Cloudflare Tunnels on Proxmox (LXC)

This guide allows you to expose your home lab services (like Home Assistant, Plex, or Dashboards) to the internet securely without opening ports on your router.

Prerequisites

A Proxmox Server.
A domain name managed by Cloudflare (e.g., yourdomain.com).
Cloudflare Zero Trust account (Free tier is fine).

Step 1: Create the Tunnel in Cloudflare

First, you must “register” the tunnel on Cloudflare’s end so they can give you a unique ID.

Log into Cloudflare Zero Trust.
Navigate to Networks -> Tunnels.
Click Create a Tunnel.
Select Cloudflared and click Next.
Name the Tunnel: Give it a name like Proxmox-LXC and click Save Tunnel.

Step 2: Run the Proxmox Helper Script

We will use the famous “Tteck” scripts to automate the creation of the LXC container.

Go to your Proxmox Web UI.
Click on your Node Name (e.g., pve) and open the Shell.
Go to the Proxmox Helper Scripts site and copy the Cloudflared script command. It looks like this:
Bash
```
bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/cloudflared.sh)"
```
Paste it into your Proxmox Shell and hit Enter.
Wizard Steps:
- Create Cloudflared LXC? -> Yes.
- Use Default Settings? -> Yes (or Advanced if you want to set a specific IP).
- Install DNS over HTTPS (DoH)? -> No (The video notes this can cause issues).

[IMAGE DESC: Proxmox Shell terminal with the script running and the “Create Cloudflared LXC” prompt visible.]

Step 3: Connect Proxmox to Cloudflare

Now that the container is built, we need to “marry” it to your Cloudflare account.

Go back to your Cloudflare Zero Trust dashboard (where you left off in Step 1).
Under “Choose environment,” select Debian and 64-bit.
Look for the box that says “If you already have cloudflared installed…” and copy the long command starting with cloudflared service install....
Go back to Proxmox. Find your new Cloudflared LXC container (e.g., ID 105).
Open the Console of that container and paste the command you just copied. Hit Enter.

[IMAGE DESC: The Cloudflare dashboard showing the long ‘token’ command, and the Proxmox LXC console where that command is being pasted.]

Step 4: Map your Public Subdomain

Once the console says “Connected,” the tunnel is live. Now you tell it which local IP to show to the world.

In Cloudflare, click Next until you see Public Hostname.
Public Hostname Settings:
- Subdomain: speed (This will make speed.yourdomain.com).
- Domain: Select your domain from the dropdown.
Service Settings:
- Type: HTTP (usually).
- URL: Enter the Internal IP and Port of the service you want to see (e.g., 192.168.1.50:8080).

⚠️ WARNING: As mentioned in the video, do not add a trailing slash (e.g., 192.168.1.50:8080/guacamole/). Cloudflare expects just the IP and Port.

Click Save Hostname.

[IMAGE DESC: The Cloudflare Hostname setup page with ‘speed’, ‘[suspicious link removed]’, and the local IP address filled in.]

Step 5: Test it!

Open a new tab in your browser.
Type in https://speed.yourdomain.com.
You should now see your internal dashboard or service appearing over the internet!