Skip to content

Remotely-managed tunnel

If you created a Cloudflare Tunnel from the dashboard, the tunnel runs as a service on your OS.

Add tunnel run parameters

You can modify the Cloudflare Tunnel service with one or more general-purpose tunnel parameters.

On Linux, Cloudflare Tunnel installs itself as a system service using systemctl. By default, the service will be named cloudflared.service. To configure your tunnel on Linux:

  1. Open cloudflared.service.

    Terminal window
    sudo systemctl edit --full cloudflared.service
  2. Modify the cloudflared tunnel run command with the desired configuration flag. For example,

    [Unit]
    Description=Cloudflare Tunnel
    After=network.target
    [Service]
    TimeoutStartSec=0
    Type=notify
    ExecStart=/usr/local/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token <TOKEN VALUE>
    Restart=on-failure
    RestartSec=5s
    [Install]
    WantedBy=multi-user.target
  3. Restart cloudflared.service:

    Terminal window
    sudo systemctl restart cloudflared
  4. To verify the new configuration, check the service status:

    Terminal window
    sudo systemctl status cloudflared
    cloudflared.service - cloudflared
    Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; preset: enabled)
    Active: active (running) since Wed 2024-10-09 20:02:59 UTC; 2s ago
    Main PID: 2157 (cloudflared)
    Tasks: 8 (limit: 1136)
    Memory: 16.3M
    CPU: 136ms
    CGroup: /system.slice/cloudflared.service
    └─2157 /usr/bin/cloudflared tunnel --loglevel debug --logfile /var/log/cloudflared/cloudflared.log run --token eyJhIjoi...

Update origin configuration

To configure how cloudflared sends requests to your public hostname services:

  1. In Zero Trust, go to Networks > Tunnels.
  2. Choose a tunnel and select Configure.
  3. Select the Public Hostname tab.
  4. Choose a route and select Edit.
  5. Under Additional application settings, modify one or more origin configuration parameters.
  6. Select Save hostname.

Tunnel permissions

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. You can get a tunnel’s token from the dashboard or via the API.

Account members with Cloudflare Access and DNS permissions will be able to create, delete, and configure all tunnels for the account.