Cloudflare Docs
Cloudflare Zero Trust
Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)
  1. Products
  2. Cloudflare Zero Trust
  3. ...
  4. ...
  5. Configure a tunnel
  6. Remotely-managed tunnel

Configure a remotely-managed tunnel

If you created a Cloudflare Tunnel from the dashboard, the tunnel runs as a service on your OS.

​​ Add tunnel run parameters

You can modify the Cloudflare Tunnel service with one or more general-purpose tunnel parameters.

On Linux, Cloudflare Tunnel installs itself as a system service using systemctl. By default, the service will be named cloudflared.service. To configure your tunnel on Linux:

  1. Open cloudflared.service.

    $ sudo systemctl edit --full cloudflared.service

  2. Modify the cloudflared tunnel run command with the desired configuration flag. For example,

    [Unit]
    Description=Cloudflare Tunnel
    After=network.target
    

    [Service]
    TimeoutStartSec=0
    Type=notify
    ExecStart=/usr/local/bin/cloudflared tunnel --loglevel debug --logfile <PATH> run --token <TOKEN VALUE>
    Restart=on-failure
    RestartSec=5s

On macOS, Cloudflare Tunnel installs itself as a launch agent using launchctl. By default, the agent will be called com.cloudflare.cloudflared. To configure your tunnel on macOS:

  1. Stop the cloudflared service.

    $ sudo launchctl stop com.cloudflare.cloudflared

  2. Unload the configuration file.

    $ sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist

  3. Open /Library/LaunchDaemons/com.cloudflare.cloudflared.plist in a text editor.

  4. Modify the ProgramArguments key with the desired configuration flag. For example,

    <plist version="1.0">
        <dict>
            <key>Label</key>
            <string>com.cloudflare.cloudflared</string>
            <key>ProgramArguments</key>
            <array>
                <string>/opt/homebrew/bin/cloudflared</string>
                <string>tunnel</string>
                <string>--logfile</string>
                <string><PATH></string>
                <string>--loglevel</string>
                <string>debug</string>
                <string>run</string>
                <string>--token</string>
                <string><TOKEN VALUE> </string>
            </array>

  5. Load the updated configuration file.

    $ sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist

  6. Start the cloudflared service.

    $ sudo launchctl start com.cloudflare.cloudflared

On Windows, Cloudflare Tunnel installs itself as a system service using the Registry Editor. By default, the service will be named cloudflared. To configure your tunnel on Windows:

  1. Open the Registry Editor.

  2. Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > cloudflared.

  3. Double-click ImagePath.

  4. Modify Value data with the desired configuration flag. For example,

    C:\Program Files (x86)\cloudflared\.\cloudflared.exe tunnel --loglevel debug --logfile <PATH> run --token <TOKEN VALUE>

Modify cloudflared service in the Registry Editor

​​ Update origin configuration

To configure how cloudflared sends requests to your public hostname services:

  1. In Zero Trust, go to Networks > Tunnels.
  2. Choose a tunnel and select Configure.
  3. Select the Public Hostname tab.
  4. Choose a route and select Edit.
  5. Under Additional application settings, modify one or more origin configuration parameters.
  6. Select Save hostname.

​​ Tunnel permissions

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. You can get a tunnel’s token from the dashboard or via the API.

Account members with Cloudflare Access and DNS permissions will be able to create, delete, and configure all tunnels for the account.