Problem
Home ISPs often use CGNAT, which blocks inbound connections. Traditional port forwarding doesn’t work, so hosting a web app directly from home becomes difficult.
Solution
I used Cloudflare Tunnel (cloudflared) to create an outbound connection from the machine running the app to Cloudflare. Cloudflare then proxies HTTPS traffic to the app through the tunnel.
Architecture
- User → Cloudflare (DNS + TLS)
- Cloudflare → Tunnel
- Tunnel → Next.js (localhost:3000)
Key decisions
- No port forwarding (safer and works with CGNAT)
- HTTPS handled at Cloudflare edge
- Ingress rules with a 404 fallback to avoid accidental exposure
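An added example, not the author's actual configuration: a cloudflared `config.yml` matching the architecture above, with the 404 catch-all as the last ingress rule. The tunnel ID, credentials path and hostname are placeholders.

```yaml
# Constructed example. <TUNNEL-UUID>, the credentials path and
# app.example.com are placeholders, not values from the original post.
tunnel: <TUNNEL-UUID>
credentials-file: /home/user/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Rules are matched top to bottom. Only this hostname is proxied
  # to the Next.js app listening on loopback.
  - hostname: app.example.com
    service: http://localhost:3000

  # Catch-all rule (no hostname), required as the last entry.
  # Any other hostname routed to this tunnel gets a 404 from
  # cloudflared instead of reaching a local service.
  - service: http_status:404

  # Weak variant, shown for contrast only: a catch-all that proxies
  # everything to the app, so every hostname pointed at the tunnel
  # would expose it.
  # - service: http://localhost:3000
```

Running `cloudflared tunnel ingress validate` checks the rule list before the tunnel is started.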
What I learned
- CGNAT vs inbound/outbound connectivity
- DNS records for tunnels (CNAME to cfargotunnel)
- Operational reliability concerns (sleep/restarts on laptops)