How to set up Cloudflare Tunnel on your Umbrel
The Cloudflare Tunnel app lets you set up a secure tunnel to access your Umbrel apps from the Internet through the Cloudflare network. With Tunnel, you do not send traffic to an external IP; instead, a lightweight tunneling daemon (cloudflared) bundled in this app creates outbound-only connections to Cloudflare's global network.
To use the app, you need a Cloudflare account that is already set up, with your domains added.
Only web apps can be exposed. Cloudflare Tunnel only supports HTTP(S) and WebSocket traffic. Other protocols, such as those used by Electrum or Stratum, will not pass through.
⚠ Apps accessible from the Internet attract attackers and bots that will try to break into them. Only expose harmless apps or those with strong internal access control.
- Open the Cloudflare Zero Trust dashboard. On the menu on the left, expand the Networks section and go to the Tunnels page:
- Create a new tunnel by clicking the "Create a tunnel" button:
- Select the "Cloudflared" type
- Enter the name of your tunnel (it will only be shown in the Cloudflare dashboard)
- Click the "Save tunnel" button:
- From your newly created tunnel configuration page on Cloudflare, copy the connector running command. It doesn't matter which environment you select at the top – each command contains the same token.
⚠ Handle this command carefully. It includes a sensitive token that allows the connector to run. Anyone with access to this token will be able to run the tunnel.
- Open the Cloudflare Tunnel Umbrel app dashboard and go to Settings. Paste the copied command into the "Connector token" field and click the "Save & Restart" button:
- Wait for the tunnel to restart. Once it is running, you'll see that there are no routes – we'll add them next.
Go to the tunnel configuration page on Cloudflare and enter the "Public Hostname" tab:
To add a new route, click the "Add a public hostname" button and follow one of the instructions below.
💡 You can add as many routes as you want under the "Public Hostname" tab. No need to run multiple tunnels for this.
If the app you want to expose is not protected by Umbrel authentication (you don't have to enter the Umbrel password to access it), expose it by adding a route from the desired subdomain directly to the app port.
For example, to expose the mempool app on port 3006, fill in the hostname creation form as in the following example:

Here, we've specified the subdomain and the domain to access the app from the Internet. In the service section, we've selected HTTP type and entered the URL under which you visit the app in the local network – in this case it is rp4.local:3006, but your Umbrel's hostname will be different.
If the app you want to expose is protected by Umbrel authentication (you have to enter the Umbrel password to access it), there are two ways to do it:
- Either disable the Umbrel auth for it by adding the `PROXY_AUTH_ADD: "false"` app proxy env option to the app docker-compose file, and then expose the app as an unprotected one;
- Or make a route directly to the app web interface container by finding out its internal hostname and port, as described below.
⚠ Apps accessible from the Internet attract attackers and bots that will try to break into them. If you expose a protected app, make sure it has strong internal access control.
To find out the name of the app web interface container, examine the app's docker-compose file in the Umbrel apps repository. Unlike the first option (disabling the auth), this one doesn't require SSH access to your Umbrel.
For example, let's expose the PhotoPrism app, which not only has its own access control, but is also protected by Umbrel.
- Find the app directory in the Umbrel apps repository. For PhotoPrism it is `photoprism`;
- Under the app directory, open the `docker-compose.yml` file;
- At the top of the file, take a look at the `app_proxy` configuration. We are looking for the `APP_HOST` and `APP_PORT` options:
If the APP_HOST or APP_PORT option holds a variable reference, like ${ELECTRS_APP_PORT}, instead of a value, look for the value in the exports.sh file under the app directory.
So, from the docker-compose file, we've found out that the PhotoPrism web interface is directly accessible at photoprism_web_1:8087. This address only works within the private Umbrel local network, but the tunnel app is also in it, so the address is reachable.
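The lookup described above can be scripted. This is an added example, not code from the original guide or from Umbrel. It reads `APP_HOST` and `APP_PORT` from the `app_proxy` service only, resolves `${...}` references from exports.sh, and reports whether the Umbrel auth is on. The function names are hypothetical, the compose file is assumed to use two-space indentation with a mapping-style `environment`, and `example_app_1` and `12345` are constructed values.

```python
import re

def proxy_env(compose_text):
    """Return services.app_proxy.environment as a dict (2-space indent, mapping form)."""
    env, in_proxy, in_env, env_indent = {}, False, False, 0
    lines = (raw.split(" #")[0].rstrip() for raw in compose_text.splitlines())
    for line in filter(str.strip, lines):
        indent, key = len(line) - len(line.lstrip()), line.strip()
        if indent <= 2:  # top-level key or a service name
            in_proxy, in_env = (indent == 2 and key == "app_proxy:"), False
        elif in_proxy and key == "environment:":
            in_env, env_indent = True, indent
        elif in_env and indent > env_indent and ":" in key:
            name, value = key.split(":", 1)
            env[name.strip()] = value.strip().strip("\"'")
        else:
            in_env = False
    return env

def exports(exports_text):
    """Collect `export NAME="value"` assignments from exports.sh."""
    return dict(re.findall(r'^\s*export\s+(\w+)=["\']?([^"\'\n]*)', exports_text, re.M))

def tunnel_service(compose_text, exports_text=""):
    """Return ("host:port", umbrel_auth); an unresolved ${NAME} raises KeyError."""
    env, variables = proxy_env(compose_text), exports(exports_text)
    expand = lambda v: re.sub(r"\$\{(\w+)\}", lambda m: variables[m[1]], v)
    # Per the page, PROXY_AUTH_ADD: "false" turns the Umbrel auth off for the app.
    umbrel_auth = env.get("PROXY_AUTH_ADD", "true").lower() != "false"
    return f'{expand(env["APP_HOST"])}:{expand(env["APP_PORT"])}', umbrel_auth

# Constructed samples: the PhotoPrism values quoted on this page, then a made-up app.
PHOTOPRISM = """services:
  app_proxy:
    environment:
      APP_HOST: photoprism_web_1
      APP_PORT: 8087
  web:
    environment:
      APP_PORT: 9999  # another service's value, must be ignored
"""
WITH_VAR = """services:
  app_proxy:
    environment:
      APP_HOST: example_app_1
      APP_PORT: ${ELECTRS_APP_PORT}
      PROXY_AUTH_ADD: "false"
"""
WITH_VAR_EXPORTS = 'export ELECTRS_APP_PORT="12345"\n'
```

A result with `umbrel_auth` set to `True` means a route straight to that container leaves the app's own login as the only access control.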
Fill in the Cloudflare public hostname creation form as in the following example:

Here, we've specified the subdomain and the domain to access the app from the Internet. In the service section, we've selected HTTP type and entered the internal app hostname and port – in this case it is photoprism_web_1:8087, but for other apps they will be different.
- Open the Cloudflare Tunnel Umbrel app dashboard and check that your newly added route has appeared:
- Open the route's public endpoint by clicking it and check that your app is accessible: