The traditional approach to connecting a server: assign a public IP, open ports 22, 80, and 443 in the firewall, configure SSL certificates, and point a DNS A record at the IP. That works for cloud VMs with dedicated IPs. It does not work for servers behind NAT, corporate firewalls, or on-premise infrastructure where inbound traffic is blocked by policy.
Cloudflare Tunnel flips the model. Instead of your server listening for inbound connections, a lightweight daemon (cloudflared) on your server reaches out to Cloudflare's edge. OEC.sh routes all management traffic — deployments, backups, monitoring, SSH — through that tunnel. Your server never needs to be directly reachable from the internet.
How traffic flows
Traditional (Direct SSH):
User/OEC.sh → Public IP:443 → Firewall (ports open) → Server
Cloudflare Tunnel:
User/OEC.sh → Cloudflare Edge → Encrypted Tunnel → Server (localhost)
No public IP. No open ports. Server initiates the connection outward.
When You Need This
Cloudflare Tunnel solves a specific set of problems. If your server has a public IP and you can open ports freely, the standard Cloudflare CDN setup is simpler and has lower SSH latency. Use Cloudflare Tunnel when:
Servers behind NAT
Your server is on a home network, a shared hosting environment, or a cloud instance behind a NAT gateway with no dedicated public IP. Cloudflare Tunnel lets OEC.sh reach it without port forwarding.
Corporate firewalls
Enterprise IT policies prohibit opening inbound ports. Cloudflare Tunnel uses outbound HTTPS only — the same traffic pattern as a web browser — so it passes through most corporate firewalls without exceptions.
On-premise data centers
You need Odoo running on local infrastructure for compliance, data sovereignty, or proximity to internal systems — but you also need OEC.sh to manage deployments, backups, and monitoring remotely.
Zero-trust security posture
You want to remove the server's directly reachable attack surface. With Cloudflare Tunnel, your server has no public IP and no open inbound ports. The only path in is through Cloudflare’s authenticated edge network.
Direct SSH vs. Cloudflare Tunnel
OEC.sh supports both connection methods. Choose based on your infrastructure constraints:
| Factor | Direct SSH | Cloudflare Tunnel |
|---|---|---|
| Public IP | Required | Not required |
| Open inbound ports | 22, 80, 443 | None |
| SSH latency | 50–100ms | 200–400ms |
| DNS record type | A record → server IP | CNAME → Cloudflare |
| SSL certificates | Let’s Encrypt (you manage) | Cloudflare edge (automatic) |
| Server IP visibility | Exposed in DNS | Never exposed |
| DDoS protection | Cloudflare CDN (if enabled) | Built-in via Cloudflare network |
| Corporate firewall compatible | Requires inbound rules | Works with outbound-only |
| Setup complexity | IP + firewall + SSL + DNS | One install script |
| Zero-trust ready | Requires additional config | Native Cloudflare Access policies |
Both methods give you the same OEC.sh features: git-based deployments, automated backups, monitoring, and database management. The tunnel method simply removes the requirement for a public IP and open ports.
Prerequisites
- OEC.sh Pro plan or higher
Cloudflare Tunnel is available on the Pro plan ($39/month), which includes unlimited servers and projects.
- Cloudflare account (free tier is sufficient)
You need your Account ID and an API Token with ‘Cloudflare Tunnel: Edit’ permission.
- Linux server (Ubuntu 20.04+ or Debian 11+)
The server must use systemd as its init system. Both x86_64 and arm64 architectures are supported.
- Outbound HTTPS connectivity
The server must be able to make outbound connections on port 443. No inbound ports need to be open.
- Root or sudo access
The install script installs cloudflared and registers a systemd service, which requires root privileges.
Setup in 4 Steps
The entire setup takes about 5 minutes. No DNS configuration, no SSL certificates, no firewall rules.
Link your Cloudflare account
In the OEC.sh dashboard, go to Settings → Cloud Accounts and add your Cloudflare credentials. You need your Account ID (found in the Cloudflare dashboard under any zone’s overview page) and an API Token with ‘Cloudflare Tunnel: Edit’ permission.
This is a one-time setup. All servers you add with Cloudflare Tunnel will use the same linked account.
Add your server with Tunnel connection
When creating a new server in OEC.sh, select "Cloudflare Tunnel" as the connection method. You don’t need to enter an IP address — the IP field disappears because it’s not needed.
You can also convert an existing Direct SSH server to Cloudflare Tunnel later.
Run the install script on your server
OEC.sh generates a one-line bash command. Copy it and run it as root on your server. The script detects your server’s architecture, installs cloudflared, registers it as a systemd service, and connects it to your OEC.sh account.
curl -fsSL https://oec.sh/api/tunnel/install/SERVER_ID | sudo bash
The script auto-detects x86_64 and arm64 architectures. Takes about 30 seconds.
Verify the connection
Go back to the OEC.sh dashboard and refresh the server page. The tunnel status should show "Connected" with a green indicator. OEC.sh can now reach your server through the encrypted tunnel.
If the status shows ‘Pending’, the cloudflared service may still be starting. Wait 30 seconds and refresh.
What Happens Under the Hood
When you run the install script, here is what actually happens on your server:
- Detects your server architecture (x86_64 or arm64)
- Downloads the cloudflared binary from Cloudflare’s official releases
- Creates a Cloudflare Tunnel linked to your OEC.sh account
- Generates a 4096-bit RSA SSH keypair — the private key is encrypted and stored in OEC.sh, the public key is added to your server’s authorized_keys
- Registers cloudflared as a systemd service that starts on boot
- Creates a CNAME record (t-{server-id}.oec.sh) pointing to the tunnel for SSH access
- Establishes the outbound connection to Cloudflare’s edge network
After this, OEC.sh communicates with your server through the t-{server-id}.oec.sh hostname. SSH, deployment commands, backup operations, and monitoring all route through the encrypted tunnel. Your server never needs a public IP and never opens an inbound port.
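To confirm the installer does only what the list above describes before it runs as root, it can be saved to a file and inspected first. The following is an added example, not OEC.sh's or Cloudflare's code; the helper names, the allowlisted host and the sample installer are constructed for illustration.

```sh
#!/bin/sh
# Added example: review the tunnel installer before running it as root.
# Helper names and the sample script are constructed for illustration.

# Unique hostnames of every http(s) URL in the script.
script_hosts() {
    grep -Eo 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Hosts in the script that are missing from a space-separated allowlist.
unexpected_hosts() {
    allowed=" $2 "
    script_hosts "$1" | while IFS= read -r host; do
        case "$allowed" in
            *" $host "*) ;;                  # expected host
            *) printf '%s\n' "$host" ;;      # needs a closer look
        esac
    done
}

# Line-numbered statements that change SSH trust or boot-time services,
# i.e. the steps the list above says the installer performs.
privileged_actions() {
    grep -En 'authorized_keys|systemctl|/etc/systemd/' "$1" || true
}

# Constructed stand-in for the downloaded installer (not the real script).
SAMPLE_INSTALLER=$(mktemp)
trap 'rm -f "$SAMPLE_INSTALLER"' EXIT
cat > "$SAMPLE_INSTALLER" <<'EOF'
#!/bin/bash
curl -fsSL https://downloads.example.net/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
echo "ssh-rsa AAAA...constructed" >> /root/.ssh/authorized_keys
systemctl enable --now cloudflared
curl -fsS http://mirror.example.org/extra.sh | bash
EOF

# On a real server, save the installer instead of piping it into bash:
#   curl -fsSL https://oec.sh/api/tunnel/install/SERVER_ID -o install.sh
#   unexpected_hosts install.sh "<hosts you expect>"; privileged_actions install.sh
#   sudo bash install.sh        # only after reading it
unexpected_hosts "$SAMPLE_INSTALLER" "downloads.example.net"
privileged_actions "$SAMPLE_INSTALLER"
```

Any host reported by `unexpected_hosts`, and any line from `privileged_actions` that does not correspond to a step in the list, is worth reading in full before the script is run.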
DNS and Custom Domains
With Cloudflare Tunnel, DNS works differently than the standard setup:
OEC.sh environment URLs
Automatic CNAME records are created for each environment. No manual DNS configuration needed.
Custom domains
Point your custom domain to Cloudflare via a CNAME record. Cloudflare handles TLS termination at the edge — no Let's Encrypt needed on your server.
SSL/TLS
Cloudflare terminates TLS at its edge. Traffic between Cloudflare and your server is encrypted through the tunnel. You do not need to install or renew SSL certificates on the origin server.
Tunnel Status Indicators
The OEC.sh dashboard shows real-time tunnel status for each connected server:
Tunnel is active. OEC.sh can deploy, monitor, and manage your server.
Tunnel is created but cloudflared is not running. Run the install script or restart the service.
The cloudflared service has stopped. Check if the server is powered on and the service is running.
Configuration problem. Check the Cloudflare API token permissions and account ID.
Security Model
Cloudflare Tunnel fundamentally changes your server's security posture. Instead of hardening a publicly accessible server, you eliminate public access entirely:
- No inbound ports exposed — no service on your server is directly reachable from the public internet
- Server IP never publicly visible — attackers cannot target your origin server directly
- All traffic encrypted in transit through the tunnel and Cloudflare’s edge network
- DDoS protection via Cloudflare’s global network (200+ Tbps capacity)
- Zero-trust ready — combine with Cloudflare Access policies to require authentication before reaching your server
- 4096-bit RSA SSH keys auto-generated per server — private keys encrypted at rest in OEC.sh
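One way to check the "no inbound ports" property on the server itself is to list every TCP listener that is bound to something other than loopback. This is an added example, not OEC.sh or Cloudflare code; it assumes `ss` from iproute2 is installed, and the function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: list TCP listeners that are not bound to loopback.
# Function names and the sample data are constructed for illustration.

# Reads `ss -H -tln` output on stdin; prints "bind-address port" for
# every listener another host could reach if routing/firewalling allowed it.
exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }
        {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # drop ":port", leaving the bind address
            sub(/^.*:/, "", port)      # keep only the text after the last colon
            # Loopback binds are reachable only from the host itself, which
            # is all a local forwarder such as cloudflared requires.
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^\[::ffff:127\./) next
            print addr " " port
        }'
}

# Exit status 0 when nothing is exposed, 1 otherwise (suits cron or CI).
audit_listeners() {
    found=$(exposed_listeners)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/non-loopback listener: /' >&2
    return 1
}

# Constructed sample in `ss -H -tln` column order.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8069 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:8072 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*'

# On a real server: ss -H -tln | audit_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
```

A wildcard bind such as `0.0.0.0:22` is not reachable from the internet while NAT or a firewall blocks it, but it is the first thing exposed if that rule ever changes, so each reported line should be matched against an intentional firewall policy.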
Odoo-Specific Configuration
When running Odoo behind Cloudflare Tunnel, there are a few Odoo settings you should verify. OEC.sh handles most of these automatically, but if you are debugging issues:
odoo.conf settings
proxy_mode = True
web.base.url = https://your-domain.com
web.base.url.freeze = True
proxy_mode = True tells Odoo to trust the X-Forwarded headers from Cloudflare. web.base.url.freeze prevents Odoo from auto-detecting the wrong URL when accessed through the tunnel.
Cloudflare dashboard settings
- SSL/TLS → ‘Full’ mode (not Flexible, not Strict)
- SSL/TLS → Edge Certificates → Enable ‘Automatic HTTPS Rewrites’
- Speed → Optimization → Enable Brotli compression
- Caching → Cache static assets (/web/static/*, /web/image/*) but bypass dynamic paths (/web/session/*, /websocket, /longpolling/*)
For the full Cloudflare CDN/caching configuration, see How to Set Up Cloudflare with Odoo.
Limitations
Cloudflare Tunnel is not the right choice for every deployment. Be aware of these trade-offs:
- SSH latency is higher (200–400ms vs 50–100ms with direct SSH). OEC.sh operations handle this automatically, but interactive SSH sessions feel slower.
- Requires outbound internet connectivity. If your server is completely air-gapped with no outbound access, Cloudflare Tunnel cannot work.
- Available on OEC.sh Pro plan ($39/month) and above. The Free and Starter plans use Direct SSH only.
- BYOS (Bring Your Own Server) only. This feature connects your existing server — it does not provision cloud instances.
- Requires systemd. Older init systems (SysV, Upstart) are not supported by the cloudflared service installer.
Troubleshooting
Status shows ‘Pending’ after running the install script
sudo systemctl status cloudflared
sudo journalctl -u cloudflared -n 50
Check if the service is running. If it failed to start, the journal logs will show the error. Common causes: incorrect API token permissions, network blocking outbound HTTPS, or an older systemd version that does not support the service file format.
Tunnel was connected but went to ‘Disconnected’
sudo systemctl restart cloudflared
cloudflared --version
Restart the service. If it disconnects repeatedly, check for network interruptions, server resource exhaustion (OOM), or cloudflared version issues. Update cloudflared if an older version is installed.
SSH connections are slow (high latency)
This is expected. Cloudflare Tunnel adds 200–400ms to SSH operations because traffic routes through Cloudflare’s edge network. For regular server management through OEC.sh, this latency is handled automatically. For interactive SSH sessions, consider keeping a direct SSH connection available on a secondary interface if your network allows it.
Mixed content errors in Odoo website editor
Set proxy_mode = True in your odoo.conf and ensure web.base.url is set to your HTTPS domain. In the Cloudflare dashboard, enable ‘Automatic HTTPS Rewrites’ under SSL/TLS → Edge Certificates. This resolves mixed content issues caused by Odoo generating HTTP URLs internally while Cloudflare serves HTTPS.
Why This Matters for Odoo Teams
Cloudflare Tunnel removes the biggest barrier to managed Odoo hosting for teams with restricted infrastructure. Before this feature, connecting to OEC.sh required a server with a public IP and open ports — which excluded on-premise deployments, servers behind corporate firewalls, and home lab setups.
Now you can run Odoo on any server that has outbound internet access and get the full OEC.sh experience:
- Git-based deployments from GitHub, GitLab, or Bitbucket
- Automated daily backups to S3, R2, MinIO, or FTP
- Database cloning with PII sanitization for staging
- Real-time monitoring and alerts
- One-click Odoo version upgrades
- SSL certificates managed automatically by Cloudflare
- Custom domain configuration via CNAME
Frequently Asked Questions
Can I use Cloudflare Tunnel with Odoo without a public IP address?
Yes. That is the primary use case. Cloudflare Tunnel creates an outbound-only connection from your server to Cloudflare’s global network. Your server initiates the connection, so it does not need a public IP address or any inbound firewall ports open. Traffic from users reaches Cloudflare’s edge, which routes it through the tunnel to your server.
Does Cloudflare Tunnel add latency to Odoo?
For SSH operations, Cloudflare Tunnel adds approximately 200–400ms of latency compared to a direct connection. For end-user HTTP traffic (web browser access to Odoo), the latency impact is negligible because Cloudflare’s edge caches static assets and terminates TLS close to the user. Most users will not notice any difference in Odoo page load times.
Is Cloudflare Tunnel free?
Cloudflare Tunnel itself is free and included in Cloudflare’s free plan. On the OEC.sh side, Cloudflare Tunnel connectivity requires the Pro plan ($39/month) or higher. You need a Cloudflare account with an API token that has ‘Cloudflare Tunnel: Edit’ permission.
What is the difference between Cloudflare CDN and Cloudflare Tunnel for Odoo?
Cloudflare CDN (standard setup) sits in front of a server that has a public IP. It proxies traffic, caches assets, and provides DDoS protection — but your server still needs open ports and a public IP. Cloudflare Tunnel eliminates the need for a public IP entirely. The cloudflared daemon creates an outbound encrypted tunnel to Cloudflare’s edge. No inbound ports are open, no IP is exposed, and the server is invisible to the public internet.
Can I use Cloudflare Tunnel for Odoo behind a corporate firewall?
Yes. As long as your server can make outbound HTTPS connections, Cloudflare Tunnel works. The cloudflared daemon initiates all connections outward, so corporate firewalls that block inbound traffic do not interfere. This makes it ideal for on-premise Odoo deployments in enterprise environments with strict network security policies.
Do I still need Let’s Encrypt SSL with Cloudflare Tunnel?
No. Cloudflare terminates TLS at its edge network and traffic to your server travels through the encrypted tunnel. You do not need to install or manage SSL certificates on your origin server.