cloudflare Tunnel is often enough for a small test or hobby site, but do not budget only for the tunnel. The real costs usually come from the domain, optional VPN routing, always-on hardware or a VPS alternative.
| Cost item | When it matters | How to plan it |
|---|---|---|
| Cloudflare Tunnel and cloudflared | Needed for the stable public route from Cloudflare to your local service. | For many small tests, the tunnel itself can start without a separate tunnel bill. Check Cloudflare's current limits before you depend on it. |
| Domain and DNS | Needed when the site should have a real hostname instead of a temporary preview URL. | Plan this as a yearly registrar cost, and keep owner data, payment method and account recovery in your privacy model. |
| Optional VPN routing | Only needed when Cloudflare should see a VPN exit IP instead of the connector's residential IP. | Treat it as a monthly provider cost. A kill switch and stable routing matter more than the cheapest plan. |
| Always-on home hardware | Needed when the tunnel should run without depending on your daily laptop. | Budget for a Raspberry Pi, mini PC or Windows host, plus electricity, updates, backups and replacements. |
| VPS or GhostlyShare alternative | Use a VPS for a stable public server; use GhostlyShare for temporary demos, previews or webhook callbacks. | A VPS is usually a monthly server cost. GhostlyShare is the lighter path when you do not need a permanent route. |
Cloudflare changes limits and plan details over time. Check the official limits and pricing pages before you treat a setup as production-ready.
What this setup truly protects
The practical aim isn’t to vanish from all providers but to prevent ordinary visitors, scanners, and routine DNS lookups from discovering your residential IP or accessing your router directly.
DNS can direct to Cloudflare rather than a home address, preventing casual lookups from revealing the hosting location.
A named tunnel only makes outbound connections, so inbound port forwarding for the website is unnecessary.
Your site can remain on localhost or a private interface while Cloudflare manages public access.
This provides privacy from visitors, not invisibility from Cloudflare, your VPN provider, or your account history.
Who can still identify you
The best way to consider anonymous home hosting is to separate audiences, each learning a different part of the story.
Visitors
- They can see your public hostname, TLS surface, and any content, headers, analytics, and cookies you deliberately expose.
- They typically see Cloudflare edge IPs rather than your home IP when DNS points only to the tunnel.
- They can fingerprint the admin browser if you log into the same backend from the same device or browser profile.
Cloudflare
- Cloudflare is aware of the account, zone, tunnel UUID, configured hostnames, and tunnel status.
- Cloudflare also observes the source IP used by cloudflared to connect, either your home IP or the VPN exit IP.
- A VPN can conceal your residential source IP from Cloudflare, but it does not eliminate the link to your Cloudflare account.
VPN provider
- The VPN provider can still detect your device maintaining encrypted traffic to Cloudflare.
- If your VPN is linked to your usual email or payment identity, that connection remains outside the tunnel.
- A VPN alters the source IP Cloudflare observes but does not remove the trust you place in the VPN provider.
Your wider identity trail
- Domain registrar info, recovery emails, payments, and reused usernames can still link the project to you.
- Logging into admin panels from a personal browser profile can link the site to your everyday identity.
- In practice, anonymity relies as much on operational discipline as on the tunnel itself.
How the traffic flow operates
The straightforward path: public side ends at Cloudflare, private side remains a local service accessible only by cloudflared.
Requests your hostname and connects to Cloudflare's edge network.
Terminates HTTPS, applies rules, and forwards requests into the named tunnel.
Maintains outbound-only tunnel connections from your Windows device to Cloudflare.
Responds on localhost or another private origin address without direct internet exposure.
If cloudflared uses a VPN first, Cloudflare sees the VPN exit IP as the source instead of your residential IP. Without a kill switch, cloudflared may reconnect via the normal ISP route if the VPN drops.

Small always-on box for a home tunnel
A Raspberry Pi or similar low-power mini computer is useful when the tunnel should stay online without tying the setup to your daily laptop. Keep the OS patched, use a wired connection where possible, and still test the VPN failure case before trusting it.
What cloudflared.exe does on Windows
cloudflared.exe is neither a VPN nor an anonymity network. It acts as the Cloudflare connector, authenticating tunnels, maintaining persistent outbound connections, and linking public hostnames to local services.
You can log in once, create a named tunnel, and reuse it for a stable hostname rather than using temporary links.
Cloudflare states that each tunnel maintains several persistent connections to ensure resilience if one path fails.
A configuration file can route app.example.com to http://localhost:3000 without exposing localhost as a public origin.
You can test the tunnel in a terminal first, then convert it into a persistent Windows service.
Cloudflare Tunnel supports HTTP, HTTPS, TCP, SSH, RDP, and similar private services, but this guide focuses on websites.
For precise vendor workflow, compare your setup with Cloudflare local tunnel instructions and the Windows service guide.
Windows setup: cloudflared.exe step-by-step
This method assumes your website works locally and your domain uses Cloudflare DNS. The example uses app.example.com and a local service on port 3000.
Use PowerShell 7 for all commands below. Replace sample hostname, tunnel name, and local service before copying.
Step 1: define reusable values
Start in PowerShell 7 and replace the sample hostname, tunnel name, and local service with your own values before proceeding.
$TunnelName = "ghostly-home-site"
$PublicHostname = "app.example.com"
$LocalService = "http://localhost:3000"
$CloudflaredHome = "C:\Cloudflared\bin"
$ConfigPath = "$env:USERPROFILE\.cloudflared\config.yml"Step 2: prepare cloudflared.exe
Rename the downloaded binary, create a dedicated folder, and copy the executable there.
Rename-Item "$env:USERPROFILE\Downloads\cloudflared-windows-amd64.exe" "cloudflared.exe"
New-Item -ItemType Directory -Force $CloudflaredHome
Copy-Item "$env:USERPROFILE\Downloads\cloudflared.exe" "$CloudflaredHome\cloudflared.exe"Step 3: change to working folder and verify the binary
Navigate to the folder and confirm cloudflared.exe starts without errors before authenticating.
Set-Location $CloudflaredHome
.\cloudflared.exe --versionStep 4: log in and authorise the Cloudflare zone
This opens your browser to approve the zone. The account certificate is saved in your default .cloudflared directory.
.\cloudflared.exe tunnel loginStep 5: create the named tunnel and save its UUID
Create the tunnel, then paste the UUID from the command output into the variable below for reuse in subsequent commands.
.\cloudflared.exe tunnel create $TunnelName
$TunnelId = "<paste-the-tunnel-uuid-from-the-create-output>"Step 6: write config.yml line by line
These commands create the local config.yml in your Windows profile, telling the tunnel which public hostname forwards to which local service.
Set-Content $ConfigPath "tunnel: $TunnelId"
Add-Content $ConfigPath "credentials-file: $env:USERPROFILE\.cloudflared\$TunnelId.json"
Add-Content $ConfigPath ""
Add-Content $ConfigPath "ingress:"
Add-Content $ConfigPath " - hostname: $PublicHostname"
Add-Content $ConfigPath " service: $LocalService"
Add-Content $ConfigPath " - service: http_status:404"Step 7: review and validate the configuration
Print the file once to review, then let cloudflared validate ingress rules before publishing DNS.
Get-Content $ConfigPath
.\cloudflared.exe tunnel ingress validateStep 8: create DNS route and inspect the tunnel
This instructs Cloudflare which hostname should route to the named tunnel before live traffic begins.
.\cloudflared.exe tunnel route dns $TunnelName $PublicHostname
.\cloudflared.exe tunnel info $TunnelNameStep 9: run the tunnel in the foreground
Keep this PowerShell 7 window open while testing the site from another network. Stop it with Ctrl+C when finished.
.\cloudflared.exe tunnel run $TunnelNameOnly proceed after the interactive tunnel works. Run the commands below in an elevated PowerShell 7 window, as the service uses the system profile path and registry entry.
Service step 1: install the Windows service shell
Open an elevated PowerShell 7 window for this optional step and install the Cloudflared service first.
Set-Location $CloudflaredHome
.\cloudflared.exe service installService step 2: copy cert.pem, credentials, and config to the system profile
The Windows service runs under the system profile, requiring its own .cloudflared folder with certificate, tunnel credentials, and config.yml.
$SystemCloudflaredHome = "C:\Windows\System32\config\systemprofile\.cloudflared"
New-Item -ItemType Directory -Force $SystemCloudflaredHome
Copy-Item "$env:USERPROFILE\.cloudflared\cert.pem" "$SystemCloudflaredHome\cert.pem"
Copy-Item "$env:USERPROFILE\.cloudflared\$TunnelId.json" "$SystemCloudflaredHome\$TunnelId.json"
Set-Content "$SystemCloudflaredHome\config.yml" "tunnel: $TunnelId"
Add-Content "$SystemCloudflaredHome\config.yml" "credentials-file: $SystemCloudflaredHome\$TunnelId.json"
Add-Content "$SystemCloudflaredHome\config.yml" ""
Add-Content "$SystemCloudflaredHome\config.yml" "ingress:"
Add-Content "$SystemCloudflaredHome\config.yml" " - hostname: $PublicHostname"
Add-Content "$SystemCloudflaredHome\config.yml" " service: $LocalService"
Add-Content "$SystemCloudflaredHome\config.yml" " - service: http_status:404"Service step 3: set ImagePath to system config and start the service
Cloudflare's Windows service docs require the Cloudflared ImagePath to point to the system-profile config file.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Cloudflared" -Name ImagePath -Value "C:\Cloudflared\bin\cloudflared.exe --config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run"
sc.exe start cloudflaredThis follows Cloudflare's Windows service process: copy cert.pem and tunnel credentials to the system profile, create a system-profile config.yml, then set the Cloudflared service ImagePath to that config.
VPN placement and security guidelines
The tunnel’s privacy depends on the underlying route. To show Cloudflare a VPN exit IP instead of a residential IP, the VPN must be active before cloudflared starts.
Check the host’s public IP first. If it shows the ISP IP, Cloudflare will see that IP when the tunnel connects.
If the VPN disconnects without firewall enforcement, cloudflared may reconnect via the usual residential route.
Bind your web service to localhost or a private interface where possible, ensuring the tunnel is the sole public access point.
Cloudflare warns that debug logs may record request URLs, methods, protocols, content lengths, and headers. Use standard logging for daily use.
Optional VPN selections and comparison
Looking for a quick VPN option or a wider comparison?
If you want a straightforward start, the rotating VPN button below opens a current option. For broader comparison, use the full provider directory.
Current featured choice: NordVPN
If the tunnel stops but the DNS record stays active, visitors usually see a Cloudflare error until the connector returns. This is noisy but preferable to silently leaking your home IP.
Verification checklist before trusting it
Don’t assume privacy just because the site loads once. Verify the route as an operator, not a marketer.
A brief external check should reveal Cloudflare-facing records instead of a residential IP address.
Verify the machine's public IP first to understand what Cloudflare will detect from the connector.
Test from mobile data or another external network to avoid local routing shortcuts.
Simulate a failure once. If cloudflared reconnects via the ISP route, the privacy model is compromised.
When GhostlyShare is the simpler option
For temporary public previews, quick client demos, or webhook callback URLs, GhostlyShare is simpler, avoiding much manual Cloudflare dashboard, DNS, and config.yml setup.
Use manual cloudflared for full control over tunnel, DNS, service account path, and long-term hosting. Use GhostlyShare for quicker setup with less infrastructure.
See GhostlyShareFAQs
Does Cloudflare still identify me?
Yes. Cloudflare still knows the account, zone, tunnel, and source IP reaching its edge. A VPN can replace the residential IP Cloudflare sees but does not remove the Cloudflare account link.
Can visitors see my home IP address?
Normally, visitors won’t see your home IP if your DNS points only to Cloudflare and you haven’t exposed the origin otherwise. They reach Cloudflare’s edge and the public hostname, not your residential IP.
Is router port forwarding necessary?
No. Cloudflare Tunnel only makes outbound connections, so the connector contacts Cloudflare rather than awaiting inbound internet traffic.
Is Cloudflare Tunnel free for home hosting?
Many small tests can start without paying for the tunnel itself, but the real answer depends on Cloudflare's current plan limits, your domain, optional Access features, VPN and hardware. Check pricing before you depend on it for a public project.
Is Cloudflare Tunnel the same as a VPN?
No. Cloudflare Tunnel publishes a local service through outbound connector connections. A VPN changes the connector's network path; it does not turn Cloudflare Tunnel into a consumer VPN or make the project anonymous by itself.
Can I run cloudflared.exe only when required?
Yes. Run the tunnel interactively from PowerShell for temporary use. Convert to a Windows service to keep it running after logoff or reboot.
What happens if the VPN disconnects
Without a kill switch, cloudflared may reconnect via the usual residential route, exposing your home ISP IP to Cloudflare. This makes failure scenarios as important as success.
Is this sufficient to anonymise the entire project?
No. Domain registration, payments, recovery emails, browser fingerprints, and admin behaviour can still identify you. The tunnel addresses only part of the exposure.
Related guides
See what Cloudflare Tunnel hides, what Cloudflare and a VPN provider can still see, and why Tunnel plus VPN improves routing privacy, not full anonymity.
ExplainerWhat Is a VPN? Understanding Privacy, Security, and AnonymityUnderstand network layer basics before relying on a VPN to conceal the source IP Cloudflare sees.
ExplainerCheck Your Online Fingerprint and Tracking RisksUse the fingerprint page to minimise browser clues that could link your admin sessions.
ToolGhostlyShare: share localhost on Windows and LinuxUse the simpler desktop method for a public preview link without manual Cloudflare setup.
ToolGhostlyDDns: keep Cloudflare DNS records in syncUse dynamic DNS when you choose a DNS-based self-hosting path instead of a tunnel-only setup.
ToolGhostlyHosting: deploy Blazor on an Ubuntu VPSUse the VPS route when you prefer a public server over always-on hardware at home.
ToolGhostlyBridge: manage servers and tunnel workflowsUse the desktop server workflow when a VPS, SSH, uploads or tunnel management fits better than home hosting.
DirectoryVPN providers worldwide: compare audits, privacy, and suitabilityUse the full VPN directory to compare providers before selecting one for the tunnel route.