The `cloudflared tunnel` command is used to manage Cloudflare Tunnels (formerly Argo Tunnels), which provide a secure way to expose local services to the internet through Cloudflare's network without opening inbound firewall ports. It handles the entire lifecycle of a tunnel, including creation, deletion, management, and routing traffic.

```sh
cloudflared tunnel <command> [flags]
```

* `cloudflared tunnel create <tunnel-name>`: Creates a new tunnel. This generates a UUID for the tunnel and a credential file (`<UUID>.json`) in the default `~/.cloudflared` directory, or a specified directory.
* `cloudflared tunnel delete <tunnel-name or UUID>`: Deletes an existing tunnel. This removes the tunnel from Cloudflare's network and locally deletes its credential file.
* `cloudflared tunnel list`: Lists all tunnels associated with your Cloudflare account.
* `cloudflared tunnel run <tunnel-name or UUID>`: Starts the `cloudflared` daemon for a specific tunnel, connecting it to Cloudflare's network. This command requires a configuration file (`config.yaml`) to specify which services to expose.
* `cloudflared tunnel route dns <tunnel-name or UUID> <hostname>`: Creates a DNS record that points to the specified tunnel, making the service accessible via that hostname. If the hostname already exists, it will be updated.
* `cloudflared tunnel route ip add <IP/CIDR>`: Adds an IP route to the tunnel, directing traffic for the specified IP address or CIDR block through the tunnel. Used for private routing.
* `cloudflared tunnel route ip delete <IP/CIDR>`: Deletes an IP route from the tunnel.
* `cloudflared tunnel logout`: Logs out the `cloudflared` client, removing cached credentials.
* `--origincert <path>`: Specify the path to the origin certificate. Default is `~/.cloudflared/cert.pem`.
* `--config <path>`: Specify the path to the configuration file for the tunnel daemon. Default is `~/.cloudflared/config.yaml`.
* `--credentials-file <path>`: Specify the path to the tunnel credentials file. Default is `~/.cloudflared/<UUID>.json`.
* `--metrics <address>`: Expose Prometheus metrics at the specified address.
* `--loglevel <level>`: Set the logging level (e.g., `info`, `warn`, `error`, `debug`).
#### 1. Authenticate `cloudflared`
First, you need to authenticate `cloudflared` with your Cloudflare account. This will open a browser window for login.

```sh
cloudflared tunnel login
```

#### 2. Create a new tunnel
Create a tunnel named `my-web-tunnel`. This will output the tunnel ID and create a credential file like `a1b2c3d4-e5f6-7890-1234-567890abcdef.json`.

```sh
cloudflared tunnel create my-web-tunnel
```

#### 3. Configure the tunnel (config.yaml)
Create a `config.yaml` file (e.g., in `~/.cloudflared/config.yaml`) to define what services the tunnel should expose. Replace the sample UUID and credential file path with your tunnel's actual values.

```yaml
# ~/.cloudflared/config.yaml
tunnel: a1b2c3d4-e5f6-7890-1234-567890abcdef # Your tunnel UUID
credentials-file: /home/user/.cloudflared/a1b2c3d4-e5f6-7890-1234-567890abcdef.json # Path to credential file
ingress:
  - hostname: myapp.example.com
    service: http://localhost:8080
  - service: http_status:404
```

Alternatively, for a simpler setup exposing just one service:

```yaml
# ~/.cloudflared/config.yaml
url: http://localhost:8080
tunnel: a1b2c3d4-e5f6-7890-1234-567890abcdef # Your tunnel UUID
credentials-file: /home/user/.cloudflared/a1b2c3d4-e5f6-7890-1234-567890abcdef.json # Path to credential file
```

#### 4. Route a DNS hostname to the tunnel
Make `myapp.example.com` point to your tunnel. This creates a CNAME record in your Cloudflare DNS settings.

```sh
cloudflared tunnel route dns my-web-tunnel myapp.example.com
```

#### 5. Run the tunnel
Start the `cloudflared` daemon to connect your local service (e.g., `localhost:8080`) to Cloudflare via the tunnel. This command will keep running.

```sh
cloudflared tunnel run my-web-tunnel
```

If you want to run it without a `config.yaml` and directly expose a service:

```sh
cloudflared tunnel --url http://localhost:8080 run my-web-tunnel
```

#### 6. List all tunnels

```sh
cloudflared tunnel list
```

#### 7. Delete a tunnel
Delete the tunnel named `my-web-tunnel`.

```sh
cloudflared tunnel delete my-web-tunnel
```

Cloudflare Tunnels eliminate the need for traditional inbound firewall rules, port forwarding, or VPNs. Instead, `cloudflared` establishes outbound-only connections to Cloudflare's global network. When a request for your configured hostname (e.g., `myapp.example.com`) hits Cloudflare, Cloudflare routes that request securely through the existing tunnel to your `cloudflared` daemon, which then forwards it to your local service (e.g., `localhost:8080`). This creates a secure, private connection from Cloudflare's edge to your origin, enhancing security and simplifying network configuration.
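
A pre-flight check to run between steps 3 and 5, given here as an added example that is not part of the original page or of cloudflared itself. It flags `<UUID>.json` and `cert.pem` files that group or other users can access, and confirms that the `ingress` list ends in a catch-all rule such as `- service: http_status:404`, which cloudflared expects as the last rule. The function names, the owner-only permission policy, and the sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of cloudflared): pre-flight checks before `tunnel run`.

# Print credential/cert files that group or other can access; return 1 if any.
audit_creds() {
  rc=0
  for f in "$1"/*.json "$1"/cert.pem; do
    [ -f "$f" ] || continue
    go=$(ls -ldL "$f" | cut -c5-10)   # group+other part of the mode string
    if [ "$go" != "------" ]; then
      echo "INSECURE: $f is accessible beyond its owner ($go)"
      rc=1
    fi
  done
  return "$rc"
}

# Exit 0 if the last ingress rule has no hostname/path (a catch-all),
# 1 if it has one, 2 if the file has no ingress rules (e.g. the `url:` form).
check_catch_all() {
  awk '
    /^ingress:/                          { in_ing = 1; next }
    in_ing && /^[^ \t#-]/                { in_ing = 0 }   # next top-level key
    in_ing && /^[ \t]*-/                 { rules++; matcher = 0 }
    in_ing && /^[ \t-]*(hostname|path):/ { matcher = 1 }
    END { if (!rules) exit 2; exit matcher }
  ' "$1"
}

# Constructed sample: a world-readable credential file plus the page's config.
make_sample() {
  d=$(mktemp -d)
  echo '{}' > "$d/a1b2c3d4-e5f6-7890-1234-567890abcdef.json"
  chmod 644 "$d"/*.json
  printf '%s\n' 'tunnel: a1b2c3d4-e5f6-7890-1234-567890abcdef' 'ingress:' \
    '  - hostname: myapp.example.com' '    service: http://localhost:8080' \
    '  - service: http_status:404' > "$d/config.yaml"
  echo "$d"
}

sample=$(make_sample)
audit_creds "$sample" || echo "-> run: chmod 600 on the files listed above"
check_catch_all "$sample/config.yaml" && echo "OK: ingress ends in a catch-all"
rm -rf "$sample"
```

To check a real installation, call `audit_creds ~/.cloudflared` and `check_catch_all ~/.cloudflared/config.yaml` instead of the sample directory.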