
Cloudflare Agent Tunnel

Author: maverick-software · v1.1.0
cross-platform ✓ Security check passed
Total downloads: 465
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install cloudflare-agent-tunnel
Description
Give each OpenClaw agent its own secure HTTPS URL using Cloudflare Tunnel (cloudflared). No SSL certificates to manage, no ports to expose publicly. Use when...
Usage instructions (SKILL.md)

Cloudflare Agent Tunnel

Give each OpenClaw agent a permanent, secure HTTPS URL via Cloudflare Tunnel — no SSL certs, no nginx, no open ports.

How It Works

User → https://koda.yourdomain.com
         ↓ (Cloudflare edge — TLS termination here)
       Cloudflare Tunnel (encrypted)
         ↓
       cloudflared process on VPS
         ↓
       http://localhost:18789  (OpenClaw gateway)

  • Cloudflare handles TLS — no cert management on the server
  • The local port never needs to be open to the internet
  • Each agent gets its own cloudflared process + systemd service

✅ Preferred Method — Named Tunnel (Permanent, Free Cloudflare Account)

Always use this method. Gives a permanent URL tied to your domain. Requires a free Cloudflare account — takes 2 minutes to set up.

Step 1: Install cloudflared

curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" \
  | tee /etc/apt/sources.list.d/cloudflared.list
apt-get update -qq && apt-get install -y cloudflared

Step 2: Authenticate — give the user this URL

Run on the VPS:

cloudflared tunnel login

This prints a Cloudflare auth URL. Give that URL to the user — they open it in their browser, log into their Cloudflare account, and click Authorize. This saves /root/.cloudflared/cert.pem on the VPS.

Poll for completion:

# Wait until cert.pem appears (user has authorized)
until [ -f /root/.cloudflared/cert.pem ]; do sleep 3; done && echo "Authorized!"

Step 3: Create the tunnel

cloudflared tunnel create openclaw-koda
# Outputs a UUID — note it
TUNNEL_UUID=$(cloudflared tunnel list --output json | python3 -c \
  "import json,sys; t=[x for x in json.load(sys.stdin) if x['name']=='openclaw-koda']; print(t[0]['id'])")

Step 4: Write tunnel config

mkdir -p /etc/cloudflared
cat > /etc/cloudflared/openclaw-koda.yml << EOF
tunnel: ${TUNNEL_UUID}
credentials-file: /root/.cloudflared/${TUNNEL_UUID}.json

ingress:
  - hostname: koda.yourdomain.com
    service: http://localhost:18789
  - service: http_status:404
EOF

Step 5: Route DNS

cloudflared tunnel route dns openclaw-koda koda.yourdomain.com
# Automatically creates CNAME: koda.yourdomain.com → <UUID>.cfargotunnel.com

The domain must use Cloudflare nameservers. If it doesn't yet, the user transfers DNS management to Cloudflare (free, takes ~5 min).

Step 6: Install as systemd service

cat > /etc/systemd/system/cloudflared-koda.service << 'EOF'
[Unit]
Description=Cloudflare Tunnel — openclaw-koda
After=network.target openclaw.service

[Service]
Type=simple
User=root
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --config /etc/cloudflared/openclaw-koda.yml run
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable cloudflared-koda
systemctl start cloudflared-koda
systemctl is-active cloudflared-koda

Step 7: Update OpenClaw allowedOrigins

"gateway": {
  "controlUi": {
    "allowedOrigins": [
      "http://localhost:18789",
      "https://koda.yourdomain.com"
    ]
  }
}

Then: systemctl restart openclaw-koda

Step 8: Lock down the port

Block direct public access — all traffic must go through the tunnel:

ufw deny 18789
ufw reload
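
A check to run after the lock-down, added here as an example (not part of the skill's own script): it reads `ss -ltnH` output and lists any agent port bound to a non-loopback address, which would then be protected only by the ufw rule. The function names and the sample socket lines are constructed for illustration.

```sh
# Added example: flag agent gateway ports that listen on non-loopback addresses.
# Input on stdin: output of `ss -ltnH` (listening TCP sockets, numeric, no header).

# Prints one "port address" line per listener on the given ports that is not
# bound to loopback (127.0.0.0/8 or ::1). No output means tunnel-only exposure.
exposed_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      local_addr = $4                      # e.g. 127.0.0.1:18789, [::]:18790, *:18791
      port = local_addr; sub(/.*:/, "", port)
      addr = local_addr; sub(/:[^:]*$/, "", addr)
      sub(/%.*/, "", addr)                 # drop an interface scope such as %lo
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "[::1]") next
      print port, addr
    }'
}

# Constructed sample (not captured from a real host): koda is loopback-only,
# alex listens on every IPv4 address, jordan on every IPv6 address.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 0.0.0.0:18790 0.0.0.0:*
LISTEN 0 511 [::]:18791 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

check_sample() { printf '%s\n' "$SAMPLE_SS" | exposed_listeners 18789 18790 18791; }

# On a live host: ss -ltnH | exposed_listeners 18789 18790 18791
check_sample
```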

Quick Tunnel (Fallback Only — Temporary)

⚠️ Use only as a temporary fallback when no domain is available. The URL is random and resets every time the service restarts. Switch to a named tunnel as soon as a domain is ready.

# Start quick tunnel — prints a random https://*.trycloudflare.com URL
cloudflared tunnel --url http://localhost:18789 --no-autoupdate

# Or as a systemd service: put this line in the unit's [Service] section (URL logged to /var/log/cloudflared-openclaw.log)
ExecStart=/usr/bin/cloudflared tunnel --no-autoupdate --url http://localhost:18789

Read the assigned URL:

grep -o 'https://[a-z0-9-]*\.trycloudflare\.com' /var/log/cloudflared-openclaw.log | tail -1

Multi-Agent Setup (One VPS, Multiple Agents)

Each agent = one OpenClaw gateway port + one named tunnel + one systemd service.

Port 18789 → openclaw-koda.service   + cloudflared-koda.service   → koda.yourdomain.com
Port 18790 → openclaw-alex.service   + cloudflared-alex.service   → alex.yourdomain.com
Port 18791 → openclaw-jordan.service + cloudflared-jordan.service → jordan.yourdomain.com

Critical: Do NOT use cloudflared service install for multiple agents — it only supports one tunnel and overwrites the system service. Always write individual systemd service files per agent.
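
With several agents on one host, a wrong ingress rule or a readable credentials file is easy to miss. This added example (not the skill's own script; the function names, placeholder tunnel IDs and sample files are constructed) audits configs in the Step 4 layout for non-loopback origins, a port shared by two tunnels, a missing http_status:404 catch-all, and credentials files accessible to group or others.

```sh
# Added example (not the skill's own script): audit cloudflared configs in the Step 4 layout.
# Prints one finding per line for each *.yml in directory $1; nothing when clean.
# The ( ) function body runs in a subshell, so helper variables stay private.
audit_tunnel_configs() (
  seen=" "
  for cfg in "$1"/*.yml; do
    [ -e "$cfg" ] || continue
    last=""
    while read -r svc; do
      [ -n "$svc" ] || continue
      last=$svc
      case $svc in
        http_status:404) ;;
        http://localhost:*|http://127.0.0.1:*)
          port=${svc##*:}
          case $seen in *" $port "*) echo "$cfg: port $port already used by another tunnel" ;; esac
          seen="$seen$port " ;;
        *) echo "$cfg: origin $svc is not a loopback HTTP service" ;;
      esac
    done <<EOF
$(sed -nE 's/^[[:space:]]*(-[[:space:]]+)?service:[[:space:]]*//p' "$cfg")
EOF
    [ "$last" = "http_status:404" ] || echo "$cfg: last ingress rule is not the http_status:404 catch-all"
    cred=$(sed -nE 's/^credentials-file:[[:space:]]*//p' "$cfg")
    if [ ! -f "$cred" ]; then
      echo "$cfg: credentials file $cred not found"
    elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
      echo "$cfg: credentials file $cred is accessible to group or others"
    fi
  done
)

# Constructed sample (placeholder tunnel IDs): alex is clean; jordan reuses alex's
# port, lacks the catch-all rule and has a world-readable credentials file.
make_sample() {
  d=$(mktemp -d)
  printf '{}' > "$d/1111.json"; chmod 600 "$d/1111.json"
  printf '{}' > "$d/2222.json"; chmod 644 "$d/2222.json"
  printf 'tunnel: 1111\ncredentials-file: %s\ningress:\n  - hostname: alex.yourdomain.com\n    service: http://localhost:18790\n  - service: http_status:404\n' \
    "$d/1111.json" > "$d/openclaw-alex.yml"
  printf 'tunnel: 2222\ncredentials-file: %s\ningress:\n  - hostname: jordan.yourdomain.com\n    service: http://localhost:18790\n' \
    "$d/2222.json" > "$d/openclaw-jordan.yml"
  echo "$d"
}

sample=$(make_sample)
audit_tunnel_configs "$sample"   # on a real host: audit_tunnel_configs /etc/cloudflared
rm -rf "$sample"
```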


Custom Domains

Key facts:

  • Domain must use Cloudflare nameservers (transfer at your registrar — free)
  • Cloudflare issues and auto-renews TLS certs
  • CNAME records created automatically via cloudflared tunnel route dns
  • Free Cloudflare plan: unlimited tunnels, unlimited bandwidth

See references/custom-domains.md for a full walkthrough.


Managing Tunnels

# Status
systemctl list-units "cloudflared-*" --no-pager

# Logs
journalctl -u cloudflared-koda -f

# List named tunnels
cloudflared tunnel list

# Delete a tunnel
cloudflared tunnel delete openclaw-koda
systemctl disable cloudflared-koda && rm /etc/systemd/system/cloudflared-koda.service
Security usage recommendations
This skill appears to do exactly what it says: set up Cloudflare tunnels and persistent systemd services for OpenClaw agents. Before installing, consider: (1) you must run the script as root (it modifies /etc and systemd); (2) cloudflared will store authentication files in /root/.cloudflared — anyone with those files can run that tunnel, so protect them and delete them when decommissioning; (3) the process requires you to authorize Cloudflare via a browser URL — do not share that URL with untrusted parties; (4) the script installs cloudflared from Cloudflare's apt repo (pkg.cloudflare.com), which is expected; (5) after setup, update OpenClaw allowedOrigins and firewall rules as instructed to avoid exposing the service directly. If you are not comfortable granting root-level changes or storing Cloudflare tunnel credentials on this host, do not install; otherwise this skill is coherent and appropriate for the described purpose.
Functional analysis
Type: OpenClaw Skill · Name: cloudflare-agent-tunnel · Version: 1.1.0
The skill bundle provides a legitimate utility for configuring Cloudflare Tunnels to securely expose OpenClaw agents via HTTPS. The included bash script (scripts/tunnel-setup.sh) and instructions (SKILL.md) automate the installation of the official cloudflared binary, creation of systemd services, and configuration of DNS records. While the script requires root privileges to manage system services and firewall rules (ufw), its actions are transparent, well-documented, and strictly aligned with the stated purpose of network tunneling.
Capability assessment
Purpose & Capability
Name/description match the included SKILL.md and script: both create cloudflared named or quick tunnels, DNS routing, and systemd services to expose per-agent HTTPS URLs. All requested actions relate to tunnel setup.
Instruction Scope
Instructions and script perform system-level actions (install apt package, write /etc/cloudflared, /etc/systemd/system, edit firewall, read/write /root/.cloudflared). These are necessary for persistent tunnels but require root and access to the machine's service config and Cloudflare credentials. The guidance to hand the cloudflared auth URL to a human for browser auth is expected but should be done only by the machine owner.
Install Mechanism
No hidden downloads; the script installs cloudflared from Cloudflare's official apt repo (pkg.cloudflare.com) via curl to fetch the signing key then apt-get. This is a standard, traceable install method.
Credentials
The skill declares no environment variables or external credentials. It does rely on cloudflared's credential files stored under /root/.cloudflared (created by cloudflared login/create). That is expected and proportional for named tunnels.
Persistence & Privilege
The skill's script and instructions create and enable systemd services and write persistent credential files under /root/.cloudflared. Persistent system changes are required for the stated purpose, but they are high-privilege operations — run only on hosts you control and trust.
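How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install cloudflare-agent-tunnel
  3. Once installed, invoke the skill by name or trigger it with /cloudflare-agent-tunnel
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history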
v1.1.0
Prefer named tunnel method — always use cloudflared login + permanent URL. Quick tunnel demoted to fallback-only with clear warning. Added polling pattern for auth URL flow.
v1.0.0
Initial release — per-agent Cloudflare Tunnels for OpenClaw. Covers quick tunnels, named tunnels, multi-agent VPS setup, custom domains, and systemd service management.
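Metadata
Slug cloudflare-agent-tunnel
Version 1.1.0
License
Total installs 1
Current installs 1
Historical versions 2
FAQ

What is Cloudflare Agent Tunnel?

Give each OpenClaw agent its own secure HTTPS URL using Cloudflare Tunnel (cloudflared). No SSL certificates to manage, no ports to expose publicly. Use when... It is an AI agent skill plugin for Claude Code / OpenClaw, with 465 total downloads to date.

How do I install Cloudflare Agent Tunnel?

Run the command "/install cloudflare-agent-tunnel" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Cloudflare Agent Tunnel free?

Yes, Cloudflare Agent Tunnel is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Cloudflare Agent Tunnel support?

Cloudflare Agent Tunnel is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Cloudflare Agent Tunnel?

It is developed and maintained by maverick-software (@maverick-software); the current version is v1.1.0.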
