Cloudflare Tunnel Setup
Expose your DevPanel services to the internet through a Cloudflare Tunnel — no open inbound ports, no static IP required.
Before you start
- ·A Cloudflare account with a domain added
- ·DevPanel installed and running
- ·A service deployed that you want to expose publicly
Part 1 — Get a Cloudflare API Token
DevPanel needs an API token to create DNS records and manage tunnels on your behalf. Create one with the minimum required permissions.
Log in to Cloudflare
Go to dash.cloudflare.com and sign in to your account.
Open API Tokens
Navigate to My Profile → API Tokens (top-right avatar menu), then click "API Tokens" in the sidebar.
Click "Create Token" → "Create Custom Token"
On the API Tokens page, click "Create Token". Scroll to the bottom and choose "Create Custom Token", then click "Get started".
Add the required permissions
Add all four permission rows below exactly as shown:
| Scope | Resource | Access |
|---|---|---|
| Account | Account Settings | Read |
| Account | Cloudflare Tunnel | Edit |
| Zone | Zone | Read |
| Zone | DNS | Edit |
Click "Continue to summary" → "Create Token"
Review the summary, then click Create Token. Copy the token immediately — it is shown only once.
Save your token now
Cloudflare displays the token value only once after creation. Copy it to a safe place before leaving the page. If you lose it, you will need to create a new one.
Part 2 — Create a Cloudflare Tunnel
Tunnels let your services be reached from the internet without opening any inbound firewall ports.
Log in to the Zero Trust Dashboard
Go to one.dash.cloudflare.com and select your account. In the sidebar, click "Zero Trust".
Select your account
If prompted, choose the account that owns the domain you want to use.
Navigate to "Networks" → "Tunnels"
In the Zero Trust sidebar, expand "Networks" and click "Tunnels".
Click "Create a Tunnel"
On the Tunnels list page, click the blue "Create a tunnel" button.
Select "Cloudflared" and click "Next"
Choose the "Cloudflared" connector type (the default). Click "Next" to continue.
Name your tunnel and save
Give the tunnel a descriptive name — e.g. "devpanel-prod" or "my-server". Click "Save tunnel".
Copy the tunnel token
After saving, Cloudflare shows a connector install command containing your tunnel token. Copy the token value (the long string after --token). You will paste it into DevPanel next.
Part 3 — Connect the Tunnel in DevPanel
Add your Cloudflare API token
Open DevPanel → Settings → Cloudflare. Paste the API token from Part 1 and click "Save". DevPanel validates the token and loads your zones.
Open the service you want to expose
Navigate to your project, open the service, and go to the "Domains" tab.
Add a domain and select your tunnel
Click "Add Domain". Enter the subdomain (e.g. app.example.com), select your Cloudflare zone, and choose the tunnel you created in Part 2. Set the local service port.
Save and verify
DevPanel creates the DNS CNAME record pointing to your tunnel and configures the route. Your service is now accessible publicly — without any open ports on your server.
How it works
No inbound ports
The cloudflared connector on your server makes an outbound connection to Cloudflare. Your firewall needs no inbound rules for ports 80/443.
DNS CNAME record
DevPanel creates a CNAME record (e.g. app.example.com → <tunnel-id>.cfargotunnel.com) via the Cloudflare API automatically.
TLS handled by Cloudflare
Cloudflare terminates TLS at the edge. Traffic between the tunnel and your server travels over an encrypted tunnel — no Let's Encrypt certificate needed.
Works behind NAT
Because the connection is outbound, tunnels work on home networks, private VPCs, or any server without a public IP.