Start small: run a one-off tunnel to a test website. Then graduate to a named tunnel with a custom domain and persistent Windows service. You’ll never mess with port forwarding again. Cloudflared is maintained by Cloudflare, Inc. This guide is unofficial but follows best practices as of 2025.
Enter and its Windows executable: cloudflared-windows-amd64.exe . This tool creates secure, outbound-only tunnels from your Windows PC to Cloudflare’s global edge network. No open firewall ports. No static IP required. Just fast, encrypted access from anywhere.
cloudflared.exe tunnel run my-first-tunnel Your local service is now live at https://myapp.yourdomain.com . For persistent operation (reboots, logoffs), install Cloudflared as a Windows service.
cloudflared.exe tunnel login A browser window will open. Log in to your Cloudflare account and select the domain you want to use. This generates a cert.pem file in %USERPROFILE%\.cloudflared\ . That certificate is your global API credential—keep it safe. Tunnels are persistent connections with their own configuration. Let’s create one. cloudflared-windows-amd64.exe
If you run a web server on your Windows machine—whether for development, home automation, or a personal website—you know that exposing it to the internet can be risky. Port forwarding is messy, dynamic DNS is a hassle, and your ISP might block incoming traffic altogether.
cloudflared.exe tunnel --url http://localhost:3000 Cloudflare gives you a random https://random-name.trycloudflare.com URL. This uses Cloudflare’s Quick Tunnels feature—no authentication, no config. “Access is denied” – Run Command Prompt or PowerShell as Administrator when installing the service or writing to Program Files .
cloudflared.exe tunnel route dns my-first-tunnel myapp.yourdomain.com This creates a DNS record at Cloudflare pointing to the tunnel. Create a configuration file config.yml in %USERPROFILE%\.cloudflared\ : Start small: run a one-off tunnel to a test website
For TCP services, you must also set up Cloudflare Access (or use cloudflared access tcp on the client side). For temporary sharing (e.g., a demo), you don’t even need a domain. Run:
– Ensure outbound TCP port 443 (HTTPS) and UDP 443 are allowed for cloudflared.exe . 10. Updating Cloudflared Cloudflared updates frequently. To update manually:
net start cloudflared Or use the Services GUI ( services.msc ). The service automatically runs at boot. | Local Service | Example URL | Config service line | |------------------------|--------------------------------------|--------------------------------------| | IIS (default website) | http://localhost:80 | service: http://localhost:80 | | Node.js dev server | http://localhost:3000 | service: http://localhost:3000 | | Jellyfin / Plex | http://localhost:8096 | service: http://localhost:8096 | | SMB / RDP (via Access) | tcp://localhost:3389 | service: tcp://localhost:3389 | | SSH | tcp://localhost:22 | service: tcp://localhost:22 | Cloudflared is maintained by Cloudflare, Inc
cloudflared.exe service install This creates a service named “Cloudflare Tunnel Agent”. Start it:
– Cloudflared does not listen on ports locally (it connects outbound). The error may be your local web server.
– Add cloudflared.exe as an exception in Windows Defender or your third-party AV.