June 30, 2025

How to Securely Bind DNS to a Private IP Using Cloudflare Tunnels (2025 Guide)


In today’s digital landscape, securing and accessing private infrastructure without exposing it to the public internet is a top priority for programmers, cybersecurity experts, and DevOps professionals. Cloudflare Tunnels (formerly Argo Tunnel) offer a secure, scalable way to bind your DNS to a private IP address, enabling seamless access to internal services without opening firewall ports or relying on VPNs. Whether you’re hosting a web server, API, or internal dashboard, Cloudflare Tunnels provide zero-trust access with minimal setup.

This comprehensive guide walks you through setting up Cloudflare Tunnels to bind a DNS record to a private IP address. We’ll cover prerequisites, step-by-step configuration, security best practices, and troubleshooting tips, all tailored for technical audiences like DevOps engineers and cybersecurity experts.


Why Use Cloudflare Tunnels?

Cloudflare Tunnels create a secure, encrypted connection between your origin server (e.g., a private web server) and Cloudflare’s global network. By binding a DNS record to a private IP, you can:

  • Expose internal services securely: Access private servers without public IP addresses or open ports.
  • Implement zero-trust security: Use Cloudflare Access for identity-based authentication.
  • Simplify infrastructure: Eliminate complex VPN setups or firewall rules.
  • Scale globally: Leverage Cloudflare’s CDN for low-latency access worldwide.
  • Future-proof: Compatible with modern DevOps workflows and hybrid cloud setups.

This approach is ideal for developers hosting applications, cybersecurity professionals securing internal tools, and DevOps teams managing private infrastructure in 2024.


Prerequisites for Setting Up Cloudflare Tunnels

Before diving in, ensure you have the following:

  1. Cloudflare Account: A free or paid Cloudflare account with a registered domain.
  2. Domain Configured: Your domain (e.g., example.com) added to Cloudflare with DNS management enabled.
  3. Server with Private IP: A server (e.g., on-premise, VPS, or home network) running a service (e.g., web server on 192.168.1.100).
  4. Cloudflared Installed: The cloudflared daemon installed on your server.
  5. Basic Linux Knowledge: Familiarity with terminal commands (we’ll use Ubuntu as an example).
  6. Optional: Cloudflare Access for zero-trust authentication.

Step-by-Step Guide to Set Up Cloudflare Tunnels

Follow these steps to bind a DNS record to a private IP using Cloudflare Tunnels. We’ll use an example of a web server running on 192.168.1.100:8080 accessible via app.example.com.

Step 1: Install cloudflared on Your Server

The cloudflared daemon establishes the secure tunnel between your server and Cloudflare.

  1. Download cloudflared:
    • On your Ubuntu server, download the latest cloudflared binary:
      wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
      
    • For other architectures (e.g., ARM), check the Cloudflare GitHub releases.
  2. Install the Package:
    sudo dpkg -i cloudflared-linux-amd64.deb
    
    • If dependencies are missing, fix them:
      sudo apt update
      sudo apt install -f
      
  3. Verify Installation:
    cloudflared --version
    
    • Expected output: cloudflared version 2024.x.x.

Step 2: Authenticate cloudflared with Cloudflare

  1. Log in to Cloudflare:
    • Run the login command to authenticate your server with your Cloudflare account:
      cloudflared login
      
    • This opens a browser window. Log in to Cloudflare, select your domain, and authorize cloudflared. A certificate file is saved to ~/.cloudflared/cert.pem.
  2. Verify Authentication:
    • Ensure the certificate exists:
      ls ~/.cloudflared/
      
    • You should see cert.pem.

Step 3: Create a Cloudflare Tunnel

  1. Create the Tunnel:
    • Run the following to create a named tunnel:
      cloudflared tunnel create my-tunnel
      
    • Replace my-tunnel with a unique name. This generates a tunnel ID and a JSON credentials file (e.g., ~/.cloudflared/<tunnel-id>.json).
    • Output example:
      Tunnel credentials written to /home/user/.cloudflared/1234-uuid.json
      
  2. Verify Tunnel Creation:
    • List all tunnels:
      cloudflared tunnel list
      
    • Note the tunnel ID for the next steps.

Step 4: Configure the Tunnel

  1. Create a Configuration File:
    • Create a YAML file to define how the tunnel routes traffic:
      nano ~/.cloudflared/config.yml
      
    • Add the following configuration:
      tunnel: <tunnel-id>
      credentials-file: /home/user/.cloudflared/<tunnel-id>.json
      ingress:
        - hostname: app.example.com
          service: http://192.168.1.100:8080
        - service: http_status:404
      
    • Replace <tunnel-id> with your tunnel ID.
    • Replace app.example.com with your desired DNS record.
    • Replace 192.168.1.100:8080 with your private IP and port.
    • The http_status:404 rule ensures unmatched requests return a 404 error.
  2. Validate the Configuration:
    cloudflared tunnel --config ~/.cloudflared/config.yml ingress validate
    

Step 5: Bind DNS to the Tunnel

  1. Create a DNS Record:
    • Log in to the Cloudflare Dashboard.
    • Navigate to DNS > Records for your domain.
    • Add a new CNAME record:
      • Type: CNAME
      • Name: app (for app.example.com)
      • Target: <tunnel-id>.cfargotunnel.com
      • Proxy Status: Proxied (orange cloud)
    • Replace <tunnel-id> with your tunnel ID.
  2. Verify DNS:
    • Wait for DNS propagation (usually <5 minutes with Cloudflare).
    • Test with:
      dig app.example.com
      

Step 6: Run the Tunnel

  1. Start the Tunnel:
    • Run the tunnel using the configuration file:
      cloudflared tunnel --config ~/.cloudflared/config.yml run my-tunnel
      
    • This establishes a connection to Cloudflare’s edge.
  2. Run as a Service (Recommended for Production):
    • Install cloudflared as a system service for automatic startup:
      sudo cloudflared service install --config ~/.cloudflared/config.yml
      
    • Start the service:
      sudo systemctl start cloudflared
      sudo systemctl enable cloudflared
      
    • Check status:
      systemctl status cloudflared
      

Step 7: Test the Setup

  1. Access the Service:
    • Open a browser and navigate to https://app.example.com.
    • You should see your web server’s content (e.g., a webpage hosted on 192.168.1.100:8080).
  2. Verify Connectivity:
    • From another machine, test:
      curl https://app.example.com
      
    • Ensure the response matches your server’s output.
  3. Check Tunnel Logs:
    journalctl -u cloudflared -f
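
Two checks the steps above leave out, as an added example (not part of the original guide or of cloudflared): whether the secrets in ~/.cloudflared are accessible to other local users, and whether any ingress rule forwards plain HTTP to a non-loopback origin. The function names and the placeholder tunnel ID are assumptions; the sample files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.
# Assumes GNU stat (Ubuntu, as in the guide) and the config.yml layout of Step 4.

# Succeed only if FILE grants nothing to group or others (e.g. 600 or 400).
secret_is_private() {
  mode=$(stat -c '%a' "$1") || return 2
  case $mode in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print every ingress service URL that is plain HTTP to a non-loopback origin.
plaintext_origins() {
  awk '{
    for (i = 1; i < NF; i++)
      if ($i == "service:" && $(i+1) ~ /^http:\/\// &&
          $(i+1) !~ /^http:\/\/(localhost|127\.|\[::1\])/) print $(i+1)
  }' "$1"
}

# Audit one cloudflared directory: print findings, return how many there were.
audit_tunnel_dir() {
  dir=$1 findings=0
  for f in "$dir"/cert.pem "$dir"/*.json; do
    [ -e "$f" ] || continue
    secret_is_private "$f" && continue
    echo "WARN: $f is accessible to group or others"
    findings=$((findings + 1))
  done
  while read -r url; do
    [ -n "$url" ] || continue
    echo "NOTE: $url is plain HTTP between cloudflared and the origin"
    findings=$((findings + 1))
  done <<EOF
$(plaintext_origins "$dir/config.yml")
EOF
  return "$findings"
}

# Constructed sample mirroring Step 4 (placeholder tunnel ID), so this runs offline.
demo_dir=$(mktemp -d)
id=00000000-0000-0000-0000-000000000000
printf '%s\n' "tunnel: $id" "credentials-file: $demo_dir/$id.json" "ingress:" \
  "  - hostname: app.example.com" "    service: http://192.168.1.100:8080" \
  "  - service: http_status:404" > "$demo_dir/config.yml"
echo '{}' > "$demo_dir/$id.json"
chmod 644 "$demo_dir/$id.json"   # deliberately too permissive for the demo
audit_tunnel_dir "$demo_dir" || echo "findings: $?"
```

On a real host, call audit_tunnel_dir ~/.cloudflared instead of the demo directory; the credentials JSON holds the tunnel secret and cert.pem authorizes tunnel management, so both belong to the service user alone.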
    

Enhancing Security with Cloudflare Access

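On its own, the tunnel publishes app.example.com to anyone who can reach Cloudflare’s edge. For cybersecurity experts, integrating Cloudflare Access adds zero-trust authentication in front of it: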

  1. Enable Cloudflare Access:
    • In the Cloudflare Dashboard, go to Access > Applications.
    • Add an application for app.example.com.
    • Configure policies (e.g., allow specific emails or SSO providers).
  2. Test Access:
    • Try accessing app.example.com. You’ll be prompted to authenticate via your identity provider (e.g., Google, Okta).
  3. Best Practice: Use short-lived certificates or tokens for enhanced security.

Troubleshooting Common Issues

  1. Tunnel Not Connecting:
    • Cause: cloudflared can’t reach Cloudflare’s edge.
    • Fix: Check internet connectivity:
      ping 1.1.1.1
      
    • Ensure cert.pem is valid; if it is missing or invalid, authenticate again:
      cloudflared login
      
  2. DNS Resolution Fails:
    • Cause: Incorrect CNAME or propagation delay.
    • Fix: Verify the CNAME record and check propagation:
      dig app.example.com
      
  3. Service Unreachable:
    • Cause: Incorrect private IP or port in config.yml.
    • Fix: Confirm the service is running:
      curl http://192.168.1.100:8080
      
  4. Port Conflicts:
    • Cause: Another process is already using the port your service listens on (8080 in this example).
    • Fix: Check for conflicts:
      sudo netstat -tuln | grep 8080
      

 


Conclusion

Cloudflare Tunnels offer a powerful, secure way to bind DNS records to private IPs, making them ideal for DevOps professionals, programmers, and cybersecurity experts. By following this guide, you can set up a tunnel to expose internal services like web servers or APIs without compromising security. Integrate Cloudflare Access for zero-trust authentication, automate with DevOps tools, and monitor for reliability.

Amritpal

I’m the owner of “DevOpsTechy.online” and have been in the industry for almost 6+ years. What I’ve noticed particularly about the industry is that it reacts slowly to the rapidly changing world of technology. I’ve done my best to introduce new technology into the community with the hopes that more technology can be utilized to serve our customers. I’m going to educate and at times demonstrate that technology can help businesses innovate and thrive. Throwing in a little bit of fun and entertainment couldn’t hurt, right?
