Secure Tunneling Server

  • Sits in between the user from the public network and Secure Tunneling Client. A Level-7 Reverse Proxy (反向代理)
  • The secure tunneling server ensures
    1. Connection between the user from the public network and itself is encrypted
    2. Connection between the Secure Tunneling Client and itself is encrypted
  • So in order for it to know where to forward the data to, it needs to decrypt and de-encapsulate the encrypted data it receives. It forwards to user if the encrypted data is from secure tunneling client, vice versa.

Protected Data Transmission

The traffic in transit from users in the public network to the service running on local machine is fully encrypted

Secure Tunneling Client

Firewall Bypass

Enable service running on local machine to be exposed to the public network without opening any ports on the local machine or the firewall of the local network


Make sure the endpoint of the secure tunneling server isn’t blocked by the firewall

Secure Tunneling Architecture

  • The above diagram is showing Cloudflare Tunnel, but the architecture is the pretty much the same for other Secure Tunnel implementations

  • Secure Tunneling Server: Cloudflare Edge Server running inside the Cloudflare’s Network (the yellow box shown above)

  • Secure Tunneling Client Cloudflared running along side the service that runs inside your local machine (the blue box shown above)

Cloudflare Tunnel

brew install cloudflared

Create a remotely-managed tunnel

Client-side Setup

There are 2 ways to perform the Secure Tunneling Client (Cloudflare Tunnel Connector) Installation via System Service or Docker

System Service

  • Use sudo cloudflared service install <TOKEN> to register the connector as a service managed by Init System. You can only have one Cloudflare Tunnel Service on one machine at any time!


  • Run the connector as a docker container without the need to grant root access but we have to manually manage the lifecycle of the connector

Connector Installation Issue with Docker

For some reasons, when I close the terminal, the connector container will auto exit. Even thought I used both -d and --restart unless-stopped. I am running Docker on my Raspberry Pi. If you know why, please comment down below to tell me why. Thanks :)


  • Ngrok’s Secure Tunneling offering

  • Installation

brew install ngrok/ngrok/ngrok
  • Secure Tunneling of a local port
ngrok http <PORT_NUMBER>
  • Secure Tunneling of a local port with Google OAuth
ngrok http --oauth=google --oauth-allow-email=<GOOGLE_EMAIL> <PORT_NUMBER>

  • Refer to Ngrok Docsfor more configuration details