How to Use a Cloudflare Tunnel with a Minecraft Server
How to Use a Cloudflare Tunnel with a Minecraft Server
A Cloudflare Tunnel lets you route traffic to your Minecraft server through Cloudflare's network without exposing your server's real IP address. This guide walks through what a cloudflare tunnel minecraft server setup looks like and when it makes sense to use one.
What Is a Cloudflare Tunnel?
Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your server to Cloudflare's edge. Incoming traffic from players is routed through Cloudflare before it reaches your server — your actual IP is never published.
The two main reasons players set this up:
- Custom domain — Connect via
play.yourdomain.cominstead of a raw IP and port - IP masking — Hide your server's real IP, useful if you're self-hosting on a home network
Do 3LifeHosting.com Servers Need a Tunnel?
Not for DDoS protection. All 3LifeHosting.com game servers include enterprise-grade DDoS mitigation built in, so attacks against your server IP are absorbed at the network level before they reach your game.
A Cloudflare Tunnel is still useful if you want to:
- Point a custom domain at your server without publishing the IP
- Consolidate multiple services under one Cloudflare-managed domain
If you just want a clean address for your players, a DNS SRV record on your own domain works without a tunnel — see the section below.
Prerequisites
- A domain name with its DNS managed by Cloudflare (free plan is fine)
- A Cloudflare account
- SSH or terminal access to your server — on 3LifeHosting.com plans, use the Console tab in the control panel
Note: Cloudflare Tunnel for TCP (which Minecraft Java uses) requires the Cloudflare WARP client on each player's device, OR you can use a workaround with
cloudflaredand spectator-only access. For most Minecraft servers, a DNS SRV record is simpler. Read on for both approaches.
Option 1: DNS SRV Record (Recommended for Most Servers)
This is the easiest way to get a custom domain working. It doesn't mask your IP, but it lets players connect via play.yourdomain.com while your server runs on a non-standard port.
- Log in to your Cloudflare dashboard and select your domain
- Go to DNS → Records → Add record
- Add a SRV record with these values:
| Field | Value |
|---|---|
| Type | SRV |
| Name | _minecraft._tcp.play |
| Priority | 0 |
| Weight | 5 |
| Port | Your server port (e.g. 25565) |
| Target | Your server IP |
| TTL | Auto |
- Save the record. Players can now connect via
play.yourdomain.com— no port required in the address bar.
Set the record to DNS only (grey cloud), not proxied. Cloudflare cannot proxy raw TCP traffic on its free plan.
Option 2: Cloudflare Tunnel for IP Masking
If hiding your IP is the priority — for example, you're running a server from home — a tunnel is the right tool. This setup requires cloudflared installed on the machine running the server.
Step 1: Install cloudflared
On Debian/Ubuntu:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
On Alpine (used in some container environments):
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared
Step 2: Authenticate cloudflared
cloudflared tunnel login
This opens a browser window — log in to your Cloudflare account and authorise the domain you want to use.
Step 3: Create a tunnel
cloudflared tunnel create minecraft-server
Note the tunnel ID printed in the output — you'll need it in the next step.
Step 4: Create the config file
Create /etc/cloudflared/config.yml:
tunnel: <your-tunnel-id>
credentials-file: /root/.cloudflared/<your-tunnel-id>.json
ingress:
- hostname: play.yourdomain.com
service: tcp://localhost:25565
- service: http_status:404
Replace play.yourdomain.com with your actual domain and 25565 with your server's port.
Step 5: Route DNS through the tunnel
cloudflared tunnel route dns minecraft-server play.yourdomain.com
This creates a CNAME record in your Cloudflare DNS pointing play.yourdomain.com at your tunnel.
Step 6: Start the tunnel
cloudflared tunnel run minecraft-server
To run it as a system service so it starts automatically:
sudo cloudflared service install
sudo systemctl start cloudflared
sudo systemctl enable cloudflared
Connecting as a Player
Because Minecraft Java uses raw TCP, players connecting through a Cloudflare Tunnel need the Cloudflare WARP app installed and running on their device. This is the main limitation of this approach — it adds a step for every player.
If that friction is acceptable, players connect to play.yourdomain.com with WARP active. The tunnel handles the rest.
Troubleshooting
Players cannot connect
- Confirm the tunnel is running:
sudo systemctl status cloudflared - Check the ingress hostname matches exactly what players are typing
- Make sure the port in
config.ymlmatches your actual Minecraft server port
SRV record not resolving
- DNS propagation can take a few minutes
- Confirm the record is set to DNS only, not proxied
- Use
dig _minecraft._tcp.play.yourdomain.com SRVto verify the record is live
Tunnel disconnects
- Check
cloudflaredlogs:journalctl -u cloudflared -n 50 - Ensure your credentials file exists and the tunnel ID is correct
Summary
| Approach | Hides IP | Custom Domain | Player Setup Required |
|---|---|---|---|
| DNS SRV record | No | Yes | None |
| Cloudflare Tunnel | Yes | Yes | WARP app on each device |
For most hosted servers — including those on 3LifeHosting.com — a DNS SRV record gives you a clean custom domain with no extra steps for players. A full Cloudflare Tunnel is worth it if you're self-hosting and need your home IP kept private.
If you need help finding your server's IP and port on a 3LifeHosting.com plan, see Connecting to Your Server.