Port Forwarding or Tunneling a Service

This guide will step you through Port Forwarding or Tunneling a service

Required Knowledge

External Access to Systems

Monitoring and Alerting

Authentication, Access and Accounts


There are 2 solutions for making a service accessible externally - a CF Tunnel or Port Forwarding.

Cloudflare Tunnel

Creating a 'public host'

  1. On the left, select Access > Tunnels

  2. Select the relevant tunnel and click on 'Configure'

  3. Click on the Public Hostname tab

  4. Click on 'Add Public Hostname' and input the relevant data, eg

  5. Click on Save hostname

  6. Naigate to the url and confirm it is working

Note: If the internal service is on HTTPS you may need to disable TLS verify,

Adding Authentication

Authentication is applied as an 'Application' and allows you to limit services to specific users, IP address, countries etc.

  1. On the left, select Access > Applications

  2. Click on 'Add an application' and select Self Hosted

  3. Configure the Application

    • Application Configuration block Input the name and URLs you wish to configure

    • Application Appearance block Select custom logo and provide a URL to an image, such as the logo of the app

    • Tags Apply any relevant tags, such as 'test', 'xfgn' etc

  4. Click on OK / Save / Next

  5. Under the settings tab, tick 'Enable automatic cloudflared authentication'

  6. Click on OK / Save / Next

Port Forward

Enable Firewall

As port forwarding opens the server to direct access via the internet, we require the firewall to be enabled.


  1. SSH into server and input the below commands

    ufw allow ssh
    ufw enable
  2. Run the below command to get a list of active ports on the server and take note of anything that may need to be allowed through. Take note of anything with 'docker', as these will be containers running on the host (you can compare this data against Portainer)

    lsof -i -P -n | grep LISTEN
  3. Use the below command to allow ports through the firewall

    ufw allow PORT
  4. Ensure that the Crowdsec Firewall bouncer is enabled and configured

Generic "allow list", applicable to all our servers

ufw allow 8080 #crowdsec
ufw allow ssh #allow SSH

Port Forward in UniFi

  1. Navigate to the UniFi site manager and select Rigatoni

  2. Click on the settings cog in the bottom left

  3. Select Security > Port Forwarding

  4. Click on Create Entry

Please ensure the port forward rule is named using the below scheme

Where possible, limit the 'From' IP to the relevant client (eg VPS), though this isn't possible for most use cases (eg Plex, Pterodactyl game ports)

Last updated