Cloudflare Tunnel was previously named Warp during the beta phase. As Warp was added to the Argo product family, Cloudflare changed the name to Argo Tunnel to match. Once Cloudflare decided that there is no longer required users to purchase Argo to create Tunnels, Argo Tunnel has been renamed to Cloudflare Tunnel.

In this post, I am gonna show how you can use Cloudflare Tunnel (free) to access our home lab internal network with a couple of simple steps and also how you can make this access secure.

Related posts:


Steps to Install Cloudflared in Windows

You will need a free Cloudflare account to log in and also you will need your own domain DNS records to be managed by Cloudflare.

  • Free Cloudflare accound
  • Free Domain (

1 Add a tunnel

2 Create a new tunnel

3 Install and run a connector

  1. Download
  2. Double Click to run the installer cloudflared-windows-amd64.msi. The files will be installed under folder: C:\Program Files (x86)\cloudflared. You will not get a prompt the Cloudflared service has been installed successfully this kind of message. As long as you confirmed file from C:\Program Files (x86)\cloudflared folder, you are good to go for next step. 
  3. Open Command Prompt or Powershell as Administrator.
  4. Run the following command:

Content Loaded


cloudflared.exe service install eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiOTkwMmE0ZTQtZWVjZS00ZTdmLWIyODctODgwMzQwMGY1YmUxIiwicyI6Ik9XSXlNR0poTVRFdE1qUTNNUzAwTkRka0xXSmhNMkl0T0dNMU9EQTJPR0UwWXpKbCJ9

PS C:\Users\WDAGUtilityAccount> cloudflared.exe service install eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiOTkwMmE0ZTQtZWVjZS00ZTdmLWIyODctODgwMzQwMGY1YmUxIiwicyI6Ik9XSXlNR0poTVRFdE1qUTNNUzAwTkRka0xXSmhNMkl0T0dNMU9EQTJPR0UwWXpKbCJ9 2023-09-17T13:11:49Z INF Installing cloudflared Windows service 2023-09-17T13:11:49Z INF cloudflared agent service is installed windowsServiceName=Cloudflared 2023-09-17T13:11:49Z INF Agent service for cloudflared installed successfully windowsServiceName=Cloudflared PS C:\Users\WDAGUtilityAccount>

4 Route traffic to your applications

Save the configuration. 

Steps to Install Cloudflared in Docker

1. Install Docker

  • apt update
  • apt install
  • apt update

2. Install Portainer (Option)

  • docker volume create portainer_data
  • docker run -d -p 9000:9000 –name portainer –restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

3. Install and run Cloudfalred Docker


docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiMTYyYTljNWItOGIyNy00MGJiLWJiMzctOTg3YTg3NTMzNzUwIiwicyI6Ik1tWmpOamsxTkdJdE9USmlaaTAwTVdWbExUa3haamt0WVRZM05tTmhPRFpsWmpFeiJ9

4. Console output

You might want to add -d into your docker command to make it run in a daemon mode at the background. 


docker run <b><i><u>-d</u></i></b> cloudflare/cloudflared:latest tunnel --no-autoupdate run --token eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiMTYyYTljNWItOGIyNy00MGJiLWJiMzctOTg3YTg3NTMzNzUwIiwicyI6Ik1tWmpOamsxTkdJdE9USmlaaTAwTVdWbExUa3haamt0WVRZM05tTmhPRFpsWmpFeiJ9

netsec@hpthin:~$ sudo -i
[sudo] password for netsec:
root@hpthin:~# apt update
Hit:1 focal InRelease
Get:2 focal-updates InRelease [114 kB]
Hit:3 focal InRelease
Get:4 focal-backports InRelease [108 kB]
Get:5 focal-security InRelease [114 kB]
Get:6 focal-updates/main amd64 Packages [2,852 kB]
Fetched 3,188 kB in 4s (805 kB/s)
Reading package lists… Done
Building dependency tree¨C69CReading state information… Done¨C70C102 packages can be upgraded. Run ‘apt list –upgradable’ to see them.¨C71Croot@hpthin:~#¨C72Croot@hpthin:~# apt install¨C73CReading package lists… Done¨C74CBuilding dependency tree¨C75CReading state information… Done¨C76CSuggested packages:¨C77C  aufs-tools cgroupfs-mount | cgroup-lite debootstrap docker-doc rinse zfs-fuse | zfsutils¨C78CThe following packages will be upgraded:¨C79C¨C80C1 upgraded, 0 newly installed, 0 to remove and 101 not upgraded.¨C81CNeed to get 26.4 MB of archives.¨C82CAfter this operation, 27.0 MB disk space will be freed.¨C83CGet:1 focal-updates/universe amd64 amd64 24.0.5-0ubuntu1~20.04.1 [26.4 MB]¨C84CFetched 26.4 MB in 3s (8,473 kB/s)¨C85CPreconfiguring packages …¨C86C(Reading database … 145184 files and directories currently installed.)¨C87CPreparing to unpack …/docker.io_24.0.5-0ubuntu1~20.04.1_amd64.deb …¨C88CUnpacking (24.0.5-0ubuntu1~20.04.1) over (20.10.21-0ubuntu1~20.04.2) …¨C89CSetting up (24.0.5-0ubuntu1~20.04.1) …¨C90CProcessing triggers for man-db (2.9.1-1) …¨C91Croot@hpthin:~# docker version¨C92CClient:¨C93C Version:           24.0.5¨C94C API version:       1.43¨C95C Go version:        go1.20.3¨C96C Git commit:        24.0.5-0ubuntu1~20.04.1¨C97C Built:             Mon Aug 21 19:50:14 2023¨C98C OS/Arch:           linux/amd64¨C99C Context:           default¨C100CServer:¨C101C Engine:¨C102C  Version:          24.0.5¨C103C  API version:      1.43 (minimum version 1.12)¨C104C  Go version:       go1.20.3¨C105C  Git commit:       24.0.5-0ubuntu1~20.04.1¨C106C  Built:            Mon Aug 21 19:50:14 2023¨C107C  OS/Arch:          linux/amd64¨C108C  Experimental:     false¨C109C containerd:¨C110C  Version:          1.6.12-0ubuntu1~20.04.3¨C111C  GitCommit:¨C112C runc:¨C113C  Version:          1.1.4-0ubuntu1~20.04.3¨C114C  GitCommit:¨C115C docker-init:¨C116C  Version:          0.19.0¨C117C  GitCommit:¨C118Croot@hpthin:~# docker run cloudflare/cloudflared:latest tunnel –no-autoupdate run –token eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiMTYyYTljNWItOGIyNy00MGJiLWJiMzctOTg3YTg3NTMzNzUwIiwicyI6Ik1tWmpOamsxTkdJdE9USmlaaTAwTVdWbExUa3haamt0WVRZM05tTmhPRFpsWmpFeiJ9¨C119CUnable to find image ‘cloudflare/cloudflared:latest’ locally¨C120Clatest: Pulling from cloudflare/cloudflared¨C121Cdd5ad9c9c29f: Pull complete¨C122C960043b8858c: Pull complete¨C123Cb4ca4c215f48: Pull complete¨C124Ceebb06941f3e: Pull complete¨C125C02cd68c0cbf6: Pull complete¨C126Cd3c894b5b2b0: Pull complete¨C127Cb40161cd83fc: Pull complete¨C128C46ba3f23f1d3: Pull complete¨C129C4fa131a1b726: Pull complete¨C130C01f38fc88b34: Pull complete¨C131C6e24d515f042: Pull complete¨C132C0460cb7a0f85: Pull complete¨C133Cb39375cac515: Pull complete¨C134CDigest: sha256:93561dfa0032006354be56476f09e3d8743d53d202368672c2847c1631f7be50¨C135CStatus: Downloaded newer image for cloudflare/cloudflared:latest¨C136C2023-09-23T17:29:02Z INF Starting tunnel tunnelID=162a9c5b-8b27-40bb-bb37-987a87533750¨C137C2023-09-23T17:29:02Z INF Version 2023.8.2¨C138C2023-09-23T17:29:02Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64¨C139C2023-09-23T17:29:02Z INF Settings: map[no-autoupdate:true token:¨C251C]¨C140C2023-09-23T17:29:02Z INF Generated Connector ID: 33cee496-81df-4d32-a8a7-56cd4310ef93¨C141C2023-09-23T17:29:02Z INF Initial protocol quic¨C142C2023-09-23T17:29:02Z INF ICMP proxy will use as source for IPv4¨C143C2023-09-23T17:29:02Z INF ICMP proxy will use :: as source for IPv6¨C144C2023-09-23T17:29:02Z INF Starting metrics server on¨C145C2023/09/23 17:29:03 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See for details.¨C146C2023-09-23T17:29:03Z INF Registered tunnel connection connIndex=0 connection=8959d98a-e305-4f86-8c16-ed2616281795 event=0 ip= location=yyz01 protocol=quic¨C147C2023-09-23T17:29:03Z INF Registered tunnel connection connIndex=1 connection=31892503-d646-4c1b-a4ac-0b6a10ab175a event=0 ip= location=ord02 protocol=quic¨C148C2023-09-23T17:29:03Z INF Updated to new configuration config=null version=0¨C149C2023-09-23T17:29:04Z INF Registered tunnel connection connIndex=2 connection=45771c08-0818-4d92-91fa-bb501c908f7e event=0 ip= location=ord11 protocol=quic¨C150C2023-09-23T17:29:05Z INF Registered tunnel connection connIndex=3 connection=30b37439-8e18-424b-bb36-6187fa658584 event=0 ip= location=yyz01 protocol=quic¨C151C2023-09-23T17:34:58Z INF Updated to new configuration config=”{\”ingress\”:[{\”service\”:\”\”,\”hostname\”:\”\”,\”originRequest\”:{}},{\”service\”:\”http_status:404\”}],\”warp-routing\”:{\”enabled\”:false}}” version=1¨C152C2023-09-23T17:40:58Z ERR  error=”stream 105 canceled by remote with error code 0″ cfRay=80b4931c9926a228-YYZ event=1 ingressRule=0 originService=¨C153C2023-09-23T17:40:58Z ERR Request failed error=”stream 105 canceled by remote with error code 0″ connIndex=3 dest= event=0 ip= type=http¨C154C2023-09-23T17:40:58Z ERR  error=”stream 97 canceled by remote with error code 0″ cfRay=80b4931adeeca228-YYZ event=1 ingressRule=0 originService=¨C155C2023-09-23T17:40:58Z ERR Request failed error=”stream 97 canceled by remote with error code 0″ connIndex=3 dest= event=0 ip= type=http¨C156C2023-09-23T17:40:58Z ERR  error=”stream 109 canceled by remote with error code 0″ cfRay=80b4931d19a9a228-YYZ event=1 ingressRule=0 originService=¨C157C2023-09-23T17:40:58Z ERR Request failed error=”stream 109 canceled by remote with error code 0″ connIndex=3 dest= event=0 ip= type=http¨C158C2023-09-23T17:40:58Z ERR  error=”stream 101 canceled by remote with error code 0″ cfRay=80b4931b8fdfa228-YYZ event=1 ingressRule=0 originService=¨C159C2023-09-23T17:40:58Z ERR Request failed error=”stream 101 canceled by remote with error code 0″ connIndex=3 dest= event=0 ip= type=http¨C160C^C2023-09-23T17:41:52Z INF Initiating graceful shutdown due to signal interrupt …¨C161C2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=0 event=0 ip=¨C162C2023-09-23T17:41:52Z ERR Failed to serve quic connection error=”context canceled” connIndex=0 event=0 ip=¨C163C2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=0 event=0 ip=¨C164C2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=1 event=0 ip=¨C165C2023-09-23T17:41:52Z ERR Failed to serve quic connection error=”context canceled” connIndex=1 event=0 ip=¨C166C2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=1 event=0 ip=¨C167C2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=2 event=0 ip=¨C168C2023-09-23T17:41:52Z ERR Failed to serve quic connection error=”context canceled” connIndex=2 event=0 ip=¨C169C2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=2 event=0 ip=¨C170C2023-09-23T17:41:52Z INF Unregistered tunnel connection connIndex=3 event=0 ip=¨C171C2023-09-23T17:41:52Z ERR Failed to serve quic connection error=”context canceled” connIndex=3 event=0 ip=¨C172C2023-09-23T17:41:52Z INF Retrying connection in up to 1s connIndex=3 event=0 ip=¨C173C2023-09-23T17:41:52Z ERR no more connections active and exiting¨C174C2023-09-23T17:41:52Z INF Tunnel server stopped¨C175C2023-09-23T17:41:52Z ERR icmp router terminated error=”context canceled”¨C176C2023-09-23T17:41:52Z INF Metrics server stopped¨C177Croot@hpthin:~# docker run -d cloudflare/cloudflared:latest tunnel –no-autoupdate run –token eyJhIjoiN2YzNjkyNmRlOTI3ZWQ3NmEwYThhOGYyNWFhZjMxOGMiLCJ0IjoiMTYyYTljNWItOGIyNy00MGJiLWJiMzctOTg3YTg3NTMzNzUwIiwicyI6Ik1tWmpOamsxTkdJdE9USmlaaTAwTVdWbExUa3haamt0WVRZM05tTmhPRFpsWmpFeiJ9¨C178C6faf071af6dd1e145ed4ea03c93471fe8aa83dc4c6c0b232cdea4ff91d181c65¨C179Croot@hpthin:~#

Access Policy – OneTime Password

One Time PIN

By default, One Time Password has been added for your authentication method. 

1 Add an application

Accept all available identity providers:

2  Add policies

3  Setup

4  Access to

Set Up Google as an IdP (Identity Provider)

You can add other authentication methods such as Google, GitHub as an identity provider. 

Set up Google as an identity provider

  1. Visit the Google Cloud Platform console. Create a new project, name the project, and select Create.
  2. On the project home page, go to APIs & Services on the sidebar and select Dashboard.
  3. On the sidebar, go to Credentials and select Configure Consent Screen at the top of the page.Location of credential settings at the top of the Google Cloud Platform dashboard.
  4. Choose External as the User Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can login.
  5. Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account.In the Scopes section, we recommend adding the scope. This is not required for the integration, but shows authenticating users what information is being gathered. You do not need to add test users.
  6. Return to the APIs & Services page, select Create Credentials > OAuth client ID, and name the application.Location of OAuth client ID settings on Google Cloud Platform credentials page.
  7. Under Authorized JavaScript origins, in the URIs field, enter your team domain.
  8. Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:
    <span class="CodeBlock--rows" style="box-sizing: inherit; cursor: text; display: block; margin: 0px;"><span class="CodeBlock--rows-content" style="box-sizing: inherit; display: inline-block; margin: 0px; min-width: 100%;"><span class="CodeBlock--row" style="box-sizing: inherit; display: block; margin: 0px; position: relative; width: 768.25px;"><span class="CodeBlock--row-indicator" style="box-sizing: inherit; margin: 0px;"></span><div class="CodeBlock--row-content" style="box-sizing: inherit; margin: 0px; padding: 0 var(--padding-horizontal); white-space: pre;"><span class="CodeBlock--token-plain" style="box-sizing: inherit; margin: 0px;">https://&lt;your-team-name&gt;.<div class="rfBrowextIocHighlightLink nonClickable" key="" link="" risk-score="0" style="background-color: rgba(255, 255, 255, 0); border-radius: 3px; box-sizing: inherit; display: inline-block; margin: 0px; padding-right: 5px; transition: background-color 0.3s ease 0s; white-space-collapse: collapse;" unique-id="9241733039016"><span class="rfBrowextIocHighlightLink__title" style="box-sizing: inherit; display: inline; margin: 0px; padding-left: 3px; vertical-align: middle;"></span></div>/cdn-cgi/access/callback</span></div></span></span></span>
  9. Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should not be shared. Copy both values.
  10. In Zero TrustOpen external link, go to Settings > Authentication.
  11. Under Login methods, select Add new. Choose Google on the next page.
  12. Input the Client ID and Client Secret fields generated previously.
  13. (Optional) Enable Proof of Key Exchange (PKCE)Open external link. PKCE will be performed on all login attempts.
  14. Select Save.



By Jonny

Leave a Reply