Cloudflare Tunnel vs Port Forwarding – Why You Should Switch
If you run a home server – whether it is Home Assistant, Grafana, Nextcloud, or anything else – you probably want to access it remotely. The most common advice is to forward a port on your router. It works, but it comes with serious drawbacks.
What Port Forwarding Actually Does
When you forward port 8123 to your Home Assistant, you are telling your router: “any request coming in on port 8123 from the internet, send it to my RPi”. Your home IP address becomes publicly reachable on that port.
The problem: bots constantly scan the internet for open ports. Within minutes of opening a port, you will see failed login attempts in your logs. If your software has a vulnerability, it is exposed to the entire internet.
Additional issues:
- Requires a static or dynamic DNS setup (DuckDNS, etc.)
- Does not work if your ISP uses CGNAT (very common with mobile broadband)
- Manual HTTPS setup required
- No access control – anyone who knows your IP can try to connect
How Cloudflare Tunnel Works
Cloudflare Tunnel works differently. Instead of opening a port, your server creates an outbound connection to Cloudflare’s network. Cloudflare then proxies traffic to your server through this connection.
Nothing is exposed inbound. Your home IP stays hidden. Bots cannot scan your services because there is no open port to find.
| Port Forwarding | Cloudflare Tunnel | |
|---|---|---|
| Exposes home IP | Yes | No |
| Bots scan open ports | Yes | No |
| HTTPS / SSL | Manual setup | Automatic |
| Works behind CGNAT | Often not | Always |
| Access control | None | Email-based policies |
| Cost | Free | Free |
Setting It Up
- Create a free account at cloudflare.com
- Add your domain to Cloudflare (even a cheap .xyz domain works)
- Go to Zero Trust → Networks → Tunnels → Create a tunnel
- Run the cloudflared connector on your server (Docker is the easiest way)
- Add public hostnames pointing to your local services
The entire setup takes about 15 minutes.
Access Control with Zero Trust
Once the tunnel is running, you can add Cloudflare Access policies. This means only your email address (or specific email addresses) can reach your services. Cloudflare sends an OTP code to the email before granting access – effectively free 2FA for your entire home server.
Even if someone discovers your URLs, they cannot access your services without the email OTP.
Conclusion
Port forwarding is a quick solution that trades security for convenience. Cloudflare Tunnel gives you the same remote access with better security, automatic HTTPS, and it works even behind CGNAT – all for free.
If you are running a home server of any kind, switching to Cloudflare Tunnel is worth the 15 minutes it takes to set up.