Lawful, privacy-focused publishing
Host a website anonymously from home using Cloudflare Tunnel and a VPN
This guide explains how to conceal your home IP from visitors by publishing a local site via Cloudflare Tunnel, optionally routing cloudflared through a VPN first.
The privacy boundary is key: visitors don’t need your residential IP, but Cloudflare still knows your account, and a VPN provider can see you’re connecting to Cloudflare.
This is intended for legitimate self-hosting, testing, publishing, and research. It does not support fraud, malware, phishing, harassment, or illegal activities.
What this setup truly protects
The practical aim isn’t to vanish from all providers but to prevent ordinary visitors, scanners, and routine DNS lookups from discovering your residential IP or accessing your router directly.
DNS can direct to Cloudflare rather than a home address, preventing casual lookups from revealing the hosting location.
A named tunnel only makes outbound connections, so inbound port forwarding for the website is unnecessary.
Your site can remain on localhost or a private interface while Cloudflare manages public access.
This provides privacy from visitors, not invisibility from Cloudflare, your VPN provider, or your account history.
Who can still identify you
The best way to consider anonymous home hosting is to separate audiences, each learning a different part of the story.
Visitors
- They can see your public hostname, TLS surface, and any content, headers, analytics, and cookies you deliberately expose.
- They typically see Cloudflare edge IPs rather than your home IP when DNS points only to the tunnel.
- They can fingerprint the admin browser if you log into the same backend from the same device or browser profile.
Cloudflare
- Cloudflare is aware of the account, zone, tunnel UUID, configured hostnames, and tunnel status.
- Cloudflare also observes the source IP used by cloudflared to connect, either your home IP or the VPN exit IP.
- A VPN can conceal your residential source IP from Cloudflare, but it does not eliminate the link to your Cloudflare account.
VPN provider
- The VPN provider can still detect your device maintaining encrypted traffic to Cloudflare.
- If your VPN is linked to your usual email or payment identity, that connection remains outside the tunnel.
- A VPN alters the source IP Cloudflare observes but does not remove the trust you place in the VPN provider.
Your wider identity trail
- Domain registrar info, recovery emails, payments, and reused usernames can still link the project to you.
- Logging into admin panels from a personal browser profile can link the site to your everyday identity.
- In practice, anonymity relies as much on operational discipline as on the tunnel itself.
How the traffic flow operates
The path is straightforward: the public side ends at Cloudflare, and the private side remains a local service reachable only by cloudflared.
Visitor: requests your hostname and connects to Cloudflare's edge network.
Cloudflare edge: terminates HTTPS, applies rules, and forwards requests into the named tunnel.
cloudflared: maintains outbound-only tunnel connections from your Windows device to Cloudflare.
Local web service: responds on localhost or another private origin address without direct internet exposure.
If cloudflared uses a VPN first, Cloudflare sees the VPN exit IP as the source instead of your residential IP. Without a kill switch, cloudflared may reconnect via the normal ISP route if the VPN drops.
What cloudflared.exe does on Windows
cloudflared.exe is neither a VPN nor an anonymity network. It acts as the Cloudflare connector, authenticating tunnels, maintaining persistent outbound connections, and linking public hostnames to local services.
You can log in once, create a named tunnel, and reuse it for a stable hostname rather than using temporary links.
Cloudflare states that each tunnel maintains several persistent connections to ensure resilience if one path fails.
A configuration file can route app.example.com to http://localhost:3000 without exposing localhost as a public origin.
You can test the tunnel in a terminal first, then convert it into a persistent Windows service.
Cloudflare Tunnel supports HTTP, HTTPS, TCP, SSH, RDP, and similar private services, but this guide focuses on websites.
For precise vendor workflow, compare your setup with Cloudflare local tunnel instructions and the Windows service guide.
Windows setup: cloudflared.exe step-by-step
This method assumes your website works locally and your domain uses Cloudflare DNS. The example uses app.example.com and a local service on port 3000.
Use PowerShell 7 for all commands below. Replace sample hostname, tunnel name, and local service before copying.
Step 1: define reusable values
Start in PowerShell 7 and replace the sample hostname, tunnel name, and local service with your own values before proceeding.
$TunnelName = "ghostly-home-site"
$PublicHostname = "app.example.com"
$LocalService = "http://localhost:3000"
$CloudflaredHome = "C:\Cloudflared\bin"
$ConfigPath = "$env:USERPROFILE\.cloudflared\config.yml"
Step 2: prepare cloudflared.exe
Rename the downloaded binary, create a dedicated folder, and copy the executable there.
Rename-Item "$env:USERPROFILE\Downloads\cloudflared-windows-amd64.exe" "cloudflared.exe"
New-Item -ItemType Directory -Force $CloudflaredHome
Copy-Item "$env:USERPROFILE\Downloads\cloudflared.exe" "$CloudflaredHome\cloudflared.exe"
Step 3: change to working folder and verify the binary
Navigate to the folder and confirm cloudflared.exe starts without errors before authenticating.
Set-Location $CloudflaredHome
.\cloudflared.exe --version
Step 4: log in and authorise the Cloudflare zone
This opens your browser to approve the zone. The account certificate is saved in your default .cloudflared directory.
.\cloudflared.exe tunnel login
Step 5: create the named tunnel and save its UUID
Create the tunnel, then paste the UUID from the command output into the variable below for reuse in subsequent commands.
.\cloudflared.exe tunnel create $TunnelName
$TunnelId = "<paste-the-tunnel-uuid-from-the-create-output>"
Step 6: write config.yml line by line
These commands create the local config.yml in your Windows profile, telling the tunnel which public hostname forwards to which local service.
Set-Content $ConfigPath "tunnel: $TunnelId"
Add-Content $ConfigPath "credentials-file: $env:USERPROFILE\.cloudflared\$TunnelId.json"
Add-Content $ConfigPath ""
Add-Content $ConfigPath "ingress:"
Add-Content $ConfigPath "  - hostname: $PublicHostname"
Add-Content $ConfigPath "    service: $LocalService"
Add-Content $ConfigPath "  - service: http_status:404"
Step 7: review and validate the configuration
Print the file once to review, then let cloudflared validate ingress rules before publishing DNS.
Get-Content $ConfigPath
.\cloudflared.exe tunnel ingress validate
Step 8: create DNS route and inspect the tunnel
This instructs Cloudflare which hostname should route to the named tunnel before live traffic begins.
.\cloudflared.exe tunnel route dns $TunnelName $PublicHostname
.\cloudflared.exe tunnel info $TunnelName
Step 9: run the tunnel in the foreground
Keep this PowerShell 7 window open while testing the site from another network. Stop it with Ctrl+C when finished.
.\cloudflared.exe tunnel run $TunnelName
Only proceed after the interactive tunnel works. Run the commands below in an elevated PowerShell 7 window, as the service uses the system profile path and registry entry.
Service step 1: install the Windows service shell
Open an elevated PowerShell 7 window for this optional step and install the Cloudflared service first.
Set-Location $CloudflaredHome
.\cloudflared.exe service install
Service step 2: copy cert.pem, credentials, and config to the system profile
The Windows service runs under the system profile, requiring its own .cloudflared folder with certificate, tunnel credentials, and config.yml.
$SystemCloudflaredHome = "C:\Windows\System32\config\systemprofile\.cloudflared"
New-Item -ItemType Directory -Force $SystemCloudflaredHome
Copy-Item "$env:USERPROFILE\.cloudflared\cert.pem" "$SystemCloudflaredHome\cert.pem"
Copy-Item "$env:USERPROFILE\.cloudflared\$TunnelId.json" "$SystemCloudflaredHome\$TunnelId.json"
Set-Content "$SystemCloudflaredHome\config.yml" "tunnel: $TunnelId"
Add-Content "$SystemCloudflaredHome\config.yml" "credentials-file: $SystemCloudflaredHome\$TunnelId.json"
Add-Content "$SystemCloudflaredHome\config.yml" ""
Add-Content "$SystemCloudflaredHome\config.yml" "ingress:"
Add-Content "$SystemCloudflaredHome\config.yml" "  - hostname: $PublicHostname"
Add-Content "$SystemCloudflaredHome\config.yml" "    service: $LocalService"
Add-Content "$SystemCloudflaredHome\config.yml" "  - service: http_status:404"
Service step 3: set ImagePath to system config and start the service
Cloudflare's Windows service docs require the Cloudflared ImagePath to point to the system-profile config file.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Cloudflared" -Name ImagePath -Value "C:\Cloudflared\bin\cloudflared.exe --config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run"
sc.exe start cloudflared
This follows Cloudflare's Windows service process: copy cert.pem and tunnel credentials to the system profile, create a system-profile config.yml, then set the Cloudflared service ImagePath to that config.
VPN placement and security guidelines
The tunnel’s privacy depends on the underlying route. To show Cloudflare a VPN exit IP instead of a residential IP, the VPN must be active before cloudflared starts.
Check the host’s public IP first. If it shows the ISP IP, Cloudflare will see that IP when the tunnel connects.
If the VPN disconnects without firewall enforcement, cloudflared may reconnect via the usual residential route.
Bind your web service to localhost or a private interface where possible, ensuring the tunnel is the sole public access point.
Cloudflare warns that debug logs may record request URLs, methods, protocols, content lengths, and headers. Use standard logging for daily use.
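One way to enforce the VPN-first rule above, as an added example that is not part of the original guide: a Windows Firewall block rule keeps cloudflared.exe off every non-VPN adapter, and a pre-flight check refuses to start the tunnel unless the VPN adapter is carrying traffic. It assumes the VPN client presents its own network adapter; the alias "MyVPN" and the rule name are placeholders, so substitute the alias shown by Get-NetAdapter.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell 7 window.
$CloudflaredExe = "C:\Cloudflared\bin\cloudflared.exe"
$TunnelName     = "ghostly-home-site"
$VpnAlias       = "MyVPN"                          # assumption: your VPN adapter's alias
$RuleName       = "Block cloudflared outside VPN"  # assumption: any unique rule name

function Install-TunnelKillSwitch {
    # Block cloudflared.exe outbound on every adapter except the VPN one.
    # Disconnected adapters are included so Wi-Fi coming up later is covered;
    # re-run after adding new network hardware.
    param([string]$Program, [string]$VpnAlias, [string]$RuleName)
    $blocked = @(Get-NetAdapter | Where-Object Name -ne $VpnAlias |
        Select-Object -ExpandProperty Name)
    if ($blocked.Count -eq 0) { throw "No non-VPN adapters found to block." }
    # Replace any earlier copy of the rule so the adapter list stays current.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Program $Program -InterfaceAlias $blocked -Profile Any | Out-Null
    return $blocked
}

function Test-VpnCarriesTraffic {
    # True only when the VPN adapter is up and Windows would route traffic for a
    # public address through it. Find-NetRoute consults the routing table only.
    param([string]$VpnAlias, [string]$ProbeAddress = "1.1.1.1")
    $adapter = Get-NetAdapter -Name $VpnAlias -ErrorAction SilentlyContinue
    if (-not $adapter -or $adapter.Status -ne "Up") { return $false }
    $route = Find-NetRoute -RemoteIPAddress $ProbeAddress -ErrorAction SilentlyContinue |
        Select-Object -First 1
    return ($null -ne $route -and $route.InterfaceAlias -eq $VpnAlias)
}

$blocked = Install-TunnelKillSwitch -Program $CloudflaredExe -VpnAlias $VpnAlias -RuleName $RuleName
Write-Host "cloudflared.exe is blocked on: $($blocked -join ', ')"

if (Test-VpnCarriesTraffic -VpnAlias $VpnAlias) {
    & $CloudflaredExe tunnel run $TunnelName
} else {
    Write-Warning "VPN adapter '$VpnAlias' is not carrying traffic; tunnel not started."
}
```

The rule matches on the program path, so it also applies when cloudflared.exe runs as the Windows service rather than from this window.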
If the tunnel stops but the DNS record stays active, visitors usually see a Cloudflare error until the connector returns. This is noisy but preferable to silently leaking your home IP.
Verification checklist before trusting it
Don’t assume privacy just because the site loads once. Verify the route as an operator, not a marketer.
A brief external check should reveal Cloudflare-facing records instead of a residential IP address.
Verify the machine's public IP first to understand what Cloudflare will detect from the connector.
Test from mobile data or another external network to avoid local routing shortcuts.
Simulate a failure once. If cloudflared reconnects via the ISP route, the privacy model is compromised.
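A scripted version of two checks from this guide, as an added example that is not part of the original page: it confirms that nothing listens on the origin port outside loopback and that public DNS for the hostname never returns the residential address. The resolver 1.1.1.1 and the documentation-range address 203.0.113.10 are assumptions; replace the address with the ISP address you noted with the VPN off.

```powershell
# Added example, not from the original guide. Run in PowerShell 7 on the host.
$PublicHostname = "app.example.com"
$LocalPort      = 3000
$ResidentialIp  = "203.0.113.10"   # constructed placeholder for your ISP address

function Get-ExposedListener {
    # Listening sockets on the origin port bound to anything other than loopback.
    param([int]$Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin @("127.0.0.1", "::1") } |
        Select-Object -ExpandProperty LocalAddress
}

function Get-PublicAddress {
    # A and AAAA answers asked of a public resolver instead of the local one.
    # CNAME and SOA records in the response are filtered out.
    param([string]$Name, [string]$Resolver = "1.1.1.1")
    foreach ($type in "A", "AAAA") {
        Resolve-DnsName -Name $Name -Type $type -Server $Resolver -DnsOnly `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $type } |
            Select-Object -ExpandProperty IPAddress
    }
}

function Test-HomeHostingExposure {
    param([string]$Name, [int]$Port, [string]$HomeIp)
    $listeners = @(Get-ExposedListener -Port $Port)
    $answers   = @(Get-PublicAddress -Name $Name)
    [pscustomobject]@{
        ExposedListeners  = $listeners
        DnsAnswers        = $answers
        NoExposedListener = ($listeners.Count -eq 0)
        DnsResolved       = ($answers.Count -gt 0)
        DnsLeaksHomeIp    = ($answers -contains $HomeIp)
    }
}

$result = Test-HomeHostingExposure -Name $PublicHostname -Port $LocalPort -HomeIp $ResidentialIp
$result | Format-List
if (-not $result.NoExposedListener -or -not $result.DnsResolved -or $result.DnsLeaksHomeIp) {
    Write-Warning "Do not trust the setup yet: review the fields above."
}
```

A listener on 0.0.0.0, :: or a LAN address is reported in ExposedListeners, which means the tunnel is not the only way to reach the site.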
When GhostlyShare is the simpler option
For temporary public previews, quick client demos, or webhook callback URLs, GhostlyShare is simpler, avoiding much manual Cloudflare dashboard, DNS, and config.yml setup.
Use manual cloudflared for full control over tunnel, DNS, service account path, and long-term hosting. Use GhostlyShare for quicker setup with less infrastructure.
See GhostlyShare
FAQs on anonymous home hosting
Does Cloudflare still identify me?
Yes. Cloudflare still knows the account, zone, tunnel, and source IP reaching its edge. A VPN can replace the residential IP Cloudflare sees but does not remove the Cloudflare account link.
Can visitors see my home IP address?
Normally, visitors won’t see your home IP if your DNS points only to Cloudflare and you haven’t exposed the origin otherwise. They reach Cloudflare’s edge and the public hostname, not your residential IP.
Is router port forwarding necessary?
No. Cloudflare Tunnel only makes outbound connections, so the connector contacts Cloudflare rather than awaiting inbound internet traffic.
Can I run cloudflared.exe only when required?
Yes. Run the tunnel interactively from PowerShell for temporary use. Convert to a Windows service to keep it running after logoff or reboot.
What happens if the VPN disconnects?
Without a kill switch, cloudflared may reconnect via the usual residential route, exposing your home ISP IP to Cloudflare. This makes failure scenarios as important as success.
Is this sufficient to anonymise the entire project?
No. Domain registration, payments, recovery emails, browser fingerprints, and admin behaviour can still identify you. The tunnel addresses only part of the exposure.