
EXPOSE your home network to the INTERNET!! (it's safe)

NetworkChuck · 5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Cloudflare Tunnel exposes home services without opening inbound firewall ports or forwarding 80/443.

Briefing

Exposing a home network to the public internet can be done without opening firewall ports or punching holes through the router. The approach uses Cloudflare Tunnel to create an outbound, secure tunnel from a device inside the home network to Cloudflare, then maps public subdomains to internal services—each with HTTPS and its own SSL certificate. The result is remote access to things like a website, Proxmox, or a NAS from anywhere, even when the home connection uses restrictive setups such as CGNAT.

Instead of configuring a reverse proxy like Nginx or forwarding ports 80/443 to internal IPs, the setup relies on Cloudflare’s Zero Trust “tunnels” feature. Every exposed service gets a dedicated subdomain under the user’s domain, and Cloudflare handles encryption so the home device doesn’t need to manage public-facing certificates. Even if the internal service uses self-signed certificates, Cloudflare can be configured to skip TLS verification for that upstream, allowing internal apps to work without reissuing certificates.

The setup requires only a domain name, plus a computer or server already running inside the home network. The domain can be purchased from any registrar; the walkthrough uses Google Domains as an example, costing roughly $12 per year. On the internal server, Cloudflare Tunnel is installed using the appropriate package for the environment—Docker is highlighted as a convenient option. After installation, the tunnel connects outward to Cloudflare, meaning the home firewall typically doesn’t need inbound rules.

A Cloudflare account is then created, the domain is added as a site, and Cloudflare name servers are configured at the registrar so DNS points to Cloudflare. From there, the Zero Trust dashboard is used to create a tunnel on a free plan (the interface still prompts for a $0 payment step). Once the tunnel is active, the user routes public hostnames to internal services by specifying the service type (for example, HTTPS for Proxmox) and the internal private IP and port.

In the example, Proxmox is mapped to a subdomain like proxmox.<domain>, pointing to an internal address such as 10.77.73.8 on port 8006. For Proxmox instances using self-signed certs, the configuration can disable TLS verification so the tunnel still connects cleanly. Testing from outside the home network confirms that the Proxmox web interface loads properly and that remote clients can access the same services without any direct exposure of the home network.

The same tunnel can route additional services. A NAS is added by creating another hostname (for example, nas.<domain>) mapped to the NAS’s internal IP and port (such as 5001) with TLS verification disabled if needed. With multiple services attached to one tunnel, Cloudflare provides the “public” layer—subdomains, HTTPS, and certificate handling—while the home network stays insulated from direct inbound traffic. The overall takeaway is a streamlined, certificate-friendly, firewall-light method for publishing home-hosted services securely to the internet.
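The two hostname mappings described above, written as a locally managed `cloudflared` `config.yml` rather than dashboard entries. This is an added example, not taken from the video; `example.com`, the tunnel ID, the file paths, the NAS address and the origin server name are placeholders.

```yaml
# Added example: dashboard mappings expressed as a cloudflared config.yml.
# Placeholders/assumptions: example.com, <TUNNEL-UUID>, file paths,
# <NAS-IP>, pve.home.example.
tunnel: "<TUNNEL-UUID>"
credentials-file: "/etc/cloudflared/<TUNNEL-UUID>.json"

ingress:
  # proxmox.<domain> -> Proxmox web UI on the private address from the walkthrough.
  - hostname: proxmox.example.com
    service: https://10.77.73.8:8006
    originRequest:
      # What the walkthrough does: accept the self-signed certificate unchecked.
      noTLSVerify: true
      # Stricter alternative: keep verification on and trust only the origin's CA.
      # noTLSVerify: false
      # caPool: /etc/cloudflared/pve-root-ca.pem   # copy of the origin's CA cert
      # originServerName: pve.home.example         # name present in the origin cert

  # nas.<domain> -> NAS web UI on port 5001.
  - hostname: nas.example.com
    service: "https://<NAS-IP>:5001"
    originRequest:
      noTLSVerify: true

  # Required catch-all: any hostname not listed above gets a 404 instead of
  # being forwarded into the home network.
  - service: http_status:404
```

With `noTLSVerify: true` the connector still encrypts traffic to the internal service but does not authenticate it; the commented `caPool` variant restores that check without reissuing the service's certificate.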

Cornell Notes

Cloudflare Tunnel exposes home-network services to the internet without opening inbound firewall ports or forwarding 80/443. A device inside the home runs Cloudflare Tunnel (Docker is one option), which creates an outbound secure connection to Cloudflare. Cloudflare then maps public subdomains on the user’s domain to internal services like Proxmox or a NAS, providing HTTPS and SSL certificates automatically. For internal services using self-signed certificates, the tunnel can be configured to skip TLS verification so everything still works. This setup is designed to work across different home network types, including CGNAT, because it doesn’t rely on inbound connectivity to the home router.

How does Cloudflare Tunnel avoid the usual risks of exposing a home network?

Instead of forwarding ports or punching holes through the firewall (common with reverse proxies and port forwarding), the tunnel runs as an outbound connection from inside the home to Cloudflare. Cloudflare becomes the public-facing entry point, while internal services remain reachable only through the established tunnel. That’s why the walkthrough emphasizes that no firewall changes are required and no inbound ports like 80/443 need to be exposed.

What makes the setup “HTTPS-ready” for internal services?

Each exposed service is assigned its own subdomain under the user’s domain, and Cloudflare issues/handles the SSL certificate for that public hostname. The internal service can still use self-signed certificates; Cloudflare can be configured with an upstream setting to disable TLS verification (under TLS settings) so the tunnel can connect even when the internal certificate isn’t trusted publicly.

What are the minimum components needed to publish a home service?

The essentials are (1) a domain name, (2) a computer or server inside the home network to run Cloudflare Tunnel, and (3) a Cloudflare account with the domain added. The internal server installs Cloudflare Tunnel (with Docker as a highlighted option), then the tunnel is configured to route specific subdomains to internal IP addresses and ports.

How does the tunnel route Proxmox to the internet?

After creating the tunnel, the configuration adds a public hostname like proxmox.<domain> and selects the service type as HTTPS. It then points to the Proxmox server’s internal private IP and port (example: 10.77.73.8 on port 8006). If Proxmox uses a self-signed certificate, the “No TLS Verify” option can be enabled for that hostname so the connection succeeds.

Can multiple home services share the same tunnel?

Yes. Once the tunnel is active, additional public hostnames can be configured under the same tunnel. The walkthrough adds a NAS by mapping nas.<domain> to the NAS’s internal IP and port (example: port 5001), again using settings like disabling TLS verification when appropriate.

Why does the method work even with CGNAT or restrictive ISP setups?

Because the tunnel is outbound from the home network to Cloudflare, it doesn’t depend on receiving inbound connections from the internet to the home router. That design sidesteps common CGNAT limitations that break traditional inbound port forwarding.

Review Questions

  1. What specific configuration choices allow Cloudflare Tunnel to connect to an internal service that uses a self-signed certificate?
  2. Describe the difference between exposing a home network via port forwarding/reverse proxy and exposing it via Cloudflare Tunnel.
  3. If a Proxmox service is reachable internally at a private IP and port, what steps are needed to map it to a public subdomain?

Key Points

  1. Cloudflare Tunnel exposes home services without opening inbound firewall ports or forwarding 80/443.
  2. A single outbound tunnel from an internal server to Cloudflare becomes the secure public entry point.
  3. Each published service gets its own subdomain and Cloudflare-managed SSL certificate.
  4. For internal apps using self-signed certificates, Cloudflare Tunnel can disable TLS verification for the upstream connection.
  5. The setup requires a domain name, a Cloudflare account, and a home device running Cloudflare Tunnel (Docker is one supported path).
  6. DNS must point to Cloudflare by updating the domain’s name servers at the registrar.
  7. The same tunnel can route multiple services (e.g., Proxmox and a NAS) by adding additional public hostnames.

Highlights

  • No port forwarding or firewall “holes” are needed; the home device initiates an outbound tunnel to Cloudflare.
  • Cloudflare provides HTTPS and certificates per subdomain, even when internal services use self-signed certs.
  • CGNAT and other restrictive home network setups don’t block the approach because it avoids inbound connectivity requirements.

Topics

  • Cloudflare Tunnel
  • Home Network Exposure
  • Zero Trust
  • Proxmox Publishing
  • NAS Access
