Exposing Your Private AI to the World (Securely): Using Cloudflare Tunnels with Open WebUI
Category: How-To & Tutorial Guides
Introduction: The Homelab Conundrum
You’ve set up a powerful, private AI instance like Open WebUI on your homelab server. It’s fast, it’s customized, and it’s all yours. There’s just one problem: it’s stuck on your local network. How do you access your private AI chat, or any other self-hosted service, when you’re on the go? The traditional answer involves opening ports on your router (port forwarding), which can be a significant security risk, exposing your home network to the public internet.
This tutorial provides a modern, secure, and surprisingly simple solution. We will walk you through setting up a Cloudflare Tunnel to create a secure link between your local Open WebUI instance and the rest of the world. No open ports, no complex firewall rules, and the core service is completely free.
Prerequisites
Before we begin, make sure you have the following:
- A running instance of a local web service. We’ll use Open WebUI as the example, which typically runs on port 8080.
- A Cloudflare account. If you don’t have one, you can sign up for free.
- A domain name that you own and have added to your Cloudflare account.
Step 1: Install the Cloudflare Tunnel Daemon (cloudflared)
The first step is to install the `cloudflared` daemon on the same machine where your Open WebUI instance is running. This lightweight client is what establishes the secure, outbound-only connection to Cloudflare’s network.
For Debian-based Linux systems (like Ubuntu), you can use the following commands:
```bash
# Add Cloudflare's package repository GPG key
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-main.gpg
# Add the repository to your apt sources ("jammy" is the Ubuntu 22.04 codename; use your release's codename)
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Update your package lists and install cloudflared
sudo apt-get update
sudo apt-get install cloudflared
```
For other operating systems, please refer to the official Cloudflare documentation.
Step 2: Authenticate `cloudflared`
Next, you need to link the `cloudflared` agent with your Cloudflare account. Run the following command:
```bash
cloudflared tunnel login
```
This command will open a browser window, asking you to log in to your Cloudflare account and select the domain you wish to use for the tunnel. Once you authorize it, Cloudflare will download a certificate file (`cert.pem`) to the default `~/.cloudflared/` directory, allowing your daemon to authenticate with your account.
Step 3: Create Your Tunnel
Now it’s time to create a persistent tunnel. This registers the tunnel with Cloudflare’s network and gives it a permanent name and ID.
Choose a name for your tunnel (e.g., `open-webui`) and run:
```bash
cloudflared tunnel create open-webui
```
Cloudflare will generate a unique UUID for your tunnel and create a credentials file (e.g., `[TUNNEL-UUID].json`) in your `~/.cloudflared/` directory. This file is crucial as it acts as a token for your tunnel. Keep this file safe!
Step 4: Configure the Tunnel
You need to tell your tunnel where to send incoming traffic. This is done with a configuration file. Create a file named `config.yml` inside the `~/.cloudflared/` directory.
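```yaml
tunnel: open-webui
# Absolute path to the credentials file from Step 3 (/root/... applies when cloudflared runs as root)
credentials-file: /root/.cloudflared/<YOUR-TUNNEL-UUID>.json
ingress:
  # Route the public hostname to the local Open WebUI port
  - hostname: ai.yourdomain.com
    service: http://localhost:8080
  # Catch-all: anything that matches no hostname gets a 404
  - service: http_status:404
```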
Configuration Breakdown:
- tunnel: The name you chose in the previous step.
- credentials-file: The full path to the JSON credentials file generated in Step 3. Make sure you replace `<YOUR-TUNNEL-UUID>` with the actual file name.
- ingress: This is the core routing rule.
  - hostname: The public URL you want to use. Replace `ai.yourdomain.com` with your desired subdomain and domain.
  - service: The local address of the service you are exposing. For Open WebUI, this is typically `http://localhost:8080`.
- The final `service: http_status:404` is a mandatory catch-all rule to terminate any traffic that doesn’t match a defined hostname.
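A pre-flight check for the files from Steps 2 to 4, added here as an example (it is not part of the original tutorial or of Cloudflare's tooling). `creds_too_open` flags `cert.pem` or tunnel credentials that group or other users can access, and `lint_ingress` checks that the last ingress rule is a catch-all and that every hostname routes to a loopback origin. Both function names are hypothetical; the lint assumes the unquoted YAML layout shown in Step 4, an origin on the same machine as `cloudflared`, and GNU `find`.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the ~/.cloudflared files from Steps 2-4.
# Function names are hypothetical; this is not part of cloudflared.

# Print secret files in directory $1 that group/other can access.
# Covers cert.pem (Step 2) and the tunnel credentials JSON (Step 3).
# Returns 1 if any are found. Requires GNU find for "-perm /077".
creds_too_open() {
  loose=$(find "$1" -maxdepth 1 -type f \
            \( -name '*.json' -o -name 'cert.pem' \) -perm /077)
  [ -z "$loose" ] && return 0
  printf '%s\n' "$loose"
  return 1
}

# Lint the ingress section of config file $1; print findings, return 1 if any.
#   - the last rule must be a catch-all (a service with no hostname)
#   - assumption: each hostname should route to an origin on loopback
lint_ingress() {
  awk '
    { sub(/^#.*/, ""); sub(/[ \t]+#.*/, ""); sub(/[ \t]+$/, "") }  # strip comments
    /^ingress:/           { in_ing = 1; next }
    in_ing && /^[^ \t-]/  { in_ing = 0 }          # next top-level key ends the section
    !in_ing               { next }
    /^[ \t]*-[ \t]/       { n++; host[n] = ""; svc[n] = "" }   # start of a new rule
    /^[ \t-]*hostname:/   { sub(/^[ \t-]*hostname:[ \t]*/, ""); host[n] = $0; next }
    /^[ \t-]*service:/    { sub(/^[ \t-]*service:[ \t]*/, "");  svc[n]  = $0 }
    END {
      if (n == 0) { print "no ingress rules found"; exit 1 }
      bad = 0
      if (host[n] != "") { print "last rule is not a catch-all: " host[n]; bad = 1 }
      for (i = 1; i <= n; i++)
        if (host[i] != "" &&
            svc[i] !~ /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?(\/.*)?$/) {
          print "rule " i " (" host[i] ") origin is not loopback: " svc[i]; bad = 1
        }
      exit bad
    }' "$1"
}
```

Source the file, then run `creds_too_open ~/.cloudflared` and `lint_ingress ~/.cloudflared/config.yml`; `chmod 600` fixes any file the first check prints. Run `cloudflared tunnel ingress validate` as well to have cloudflared itself validate the ingress rules.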
Step 5: Route Traffic to Your Tunnel
Now, you must create a DNS record in Cloudflare to point your chosen public hostname to your tunnel.
Run the following command, replacing the name and hostname with your own:
```bash
cloudflared tunnel route dns open-webui ai.yourdomain.com
```
This will automatically create a CNAME record in your Cloudflare DNS settings, directing traffic for `ai.yourdomain.com` into the tunnel entrance.
Step 6: Run the Tunnel!
You’re ready for the final step: running the tunnel. Execute the following command:
```bash
cloudflared tunnel --config ~/.cloudflared/config.yml run
```
If everything is configured correctly, you will see a series of lines indicating that the `cloudflared` daemon has established connections to the Cloudflare network. You can now open a browser on any device, anywhere in the world, and navigate to https://ai.yourdomain.com to access your Open WebUI instance securely.
Conclusion
Congratulations! You have successfully and securely exposed your private AI service to the internet. By using a Cloudflare Tunnel, you have avoided the security risks of opening ports on your router and have gained the power of Cloudflare’s global network to protect and accelerate your service. This same method can be used for nearly any other self-hosted application, from media servers to code repositories, giving you secure access to your homelab from anywhere.