Cloudflare Tunnel (Remote Access)
ArgusAI supports secure remote access via Cloudflare Tunnel, allowing you to access your dashboard from anywhere without port forwarding or VPN configuration.
Overview
Cloudflare Tunnel creates a secure, encrypted connection from your ArgusAI server to Cloudflare's global network. This enables:
- Remote Access: View cameras and events from anywhere via custom domain
- No Port Forwarding: All connections are outbound from your network
- TLS 1.3 Encryption: End-to-end encrypted traffic
- DDoS Protection: Cloudflare's global edge network protection
- CGNAT Compatible: Works on any ISP, including those with carrier-grade NAT
How It Works
┌─────────────────────────────────────────────────────────────────┐
│ Your Home Network │
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ ArgusAI │ ◄──────►│ cloudflared │ ────► (outbound) │
│ │ localhost │ │ daemon │ │
│ │ :8000 │ │ │ │
│ └──────────────┘ └──────────────┘ │
│ │ │
└────────────────────────────────────│────────────────────────────┘
│ TLS 1.3
▼
┌────────────────────────┐
│ Cloudflare Edge │
│ (Global Network) │
└────────────┬───────────┘
│ HTTPS
▼
┌────────────────────────┐
│ Your Phone/Laptop │
│ argusai.example.com │
└────────────────────────┘
Prerequisites
Before setting up Cloudflare Tunnel:
- Cloudflare Account - Sign up at cloudflare.com (free)
- Domain on Cloudflare - Your domain must use Cloudflare's nameservers
- ArgusAI Running - Backend accessible at
localhost:8000
Installation
Linux (Debian/Ubuntu)
# Add Cloudflare's GPG key
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
# Add the repository
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Install
sudo apt update
sudo apt install cloudflared
Linux (RHEL/CentOS/Fedora)
sudo rpm -ivh https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm
macOS
brew install cloudflared
Windows
# Using Chocolatey
choco install cloudflared
# Or using Winget
winget install Cloudflare.cloudflared
Verify Installation
cloudflared --version
Creating a Tunnel
Step 1: Access Zero Trust Dashboard
- Log in to dash.cloudflare.com
- Click Zero Trust in the left sidebar
- Set up a team name if prompted
Step 2: Create Tunnel
- Navigate to Networks > Tunnels
- Click Create a tunnel
- Select Cloudflared connector type
- Name your tunnel (e.g.,
argusai-home) - Click Save tunnel
Step 3: Copy Token
After saving, Cloudflare displays a tunnel token. Copy this token - you'll need it for ArgusAI configuration.
Token Security
Never share or commit your tunnel token. It grants access to your tunnel.
Step 4: Configure Hostname
- Click Next after copying the token
- Add a public hostname:
- Subdomain:
argusai(or your preference) - Domain: Select your domain
- Type:
HTTP - URL:
localhost:8000
- Subdomain:
- Click Save hostname
ArgusAI Configuration
Using the Settings UI
- Open ArgusAI at
http://localhost:3000 - Navigate to Settings > Integrations
- Find the Cloudflare Tunnel section
- Toggle Enable Tunnel
- Paste your tunnel token
- Click Save Settings
- Click Test Connection
Status Indicators
| Status | Indicator | Meaning |
|---|---|---|
| Disconnected | Gray | Tunnel not running |
| Connecting | Yellow (pulsing) | Starting up |
| Connected | Green | Active and working |
| Error | Red | Failed (see error message) |
Additional Metrics
When connected, the UI displays:
- Uptime: Connection duration
- Last Connected: Timestamp
- Reconnect Count: Auto-reconnection count
Troubleshooting
cloudflared Not Found
Cause: Binary not installed or not in PATH.
Solution:
# Verify installation
which cloudflared
# If not found, reinstall following platform-specific instructions
Invalid Tunnel Token
Cause: Token corrupted or expired.
Solution:
- Go to Cloudflare Zero Trust > Tunnels
- Click your tunnel > Configure > Overview
- Click Generate new token
- Update token in ArgusAI settings
Connection Timeout
Cause: Outbound connections blocked.
Solution:
- Verify internet:
ping cloudflare.com - Check port 443 outbound is allowed
- Configure proxy if needed:
export HTTPS_PROXY=http://proxy:8080
Tunnel Connects but Site Doesn't Load
Cause: Backend not running or hostname misconfigured.
Solution:
- Verify ArgusAI backend:
curl http://localhost:8000/api/v1/health - Check hostname configuration in Cloudflare:
- Type:
HTTP(not HTTPS) - URL:
localhost:8000
- Type:
Permission Denied
Cause: cloudflared lacks execution permissions.
Solution:
sudo chmod +x /usr/local/bin/cloudflared
Security Best Practices
Token Security
- Never share your tunnel token publicly
- Never commit tokens to version control
- Rotate tokens if compromised:
- Cloudflare Zero Trust > Tunnels
- Click tunnel > Configure > Overview
- Generate new token
- Update in ArgusAI
Optional: Cloudflare Access
Add authentication before users can access ArgusAI:
- Go to Zero Trust > Access > Applications
- Add a self-hosted application
- Configure your ArgusAI domain
- Add authentication rules (email, identity provider, etc.)
Recommendations
- Use a custom domain rather than Cloudflare subdomains
- Consider a subdomain like
home.yourdomain.comfor privacy - Keep cloudflared updated for security patches:
# Debian/Ubuntu
sudo apt update && sudo apt upgrade cloudflared
# macOS
brew upgrade cloudflared
Benefits Summary
| Feature | Benefit |
|---|---|
| No port forwarding | No router configuration needed |
| CGNAT compatible | Works with any ISP |
| TLS 1.3 | End-to-end encryption |
| DDoS protection | Cloudflare edge network |
| Free tier | Personal use supported |
| Auto-reconnect | Survives network changes |
Related Documentation
- Full Tunnel Setup Guide - Comprehensive reference
- Cloud Relay Architecture - Technical design
- Cloudflare Tunnel Docs - Official documentation