qoohsuan

Cloudflare Tunnel Manager

by Qoohsuan · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
Downloads: 252 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install cloudflare-tunnel-manager
Description
Create and manage secure Cloudflare Tunnels using cloudflared. Expose local services to the internet safely, configure DNS routing, set up zero-trust access...
README (SKILL.md)

Cloudflare Tunnel

Create secure tunnels to expose local services through Cloudflare's network without opening inbound firewall ports. Supports HTTP/HTTPS services, TCP tunnels, and zero-trust access controls.

Prerequisites

  • Cloudflare account with a domain
  • cloudflared CLI installed
  • Domain DNS managed by Cloudflare
  • Local services running (web servers, APIs, etc.)

Installation

macOS (Homebrew)

brew install cloudflare/cloudflare/cloudflared

Linux

# Download latest release
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared

Windows

# Using winget
winget install --id Cloudflare.cloudflared

# Or download from GitHub releases

Usage

Authentication

Log in to Cloudflare:

# Login (opens browser for OAuth)
cloudflared tunnel login

# Verify authentication
cloudflared tunnel list

Basic Tunnel Setup

Create and run a tunnel:

# Create named tunnel
cloudflared tunnel create mytunnel

# Run tunnel for HTTP service
cloudflared tunnel --url http://localhost:3000

# Run tunnel with custom hostname
cloudflared tunnel --url http://localhost:3000 --hostname app.yourdomain.com

# Quick temporary tunnel (random subdomain)
cloudflared tunnel --url http://localhost:8080

Persistent Tunnel Configuration

Create tunnel and configure DNS:

# Create tunnel
cloudflared tunnel create production-app
# Note the tunnel ID from output

# Create DNS record
cloudflared tunnel route dns production-app app.yourdomain.com

# Create config file
mkdir -p ~/.cloudflared

Configuration file (~/.cloudflared/config.yml):

tunnel: production-app
credentials-file: /Users/username/.cloudflared/TUNNEL_ID.json

ingress:
  # Main app
  - hostname: app.yourdomain.com
    service: http://localhost:3000
  
  # API service
  - hostname: api.yourdomain.com
    service: http://localhost:4000
    
  # Static files
  - hostname: static.yourdomain.com
    service: http://localhost:8080
    
  # WebSocket service
  - hostname: ws.yourdomain.com
    service: ws://localhost:5000
    
  # SSH access (requires Cloudflare for Teams)
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
    
  # Default rule (required)
  - service: http_status:404

Run configured tunnel:

# Run with config file
cloudflared tunnel run production-app

# Run in background
cloudflared tunnel run production-app &

# Check tunnel status
cloudflared tunnel info production-app

Advanced Configuration

Multiple services configuration:

tunnel: multi-service-tunnel
credentials-file: /Users/username/.cloudflared/TUNNEL_ID.json

ingress:
  # Main website
  - hostname: yourdomain.com
    service: http://localhost:3000
    
  # Admin panel (noTLSVerify only affects https:// origins and adds no authentication)
  - hostname: admin.yourdomain.com
    service: http://localhost:3001
    originRequest:
      noTLSVerify: true
      
  # Development API
  - hostname: dev-api.yourdomain.com
    service: http://localhost:4000
    originRequest:
      httpHostHeader: localhost:4000
      
  # Jump host (bastionMode makes cloudflared act as a bastion; it does not load-balance)
  - hostname: lb.yourdomain.com
    service: http://localhost:3000
    originRequest:
      bastionMode: true
      
  # File server with custom headers
  - hostname: files.yourdomain.com
    service: http://localhost:8000
    originRequest:
      httpHostHeader: files.local
      originServerName: files.local
      
  # Default catch-all
  - service: http_status:404

Advanced origin request options:

originRequest:
  # Disable TLS verification (for self-signed certs); the origin's identity is then unchecked
  noTLSVerify: true
  
  # Override the HTTP Host header sent to the origin
  httpHostHeader: internal.service.local
  
  # Connection timeout
  connectTimeout: 30s
  
  # Keep alive settings
  keepAliveConnections: 100
  keepAliveTimeout: 90s
  
  # Listen address and port of cloudflared's local proxy (used for TCP services such as SSH)
  proxyAddress: 127.0.0.1
  proxyPort: 8080
  
  # Bastion mode for kubectl/ssh
  bastionMode: true
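
Several of the options above remove checks the tunnel otherwise provides, so it is worth scanning a config for them before it is deployed. The following is an added example, not part of the original skill or of cloudflared: `audit_ingress` is a hypothetical helper, the sample config and its `example.com` hostnames are constructed, and the parser assumes the one-key-per-line YAML layout used on this page.

```shell
#!/usr/bin/env bash
# audit_ingress (hypothetical helper): prints findings, returns 1 on any WARN.
audit_ingress() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^ingress:/    { in_ingress = 1; next }
    /^[^ \t-]/     { in_ingress = 0 }            # another top-level key ends the list
    in_ingress && /^[ \t]*-[ \t]/ {              # "- key: value" opens a new rule
      rules++; host = ""
      sub(/^[ \t]*-[ \t]*/, "")
    }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1); val = substr(line, i + 1)
      sub(/[ \t]+#.*$/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      where = in_ingress ? (host == "" ? "catch-all" : host) : "global"
    }
    key == "hostname" { host = val; next }
    key == "noTLSVerify" && val == "true" {
      print "WARN " where ": noTLSVerify disables origin certificate checks"; bad = 1 }
    key == "bastionMode" && val == "true" {
      print "WARN " where ": bastionMode turns the connector into a jump host"; bad = 1 }
    key == "service" && val ~ /^(ssh|rdp|tcp):/ {
      print "REVIEW " where ": " val " should sit behind an Access policy" }
    END {
      if (rules == 0 || host != "") {            # last rule must have no hostname
        print "WARN ingress: last rule is not a catch-all"; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample config (hostnames are placeholders)
sample=$(mktemp)
cat > "$sample" <<'EOF'
tunnel: demo
ingress:
  - hostname: admin.example.com
    service: https://localhost:3001
    originRequest:
      noTLSVerify: true   # self-signed origin
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: app.example.com
    service: http://localhost:3000
EOF
audit_ingress "$sample" || echo "config needs attention"
```
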

Service Management

Tunnel management commands:

# List all tunnels
cloudflared tunnel list

# Get tunnel info
cloudflared tunnel info TUNNEL_NAME

# Delete tunnel
cloudflared tunnel delete TUNNEL_NAME

# Clean up stale connections for a tunnel
cloudflared tunnel cleanup TUNNEL_NAME

# Route an additional hostname to the tunnel
cloudflared tunnel route dns TUNNEL_NAME new-subdomain.yourdomain.com

DNS management:

# Add DNS route
cloudflared tunnel route dns mytunnel app.yourdomain.com

# List DNS routes
cloudflared tunnel route list

# Delete DNS route
cloudflared tunnel route delete ROUTE_ID

Zero Trust Access Control

Access policy configuration (via Cloudflare Dashboard):

  1. Go to Cloudflare Zero Trust → Access → Applications

  2. Add application:

    • Application type: Self-hosted
    • App domain: admin.yourdomain.com
    • Policy name: Admin Access
  3. Create access policy:

    • Allow/Block/Bypass
    • Include: Email domain contains @yourcompany.com
    • Require: Country is in Taiwan

Service authentication token:

# Create service token for API access
# (Done via Cloudflare Dashboard → Zero Trust → Access → Service Tokens)

# Use service token in requests
curl -H "CF-Access-Client-Id: TOKEN_ID" \
     -H "CF-Access-Client-Secret: TOKEN_SECRET" \
     https://api.yourdomain.com/data

System Service Setup

Linux systemd service:

# /etc/systemd/system/cloudflared-tunnel.service
[Unit]
Description=Cloudflare Tunnel
After=network.target

[Service]
Type=simple
User=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel run production-app
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

# Enable and start service
sudo systemctl enable cloudflared-tunnel
sudo systemctl start cloudflared-tunnel
sudo systemctl status cloudflared-tunnel

macOS LaunchAgent:

<?xml version="1.0" encoding="UTF-8"?>
<!-- ~/Library/LaunchAgents/com.cloudflare.tunnel.plist -->
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.cloudflare.tunnel</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/cloudflared</string>
        <string>tunnel</string>
        <string>run</string>
        <string>production-app</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

# Load and start LaunchAgent
launchctl load ~/Library/LaunchAgents/com.cloudflare.tunnel.plist
launchctl start com.cloudflare.tunnel

Monitoring and Troubleshooting

Health checking:

# Check the local origin directly (this request does not go through the tunnel)
curl -H "Host: yourdomain.com" http://localhost:3000

# Test external access
curl https://yourdomain.com

# Check tunnel logs
cloudflared tunnel --loglevel debug run production-app

# Monitor metrics (if enabled)
curl http://localhost:2000/metrics

Common troubleshooting:

# Check tunnel status
cloudflared tunnel info production-app

# Validate config file
cloudflared tunnel ingress validate

# Test ingress rules
cloudflared tunnel ingress rule https://app.yourdomain.com

# Debug connection
cloudflared tunnel --loglevel debug run production-app

Production Example Setup

Complete production deployment:

#!/bin/bash
# setup-cloudflare-tunnel.sh
# Stop on the first failed command or unset variable
set -euo pipefail

TUNNEL_NAME="propower-production"
DOMAIN="api.pro-power.cc"

echo "Setting up Cloudflare Tunnel: $TUNNEL_NAME"

# Create tunnel
cloudflared tunnel create "$TUNNEL_NAME"

# Get tunnel ID (match the NAME column exactly, not a substring)
TUNNEL_ID=$(cloudflared tunnel list | awk -v name="$TUNNEL_NAME" '$2 == name {print $1}')
[ -n "$TUNNEL_ID" ] || { echo "Tunnel ID not found for $TUNNEL_NAME" >&2; exit 1; }

# Create DNS records
cloudflared tunnel route dns "$TUNNEL_NAME" "$DOMAIN"
cloudflared tunnel route dns "$TUNNEL_NAME" "api.$DOMAIN"

# Create config file
mkdir -p ~/.cloudflared
cat > ~/.cloudflared/config.yml << EOF
tunnel: $TUNNEL_NAME
credentials-file: $HOME/.cloudflared/$TUNNEL_ID.json

ingress:
  - hostname: $DOMAIN
    service: http://localhost:3000
  - hostname: api.$DOMAIN
    service: http://localhost:4000
  - service: http_status:404

metrics: localhost:2000
EOF

echo "Configuration created. Start tunnel with:"
echo "cloudflared tunnel run $TUNNEL_NAME"

Backup and Migration

Backup tunnel configuration:

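# Backup credentials and config (the JSON files are secrets; keep the backup directory private)
mkdir -p ~/backup && chmod 700 ~/backup
cp ~/.cloudflared/*.json ~/backup/
cp ~/.cloudflared/config.yml ~/backup/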

# Export tunnel list
cloudflared tunnel list > ~/backup/tunnel-list.txt

Migration to new server:

# Copy credentials to new server
scp ~/.cloudflared/*.json user@newserver:~/.cloudflared/
scp ~/.cloudflared/config.yml user@newserver:~/.cloudflared/

# Validate the copied config on the new server
ssh user@newserver "cloudflared tunnel ingress validate"
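
The credentials JSON is the secret that lets a host run the tunnel, so the copies made in the backup and migration steps above should stay readable by their owner only. An added example (not from the original skill or from cloudflared): `loose_creds` and `backup_creds` are hypothetical helpers, and the demo credentials file is constructed.

```shell
#!/usr/bin/env bash
# Hypothetical helpers for the backup step; not part of cloudflared.

# List credential files in directory $1 that group or others can access.
loose_creds() {
  find "$1" -maxdepth 1 -type f -name '*.json' \
    \( -perm -040 -o -perm -020 -o -perm -010 \
       -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Copy credentials and config from $1 to $2 so that the copies are owner-only.
backup_creds() {
  src=$1; dst=$2
  ( umask 077                          # new files and dirs get no group/other bits
    mkdir -p "$dst" && chmod 700 "$dst" || exit 1
    for f in "$src"/*.json "$src"/config.yml; do
      [ -f "$f" ] && cp "$f" "$dst"/
    done
    [ -z "$(loose_creds "$dst")" ] )   # fail if any copy is still exposed
}

# Constructed demo: a fake credentials file created with a permissive mode
demo=$(mktemp -d)
mkdir "$demo/src"
echo '{"TunnelID":"constructed-not-real"}' > "$demo/src/TUNNEL_ID.json"
chmod 644 "$demo/src/TUNNEL_ID.json"
loose_creds "$demo/src"                # reports the 644 file
backup_creds "$demo/src" "$demo/backup" && echo "backup is owner-only"
```
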

This skill enables secure, firewall-friendly exposure of local services through Cloudflare's global network with built-in DDoS protection and zero-trust access controls.

Usage Guidance
This skill is a how-to for cloudflared and appears internally consistent. Before using it: install cloudflared from Cloudflare's official releases (verify checksums), protect the credentials JSON files and service tokens it references, avoid enabling insecure options (e.g., noTLSVerify) unless you understand the risk, and review the full systemd/unit examples before installing them. Because the skill is instruction-only, it does not itself install or run code — but following its commands will run cloudflared and interact with your Cloudflare account, so proceed only if you trust the instructions and your Cloudflare account security.
Capability Analysis
Type: OpenClaw Skill · Name: cloudflare-tunnel-manager · Version: 1.0.0
The skill provides comprehensive documentation and command-line examples for managing Cloudflare Tunnels using the official 'cloudflared' utility. It includes legitimate installation procedures from GitHub, configuration templates for various services (HTTP, SSH, WebSockets), and persistence setup via systemd and macOS LaunchAgents. No evidence of data exfiltration, malicious execution, or prompt injection was found; the content is entirely consistent with its stated purpose of network management.
Capability Assessment
Purpose & Capability
The name/description (Cloudflare Tunnel Manager) match the SKILL.md: it documents installing cloudflared, creating tunnels, DNS routing, Zero Trust policies, and systemd setup. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are focused on cloudflared usage and Cloudflare account resources. A few options (noTLSVerify, proxyAddress, bastionMode) can weaken security if misused; the skill documents creating service tokens and storing credentials files (expected). The systemd snippet is appropriate for running a tunnel, but the user should inspect the full unit file (SKILL.md was truncated in the listing).
Install Mechanism
No install spec is bundled with the skill (instruction-only). The Linux install recommends downloading from the project's GitHub Releases, and macOS/Windows use Homebrew/winget — these are standard distribution channels. As always, verify the binary and checksums from Cloudflare's official sources before installing.
Credentials
The skill does not request environment variables, secrets, or unrelated credentials. It shows how to obtain and use Cloudflare service tokens and tunnel credential files, which is proportionate to the task.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not attempt to modify other skills or system-wide agent configuration. The provided systemd instructions are standard for running the tunnel as a service.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cloudflare-tunnel-manager
  3. After installation, invoke the skill by name or use /cloudflare-tunnel-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Cloudflare Tunnel setup and management
Metadata
Slug cloudflare-tunnel-manager
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Cloudflare Tunnel Manager?

Create and manage secure Cloudflare Tunnels using cloudflared. Expose local services to the internet safely, configure DNS routing, set up zero-trust access... It is an AI Agent Skill for Claude Code / OpenClaw, with 252 downloads so far.

How do I install Cloudflare Tunnel Manager?

Run "/install cloudflare-tunnel-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudflare Tunnel Manager free?

Yes, Cloudflare Tunnel Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Cloudflare Tunnel Manager support?

Cloudflare Tunnel Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Cloudflare Tunnel Manager?

It is built and maintained by Qoohsuan (@qoohsuan); the current version is v1.0.0.
