n8n self-hosted + Cloudflare Tunnel + Telegram
If you’re self-hosting n8n on your home network and accessing it through a Cloudflare Tunnel, you might run into an issue where Telegram or webhook triggers stop working. This typically occurs when you create a Zero Trust application for the tunnel’s subdomain and attach a login access policy to it. While that policy is great for restricting access to your n8n instance, it also blocks external services—like Telegram—from reaching your webhook endpoints and triggering workflows.
To resolve this, you’ll need to allow Telegram traffic into the application based on its IP ranges. The rule matches on source IP alone, so the login screen is bypassed for any request arriving from those ranges; be sure you’re comfortable with that tradeoff. Here’s how to do it:
Step 1 - Add a new policy for Telegram
- Refer to the Telegram documentation on webhooks to find the IP ranges used by Telegram bots. https://core.telegram.org/bots/webhooks#the-short-version
- Log into your Cloudflare account.
- Click on Zero Trust in the side menu.
- Click on Policies in the side menu under Access.
- Click the “Add a policy” button.
- Enter a name for your policy. I used “Telegram” to make it easier to find later.
- Select the “Service Auth” action. This is different from “Allow” because it allows access without using the login page.
- Under “Add rules” select “IP ranges”.
- Enter the IP ranges from the Telegram documentation. Cut and paste each one for accuracy.
- Click the “Save” button.
Step 2 - Add the policy to your application
- Click on Applications under the Access section of the side menu.
- Click on your application.
- Click on the Configure button on the right side of the page.
- Click on the Policies tab at the top.
- Click the “Select existing policies” button.
- Select the Telegram policy you created.
- Click the “Save application” button.
Telegram should now be able to hit your self-hosted n8n instance!
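Because every address in the Step 1 rule skips the login page, it is worth checking the ranges before pasting them. The script below is an added example, not part of the original walkthrough or of any Cloudflare or n8n tooling; the ranges in it are constructed placeholders from the documentation address blocks (substitute the ones from the Telegram page), and the breadth threshold is an assumption.

```python
import ipaddress

# Assumption: anything broader than this is treated as a paste error, because
# every address inside the rule skips the Access login page.
MIN_PREFIX = {4: 16, 6: 32}


def audit_ranges(pasted: str):
    """Return (networks, problems) for newline-separated CIDR ranges."""
    networks, problems = [], []
    for raw in pasted.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 192.0.2.10/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid network ({exc})")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"{entry}: /{net.prefixlen} is broader than expected")
            continue
        networks.append(net)
    return networks, problems


def skips_login(source_ip: str, networks) -> bool:
    """True if a request from source_ip would match the IP-range rule."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


# Constructed sample input: two clean ranges, one typo, one catch-all.
PASTED = """
192.0.2.0/24
198.51.100.10/24
0.0.0.0/0
203.0.113.0/24
"""

if __name__ == "__main__":
    nets, problems = audit_ranges(PASTED)
    for p in problems:
        print("REJECTED", p)
    for ip in ("192.0.2.55", "198.51.100.10"):
        print(ip, "skips login" if skips_login(ip, nets) else "gets the login page")
```

Only the entries that pass the audit belong in the policy; a rejected line means the paste should be compared against the Telegram documentation again.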