
Cloudflare Agent Tunnel

by maverick-software · GitHub ↗ · v1.1.0
cross-platform · ✓ Security Clean · 465 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install cloudflare-agent-tunnel
Description
Give each OpenClaw agent its own secure HTTPS URL using Cloudflare Tunnel (cloudflared). No SSL certificates to manage, no ports to expose publicly. Use when...
README (SKILL.md)

Cloudflare Agent Tunnel

Give each OpenClaw agent a permanent, secure HTTPS URL via Cloudflare Tunnel — no SSL certs, no nginx, no open ports.

How It Works

User → https://koda.yourdomain.com
         ↓ (Cloudflare edge — TLS termination here)
       Cloudflare Tunnel (encrypted)
         ↓
       cloudflared process on VPS
         ↓
       http://localhost:18789  (OpenClaw gateway)

  • Cloudflare handles TLS — no cert management on the server
  • The local port never needs to be open to the internet
  • Each agent gets its own cloudflared process + systemd service

✅ Preferred Method — Named Tunnel (Permanent, Free Cloudflare Account)

Always use this method. Gives a permanent URL tied to your domain. Requires a free Cloudflare account — takes 2 minutes to set up.

Step 1: Install cloudflared

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" \
  | tee /etc/apt/sources.list.d/cloudflared.list
apt-get update -qq && apt-get install -y cloudflared

Step 2: Authenticate — give the user this URL

Run on the VPS:

cloudflared tunnel login

This prints a Cloudflare auth URL. Give that URL to the user — they open it in their browser, log into their Cloudflare account, and click Authorize. This saves /root/.cloudflared/cert.pem on the VPS.

Poll for completion:

# Wait until cert.pem appears (user has authorized)
until [ -f /root/.cloudflared/cert.pem ]; do sleep 3; done && echo "Authorized!"

Step 3: Create the tunnel

cloudflared tunnel create openclaw-koda
# Outputs a UUID — note it
TUNNEL_UUID=$(cloudflared tunnel list --output json | python3 -c \
  "import json,sys; t=[x for x in json.load(sys.stdin) if x['name']=='openclaw-koda']; print(t[0]['id'])")

Step 4: Write tunnel config

mkdir -p /etc/cloudflared
cat > /etc/cloudflared/openclaw-koda.yml << EOF
tunnel: ${TUNNEL_UUID}
credentials-file: /root/.cloudflared/${TUNNEL_UUID}.json

ingress:
  - hostname: koda.yourdomain.com
    service: http://localhost:18789
  - service: http_status:404
EOF

Step 5: Route DNS

cloudflared tunnel route dns openclaw-koda koda.yourdomain.com
# Automatically creates CNAME: koda.yourdomain.com → <UUID>.cfargotunnel.com

The domain must use Cloudflare nameservers. If it doesn't yet, the user transfers DNS management to Cloudflare (free, takes ~5 min).

Step 6: Install as systemd service

cat > /etc/systemd/system/cloudflared-koda.service << 'EOF'
[Unit]
Description=Cloudflare Tunnel — openclaw-koda
After=network.target openclaw.service

[Service]
Type=simple
User=root
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --config /etc/cloudflared/openclaw-koda.yml run
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable cloudflared-koda
systemctl start cloudflared-koda
systemctl is-active cloudflared-koda

Step 7: Update OpenClaw allowedOrigins

"gateway": {
  "controlUi": {
    "allowedOrigins": [
      "http://localhost:18789",
      "https://koda.yourdomain.com"
    ]
  }
}

Then: systemctl restart openclaw-koda

Step 8: Lock down the port

Block direct public access — all traffic must go through the tunnel:

ufw deny 18789
ufw reload
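
To confirm Step 8 took effect, the check below (an added example, not part of the skill's own script) parses `ss -ltnH` output and lists any gateway port still listening on a non-loopback address, and tests that a tunnel credentials file has no group/other access. It generalizes to ports 18789-18791 (one per agent); the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the skill): audit the result of Steps 4-8.
# Function names and sample data are constructed for illustration.

# exposed_listeners PORT... : read `ss -ltnH` output on stdin and print each
# Local Address:Port for those ports that is NOT bound to loopback.
exposed_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      addr = $4                              # ss column 4: Local Address:Port
      port = addr; sub(/.*:/, "", port)      # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (!(port in want)) next
      if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) next
      print addr
    }'
}

# cred_private FILE : succeed only if FILE exists and group/other have
# no permission bits (e.g. /root/.cloudflared/<UUID>.json from Step 4).
cred_private() {
  [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample of `ss -ltnH` output: koda on loopback, alex on all
# IPv4 interfaces, jordan on the IPv6 wildcard, plus an unrelated sshd.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 0.0.0.0:18790 0.0.0.0:*
LISTEN 0 511 [::]:18791 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# audit: run the listener check over the sample. On a real host use:
#   ss -ltnH | exposed_listeners 18789 18790 18791
audit() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners 18789 18790 18791
}

audit
```

Any address printed is a listener that only the firewall rule is protecting. Binding the gateway to 127.0.0.1 is the stronger control, since ports published by Docker bypass ufw rules.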

Quick Tunnel (Fallback Only — Temporary)

⚠️ Use only as a temporary fallback when no domain is available. The URL is random and resets every time the service restarts. Switch to a named tunnel as soon as a domain is ready.

# Start quick tunnel — prints a random https://*.trycloudflare.com URL
cloudflared tunnel --url http://localhost:18789 --no-autoupdate

# Or as a systemd service: use this line in the unit's [Service] section
# (URL logged to /var/log/cloudflared-openclaw.log)
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --url http://localhost:18789

Read the assigned URL:

grep -o 'https://[a-z0-9-]*\.trycloudflare\.com' /var/log/cloudflared-openclaw.log | tail -1

Multi-Agent Setup (One VPS, Multiple Agents)

Each agent = one OpenClaw gateway port + one named tunnel + one systemd service.

Port 18789 → openclaw-koda.service   + cloudflared-koda.service   → koda.yourdomain.com
Port 18790 → openclaw-alex.service   + cloudflared-alex.service   → alex.yourdomain.com
Port 18791 → openclaw-jordan.service + cloudflared-jordan.service → jordan.yourdomain.com

Critical: Do NOT use cloudflared service install for multiple agents — it only supports one tunnel and overwrites the system service. Always write individual systemd service files per agent.


Custom Domains

Key facts:

  • Domain must use Cloudflare nameservers (transfer at your registrar — free)
  • Cloudflare issues and auto-renews TLS certs
  • CNAME records created automatically via cloudflared tunnel route dns
  • Free Cloudflare plan: unlimited tunnels, unlimited bandwidth

See references/custom-domains.md for a full walkthrough.


Managing Tunnels

# Status
systemctl list-units "cloudflared-*" --no-pager

# Logs
journalctl -u cloudflared-koda -f

# List named tunnels
cloudflared tunnel list

# Delete a tunnel
cloudflared tunnel delete openclaw-koda
systemctl disable cloudflared-koda && rm /etc/systemd/system/cloudflared-koda.service
Usage Guidance
This skill appears to do exactly what it says: set up Cloudflare tunnels and persistent systemd services for OpenClaw agents. Before installing, consider: (1) you must run the script as root (it modifies /etc and systemd); (2) cloudflared will store authentication files in /root/.cloudflared — anyone with those files can run that tunnel, so protect them and delete them when decommissioning; (3) the process requires you to authorize Cloudflare via a browser URL — do not share that URL with untrusted parties; (4) the script installs cloudflared from Cloudflare's apt repo (pkg.cloudflare.com), which is expected; (5) after setup, update OpenClaw allowedOrigins and firewall rules as instructed to avoid exposing the service directly. If you are not comfortable granting root-level changes or storing Cloudflare tunnel credentials on this host, do not install; otherwise this skill is coherent and appropriate for the described purpose.
Capability Analysis
Type: OpenClaw Skill
Name: cloudflare-agent-tunnel
Version: 1.1.0

The skill bundle provides a legitimate utility for configuring Cloudflare Tunnels to securely expose OpenClaw agents via HTTPS. The included bash script (scripts/tunnel-setup.sh) and instructions (SKILL.md) automate the installation of the official cloudflared binary, creation of systemd services, and configuration of DNS records. While the script requires root privileges to manage system services and firewall rules (ufw), its actions are transparent, well-documented, and strictly aligned with the stated purpose of network tunneling.
Capability Assessment
Purpose & Capability
Name/description match the included SKILL.md and script: both create cloudflared named or quick tunnels, DNS routing, and systemd services to expose per-agent HTTPS URLs. All requested actions relate to tunnel setup.
Instruction Scope
Instructions and script perform system-level actions (install apt package, write /etc/cloudflared, /etc/systemd/system, edit firewall, read/write /root/.cloudflared). These are necessary for persistent tunnels but require root and access to the machine's service config and Cloudflare credentials. The guidance to hand the cloudflared auth URL to a human for browser auth is expected but should be done only by the machine owner.
Install Mechanism
No hidden downloads; the script installs cloudflared from Cloudflare's official apt repo (pkg.cloudflare.com) via curl to fetch the signing key then apt-get. This is a standard, traceable install method.
Credentials
The skill declares no environment variables or external credentials. It does rely on cloudflared's credential files stored under /root/.cloudflared (created by cloudflared login/create). That is expected and proportional for named tunnels.
Persistence & Privilege
The skill's script and instructions create and enable systemd services and write persistent credential files under /root/.cloudflared. Persistent system changes are required for the stated purpose, but they are high-privilege operations — run only on hosts you control and trust.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cloudflare-agent-tunnel
  3. After installation, invoke the skill by name or use /cloudflare-agent-tunnel
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Prefer named tunnel method — always use cloudflared login + permanent URL. Quick tunnel demoted to fallback-only with clear warning. Added polling pattern for auth URL flow.
v1.0.0
Initial release — per-agent Cloudflare Tunnels for OpenClaw. Covers quick tunnels, named tunnels, multi-agent VPS setup, custom domains, and systemd service management.
Metadata
Slug cloudflare-agent-tunnel
Version 1.1.0
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Cloudflare Agent Tunnel?

Give each OpenClaw agent its own secure HTTPS URL using Cloudflare Tunnel (cloudflared). No SSL certificates to manage, no ports to expose publicly. Use when... It is an AI Agent Skill for Claude Code / OpenClaw, with 465 downloads so far.

How do I install Cloudflare Agent Tunnel?

Run "/install cloudflare-agent-tunnel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudflare Agent Tunnel free?

Yes, Cloudflare Agent Tunnel is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Cloudflare Agent Tunnel support?

Cloudflare Agent Tunnel is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Cloudflare Agent Tunnel?

It is built and maintained by maverick-software (@maverick-software); the current version is v1.1.0.
