Deploy Cloudflare Tunnel on RamNode VPS

What You Will Need

• • A RamNode VPS running Ubuntu 22.04 or 24.04 (Debian also works)
• • A domain name with DNS managed by Cloudflare (free plan is sufficient)
• • A Cloudflare account with at least one active zone
• • Root or sudo access on your VPS
• • One or more local services to expose (web server, API, SSH, etc.)

Recommended VPS Specifications

View Cloud VPS Plans →

Install from the official APT repository for automatic updates.

sudo mkdir -p --mode=0755 /usr/share/keyrings

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
  | sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] \
  https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/cloudflared.list

sudo apt update
sudo apt install -y cloudflared

cloudflared --version

Link your VPS to your Cloudflare account. This generates a certificate that authorizes tunnel and DNS management.

cloudflared tunnel login

This outputs a URL. Copy and paste it into your browser, select the domain you want to use, and authorize. After authorization, a certificate is saved to:

~/.cloudflared/cert.pem

cloudflared tunnel create my-ramnode-tunnel

Created tunnel my-ramnode-tunnel with id a1b2c3d4-e5f6-7890-abcd-ef1234567890

The tunnel credentials JSON file is stored at ~/.cloudflared/<UUID>.json. Make a note of the tunnel UUID — you'll reference it in the configuration file.

sudo mkdir -p /etc/cloudflared
sudo nano /etc/cloudflared/config.yml

Basic Configuration (Single Service)

tunnel: a1b2c3d4-e5f6-7890-abcd-ef1234567890
credentials-file: /root/.cloudflared/a1b2c3d4-e5f6-7890-abcd-ef1234567890.json

ingress:
  - hostname: app.example.com
    service: http://localhost:8080
  - service: http_status:404

Multi-Service Configuration

Route multiple subdomains through a single tunnel:

tunnel: a1b2c3d4-e5f6-7890-abcd-ef1234567890
credentials-file: /root/.cloudflared/a1b2c3d4-e5f6-7890-abcd-ef1234567890.json

ingress:
  - hostname: app.example.com
    service: http://localhost:8080

  - hostname: api.example.com
    service: http://localhost:3000

  - hostname: grafana.example.com
    service: http://localhost:3001

  - hostname: ssh.example.com
    service: ssh://localhost:22

  - service: http_status:404

Configuration Options Reference

Create DNS records that point your hostnames to the tunnel:

cloudflared tunnel route dns my-ramnode-tunnel app.example.com
cloudflared tunnel route dns my-ramnode-tunnel api.example.com
cloudflared tunnel route dns my-ramnode-tunnel grafana.example.com

Each command creates a CNAME record pointing to your tunnel's unique hostname. Verify the records in your Cloudflare dashboard under DNS settings — each should show the orange proxy icon enabled.

Run the tunnel manually before setting it up as a service:

cloudflared tunnel --config /etc/cloudflared/config.yml run

You should see log output indicating connections to multiple Cloudflare edge locations. Open your configured hostname in a browser to confirm your service is accessible.

Troubleshooting Common Issues

For production, run cloudflared as a background service that starts on boot and restarts on failure.

sudo cloudflared service install

This creates a systemd unit file and copies your configuration to system directories.

# Start the tunnel
sudo systemctl start cloudflared

# Enable on boot
sudo systemctl enable cloudflared

# Check status
sudo systemctl status cloudflared

# View logs
sudo journalctl -u cloudflared -f

Restrict Inbound Firewall Rules

Since all traffic flows through the tunnel, you can block inbound HTTP/HTTPS entirely:

# Allow SSH (keep unless tunneling SSH too)
sudo ufw allow 22/tcp

# Deny all other inbound traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Enable the firewall
sudo ufw enable
sudo ufw status verbose

Enable Cloudflare Access (Zero Trust)

Put authentication in front of any tunneled service — especially admin panels and dashboards:

1. Navigate to the Cloudflare Zero Trust dashboard at one.dash.cloudflare.com
2. Go to Access → Applications and create a new self-hosted application
3. Set the application domain to match your tunneled hostname
4. Configure an Access policy (e.g., allow specific email addresses or IdP groups)
5. Save and test in an incognito window

Keep cloudflared Updated

sudo apt update && sudo apt upgrade -y
sudo systemctl restart cloudflared

Monitor Tunnel Health

Enable Prometheus-compatible metrics by adding to your config:

metrics: localhost:2000

This exposes metrics at http://localhost:2000/metrics for integration with Grafana and Prometheus.

Docker Integration

Point the tunnel at Docker container ports or use Docker's internal network:

ingress:
  - hostname: app.example.com
    service: http://172.17.0.2:8080        # Docker container IP

  - hostname: db-admin.example.com
    service: http://host.docker.internal:8081  # Host-mapped port

  - service: http_status:404

Load Balancing & Replicas

Run multiple instances of the same tunnel across different servers for high availability. Each replica uses the same UUID and credentials. Cloudflare distributes traffic automatically.

cloudflared tunnel --config /etc/cloudflared/config.yml run

Private Networking with WARP

For internal services that shouldn't be publicly accessible, use Cloudflare Tunnel with the WARP client. Team members connect through WARP and access internal IPs or hostnames directly, without public DNS exposure.