Cloudflare Tunnel Alternative: When You Need TCP, UDP, or No Domain
Cloudflare Tunnel is genuinely excellent for what it does: exposing HTTP and HTTPS services to the internet for free, with DDoS protection and no port forwarding required. Millions of self-hosters use it. But it has a specific set of hard limitations that regularly send users looking for alternatives: there is no public UDP support, file uploads are capped at 100MB, a custom domain is required for persistent URLs, and the Terms of Service create real ambiguity for high-bandwidth use cases like Jellyfin video streaming and Nextcloud file sharing. This guide is written for people who are already using Cloudflare Tunnel and have hit one of these walls. It explains exactly what each limitation is, why it exists, which services are most affected, and what alternatives solve the problem without sacrificing what makes Cloudflare Tunnel attractive in the first place.
What Cloudflare Tunnel Does Well
Before covering the limitations, it is worth being direct about where Cloudflare Tunnel excels. It is completely free. There are no bandwidth costs, no per-tunnel fees, and no hidden charges for the core HTTP/HTTPS tunneling functionality. It routes traffic through Cloudflare's global network, which means every tunneled service automatically gets DDoS mitigation, hides your home IP address from visitors, and benefits from Cloudflare's CDN caching for static assets.
The setup is straightforward: install the cloudflared daemon, connect it to your Cloudflare account, and create a public hostname mapping. For developers exposing a web app or API during testing, or for home server operators running a single HTTP service with a domain already on Cloudflare, it covers the requirements completely.
The limitations only surface when your requirements go beyond HTTP, when you need a persistent URL without owning a domain, when you want to expose services like WireGuard or game servers that use UDP, or when file sizes routinely exceed 100MB. Those are the scenarios this guide addresses.
The Five Limitations That Send Users Looking for Alternatives
1. No Public UDP Support
Cloudflare Tunnel's public hostname feature only proxies HTTP and HTTPS traffic. UDP is not available for public-facing services. This is confirmed by Cloudflare's own community staff and documented in the cloudflared GitHub repository, where a feature request for public UDP support (issue #964) has been open since 2022 with no resolution.
The nuance here matters: Cloudflare does support UDP in its Zero Trust private network mode, but only when every connecting client also has the Cloudflare WARP client installed and logged into your Zero Trust organization. For any service where you want anonymous public users to connect (a WireGuard server, a game server, a TURN server), this is not feasible. You cannot ask users to install WARP just to connect to your Minecraft server.
Cloudflare Spectrum does support arbitrary TCP and UDP proxying and is sometimes suggested as a workaround for the UDP limitation. However, Spectrum is only available on Pro plans and above, and UDP support within Spectrum requires an Enterprise contract. It is not part of the free Cloudflare Tunnel product. For home server operators on the free tier, UDP support from Cloudflare is not available.
Services that require public UDP and therefore cannot use Cloudflare Tunnel's public hostnames:
| Service | Protocol | Why UDP is required |
|---|---|---|
| WireGuard VPN | UDP 51820 | WireGuard exclusively uses UDP by design. It cannot run over TCP. |
| Minecraft Bedrock | UDP 19132 | Bedrock edition uses UDP for game traffic. Java edition uses TCP and works with CF Tunnel. |
| CS2 / Rust / Valheim game servers | UDP (various ports) | Game server query and game traffic use UDP. |
| Mumble (VoIP) | UDP 64738 | Low-latency audio requires UDP. TCP fallback exists but audio quality degrades severely. |
| RTSP video streams | UDP | Real-time video streaming protocols use UDP for low latency. |
| SIP / VoIP | UDP 5060 | Session Initiation Protocol is UDP-based. |
2. The 100MB Upload Limit
Cloudflare's free and Pro plans enforce a 100MB maximum request body size. This limit applies to all traffic proxied through Cloudflare's network, including Cloudflare Tunnel. When a user attempts to upload a file larger than 100MB through a tunneled service, Cloudflare returns an HTTP 413 (Request Entity Too Large) error before the file reaches your server.
This is not a bug or a misconfiguration. It is an intentional infrastructure limit documented in Cloudflare's connection limits reference, and it reflects the fact that Cloudflare's network was built primarily for web page delivery, not large file transfers.
The 100MB limit creates real problems for several popular self-hosted services:
The local DNS workaround and why it is not always practical
The most commonly cited workaround for the 100MB limit is to use local DNS: configure a DNS entry on your router or Pi-hole that resolves your service's domain directly to the local IP instead of Cloudflare's servers, so that uploads from inside your home network bypass the tunnel entirely. This works for local uploads but does nothing for uploads from outside your home network. If you are backing up your phone to Nextcloud while connected to mobile data, the traffic still routes through Cloudflare and hits the 100MB limit. The tunnel is still required for external access.
3. A Custom Domain Is Required for Persistent URLs
Cloudflare Tunnel requires a domain registered with Cloudflare DNS to create a persistent public hostname. Without a custom domain, the only option is Cloudflare's Try Cloudflare (Quick Tunnels), which generates a random subdomain on trycloudflare.com that changes on every restart and is explicitly documented as not suitable for production use.
This creates a real barrier for users who want to expose a home service without spending money on a domain or without going through the DNS configuration process. It also creates a dependency: if you let your domain registration lapse, your tunnels stop working immediately.
| Requirement | Cloudflare Tunnel | Localtonet |
|---|---|---|
| Persistent public URL | Requires a domain on Cloudflare DNS | Included: subdomain on localto.net provided free, custom domain optional |
| HTTPS certificate | Managed by Cloudflare (requires domain) | Provided automatically for HTTP tunnels |
| URL stability on restart | Stable (with domain configured) | Stable (custom subdomain persists) |
| Works without any domain purchase | Only with random trycloudflare.com URLs that change on restart | Yes, permanently stable subdomain included |
4. Terms of Service Grey Area for High-Bandwidth Use Cases
Cloudflare's CDN Terms of Service have historically restricted using its network for serving video and large file content that is not hosted on Cloudflare's own storage products (R2, Stream, Images). The ToS were updated in late 2025 to remove the old HTML vs non-HTML restriction from the general agreement, but the CDN-specific terms still restrict serving video and large files hosted outside of Cloudflare unless you use Cloudflare's paid storage products.
In practice, Cloudflare Tunnel routes all public HTTP traffic through Cloudflare's CDN layer. This creates a grey area for several common self-hosting use cases:
Jellyfin and Plex video streaming through CF Tunnel
Streaming your personal video library through a Cloudflare Tunnel is technically possible and works initially. The ToS question is whether this counts as "serving video content" through Cloudflare's CDN. Cloudflare community staff give inconsistent answers on this point: some say private streaming to personal devices is fine, others cite the CDN terms as prohibitive. Multiple community threads from 2025 show users receiving account warnings after heavy video streaming traffic through tunnels.
The practical reality is that Cloudflare is unlikely to terminate personal accounts for occasional private Jellyfin or Plex streaming. But "unlikely to act" is different from "permitted." For a media server that is a core part of your home infrastructure, building on a ToS grey area introduces risk that does not exist with a dedicated tunnel service that explicitly supports this use case.
Nextcloud and file sharing through CF Tunnel
File sharing (as opposed to file syncing to your own devices) falls under the CDN ToS restriction on file distribution. Sharing a Nextcloud link with a friend so they can download a 2GB file would technically violate the terms. Again, enforcement is inconsistent and personal-scale use rarely triggers action, but it is a legitimate consideration for anyone building a reliable self-hosted infrastructure.
5. Single Point of Failure on Cloudflare Infrastructure
All Cloudflare Tunnel traffic routes through Cloudflare's global network. When Cloudflare experiences an outage, every service behind every Cloudflare Tunnel goes down simultaneously. Cloudflare has had several notable outages: in June 2022 a routing configuration error took down 19 of its data centers, affecting a significant portion of internet traffic globally. In August 2023, a Cloudflare Access outage disrupted tunnels using Zero Trust authentication. In November 2023, a BGP hijacking incident briefly disrupted Cloudflare's network.
For home server operators running personal tools, a temporary Cloudflare outage is an inconvenience. For anyone whose self-hosted services support a small business, clients, or family members depending on reliable access, the single-point-of-failure nature of any single cloud tunnel provider is a legitimate architectural concern.
When Cloudflare Tunnel Is Still the Right Choice
Despite the limitations, Cloudflare Tunnel remains the best option for a specific set of use cases. If your situation matches the following, you do not need an alternative:
Cloudflare Tunnel is ideal when you:
- Only expose HTTP/HTTPS web services (no UDP, no raw TCP)
- Already have a domain registered with Cloudflare
- Never upload files larger than 100MB through the tunnel
- Primarily use the tunnel for web app access rather than media streaming
- Want built-in DDoS protection without any additional configuration
- Need Zero Trust access control (Cloudflare Access) for team access
- Have a zero budget and the free tier restrictions are acceptable
You need an alternative when you:
- Need to expose WireGuard, a game server, or any UDP-based service publicly
- Upload files larger than 100MB through the tunnel (Nextcloud, Immich, backups)
- Do not own a domain and need a persistent public URL
- Stream video from Jellyfin or Plex to external devices regularly
- Need raw TCP tunnels for non-HTTP protocols (database access, custom protocols)
- Want a tunnel for services that mix HTTP and UDP (e.g., a game server with a web admin panel)
What to Look for in a Cloudflare Tunnel Alternative
The right alternative depends entirely on which Cloudflare Tunnel limitation you are hitting. There is no universal "best" replacement because different limitations call for different solutions. Here are the criteria that matter:
| Your Limitation | What You Need | What to Verify Before Choosing |
|---|---|---|
| No public UDP support | A tunnel service with native public UDP tunnels | Confirm UDP is available for public endpoints (not just private networks requiring a client). Check whether UDP is available on the free tier or only on paid plans. |
| 100MB upload limit | A tunnel with no request body size limit | Confirm there is no upload size cap in the tunnel service's documentation or terms. Test with a large file before committing to it as your primary solution. |
| Domain requirement | A service that provides a stable subdomain without a custom domain | Verify that the provided subdomain is persistent (does not change on restart) and that HTTPS is included automatically. |
| ToS concerns for video/files | A service that explicitly permits media streaming and file transfer | Read the terms of service. Look for explicit permission or the absence of content-type restrictions. Dedicated tunnel services built for self-hosting are typically unrestricted. |
| Single point of failure | Multi-region or distributed infrastructure | Check whether the service has multiple server regions and what happens to tunnels during a single data center outage. |
How Localtonet Addresses Each Cloudflare Tunnel Limitation
Localtonet is a hosted tunnel service built specifically for self-hosting use cases. It was designed to cover the protocol gaps and use case restrictions that Cloudflare Tunnel cannot address. Here is how it maps to each of the five limitations:
UDP support: Native public UDP tunnels
Localtonet supports native UDP tunnels for public endpoints with no client software required on the connecting device. A WireGuard server behind CGNAT gets a public address:port endpoint that any standard WireGuard client can connect to. A Minecraft Bedrock server, a CS2 server, or a Valheim server each gets a public UDP endpoint. The connection works identically to a server with a real public IP, from the client's perspective.
```
# Create a UDP tunnel for WireGuard (port 51820):
# In the Localtonet dashboard: Tunnel > UDP/TCP
# Protocol: UDP, IP: 127.0.0.1, Port: 51820
# Result: public endpoint at tunnel.localto.net:XXXXX
# Use this endpoint in WireGuard client configs instead of home IP
```
No upload size limit
Localtonet HTTP tunnels impose no request body size limit. Uploading a 10GB file to Nextcloud through a Localtonet tunnel works without modification. The only limits are your connection speed and your server's disk space. This is the most common reason Nextcloud and Immich users switch from Cloudflare Tunnel.
No domain required
Every Localtonet HTTP tunnel gets a stable subdomain on localto.net (e.g. https://myservice.localto.net) that persists across restarts without any domain purchase. HTTPS is provided automatically. If you want a custom domain, you can configure one, but it is not required for a permanent public URL.
No content-type ToS restrictions
Localtonet's terms of service do not restrict content types. Streaming video from Jellyfin or Plex, sharing large files through Nextcloud, or running any other legitimate self-hosted service is explicitly permitted. There is no CDN layer with content restrictions, because Localtonet is a dedicated tunnel service rather than a CDN repurposed for tunneling.
Multi-region infrastructure
Localtonet operates 16+ server locations globally. Tunnels can be connected through different regions, reducing the risk of a single infrastructure outage taking down all your services simultaneously.
Migrating from Cloudflare Tunnel to Localtonet
If you are running services behind Cloudflare Tunnel today and want to switch some or all of them to Localtonet, the process is straightforward. You do not need to take down existing Cloudflare Tunnel connections during testing: run both in parallel, verify the Localtonet tunnel works for each service, then update your DNS or share the new URL.
Install Localtonet on your server
```bash
# Linux (Ubuntu, Debian, Raspberry Pi OS):
curl -fsSL https://localtonet.com/install.sh | sh
# Verify:
localtonet --version
```
Authenticate
Register at localtonet.com, go to Dashboard → My Tokens, and authenticate:
```bash
localtonet --authtoken YOUR_TOKEN_HERE
```
Create tunnels to match your existing CF Tunnel services
For each service you want to migrate, create a corresponding Localtonet tunnel. The mapping is direct:
| CF Tunnel type | Localtonet equivalent | Dashboard path |
|---|---|---|
| HTTP/HTTPS public hostname | HTTP tunnel | localtonet.com/tunnel/http |
| TCP application | TCP tunnel | localtonet.com/tunnel/udptcp |
| (Not available publicly in CF) | UDP tunnel | localtonet.com/tunnel/udptcp |
Test each service through the Localtonet URL
Before updating any DNS records or sharing new URLs, verify each service works correctly through the Localtonet tunnel. For Nextcloud, test uploading a file larger than 100MB. For WireGuard, test connecting a client using the new endpoint.
Update DNS or share new URLs
If you use a custom domain: update the DNS record to point to the Localtonet endpoint. If you share direct URLs: distribute the new https://yourservice.localto.net URL to users. CF Tunnel can remain running during this transition so no downtime occurs.
Run Localtonet as a system service
```bash
sudo localtonet --install-service --authtoken YOUR_TOKEN_HERE
sudo localtonet --start-service --authtoken YOUR_TOKEN_HERE
```
The tunnel starts automatically on every reboot.
Cloudflare Tunnel vs Localtonet: Side-by-Side
| Feature | Cloudflare Tunnel | Localtonet |
|---|---|---|
| HTTP/HTTPS tunnels | Yes | Yes |
| Raw TCP tunnels | Limited (via private network with WARP client on connecting device) | Yes, public (no client required on connecting device) |
| Public UDP tunnels | No (only via private WARP network, requires client installation) | Yes, fully public |
| Upload size limit | 100MB maximum (enforced by Cloudflare proxy layer) | No limit |
| Domain requirement for persistent URL | Yes (domain on Cloudflare DNS required) | No (localto.net subdomain provided) |
| HTTPS automatic | Yes (requires domain) | Yes (included with HTTP tunnels) |
| DDoS protection | Yes (Cloudflare network) | Infrastructure-level protection |
| Hides home IP | Yes | Yes |
| Works behind CGNAT | Yes | Yes |
| WireGuard VPN server exposure | Not possible (no public UDP) | Yes (UDP tunnel) |
| Minecraft Bedrock / game servers | Not possible publicly (requires WARP on every client) | Yes (UDP tunnel) |
| Jellyfin / Plex streaming | Technically works, ToS grey area for high bandwidth use | Yes, explicitly permitted |
| Nextcloud large file upload | Fails for files over 100MB | Works without limits |
| Price | Free (HTTP/HTTPS only) | Free tier + $2/tunnel/month (paid tunnels) |
| Infrastructure redundancy | Single provider (Cloudflare), global outages affect all tunnels | 16+ server locations |
Service-Specific: Common Migrations
Nextcloud: Removing the 100MB upload limit
If you run Nextcloud behind Cloudflare Tunnel, the 100MB limit blocks any file upload larger than 100MB with an HTTP 413 error, regardless of what you have configured in Nextcloud's php.ini settings. Creating a Localtonet HTTP tunnel pointing to your Nextcloud port removes this restriction entirely. Update the trusted_domains, overwritehost and overwriteprotocol settings in Nextcloud's config.php to use the new Localtonet URL:
```bash
docker exec --user www-data nextcloud-app php occ config:system:set trusted_domains 1 --value="mycloud.localto.net"
docker exec --user www-data nextcloud-app php occ config:system:set overwritehost --value="mycloud.localto.net"
docker exec --user www-data nextcloud-app php occ config:system:set overwriteprotocol --value="https"
```
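The large-file test recommended in the migration steps can be run without creating a file or logging in. The following is an added example, not code from the original article or from either vendor. The names `probe_upload` and `capped_at` are hypothetical, and it assumes you pass the public URLs of your own service on the command line.

```python
import http.client
from urllib.parse import urlsplit

MB = 1024 * 1024


def zero_body(size, chunk=MB):
    """Yield `size` zero bytes in chunks, so nothing large sits in memory or on disk."""
    block = bytes(chunk)
    while size > 0:
        n = min(chunk, size)
        yield block[:n]
        size -= n


def probe_upload(url, size, method="PUT", timeout=120):
    """Send a `size`-byte request body to `url` and return the HTTP status.

    Returns None when the connection drops before any response arrives.
    No credentials are sent: a proxy-layer size cap answers 413 by itself,
    while a request that reaches the origin normally gets 401/403/405.
    """
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    # An explicit Content-Length makes http.client stream the generator as-is.
    headers = {"Content-Length": str(size), "Content-Type": "application/octet-stream"}
    try:
        try:
            conn.request(method, parts.path or "/", body=zero_body(size), headers=headers)
        except (BrokenPipeError, ConnectionResetError):
            pass  # rejected mid-upload; a response may already be waiting
        response = conn.getresponse()
        response.read()
        return response.status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def capped_at(url, limit=100 * MB, margin=MB):
    """True when a body just under `limit` is not rejected for size but one just over is.

    A 413 can also come from the origin (web server or PHP limits), so run this
    against both the old and the new public URL and compare the answers.
    """
    under = probe_upload(url, limit - margin)
    over = probe_upload(url, limit + margin)
    return under != 413 and over == 413


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        verdict = "413 above 100MB" if capped_at(target) else "no 100MB cap seen"
        print(f"{target}: {verdict}")
```

Each check sends roughly 200MB in total, so run it once per URL rather than on a schedule.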
WireGuard: Getting a public UDP endpoint
WireGuard uses UDP exclusively and Cloudflare Tunnel cannot expose it publicly. Create a Localtonet UDP tunnel pointing to your WireGuard port (default UDP 51820). The Localtonet dashboard shows the public endpoint address and port. Update the Endpoint line in every WireGuard client configuration file to use the Localtonet address:
```ini
# In each WireGuard client config, change:
# Endpoint = home.ip.address:51820
# To:
Endpoint = tunnel.localto.net:ASSIGNED_PORT
```
Regenerate QR codes for mobile clients after this change. The tunnel carries WireGuard's encrypted UDP packets transparently.
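With more than a couple of clients, the Endpoint change is easier to apply and audit with a script. This is an added example, not part of the original article or of Localtonet's tooling. The function names, the sample config, the home address 203.0.113.10 and the port 34567 are constructed for illustration.

```python
import re

# Matches an uncommented "Endpoint = value" line; group 2 is the host:port value.
ENDPOINT_RE = re.compile(r"^(\s*Endpoint\s*=\s*)(\S+)(.*)$", re.IGNORECASE)


def split_endpoint(value):
    """Split 'host:port' or '[ipv6]:port' into (host, port); reject anything else."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"not a host:port endpoint: {value!r}")
    return host.strip("[]"), int(port)


def rewrite_endpoint(text, old_host, new_endpoint):
    """Point [Peer] entries that used old_host at new_endpoint.

    Returns (new_text, changed). Peers with a different Endpoint (for example
    a second VPN) and commented-out lines are left untouched.
    """
    split_endpoint(new_endpoint)  # fail early on a pasted value without a port
    out, changed, section = [], 0, ""
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if body.strip().startswith("["):
            section = body.strip().strip("[]").lower()
        m = ENDPOINT_RE.match(body)
        if m and section == "peer" and split_endpoint(m.group(2))[0] == old_host:
            body = f"{m.group(1)}{new_endpoint}{m.group(3)}"
            changed += 1
        out.append(body + eol)
    return "".join(out), changed


def leftover_references(text, old_host):
    """Line numbers that still mention old_host, comments included."""
    return [n for n, line in enumerate(text.splitlines(), 1) if old_host in line]


# Constructed sample client config: 203.0.113.10 stands in for the home IP and
# the keys are placeholders, not real key material.
SAMPLE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

# old: Endpoint = 203.0.113.10:51820
[Peer]
PublicKey = <home-server-public-key>
AllowedIPs = 10.8.0.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25

[Peer]
PublicKey = <other-vpn-public-key>
AllowedIPs = 10.9.0.0/24
Endpoint = vpn.example.org:51820
"""

if __name__ == "__main__":
    # 34567 is a constructed stand-in for the port the dashboard assigns.
    updated, count = rewrite_endpoint(SAMPLE, "203.0.113.10", "tunnel.localto.net:34567")
    print(updated)
    print("rewritten:", count, "| home IP still on lines:", leftover_references(updated, "203.0.113.10"))
```

The leftover check matters because the tunnel is what keeps the home IP out of sight: a stale comment in a config file or an old QR code still discloses it to anyone the file is shared with.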
Jellyfin: Streaming without ToS concerns
Jellyfin is an HTTP-based service that works with Cloudflare Tunnel technically, but heavy streaming use falls into the ToS grey area. A Localtonet HTTP tunnel to your Jellyfin port (default 8096) provides the same HTTPS access with no content restrictions. Set the Jellyfin public URL in Dashboard → Networking → External domain to your Localtonet URL so that clients generate correct streaming links.
Frequently Asked Questions
Can I use Cloudflare Tunnel for WireGuard?
No, not in a way that works with standard WireGuard clients. Cloudflare Tunnel does not support public UDP endpoints. WireGuard exclusively uses UDP and cannot run over TCP. The only Cloudflare path to reach a WireGuard-like connection is through Cloudflare WARP (which itself uses a WireGuard-based protocol internally), but that requires every client to install the WARP application and authenticate with your Zero Trust organization. Standard WireGuard clients cannot connect through a Cloudflare Tunnel. For exposing a WireGuard server publicly without port forwarding, a UDP tunnel service like Localtonet is required.
Is there a way to increase the Cloudflare Tunnel upload limit beyond 100MB?
Yes, on paid Cloudflare plans. The 100MB limit applies to the free plan. The Pro plan keeps it at 100MB, Business raises it to 200MB, and Enterprise to 500MB. Enterprise can also raise the limit further via a custom configuration. For the free plan, there is no way to exceed 100MB through the Cloudflare proxy layer. The local DNS workaround (routing internal traffic directly to the server's local IP, bypassing the tunnel) only helps for uploads from inside your home network, not from external devices.
Does Cloudflare Tunnel work without a domain?
Only with Quick Tunnels (trycloudflare.com). Running cloudflared tunnel --url http://localhost:3000 gives you a random subdomain on trycloudflare.com, but this URL changes every time you restart the tunnel. It is explicitly documented by Cloudflare as intended only for temporary testing and development, not production use. For a persistent public URL, a domain registered with Cloudflare DNS is required. Localtonet provides a stable persistent subdomain on localto.net without requiring a custom domain purchase.
Can I use both Cloudflare Tunnel and Localtonet at the same time?
Yes. They are independent and do not conflict. A common setup is to keep Cloudflare Tunnel for HTTP services where its DDoS protection and CDN features are valuable (for example, a web app or API), while using Localtonet for services that require UDP (WireGuard), need uploads without a size limit (Nextcloud), or do not have a domain (a quick local service you want to share). Both daemons run simultaneously on the same machine without interference.
Is Jellyfin streaming through Cloudflare Tunnel against the Terms of Service?
This is genuinely contested territory, and Cloudflare community staff have given conflicting answers. The CDN Service-Specific Terms restrict using the CDN to serve video and large files hosted outside Cloudflare's own storage products (R2, Stream, Images). Since Cloudflare Tunnel routes public traffic through the CDN layer, high-bandwidth video streaming technically falls under this restriction. Cloudflare rarely enforces this against small personal deployments, but enforcement is at their discretion. Users who want certainty should use a tunnel service whose terms explicitly permit media streaming, such as Localtonet.