# Cloudflare with Devolutions Gateway

Devolutions Gateway can operate behind a Cloudflare Tunnel to add an additional layer of protection to an internal Devolutions Gateway installation or to allow an outbound tunnel when changing a firewall configuration is unavailable. Using Devolutions Gateway behind Cloudflare Tunnel is available for both Devolutions Server and Devolutions Cloud.

### Configure Cloudflare tunnel

1. Log into the Cloudflare dashboard.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>A Cloudflare free plan can be used to install and run Cloudflare tunnels.</p></div>
2. Go to the ***Zero Trust*** section which is under ***Cloudflare Dashboard***.
3. Go to ***Networks*** – ***Tunnels*** and click ***Create a tunnel***.

   ![](https://cdnweb.devolutions.net/docs/DGW0004_2024_3.png)
4. Select ***Cloudflared*** and click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/DGW0005_2024_3.png)
5. Input a name and click ***Save tunnel***.

   ![](https://cdnweb.devolutions.net/docs/DGW0006_2024_3.png)
6. Choose the appropriate operating system and architecture.
7. Download the installer via the given link.

   ![](https://cdnweb.devolutions.net/docs/DGW0007_2024_3.png)
8. ***Copy*** the configuration string.

   ![](https://cdnweb.devolutions.net/docs/DGW0008_2024_3.png)
9. Run the Cloudflare installer.
10. In the ***Install and run a connector*** section of the Cloudflare installation window, copy the command.
11. Open the server with the installed Cloudflare tunnel daemon and open ***Command Prompt*** as an administrator.
12. Paste the copied configuration string from step 8 and press enter.

    <div data-gb-custom-block data-tag="hint" data-style="success" class="hint hint-success"><p>It is advised to verify that the <em><strong>Status</strong></em> is showing as <em><strong>Connected</strong></em>.</p></div>

    ![](https://cdnweb.devolutions.net/docs/DGW0019_2024_3.png)
13. Click ***Next***.

    ![](https://cdnweb.devolutions.net/docs/DGW0009_2024_3.png)
14. Input a unique subdomain.
15. Choose ***HTTPS*** as ***Type***. When using a self-signed certificate for a gateway, enable the ***No TLS Verify*** option under ***Additional application settings*** – ***TLS***. This option turns off cloudflared's validation of the certificate presented by the gateway, so enable it only for the self-signed case.

    <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Use localhost:7171 as the URL if the default gateway configuration was used.</p></div>
16. Click ***Save tunnel***.

    ![](https://cdnweb.devolutions.net/docs/DGW0010_2024_3.png)
17. Click on the newly created ***Tunnel name***.
18. Click ***Edit***.

    ![](https://cdnweb.devolutions.net/docs/DGW0011_2024_3.png)
19. Go to the ***Public Hostname*** tab and click ***Add a public hostname***.

    ![](https://cdnweb.devolutions.net/docs/DGW0012_2024_3.png)
20. Input a unique subdomain (different from step 14).
21. Choose ***TCP*** as ***Type***.

    <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Use localhost:8181 as the URL if the default gateway configuration was used.</p></div>
22. Click ***Save hostname***.

    ![](https://cdnweb.devolutions.net/docs/DGW0013_2024_3.png)

When done there should be two public hostnames.

![](https://cdnweb.devolutions.net/docs/DGW0014_2024_3.png)

### Retrieve the provisioning key

1. Log into the Devolutions Server or Devolutions Cloud instance as a user with access to the Devolutions Gateway configuration.
2. Go to ***Administration*** — ***Devolutions Gateway***.
3. Click the ***More*** button and select ***Download public key***.

{% hint style="success" %}
This file needs to be accessible to the server hosting Devolutions Gateway behind the Cloudflare tunnel.
{% endhint %}

### Install Devolutions Gateway with Cloudflare

1. Open a connection to the server hosting Devolutions Gateway and download the [installer](https://devolutions.net/gateway/).
2. Run the installer.
3. Click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/DGW0020_2024_3.png)
4. Once the desired installation path is selected, click the ***Next*** button.

   ![](https://cdnweb.devolutions.net/docs/DGW0021_2024_3.png)
5. Click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/DGW0023_2024_3.png)
6. Click ***Next*** in the ***Listeners*** window.

   <div data-gb-custom-block data-tag="hint" data-style="success" class="hint hint-success"><p>It is advised to leave the default listeners as they will likely correspond to the Cloudflare tunnel configuration.</p></div>

   ![](https://cdnweb.devolutions.net/docs/DGW0024_2024_3.png)
7. Enter the external URI by which the gateway will be reachable.
8. Click ***Next***.

   ![](https://cdnweb.devolutions.net/docs/DGW0025_2024_3.png)
9. Specify the path to the TLS certificates or to the system certificate store location.
10. Click ***Next***.

    ![](https://cdnweb.devolutions.net/docs/DGW0026_2024_3.png)
11. Specify the path to the previously retrieved public key from Devolutions Server or Devolutions Cloud.

    <div data-gb-custom-block data-tag="hint" data-style="success" class="hint hint-success"><p>This key file must be accessible to the <strong>NetworkService</strong> account, which Devolutions Gateway runs as.</p></div>
12. Click ***Next***.

    ![](https://cdnweb.devolutions.net/docs/DGW0022_2024_3.png)
13. Click ***Install***.

### Launch the Cloudflared client on the Remote Desktop Manager host

The Cloudflared client needs to be [downloaded](https://github.com/cloudflare/cloudflared/releases) and launched to properly tunnel the connection. This client will create an outbound Cloudflare tunnel connection from the local Remote Desktop Manager client to the Cloudflare tunnel connecting to Devolutions Gateway.

The following command needs to stay running in a terminal window for as long as the tunnel needs to be open, and must be launched each time a gateway behind a Cloudflare tunnel will be accessed:

```
cloudflared-windows-amd64.exe access tcp --hostname gateway-client-tcp.mydomain.com --url localhost:8181
```

To avoid running the command every time, create a service:

1. Launch an elevated PowerShell session.
2. Input this code to create a new Windows service:

   ```powershell
   # Register cloudflared as a Windows service that opens the client-side TCP tunnel
   New-Service -Name "Cloudflared Egress" -BinaryPathName "C:\Tools\cloudflared-windows-amd64.exe access tcp --hostname gateway-client-tcp.mydomain.com --url localhost:8181"

   # Start the newly created service
   Start-Service -Name 'Cloudflared Egress'
   ```
3. Start the service.

The tunnel is now running permanently client-side.
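
The following check is an added example, not part of the original Devolutions documentation. It confirms that the service created above is running from the expected binary and that the local listener on port 8181 is bound to loopback only and owned by that service's process. The service name, binary path and port are the values used on this page; the function name `Test-CloudflaredEgress` is hypothetical.

```powershell
# Added example: verify the client-side tunnel service created above.
# Service name, binary path and port are the values used on this page.
$ServiceName = 'Cloudflared Egress'
$ExpectedExe = 'C:\Tools\cloudflared-windows-amd64.exe'
$LocalPort   = 8181

function Test-CloudflaredEgress {
    param([string]$Name, [string]$Exe, [int]$Port)

    $findings = @()

    # 1. The service must exist, be running, and launch the expected binary.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return @("Service '$Name' not found") }
    if ($svc.State -ne 'Running') { $findings += "Service state is $($svc.State)" }
    $path = $svc.PathName.Trim('"')
    if (-not $path.StartsWith($Exe, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Unexpected binary path: $($svc.PathName)"
    }

    # 2. Something must be listening on the port, and only on loopback.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) { $findings += "Nothing is listening on port $Port" }
    foreach ($l in $listeners) {
        if ($l.LocalAddress -notin '127.0.0.1', '::1') {
            $findings += "Listener on $($l.LocalAddress):$Port is not loopback-only"
        }
        # 3. The listener must belong to the service's own process.
        if ($l.OwningProcess -ne $svc.ProcessId) {
            $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $findings += "Port $Port is owned by PID $($l.OwningProcess) ($owner), not the service"
        }
    }
    return $findings
}

$result = Test-CloudflaredEgress -Name $ServiceName -Exe $ExpectedExe -Port $LocalPort
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    'Cloudflared Egress is running and listening on loopback only.'
}
```

Run it from the same elevated PowerShell session; any warning means Remote Desktop Manager would not be reaching the gateway through the expected cloudflared process.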

### Configure Devolutions Server

1. Log into a Devolutions Server instance as a user with access to the Devolutions Gateway configuration.
2. Go to ***Administration*** — ***Devolutions Gateway***.
3. Click the ***Add*** (***+***) button and choose ***Gateway***.

   ![](https://cdnweb.devolutions.net/docs/DGW0002_2024_3.png)
4. Enter the previously retrieved details from Cloudflare used to configure Devolutions Gateway.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>It may be necessary to prefix the Cloudflare tunnel domain with <code>https://</code>. <em><strong>Auto-detect</strong></em> will only work if the hostname was configured to be the same as the TCP hostname in Cloudflare. Use <em><strong>Test connection</strong></em> to check whether the tunnel domain is accessible.</p></div>
5. Click ***Save***.

   ![](https://cdnweb.devolutions.net/docs/DGW0015_2024_3.png)
6. Click the ellipsis (***More***) button next to the newly configured gateway and select ***Publish revocation list***.

   1. If the ***Publish Gateway configuration*** option is available, it should be done before ***Publish revocation list***.

   ![](https://cdnweb.devolutions.net/docs/DGW0016_2024_3.png)

### Configure Devolutions Cloud

1. Log into a Devolutions Cloud instance as a user with access to the Devolutions Gateway configuration.
2. Go to ***Administration*** — ***Devolutions Gateway***.
3. Click the ***Add*** (***+***) button.
4. Enter the previously retrieved details from Cloudflare used to configure Devolutions Gateway.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>It may be necessary to prefix the Cloudflare tunnel domain with <code>https://</code>. <em><strong>Auto-Detect</strong></em> will only work if the hostname was configured to be the same as the TCP hostname in Cloudflare. Use <em><strong>Test connection</strong></em> to check whether the tunnel domain is accessible.</p></div>

   ![](https://cdnweb.devolutions.net/docs/DGW0017_2024_3.png)
5. Go through any combination of ***Vaults***, ***Groups*** or ***Users*** tabs to decide how the licenses will be distributed.
6. Click ***Add***.
7. Click the ellipsis (***More***) button next to the newly configured gateway and select ***Publish Gateway configuration***.

   ![](https://cdnweb.devolutions.net/docs/DGW0018_2024_3.png)

