Installing Cloudflare Tunnel (cloudflared) on Raspberry Pi 5

Prerequisites

• Raspberry Pi 5 with a 64‑bit OS (ARM64) and outbound Internet access.
• A Cloudflare account and a domain managed by Cloudflare (nameservers pointed to Cloudflare).
• A service running locally on your Pi to expose—in examples below, http://localhost:2002.

Install cloudflared on Raspberry Pi 5 (ARM64)

Install from the official .deb (quick)

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i cloudflared-linux-arm64.deb

The first command downloads the latest ARM64 build of cloudflared from GitHub; the second installs it system‑wide. Prefer this when you want a quick setup; switch to the APT repository later for automatic updates.

Alternative: use Cloudflare's APT repository (recommended for auto‑updates)

# Add Cloudflare package signing key & repo (Debian/Ubuntu)
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install -y cloudflared

Using the APT repo lets you update with apt upgrade later.

Authenticate and create a named tunnel

Log in and authorize your account/zone

cloudflared tunnel login

This opens a browser to authenticate the CLI to your Cloudflare account.

(Optional) Create a tunnel

cloudflared tunnel create rpi5-tunnel
cloudflared tunnel list

Creating a tunnel registers it and writes a credentials JSON. Listing tunnels lets you confirm it exists.

Route a hostname via the tunnel (DNS)

cloudflared tunnel route dns rpi5-tunnel rpi5whoiam.hlab.au

This creates a CNAME record for rpi5whoiam.hlab.au that targets your tunnel subdomain, so traffic is routed through Cloudflare to your Pi.

Create config.yml with ingress rules

Define which local service each hostname should reach:

# ~/.cloudflared/config.yml  (or specify a custom path with --config)
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json

ingress:
  - hostname: rpi5whoiam.hlab.au
    service: http://localhost:2002
  - service: http_status:404  # catch-all

Validate your config before running it as a service:

cloudflared tunnel ingress validate

Run as a systemd service (auto‑start on boot)

If your config file is not in the default location, pass it explicitly during install:

sudo cloudflared --config ./config.yml service install
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Restart to apply changes in config.yml:

sudo systemctl restart cloudflared

To remove the service later:

sudo cloudflared service uninstall

One‑off / ephemeral runs

Useful for quick testing without changing your service or config:

# Map a public hostname to a local URL for this session only
cloudflared tunnel --hostname rpi5whoiam.hlab.au --url http://localhost:2002 run

# Quick Tunnel (random *.trycloudflare.com subdomain)
cloudflared tunnel --url http://localhost:2002

Manage, troubleshoot, and clean up

sudo systemctl status cloudflared
journalctl -u cloudflared -e    # tail logs

cloudflared tunnel delete rpi5-whoiam   # add -f to force

# Only if your config is at this path and you intend to delete it
sudo rm /etc/cloudflared/config.yml

Command‑by‑command breakdown

Sources

• Cloudflare Tunnel overview
• DNS records for tunnels
• Configuration file & ingress rules
• Run as a service on Linux
• Useful tunnel CLI commands
• Quick Tunnels (TryCloudflare)
• Latest ARM64 .deb (cloudflared)
• Using Cloudflare R2 as an APT/YUM repository

All steps verified against the official Cloudflare Zero Trust documentation.