Remotely-managed tunnel

If you created a Cloudflare Tunnel from the dashboard, the tunnel runs as a service on your OS.

Add tunnel run parameters

You can modify the Cloudflare Tunnel service with one or more general-purpose tunnel parameters.

Linux

On Linux, Cloudflare Tunnel installs itself as a system service using systemctl. By default, the service will be named cloudflared.service. To configure your tunnel on Linux:

1. Open cloudflared.service.

   sudo systemctl edit --full cloudflared.service

2. Modify the cloudflared tunnel run command with the desired configuration flag. For example,

   [Unit]
   Description=Cloudflare Tunnel
   After=network.target
   
   [Service]
   TimeoutStartSec=0
   Type=notify
   ExecStart=/usr/local/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token <TOKEN VALUE>
   Restart=on-failure
   RestartSec=5s
   
   [Install]
   WantedBy=multi-user.target

3. Restart cloudflared.service:

   sudo systemctl restart cloudflared

4. To verify the new configuration, check the service status:

   sudo systemctl status cloudflared

   ● cloudflared.service - cloudflared
    Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
    Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
   Main PID: 2157 (cloudflared)
     Tasks: 8 (limit: 1136)
    Memory: 16.3M
       CPU: 136ms
    CGroup: /system.slice/cloudflared.service
            └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...

macOS

On macOS, Cloudflare Tunnel installs itself as a launch agent using launchctl. By default, the agent will be called com.cloudflare.cloudflared. To configure your tunnel on macOS:

1. Stop the cloudflared service.

   sudo launchctl stop com.cloudflare.cloudflared

2. Unload the configuration file.

   sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist

3. Open /Library/LaunchDaemons/com.cloudflare.cloudflared.plist in a text editor.

4. Modify the ProgramArguments key with the desired configuration flag. For example,

   <plist version="1.0">
       <dict>
           <key>Label</key>
           <string>com.cloudflare.cloudflared</string>
           <key>ProgramArguments</key>
           <array>
               <string>/opt/homebrew/bin/cloudflared</string>
               <string>tunnel</string>
               <string>--logfile</string>
               <string><PATH></string>
               <string>--loglevel</string>
               <string>debug</string>
               <string>run</string>
               <string>--token</string>
               <string><TOKEN VALUE> </string>
           </array>

5. Load the updated configuration file.

   sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist

6. Start the cloudflared service.

   sudo launchctl start com.cloudflare.cloudflared

Windows

On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named cloudflared. To configure your tunnel on Windows:

1. Open the Registry Editor.

2. Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > cloudflared.

3. Double-click ImagePath.

4. Modify Value data with the desired configuration flag. For example,

   C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel debug --logfile <PATH> run --token <TOKEN VALUE>

Update origin configuration

To configure how cloudflared sends requests to your public hostname services:

1. In Zero Trust ↗, go to Networks > Tunnels.
2. Choose a tunnel and select Configure.
3. Select the Public Hostname tab.
4. Choose a route and select Edit.
5. Under Additional application settings, modify one or more origin configuration parameters.
6. Select Save hostname.

Tunnel permissions

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.

View the tunnel token

To get the token for a remotely-managed tunnel:

Dashboard

1. In Zero Trust ↗, go to Networks > Tunnels.
2. Select a cloudflared tunnel and select Edit.
3. Copy cloudflared installation command.
4. Paste the installation command into any text editor. The token value is of the form eyJhIjoiNWFiNGU5Z...

API

Make a GET request to the Cloudflare Tunnel token endpoint:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token \
--header "Authorization: Bearer <API_TOKEN>"

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": "eyJhIjoiNWFiNGU5Z..."
}

Rotate a token without service disruption

Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two cloudflared replicas. To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.

To rotate a tunnel token:

1. Refresh the token on Cloudflare:

   Dashboard
   1. In Zero Trust ↗, go to Networks > Tunnels.
   2. Select a cloudflared tunnel and select Edit.
   3. Select Refresh token.
   4. Copy the cloudflared installation command for your operating system. This command contains the new token.
   API

   1. Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:

      openssl rand -base64 32

      AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=

   2. Make a PATCH request to the Cloudflare Tunnel endpoint:

      curl --request PATCH \
      https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id} \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <API_TOKEN>" \
      --data '{
        "name": "Example tunnel",
        "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
      }'

      {
        "success": true,
        "errors": [],
        "messages": [],
        "result": {
          "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
          "account_tag": "699d98642c564d2e855e9661899b7252",
          "created_at": "2024-12-04T22:03:26.291225Z",
          "deleted_at": null,
          "name": "Example tunnel",
          "connections": [],
          "conns_active_at": null,
          "conns_inactive_at": "2024-12-04T22:03:26.291225Z",
          "tun_type": "cfd_tunnel",
          "metadata": {},
          "status": "inactive",
          "remote_config": true,
          "token": "eyJhIjoiNWFiNGU5Z..."
        }
      }

   3. Copy the token value shown in the output.

   After refreshing the token, cloudflared can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.

2. On half of your cloudflared replicas, update cloudflared to use the new token. For example, on a Linux host:

   sudo cloudflared service install <TOKEN>

3. Restart cloudflared:

   sudo systemctl restart cloudflared.service

4. Confirm that the service started correctly:

   sudo systemctl status cloudflared

   While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.

5. Wait 10 minutes for traffic to route through the new connectors.

6. Repeat steps 2, 3, and 4 for the second half of the replicas.

The tunnel token is now fully rotated. The old token is no longer in use.

Rotate a compromised token

If your tunnel token is compromised, we recommend taking the following steps:

1. Refresh the token using the dashboard or API. Refer to Step 1 of Rotate a token without service disruption.

2. Delete all connections between cloudflared and Cloudflare:

   curl --request DELETE \
   https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections \
   --header "Authorization: Bearer <API_TOKEN>"

   This will clean up any unauthorized connections and prevent users from connecting to your network.

3. On each cloudflared replica, update cloudflared to use the new token. For example, on a Linux host:

   sudo cloudflared service install <TOKEN>

4. Restart cloudflared:

   sudo systemctl restart cloudflared.service

5. Confirm that the service started correctly:

   sudo systemctl status cloudflared

The tunnel token is now fully rotated. The old token is no longer in use.

Account-scoped roles

Minimum permissions needed to create, delete, and configure tunnels for an account:

• Cloudflare Access

Additional permissions needed to route traffic to a public hostname:

• DNS

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!