Why run Cloudflared on a VPS?
Running Cloudflared on a remote VPS gives you a reliable outbound connection to Cloudflare so your hostname and tunnels don't depend on a local PC being online. This is ideal when your MikroTik or home router is behind CGNAT and you need a stable way to reach WebFig, admin consoles, or TCP services.
High-level steps
- Create a small VPS (Ubuntu / Debian are excellent choices).
- Install cloudflared on the VPS and authenticate it to your Cloudflare account (via cloudflared login).
- Create a named tunnel and start it as a systemd service so it restarts automatically.
- Use the tunnel to forward HTTP(S) or raw TCP to your internal host (over an SSH reverse tunnel or via a second secure tunnel to your LAN gateway).
Install and create a tunnel (example)
# on VPS (Ubuntu/Debian)
sudo apt update && sudo apt install -y curl
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb
# authenticate (opens a browser flow)
cloudflared login
# create tunnel
cloudflared tunnel create my-network
# run the tunnel in the foreground to test it
# (auto restart comes from the systemd unit in "Systemd service example")
cloudflared tunnel run my-network
Forwarding TCP (e.g. WebFig on port 8291)
Cloudflared supports TCP tunneling. If you need WebFig or Winbox, which use TCP, create a tunnel for that port and route it to your internal IP via an SSH reverse tunnel or a secure connection from your router to the VPS. For MikroTik devices, many users run a small SSH reverse tunnel from the MikroTik (or a local Linux host) to the VPS, then route the Cloudflared TCP connection to the SSH endpoint on the VPS.
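One way to wire up the forwarding described above, as an added example that is not part of the original page: a cloudflared ingress configuration on the VPS that points each public hostname at the loopback end of an SSH reverse tunnel. The hostnames, the router address 192.168.88.1, the SSH user, the HTTP port numbers and the file location are assumptions; TUNNEL_UUID and VPS_ADDRESS are placeholders.

```yaml
# /etc/cloudflared/config.yml on the VPS (assumed location; cloudflared also
# reads ~/.cloudflared/config.yml).
#
# Start the reverse tunnel first, from a Linux host on the LAN. Binding the
# forwards to 127.0.0.1 keeps the admin ports off the VPS public interface,
# so they are reachable only through cloudflared:
#   ssh -N -R 127.0.0.1:8291:192.168.88.1:8291 \
#          -R 127.0.0.1:8080:192.168.88.1:80 tunnel@VPS_ADDRESS
# (192.168.88.1, ports 80/8080, user "tunnel" and VPS_ADDRESS are assumptions.)

tunnel: TUNNEL_UUID                                     # placeholder: ID printed by `cloudflared tunnel create my-network`
credentials-file: /root/.cloudflared/TUNNEL_UUID.json   # placeholder path to the file that command wrote

ingress:
  # HTTP admin console, reached through the reverse tunnel's loopback port.
  - hostname: router.example.com                        # assumed hostname
    service: http://127.0.0.1:8080

  # Raw TCP on port 8291, reached the same way.
  - hostname: winbox.example.com                        # assumed hostname
    service: tcp://127.0.0.1:8291

  # Required catch-all: any other hostname gets a 404 instead of being
  # forwarded to an internal service.
  - service: http_status:404

# Check the rules before starting the tunnel:
#   cloudflared tunnel ingress validate
#   cloudflared tunnel ingress rule https://router.example.com
#
# Publish each hostname as a DNS record pointing at the tunnel:
#   cloudflared tunnel route dns my-network router.example.com
#   cloudflared tunnel route dns my-network winbox.example.com
#
# The TCP hostname is not usable from a browser. On the admin workstation,
# open a local listener that carries the connection through Cloudflare:
#   cloudflared access tcp --hostname winbox.example.com --url 127.0.0.1:8291
```

Put a Cloudflare Access policy in front of both hostnames before publishing the DNS records, so the router's own login is not the only control on these admin services.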
Systemd service example
[Unit]
Description=cloudflared tunnel
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/cloudflared tunnel run my-network
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Reliability tips
- Run cloudflared as a service and enable it: sudo systemctl enable --now cloudflared.
- Monitor tunnel health from the Cloudflare dashboard and log tunnel status locally.
- Use strong authentication and limit access to sensitive admin services.
- Combine a Cloudflare tunnel for web services with WireGuard for administrative access for the best of both worlds (web-friendly + full network access).
Conclusion
Moving Cloudflared to a VPS removes the single point of failure of a desktop host and gives you consistent DNS, tunneling, and TCP forwarding for services behind CGNAT. For ModernISP setups we recommend Cloudflared for public web access and WireGuard for admin access.
Want a step-by-step VPS setup + systemd file deployed? Contact us and we’ll provision and secure it for you.