Without a public IP, if you want to access your home server from the internet, you used to have only two options: either buy a VPS and file for ICP备案, or use穿透 tools like FRP or Ngrok. The former costs money and requires paperwork; the latter is either paid or unstable.
Recently I discovered an official do-gooder feature from Cloudflare — Cloudflare Tunnel. It’s free, comes with built-in HTTPS, requires no ICP filing, and directly exposes your intranet services to the public internet. I’ve tested it personally, and the speed is surprisingly decent.
Why Public IPs Are So Hard to Get
Let’s start with some background.
For home broadband in China, public IPv4 addresses have long been a scarce resource. ISPs basically assign private NAT addresses by default. Want to apply for a public IP? Some regions simply say no, some require you to sweet-talk customer service, and some might revoke it after a while.
IPv6 is indeed widespread now, with addresses to spare. But the problem is — many network environments don’t fully support IPv6 yet. If the client side doesn’t have IPv6, they still can’t connect.
So if you want to build a publicly accessible service, the traditional paths are:
- Buy a VPS: Alibaba Cloud, Tencent Cloud, Huawei Cloud… prices range from a few dozen to a few hundred RMB per year. But domestic servers must be filed for ICP备案. The process isn’t complicated, but it is tedious, taking anywhere from a few days to a week or two.
- Use穿透 tools: FRP (self-hosted), Ngrok, Peanut Shell… either you need a server with a public IP to relay, or you use third-party paid services with limited free tiers.
Cloudflare Tunnel basically made this path free.
What Is Cloudflare Tunnel
In simple terms, Cloudflare Tunnel is an official reverse tunneling tool from Cloudflare. It runs a lightweight client (called cloudflared) on your intranet server. This client actively connects outward to Cloudflare’s edge network, establishing an encrypted tunnel.
When external users access your service, their requests first hit Cloudflare’s edge nodes, then get forwarded through this tunnel to your intranet server. Your server needs no public IP, no open firewall ports, not even router configuration.
Even better, Cloudflare automatically assigns you a subdomain (under your bound domain) and includes an HTTPS certificate. So as long as you have a domain on Cloudflare (even a free .workers.dev domain or your own), configure the Tunnel, and outsiders can access your intranet HTTP service via https://xxx.yourdomain.com.
Step-by-Step Guide
Here’s the actual process I followed.
Prerequisites
- A Cloudflare account
- A domain managed on Cloudflare (you can register a cheap one, or change your existing domain’s NS to Cloudflare)
- An intranet server (in my case, the Ubuntu 22.04 box running the Hugo blog)
Step 1: Create a Tunnel
Log in to the Cloudflare dashboard → find “Zero Trust” in the left menu (formerly Teams) → click “Networks” → “Tunnels” → click “Create a tunnel”.
Select the Cloudflared type, name your tunnel something like home-server.
Step 2: Install cloudflared
After creation, the page will prompt you to install cloudflared on your server and run a command. The system auto-recommends installation based on your environment. For Ubuntu/Debian it’s usually:
| |
After running, cloudflared runs as a system service in the background, automatically connecting to Cloudflare.
Back in the dashboard, you’ll see the tunnel status change to “Healthy”, with uptime displayed.
Step 3: Configure Routes
The tunnel is up, but you still need to tell Cloudflare: which domain points to which intranet service.
On the tunnel details page, click “Public Hostname” → “Add a public hostname”:
- Subdomain: e.g.,
blog(final address will beblog.yourdomain.com) - Domain: select your domain on Cloudflare
- Type: HTTP
- URL:
http://localhost:80(pointing to local Nginx, i.e., our Hugo blog)
Save. Wait a few seconds, open https://blog.yourdomain.com, and you should see your intranet blog.
Personal Testing Experience
I tested this on my home broadband (China Telecom 300M, no public IPv4) for a few days. Here’s the rundown:
| Metric | Experience |
|---|---|
| Access speed | First paint 2-4s, static assets load normally, smooth browsing |
| Stability | Ran continuously for 48h without dropout, cloudflared auto-restarts |
| HTTPS | Auto certificate, zero manual config, full marks |
| Latency | Depends on Cloudflare edge node; China traffic usually routes through Hong Kong or Singapore nodes, 150-300ms |
| Bandwidth | Cloudflare free tier has no traffic limit (fair use policy), more than enough for personal blogs |
Summary: For personal blogs, small service demos, and remote debugging, it’s perfectly adequate. For high concurrency or video streaming, the free tier might not hold up — but that’s another story.
Limitations and Notes
- Domain must be on Cloudflare: Either registered there or with DNS hosted there. This is a hard requirement.
- Free tier has limited features: Custom ports, finer access controls, etc., require paid upgrades.
- Slower than direct connection: Traffic goes through Cloudflare relay, so it’s slower than direct public IP access. But it’s free and stable.
- HTTP forwarding limits: If the target URL is
localhost, cloudflared must run on the same machine. For other devices on the LAN, use the internal IP, e.g.,http://192.168.1.100:80.
Conclusion
Cloudflare Tunnel is a very practical free intranet penetration solution, especially suitable for:
- Home broadband users without public IPs
- Lightweight needs that want to avoid ICP filing and VPS costs
- Quickly exposing intranet services for testing or demoing
Simple to configure, built-in HTTPS, unlimited traffic, and it’s free. Cloudflare is truly a do-gooder, hahaha.
If you also have intranet services you want to expose, give it a try. Feel free to reach out if you have questions.