Ak si čítal môj článok o Cloudflare Tunnel, vieš prečo je to elegantnejšie riešenie ako port forward. Tu je kompletný postup — od domény cez Docker sieť až po funkčné routes pre každú tvoju aplikáciu.

Čo potrebuješ

1. Prenesenie domény do Cloudflare

Cloudflare Tunnel vyžaduje aby tvoja doména používala Cloudflare nameservery. Ak si doménu ešte len kupuješ, môžeš ju kúpiť priamo v Cloudflare (dash.cloudflare.com → Domain Registration) a tento krok preskočiť. Ak máš doménu inde, postupuj takto:

Krok 1 — Prihlás sa na dash.cloudflare.com → Add a domain → zadaj svoju doménu → Continue.

Krok 2 — Vyber plán Free → Continue.

Krok 3 — Cloudflare naskenuje existujúce DNS záznamy. Skontroluj ich a klikni Continue.

Krok 4 — Cloudflare ti zobrazí dva nameservery, napr. aria.ns.cloudflare.com a ben.ns.cloudflare.com. Skopíruj si ich.

Krok 5 — Prihlás sa k svojmu registrátorovi (Websupport, Namecheap...) a v nastaveniach domény zmeň nameservery na tie od Cloudflare. Každý registrátor to má na inom mieste — zvyčajne v sekcii DNS / Nameservery.

2. Aktivácia Zero Trust

Cloudflare Tunnel beží pod Zero Trust platformou. Aktivácia je bezplatná.

Choď na one.dash.cloudflare.com → prihlás sa → vyber svoju doménu → prejdi onboarding (vyber Free plan → potvrď).

Ocitneš sa v Zero Trust dashboarde — odtiaľto budeš všetko spravovať.

3. Docker sieť pre tunnel

Toto je krok ktorý sa v návodoch často preskakuje — a potom tunnel nevidí tvoje kontajnery.

Vytvor sieť cez SSH alebo Portainer terminal:

docker network create tunnel-net

Existujúce bežiace kontajnery pripoj do novej siete bez reštartu:

docker network connect tunnel-net vaultwarden
docker network connect tunnel-net AdGuard
docker network connect tunnel-net PlexHW

Prípadne cez Portainer: Networks → tunnel-net → Connected containers → Join.

# Na konci každého service bloku:
    networks:
      - tunnel-net

# Na konci compose súboru:
networks:
  tunnel-net:
    external: true

4. Vytvorenie tunela a konektora

V Zero Trust dashboarde: Networks → Tunnels → Add a tunnel → vyber Cloudflared → Next.

Pomenuj tunel (napr. homelab) → Save tunnel.

Cloudflare zobrazí token — dlhý reťazec začínajúci eyJ.... Skopíruj ho — použiješ ho v nasledujúcom kroku.

5. Docker Compose stack pre cloudflared

V Portainer: Stacks → Add stack → Web editor:

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: SEM_VLOZ_TUNNEL_TOKEN_Z_KROKU_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: SEM_VLOZ_TUNNEL_TOKEN_Z_KROKU_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: SEM_VLOZ_TUNNEL_TOKEN_Z_KROKU_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

Nahraď TUNNEL_TOKEN hodnotou z kroku 4. Klikni Deploy the stack.

6. Public Hostname Routes

Toto je srdce celého tunela — každé pravidlo hovorí: "keď príde request na túto doménu, prepošli ho na tento kontajner".

Zero Trust → Networks → Tunnels → klikni na tvoj tunel → Configure → Public Hostname → Add a public hostname.

Príklady routes pre bežné aplikácie

Pre každú aplikáciu klikni Add a public hostname znovu a pridaj ďalší záznam. Jeden tunel zvládne neobmedzene veľa hostname routes.

Additional settings pre niektoré aplikácie

Pri niektorých aplikáciách treba v Additional application settings zaškrtnúť:

• No TLS Verify — ak aplikácia používa self-signed certifikát (napr. Portainer na HTTPS)
• HTTP2 Connection — pre lepší výkon pri streamovaní
• WebSocket — pre aplikácie ktoré používajú WebSocket (Vaultwarden, Plex)

7. Zabezpečenie citlivých aplikácií (Zero Trust Access)

Portainer, admin panely alebo iné citlivé aplikácie nechceš mať verejne dostupné len s heslom aplikácie. Zero Trust Access pridáva extra vrstvu pred samotnú aplikáciu.

Zero Trust → Access → Applications → Add an application → Self-hosted:

• Application name: napr. Portainer
• Application domain: portainer.tvojadomena.sk
• Add a policy → Policy name → Action: Allow → Include: Emails → zadaj svoju emailovú adresu

Od teraz sa pred Portainerom zobrazí Cloudflare prihlasovacia obrazovka — zadáš email, Cloudflare ti pošle jednorazový kód, a až potom sa dostaneš k aplikácii.

8. Pridanie aplikácií do tunnel-net v existujúcich stackoch

Ak máš existujúce stacky a chceš ich pridať do tunela bez mazania a prebudovania, stačí upraviť compose súbor:

# Do každého service bloku pridaj:
    networks:
      - tunnel-net
      - default    # ak potrebuje aj lokálnu komunikáciu

# Na konci compose súboru:
networks:
  tunnel-net:
    external: true
  default:
    driver: bridge

Potom v Portaineri klikni Update the stack — kontajner sa reštartuje a automaticky sa pripojí do tunnel-net.

Troubleshooting

Wenn du meinen Cloudflare Tunnel Artikel gelesen hast, weißt du warum das eleganter ist als Port Forwarding. Hier ist die vollständige Schritt-für-Schritt-Anleitung — von der Domain über das Docker-Netzwerk bis zu funktionierenden Routes für jede deiner Anwendungen.

Was du brauchst

1. Domain zu Cloudflare übertragen

Cloudflare Tunnel erfordert Cloudflare Nameserver für deine Domain. Wenn du die Domain noch kaufst, kannst du sie direkt bei Cloudflare kaufen (dash.cloudflare.com → Domain Registration) und diesen Schritt überspringen.

Schritt 1 — dash.cloudflare.com → Add a domain → Domain eingeben → Continue.

Schritt 2 — Plan Free wählen → Continue.

Schritt 3 — Cloudflare scannt bestehende DNS-Einträge. Prüfen und Continue.

Schritt 4 — Cloudflare zeigt zwei Nameserver, z.B. aria.ns.cloudflare.com und ben.ns.cloudflare.com. Kopieren.

Schritt 5 — Beim Registrar anmelden, in den Domain-Einstellungen die Nameserver auf die Cloudflare-Werte ändern. Meist unter DNS / Nameserver.

2. Zero Trust aktivieren

one.dash.cloudflare.com → anmelden → Domain auswählen → Onboarding durchlaufen (Free plan wählen → bestätigen).

Du befindest dich im Zero Trust Dashboard — von hier aus wird alles verwaltet.

3. Docker-Netzwerk für den Tunnel

Netzwerk über SSH oder Portainer Terminal erstellen:

docker network create tunnel-net

Laufende Container ohne Neustart hinzufügen:

docker network connect tunnel-net vaultwarden
docker network connect tunnel-net AdGuard
docker network connect tunnel-net PlexHW

Oder in Portainer: Networks → tunnel-net → Connected containers → Join.

# In jeden service Block:
    networks:
      - tunnel-net

# Am Ende des Compose-Files:
networks:
  tunnel-net:
    external: true

4. Tunnel erstellen und Connector-Token holen

Zero Trust → Networks → Tunnels → Add a tunnel → Cloudflared → Next.

Tunnel benennen (z.B. homelab) → Save tunnel.

Cloudflare zeigt den Token — langer String beginnend mit eyJ.... Kopieren — wird im nächsten Schritt benötigt.

5. Docker Compose Stack für cloudflared

In Portainer: Stacks → Add stack → Web editor:

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: HIER_TUNNEL_TOKEN_AUS_SCHRITT_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: HIER_TUNNEL_TOKEN_AUS_SCHRITT_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: HIER_TUNNEL_TOKEN_AUS_SCHRITT_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

TUNNEL_TOKEN durch den Wert aus Schritt 4 ersetzen. Deploy the stack klicken.

6. Public Hostname Routes

Zero Trust → Networks → Tunnels → Tunnel anklicken → Configure → Public Hostname → Add a public hostname.

Beispiel-Routes für gängige Anwendungen

Additional settings für bestimmte Anwendungen

• No TLS Verify — wenn die Anwendung ein selbstsigniertes Zertifikat verwendet (z.B. Portainer auf HTTPS)
• HTTP2 Connection — für bessere Performance beim Streaming
• WebSocket — für Anwendungen die WebSocket verwenden (Vaultwarden, Plex)

7. Sensible Anwendungen absichern (Zero Trust Access)

Zero Trust → Access → Applications → Add an application → Self-hosted:

• Application name: z.B. Portainer
• Application domain: portainer.deinedomain.de
• Add a policy → Policy name → Action: Allow → Include: Emails → eigene E-Mail-Adresse eintragen

Ab jetzt erscheint vor Portainer ein Cloudflare Login-Screen — E-Mail eingeben, einmaligen Code per E-Mail erhalten, dann erst Zugriff auf die Anwendung.

8. Bestehende Stacks in tunnel-net aufnehmen

# In jeden service Block hinzufügen:
    networks:
      - tunnel-net
      - default

# Am Ende des Compose-Files:
networks:
  tunnel-net:
    external: true
  default:
    driver: bridge

Dann in Portainer Update the stack — Container startet neu und verbindet sich automatisch mit tunnel-net.

Fehlerbehebung

If you read my Cloudflare Tunnel article, you know why it is more elegant than port forwarding. Here is the complete step-by-step — from domain to Docker network to working routes for every application you run.

What you need

1. Transfer domain to Cloudflare

Cloudflare Tunnel requires Cloudflare nameservers for your domain. If you are buying a domain now, you can buy it directly at Cloudflare (dash.cloudflare.com → Domain Registration) and skip this step.

Step 1 — dash.cloudflare.com → Add a domain → enter domain → Continue.

Step 2 — Select Free plan → Continue.

Step 3 — Cloudflare scans existing DNS records. Review and click Continue.

Step 4 — Cloudflare shows two nameservers, e.g. aria.ns.cloudflare.com and ben.ns.cloudflare.com. Copy them.

Step 5 — Log into your registrar and change the domain nameservers to the Cloudflare values. Usually found under DNS / Nameservers.

2. Activate Zero Trust

one.dash.cloudflare.com → sign in → select your domain → complete onboarding (select Free plan → confirm).

You land in the Zero Trust dashboard — everything is managed from here.

3. Docker network for the tunnel

Create the network via SSH or Portainer terminal:

docker network create tunnel-net

Connect running containers without restarting them:

docker network connect tunnel-net vaultwarden
docker network connect tunnel-net AdGuard
docker network connect tunnel-net PlexHW

Or in Portainer: Networks → tunnel-net → Connected containers → Join.

# In each service block:
    networks:
      - tunnel-net

# At the end of the compose file:
networks:
  tunnel-net:
    external: true

4. Create tunnel and get connector token

Zero Trust → Networks → Tunnels → Add a tunnel → Cloudflared → Next.

Name the tunnel (e.g. homelab) → Save tunnel.

Cloudflare shows the token — a long string starting with eyJ.... Copy it — you will need it in the next step.

5. Docker Compose stack for cloudflared

In Portainer: Stacks → Add stack → Web editor:

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: PASTE_YOUR_TUNNEL_TOKEN_FROM_STEP_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: PASTE_YOUR_TUNNEL_TOKEN_FROM_STEP_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: PASTE_YOUR_TUNNEL_TOKEN_FROM_STEP_4
    networks:
      - tunnel-net
    restart: unless-stopped

networks:
  tunnel-net:
    external: true

Replace TUNNEL_TOKEN with the value from step 4. Click Deploy the stack.

6. Public Hostname Routes

Zero Trust → Networks → Tunnels → click your tunnel → Configure → Public Hostname → Add a public hostname.

Example routes for common applications

Additional settings for some applications

• No TLS Verify — if the application uses a self-signed certificate (e.g. Portainer on HTTPS)
• HTTP2 Connection — for better streaming performance
• WebSocket — for applications using WebSocket (Vaultwarden, Plex)

7. Securing sensitive applications (Zero Trust Access)

Zero Trust → Access → Applications → Add an application → Self-hosted:

• Application name: e.g. Portainer
• Application domain: portainer.yourdomain.com
• Add a policy → Policy name → Action: Allow → Include: Emails → enter your email

From now on a Cloudflare login screen appears before Portainer — enter your email, receive a one-time code, then get access to the application.

8. Adding existing stacks to tunnel-net

# Add to each service block:
    networks:
      - tunnel-net
      - default

# At the end of the compose file:
networks:
  tunnel-net:
    external: true
  default:
    driver: bridge

Then click Update the stack in Portainer — container restarts and automatically joins tunnel-net.

Troubleshooting