Tutorial

Jellyfin Cloudflare Tunnel Setup Guide (2026): Free Remote Access Without Port Forwarding

3 min read 2668 views
Jellyfin Cloudflare Tunnel Setup Guide (2026): Free Remote Access Without Port Forwarding

Jellyfin Cloudflare Tunnel Setup Guide (2026)

Cloudflare Tunnel is the most popular free method for remote Jellyfin access in 2026. It creates an outbound-only connection from your server to Cloudflare edge network - no open ports, no dynamic DNS, automatic SSL, and free DDoS protection.

How Cloudflare Tunnel Works

User (internet) → Cloudflare Edge → Encrypted Tunnel → Your Server → Jellyfin

The cloudflared daemon on your server establishes an outbound connection to Cloudflare. Your home IP is never exposed.

Advantages over port forwarding

FeaturePort ForwardingCloudflare Tunnel
Open ports requiredYes (443)No
Works behind CGNATNoYes
Free SSL certificateManual (Certbot)Automatic
DDoS protectionNoYes (free tier)
Hides home IPNoYes

Prerequisites

  • A domain name (any registrar)
  • Domain DNS managed by Cloudflare (free plan)
  • Docker installed on your Jellyfin server
  • A Cloudflare account (free)

Step 1: Add Your Domain to Cloudflare

  1. Log in to dash.cloudflare.com
  2. Click Add a Site, enter your domain
  3. Select the Free plan
  4. Update your domain nameservers at your registrar to Cloudflare nameservers
  5. Wait for propagation (usually 5-30 minutes)

Step 2: Create a Cloudflare Tunnel

Via Cloudflare Dashboard (Easiest)

  1. Go to Zero Trust, Networks, Tunnels
  2. Click Create a tunnel
  3. Name it: jellyfin
  4. Choose Cloudflared as the connector
  5. Cloudflare gives you a token - copy it

Via CLI

curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared
cloudflared tunnel login
cloudflared tunnel create jellyfin

Step 3: Run cloudflared with Docker

Add to your docker-compose.yml:

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN
    restart: unless-stopped
    depends_on:
      - jellyfin

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    volumes:
      - ./config:/config
      - ./cache:/cache
      - /mnt/media:/media:ro
    restart: unless-stopped

Replace YOUR_TUNNEL_TOKEN with the token from Step 2.

docker compose up -d

Step 4: Configure DNS Routing

JellyWatchTry JellyWatch — Your Jellyfin companion, everywhere.
Google Play Web App

In Cloudflare Dashboard, Zero Trust, Tunnels, your tunnel, Public Hostname:

  1. Click Add a public hostname
  2. Subdomain: jellyfin
  3. Domain: yourdomain.com
  4. Service type: HTTP
  5. URL: jellyfin:8096 (Docker service name) or localhost:8096
  6. Save

Your Jellyfin server is now accessible at https://jellyfin.yourdomain.com.

Step 5: Configure Jellyfin for Tunnel Access

Dashboard, Networking, Published server URL: https://jellyfin.yourdomain.com

Add Cloudflare as a trusted proxy

Dashboard, Networking, Known Proxies - add Cloudflare IP ranges:

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

The Cloudflare ToS Question

Cloudflare ToS Section 2.8 historically prohibited using their free CDN for serving large amounts of non-HTML content. The 2026 reality:

  • Cloudflare Tunnel traffic is not cached by default
  • Many thousands of Jellyfin users run Cloudflare Tunnels without issues
  • Cloudflare has not enforced Section 2.8 against tunnel users streaming personal media

Recommendation: Use Cloudflare Tunnel for remote access. Do not enable CDN caching for video content.

Cloudflare Tunnel vs Tailscale vs WireGuard

FeatureCloudflare TunnelTailscaleWireGuard
Open portsNoneNone1 UDP
Works behind CGNATYesYesNo
Client install requiredNo (browser)Yes (all devices)Yes (all devices)
Free SSLYesN/AN/A
DDoS protectionYesNoNo
Best forBrowser access, sharingPersonal devicesMaximum performance

Troubleshooting

ProblemFix
502 Bad GatewayJellyfin not running or wrong service URL
SSL errorWait for Cloudflare certificate provisioning (up to 15 min)
Slow loadingNormal - tunnel adds 20-50ms latency
Mobile app cannot connectUse the full HTTPS URL including subdomain

Remote access configured? Monitor every session from your phone. Download JellyWatch on Google Play - works over Cloudflare Tunnel to monitor your Jellyfin server in real time.

Related Articles

Best Jellyfin Client for Android TV in 2026: JellyWatch TV vs Official App vs Findroid (Tested)

Best Jellyfin Client for Android TV in 2026: JellyWatch TV vs Official App vs Findroid (Tested)

6 min read
Jellyfin Intro Skipper 2026: Complete Setup, Configuration & Troubleshooting Guide

Jellyfin Intro Skipper 2026: Complete Setup, Configuration & Troubleshooting Guide

8 min read
How to Watch Your Jellyfin Library in VR 2026: Quest, Bigscreen & a Private Cinema

How to Watch Your Jellyfin Library in VR 2026: Quest, Bigscreen & a Private Cinema

7 min read

More in Tutorial

Awesome Jellyfin Plugins 2026: 60+ Best Plugins Worth Installing (Complete Guide)

25030 views

Best Jellyfin Themes and How to Install Them in 2026 (Skin Manager Guide)

18445 views

Best Jellyfin Client for Every Device in 2026: 70+ Apps Ranked (Android, iOS, TV, Desktop)

17315 views

Jellyfin Subtitles Guide 2026: Add, Sync & Automate with Bazarr (Complete)

16081 views

Comments 2

leomtz·

My ISP uses CGNAT so port forwarding was impossible. Cloudflare Tunnel solved it in 10 minutes. Free, no open ports, automatic SSL. Cannot believe this is free.

Zoe P.·

Measured about 30-40ms extra latency through the tunnel compared to direct access. Completely unnoticeable during streaming. 4K remuxes play without any buffering.

Leave a comment

Never displayed publicly.
0 / 2000 · Supports limited Markdown: **bold**, *italic*, `code`, [link](url), lists, > quote.