It’s a bit hard to use Cloudflare’s Argo Tunnel with Docker when you don’t have any configuration in place already, so I’m trying to break down the steps here.

create a volume:

First start by creating a docker volume to hold the configuration data:

docker volume create cloudflared

Now comes the annoying part: fixing the permissions for the volume. I guess and hope there’s a better way, but I just don’t know of any other. Get the path of the docker volume; you can use docker volume inspect cloudflared for this. Usually it’s in /var/lib/docker/volumes.

sudo chown -R 65532:65532 /var/lib/docker/volumes/cloudflared/_data

login and fetch the certificate:

Let’s use a temporary container with the created volume to log in to Cloudflare for authorization.

Note: I use the docker image with the 2021.3.2 tag. This will probably be outdated in a couple of days, so make sure to check Docker Hub.

docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel login

create the tunnel:

docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel create my-tunnel

It’ll give you the path of the .json file where the credentials are stored, and the UUID of the tunnel, which is also part of the JSON filename.

create config file:

I guess the best place to learn how to create the right configuration file is the Cloudflare documentation page; I’ll include an example here.

Create a file config.yml:

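# UUID printed by "tunnel create"
tunnel: 9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f
# credentials file as seen from inside the container
credentials-file: /home/nonroot/.cloudflared/9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f.json
# rules are matched top to bottom; the last one has no hostname and acts as the fallback
ingress:
  - hostname:
    service: http://localhost:4567
  - service: http://localhost:404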

This will route traffic destined for the configured hostname to localhost:4567. A fallback is always required; in this case it’s localhost:404 to return a not found page by cloudflared.

Please save the config file to the docker volume as well, for example into:


You may have to update the permissions again as described above.
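
A check of the volume after the login, create and config steps, as an added example that is not part of the original post: it reports files not owned by the uid the volume was chowned to, and secrets (cert.pem, the credentials JSON) that group or others can access. The function name and the mode rule are assumptions of this example; it assumes GNU find on a Linux Docker host.

```shell
#!/bin/sh
# Audit a cloudflared config directory (the volume's _data path on the host).
# Prints one line per finding; returns 0 when clean, 1 when there are findings.
# audit_cloudflared_dir is a hypothetical helper name, not a cloudflared command.
audit_cloudflared_dir() {
    dir=$1
    want_uid=${2:-65532}   # uid:gid used in the chown step above
    findings=$(
        # Anything in the volume not owned by the container user.
        find "$dir" ! -user "$want_uid" | sed 's/^/OWNER /'
        # cert.pem comes from "tunnel login", <UUID>.json from "tunnel create";
        # both are secrets, so flag any group/other permission bit (assumed rule).
        find "$dir" -type f \( -name 'cert.pem' -o -name '*.json' \) \
            -perm /077 | sed 's/^/MODE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly with: sudo sh audit.sh /var/lib/docker/volumes/cloudflared/_data
if [ "$#" -gt 0 ]; then
    audit_cloudflared_dir "$@"
fi
```

A MODE finding is fixed with chmod 600 on the reported file; an OWNER finding with the chown command from the volume step.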

route traffic / create DNS entry:

You can create the CNAME DNS entry manually, or have cloudflared create it automatically, like this:

docker run -v cloudflared:/home/nonroot/.cloudflared cloudflare/cloudflared:2021.3.2 tunnel route dns my-tunnel

First specify the tunnel name (my-tunnel), then the hostname.