Cloudflare Zero Trust Applications and Tunnels provide a powerful, secure way to expose internal services without opening ports or relying on traditional VPNs. By routing traffic through encrypted outbound tunnels, you eliminate attack surfaces and gain fine-grained access control using identity-based policies. This setup simplifies remote access, integrates seamlessly with identity providers, and protects apps from unauthorized users, bots, and DDoS attacks. Whether you’re self-hosting dashboards, automation tools like n8n, or admin panels, Cloudflare Zero Trust ensures secure, scalable access with minimal configuration and maximum peace of mind.

Step 1 - Create the Application

  1. Log in to your Cloudflare account.
  2. Click on Zero Trust in the side menu.
  3. Expand the Access section of the side menu and select Applications.
  4. Click on the “Add an application” button.
  5. Click the Select button under “Self-hosted”.
  6. Give your application a name.
  7. Click the “Add public hostname” button.
  8. Enter a subdomain. This is optional but you’ll probably want this rather than pointing the entire domain at your tunnel.
  9. Enter a domain you own that is managed by the Cloudflare nameservers.

Step 2 - Create the access policies

  1. Click the “Create new policy” button in the “Access policies” section. This will open a new “Add policy” page in your browser. Access policies are managed independently of applications so, once defined, they can be used in multiple applications. If you have already defined some that you want to use, you can click on the “Select existing policies” button.
  2. Enter a descriptive policy name.
  3. In the Add rules section choose the data to validate. You’ll likely want to use email addresses to identify your users so select “Emails” here.
  4. Enter the emails of the users you want to add. To add more than one, just type a comma after each email address as you enter them.
  5. You can add other parts to the rule by clicking the “Add include”, “Add require”, and “Add exclude” links.
  6. Click the Save button.
  7. Go back to the tab in your browser where we were defining the application. Make sure the new policy is added to the list. If it isn’t, click on the “Select existing policies” button and select it.

Step 3 - Create the login methods

  1. By default, Cloudflare provides a “One-time PIN” login method. When users attempt to access your application, they will be presented with a page that prompts for an email address. Once entered, Cloudflare will send an email with the one-time PIN. Once users enter the PIN they will be granted access if they are on the list of emails you defined in the access policy above.
  2. In the Login methods section, you can make all available identity providers appear on the login screen (the default) or you can select specific methods. If you want to add additional methods, click “Manage login methods”. To add new methods in the future, click on “Settings” in the side menu, then click the Authentication box on the Settings page. Detailed instructions are provided when you click on an identity provider such as Google or GitHub.

Step 4 - Save the application

The next two pages in the process contain some optional configuration options. Leave them as the defaults unless you have a specific reason not to. After clicking Next a couple times, click the Save button to save the application. This will also create your subdomain DNS record.

Step 5 - Create the tunnel

  1. Expand the Networks section of the side menu.
  2. Click on Tunnels.
  3. Click the “Create a tunnel” button.
  4. Click the “Select Cloudflared” button.
  5. Give your tunnel a name and click the “Save Tunnel” button.
  6. The next screen gives you information on how to install the Cloudflared application. We want to run this in Docker so click that button in the “Choose your environment” section. This will give you a “docker run” command that includes your tunnel token.
  7. Use the “docker run” command to start Cloudflared or, better yet, use the tunnel token in a Docker compose file and create the container that way (see “n8n Local Hosting with Cloudflare Tunnels - Long Version”, Step 6 - Create the Cloudflared Docker Compose File).
  8. After you confirm the connection is good in the Connectors section, click the “Next” button to add your application route.
  9. Enter a subdomain and domain. Use the same values you used in Step 1 of this guide. This will automatically link the login policies you defined there to this tunnel.
  10. Enter the route to the application. This is the address of the service you want to access on your home network. You can use an IP address, such as “http://192.168.1.128:5678”. If you started both the service and Cloudflared using “docker compose” and a shared docker network, use the name of the service in the route, “http://n8n:5678”.
  11. Turn on “Enforce Access JSON Web Token (JWT) validation” under “Additional application settings” -> “Access”. In the dropdown, select the application created in Step 1 of this guide. This verifies that traffic coming through the tunnel comes from Cloudflare and not a malicious third party.
  12. Click “Complete setup”.
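
For the compose-based setup mentioned in items 7 and 10 of Step 5, a compose file could look like the following. This is an added example, not the compose file from the original guide; the service names, the network name `tunnel`, the volume name, the n8n image and the `.env` file holding `TUNNEL_TOKEN` are assumptions.

```yaml
# Added example (constructed). Assumes a .env file next to this file with:
#   TUNNEL_TOKEN=<tunnel token shown in Step 5, item 6>
# Keep .env out of version control: anyone holding the token can run a
# connector for your tunnel.
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n   # assumed image; substitute your own service
    restart: unless-stopped
    # No "ports:" mapping on purpose. The service is not published on the
    # host, so the only way in is through cloudflared on the shared network,
    # where the Access policy and JWT validation apply.
    volumes:
      - n8n_data:/home/node/.n8n
    networks:
      - tunnel

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      # Read from .env; compose aborts with this message if the variable is unset.
      TUNNEL_TOKEN: ${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}
    networks:
      - tunnel
    depends_on:
      - n8n

networks:
  tunnel:   # shared network; lets the route in item 10 use http://n8n:5678

volumes:
  n8n_data:
```

With this layout the route entered in item 10 is “http://n8n:5678”, and nothing on the host listens for inbound connections to the service.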