It’s a bit hard to use Cloudflare’s Argo Tunnel with Docker when you don’t have any configuration in place already, I’m trying to break down the steps here.

create a volume:

First start by creating a docker volume to hold the configuration data:

docker volume create cloudflared

now the annoying thing comes to play, fix the permissions for the volume. I guess and hope there’s a better way but I just don’t know of any other. Get the path of the docker volume, you can use docker volume inspect cloudflared for this to get the path, usually it’s in /var/lib/docker/volumes

sudo chown -R 65532:65532 /var/lib/docker/volumes/cloudflared/_data

login and fetch the certificate:

let’s use a temporary container with the created volume to login to Cloudflare for authorization.

Note: I use the docker image with the 2021.3.2 tag, this will probably be outdated in a couple of days, so make sure to check the docker hub.

docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel login

create the tunnel:

docker run -it --rm -v cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2021.3.2 tunnel create my-tunnel

It’ll give you some .json file path where the credentials are stored in and the UUID of the tunnel, it’s also part of the JSON filename.

create config file:

I guess the best place to on how to create the right configuration file would be the cloudflare documentation page, I’ll include some example here.

Create a file config.yml:

tunnel: 9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f
credentials-file: /home/nonroot/.cloudflared/9eef6f07-0e12-4cc3-8fb0-6e768ea1c51f.json
  - hostname:
    service: http://localhost:4567
  - service: http://localhost:404

this will route traffic destined for to localhost:4567. A fallback is always required, in this case it’s localhost:404 to return a not found page by cloudflared.

please save the config file to the docker volume as well, for example into:


maybe you have to update the permissions again like described above.

route traffic / create DNS entry:

you can create the CNAME DNS entry manually but also via cloudflared automatically, just like this:

docker run -v cloudflared:/home/nonroot/.cloudflared cloudflare/cloudflared:2021.3.2 tunnel route dns my-tunnel

first, specify the tunnel name (my-tunnel), then the hostname.

(optional) delete cert.pem file:

for a bit more safety and security you can also delete the generated cert.pem file, this will prevent you from creating more cloudflare resources but your tunnel will keep working with the .json file. You can still create new DNS entries for example but they would need to be done through the dashboard then.

sudo rm /var/lib/docker/volumes/cloudflared/_data/cert.pem