Raspberry Pi tunnel setup

Cloudflare Tunnel on Raspberry Pi for an always-on home server

Use this guide when a Raspberry Pi or small mini PC should keep cloudflared online for a real hostname. It covers setup, systemd, safety checks, and when GhostlyShare or the ghs CLI is the lighter choice.

The goal is a stable outbound connector, not magic anonymity. Visitors do not need router access, but Cloudflare, your accounts, and your own operating habits still matter.

Best use case: a small service that must stay reachable.

A Raspberry Pi is useful when a tunnel should survive laptop sleep, desktop logoff, and normal daily work. GhostlyShare can also fit long-running shares when you prefer the app or CLI workflow over manual service files.

Short answer: use a Raspberry Pi when the tunnel must stay online

A Raspberry Pi is a good Cloudflare Tunnel connector when the website, dashboard, webhook endpoint, or lab service should stay reachable without depending on your daily laptop. It is not the only long-running option; GhostlyShare can also be the simpler tunnel workflow.

NeedUseWhy
Always-on hostname for a home serviceCloudflare Tunnel on Raspberry PiThe Pi can stay online, reboot predictably, and run cloudflared as a Linux service.
Preview, webhook callback, or managed shareGhostlyShareGhostlyShare keeps the tunnel workflow in the app or CLI, which can be simpler than hand-maintaining cloudflared config.
Production app with stronger isolationVPS or managed hostingA public server is usually easier to monitor, back up, and separate from a home network.

The simple architecture: visitor, Cloudflare, Pi, local service

Cloudflare Tunnel keeps the origin side outbound. The Raspberry Pi opens connector connections to Cloudflare, and Cloudflare maps your public hostname to a local service such as localhost:3000 or a LAN address.

Visitor

The visitor reaches your public hostname and Cloudflare's edge, not a router port on your home connection.

Cloudflare

Cloudflare owns the public edge, DNS zone, tunnel mapping, and request path for the hostname.

Raspberry Pi

cloudflared runs on the Pi and keeps outbound connector sessions open to Cloudflare.

Local service

The real app can stay on localhost, another port, or a LAN host that the Pi can reach.

Do not treat this as a privacy wall against every party. It mainly prevents visitors and random scans from reaching your home router or learning the origin directly.

Prepare the Raspberry Pi before installing cloudflared

Most broken tunnel setups are not caused by Cloudflare. They come from an unstable device, a changing local service address, or a config file that the service user cannot read.

Use a boring Linux base

Start with Raspberry Pi OS or Debian, apply updates, and prefer 64-bit when the device supports it.

Stabilize the local network

Give the Pi a reliable network path, preferably wired Ethernet or a DHCP reservation if the service reaches LAN hosts.

Check the local app first

Make sure the app works locally before involving Cloudflare, DNS, or systemd.

Decide what should stay private

Do not expose admin panels by accident. Put private tools behind Cloudflare Access or keep them local.

Hardware pick: choose a Raspberry Pi 5 kit, not just the bare board

For a tunnel connector, a Raspberry Pi 5 kit is the safer default than a loose board. You want the board, a stable USB-C power supply, cooling or a case fan, and storage you trust before you blame Cloudflare for random disconnects.

Raspberry Pi 5 kit used as a small Cloudflare Tunnel home server
Recommended hardware

Raspberry Pi 5 kit for a small Cloudflare Tunnel home server

Search for a Raspberry Pi 5 kit with a reliable USB-C power supply, cooling, a case, and storage. 4 GB is enough for cloudflared; 8 GB gives more room when the Pi also runs the app.

Show on Amazon
As an Amazon Associate I earn from qualifying purchases.
Buying checklist

Prefer the official Raspberry Pi 27W USB-C power supply or an equivalent 5V/5A supply, and do not skip cooling. Weak power and heat can look like tunnel instability even when the cloudflared config is correct.

Cloudflare Tunnel Raspberry Pi setup runbook

Use the Cloudflare dashboard or official docs for the current package command for your Pi architecture. Keep the commands below as a safe order of work, not as a promise that package URLs never change.

1

Step 1: update the Pi and confirm the architecture

Install updates first, then check the architecture so you copy the right cloudflared package command from Cloudflare.

ShellLinux shell
sudo apt update
sudo apt upgrade -y
dpkg --print-architecture
2

Step 2: install cloudflared from the current official command

Use the Cloudflare dashboard or docs for the current Linux command that matches your architecture. Verify the binary after installation.

ShellLinux shell
# Paste the current official Cloudflare install command for your Pi here.
cloudflared --version
3

Step 3: authenticate and create a named tunnel

Authorize the Cloudflare zone, create a named tunnel, and copy the tunnel UUID from the output.

ShellLinux shell
cloudflared tunnel login
cloudflared tunnel create home-pi
4

Step 4: write an explicit config.yml

Replace the tunnel UUID, hostname, local service, and credentials path before you run it. The fallback rule should stay last.

ShellLinux shell
mkdir -p ~/.cloudflared
nano ~/.cloudflared/config.yml
ShellLinux shell
tunnel: <tunnel-uuid>
credentials-file: /home/pi/.cloudflared/<tunnel-uuid>.json

ingress:
  - hostname: app.example.com
    service: http://localhost:3000
  - service: http_status:404
5

Step 5: validate, route DNS, and run in the foreground

Validate the ingress rules, create the DNS route, then keep the tunnel in the foreground while you test from another network.

ShellLinux shell
cloudflared tunnel ingress validate
cloudflared tunnel route dns home-pi app.example.com
cloudflared tunnel run home-pi

Run cloudflared as a Linux service with the right config path

The important detail on Linux is the config path. If you install a service with sudo, the home directory can become root's home, so the service may not find the config you tested as the pi user.

1

Service step 1: install the service with an explicit config path

This avoids the common sudo home-directory mismatch between the tested pi user config and the service account.

ShellLinux shell
sudo cloudflared --config /home/pi/.cloudflared/config.yml service install
2

Service step 2: enable the service and check status

Start cloudflared through systemd, then verify that it uses the expected config and stays healthy.

ShellLinux shell
sudo systemctl enable --now cloudflared
systemctl status cloudflared
3

Service step 3: read logs and test a restart

Use the logs to catch config path, credentials, DNS, and local service errors before you depend on the route.

ShellLinux shell
journalctl -u cloudflared -f
sudo systemctl restart cloudflared
systemctl status cloudflared

Operations checklist for a small always-on tunnel

A home tunnel becomes boring in a good way only when reboot, updates, logs, and access rules are boring too. Test the boring parts before you share the URL widely.

Reboot test

Restart the Pi and confirm the hostname works without opening an SSH session first.

Access rules

Put private apps behind Cloudflare Access, strong app login, or a local-only network boundary.

Updates

Patch the OS and cloudflared regularly, then verify the service after updates.

Log hygiene

Do not publish logs or screenshots with tunnel IDs, account emails, hostnames, or private service names.

Backups

Back up the config intentionally, but protect tunnel credentials like secrets.

Privacy limit

This setup hides the origin from visitors; it does not hide your Cloudflare account, domain trail, or admin behavior.

Where GhostlyShare and the ghs CLI fit

GhostlyShare is the lighter path when you want Cloudflare-like local sharing without maintaining raw cloudflared config yourself. It can fit quick previews, webhook callbacks, scripted flows, and long-running shares when you manage uptime intentionally.

Use the Pi tunnel for manual control; use GhostlyShare for a managed tunnel workflow.

That split is about control, not duration. Raspberry Pi plus cloudflared gives you systemd, explicit config paths, DNS ownership, and a low-level service. GhostlyShare gives you a simpler app or CLI workflow that can be short-lived or long-running depending on how you run it.

Troubleshooting: the failures that usually matter first

SymptomLikely causeFirst check
Cloudflare error page instead of the appTunnel is down, service URL is wrong, or the local app is not listening.Run systemctl status cloudflared, journalctl, and curl the local service on the Pi.
Service works in foreground but not after installsystemd is using a different home directory or config path.Install the service again with an explicit --config path to /home/pi/.cloudflared/config.yml.
Hostname does not reach the tunnelDNS route, hostname, or Cloudflare zone is not connected to the named tunnel.Confirm the public hostname in Zero Trust and run cloudflared tunnel info home-pi.
Admin page is publicly reachableThe ingress rule points at a private tool without an access layer.Move it behind Cloudflare Access or keep that service local-only.

Official docs worth checking before you rely on it

Keep the Cloudflare vendor docs open while you set up the Pi. Product names, package commands, dashboard screens, and plan limits can change.

Frequently asked questions about Raspberry Pi Cloudflare Tunnel

FAQ

Is a Raspberry Pi good for Cloudflare Tunnel?

Yes, when you want an always-on connector for a small home server or lab service. It is low-power, predictable, and easier to leave online than a daily laptop.

Do I need router port forwarding?

No. Cloudflare Tunnel uses outbound connector connections from cloudflared to Cloudflare, so visitors do not need a direct inbound route to your router.

Should I use GhostlyShare CLI instead?

Use GhostlyShare or the ghs CLI when you want app-managed local sharing for previews, webhooks, scripted sharing, or a long-running share you intentionally keep online. Use Raspberry Pi plus cloudflared when you want full control over service files, ingress config, and the host OS.

Does this make my home server anonymous?

No. It can hide the origin from visitors, but Cloudflare account data, domain records, payments, logs, content, and admin behavior can still connect the project to you.