📅 Updated: May 2025
🛡️ Security Level: High
⚙️ Method: Native Binary (no Docker needed)
🌍 Access: From anywhere, securely over HTTPS!
Setting up a Cloudflare Tunnel on an OpenMediaVault (OMV) NAS is one of the safest and most modern ways to enable secure access to your dashboard and services — without the risks of port forwarding 🔐. With this method, your NAS remains invisible to the public internet, yet fully accessible to you via HTTPS!
Setup Cloudflare for Your Domain
Get a Cloudflare Account
- Go to Cloudflare.
- Sign up or log in.
- Add your domain name.
- Change your domain’s nameservers to Cloudflare’s (Cloudflare will provide these).
🚀 Step 1: Install Cloudflare Tunnel on NAS
SSH into your OMV NAS from your PC using PuTTY or terminal:
ssh root@your-nas-ipDownload and install the Cloudflare Tunnel binary:
# Add Cloudflare's GPG key
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /etc/apt/keyrings/cloudflare-main.gpg >/dev/null
# Add the repo
echo 'deb [signed-by=/etc/apt/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Update and install
sudo apt update
sudo apt install cloudflared
🔐 Step 2: Authenticate the Tunnel
cloudflared tunnel loginThis will give you a link. Open it, log in to Cloudflare, and approve. It will generate a certificate token for your domain and save it locally.
📦 Step 3: Create and Configure the Tunnel
cloudflared tunnel create nas-tunnelSave the Tunnel ID it gives you.
Now create a configuration directory and file:
mkdir -p /etc/cloudflared
nano /etc/cloudflared/config.ymlPaste and modify the following:
tunnel: your_nas-tunnel_ID
credentials-file: /root/.cloudflared/your_nas-tunnel_ID.json
ingress:
- hostname: nas.yourdomain.com
service: http://192.168.X.X:80
- service: http_status:404Replace your_nas-tunnel_ID and IP accordingly. Save and exit.
🔧 Step 4: Create systemd Service File
This ensures your tunnel starts automatically at boot:
sudo nano /etc/systemd/system/cloudflared.servicePaste this:
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target
[Service]
ExecStartPre=/usr/bin/bash -c 'while ! ping -c1 1.1.1.1 > /dev/null; do sleep 2; done'
ExecStart=/usr/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=always
RestartSec=10
User=root
Group=root
Environment=CF_TUNNEL_LOG=/var/log/cloudflared.log
[Install]
WantedBy=multi-user.target▶️ Step 5: Start and Enable the Tunnel
sudo systemctl daemon-reexec
sudo systemctl enable --now cloudflared✅ Your tunnel will now auto-start every time your NAS boots. No need to manually restart it!
🌐 Step 6: Configure Subdomain in Cloudflare Zero Trust (No DNS Editing Needed!)
Now let’s bind your tunnel to a subdomain using Cloudflare Zero Trust interface:
- Go to Cloudflare Dashboard → Select your domain.
- Click on the Zero Trust option from the left sidebar.
- Navigate to Access → Tunnels.
- Find your tunnel
nas-tunneland click the three dots (⋮) next to it. - Select Configure.
- Scroll to the section Public Hostname and click Add a Public Hostname.
Fill the form like this:
- Subdomain:
nas - Domain: your registered domain (e.g.
saurabthakur.com) - Service Type:
HTTP - URL:
http://192.168.X.X:80(replace with your NAS local IP)
Click Save ✅
Cloudflare will automatically generate the necessary DNS records and SSL cert behind the scenes! No manual DNS editing needed 🎉
✅ Final Step: Access Your NAS Securely!
You can now access your NAS through a secure, Cloudflare-protected tunnel:
https://nas.yourdomain.com- ✅ Fully secured with HTTPS (via Cloudflare SSL)
- ✅ No port forwarding required
- ✅ Keeps working even if your public IP changes (no need for DDNS)
🧠 Pro Tip:
Want to add more services like Nextcloud, Jellyfin, or Immich? Just repeat the Public Hostname steps and point each subdomain to its respective internal port (e.g., http://192.168.X.X:9000)!
FAQ
Why should I use Cloudflare to access my NAS instead of port forwarding?
Cloudflare provides a secure way to access your NAS without exposing your public IP or opening ports on your router. Port forwarding can make your NAS vulnerable to attacks like brute force attempts and DDoS attacks. With Cloudflare Tunnel, your NAS remains behind Cloudflare’s security layer, making it much harder for attackers to reach it.
What happens if my ISP changes my public IP address?
If your ISP changes your public IP, your NAS’s domain could stop working unless you update the Cloudflare DNS records manually. To automate this, we use a Dynamic DNS (DDNS) script that periodically checks your IP and updates Cloudflare automatically. This ensures your NAS remains accessible even if your IP changes.
What is Cloudflare Tunnel, and why is it recommended?
Cloudflare Tunnel (previously Argo Tunnel) is a secure way to expose your NAS to the internet without opening ports on your router. Instead of allowing inbound connections directly to your NAS, Cloudflare Tunnel creates an outbound connection to Cloudflare’s network. This eliminates the need for port forwarding and enhances security.
What is the difference between "DNS Only" and "Proxied" in Cloudflare DNS settings?
DNS Only: This simply resolves your domain to your public IP without routing traffic through Cloudflare. It’s useful for initial DDNS setup. Proxied: This routes traffic through Cloudflare’s servers, providing DDoS protection, caching, and SSL encryption. Once the Cloudflare Tunnel is set up, ensure your NAS subdomain is Proxied (orange cloud icon).
Can I access my NAS locally using the domain instead of its IP address?
Yes! To access your NAS using the domain inside your home network, you need to add a local DNS entry in your router or set up Split DNS:
nas.yourdomain.com to your NAS's local IP
(192.168.x.x).
nas.yourdomain.com pointing to the NAS’s local IP.
Is this setup free, or do I need to pay for Cloudflare services?
Most of the features used in this guide are completely free with Cloudflare’s Free Plan, including:
However, Cloudflare offers paid plans with advanced security and performance features, but they are not required for securing your NAS with this method.
