dynamoip

Max Mode — Public Internet

Expose your local services to the entire internet with Cloudflare Tunnel. No port forwarding, no firewall rules, no inbound ports.

Max mode uses Cloudflare Tunnel to make your local services reachable from anywhere on the internet — not just your LAN. One config key is all it takes.

{
  "baseDomain": "yourdomain.com",
  "tunnel": true,
  "domains": {
    "app": 3000,
    "api": 4000
  }
}

How it works

cloudflared — Cloudflare's tunnel daemon — makes an outbound encrypted connection to Cloudflare's edge. All traffic flows through that connection in reverse. Your machine never opens a listening port to the internet.

Browser (anywhere) → Cloudflare edge → encrypted tunnel → cloudflared → dynamoip proxy → localhost:3000

No port forwarding. No firewall rules. No inbound ports. The tunnel is outbound-only.

DNS uses CNAME records pointing each subdomain to the Cloudflare Tunnel hostname — not an A record to your LAN IP like Pro mode.

Max vs Pro at a glance

Pro modeMax mode
Reachable fromLAN onlyPublic internet
DNS record typeA record → your LAN IPCNAME → Cloudflare Tunnel
Port forwarding neededNoNo
sudo requiredYesYes
TLS certificateLet's Encrypt wildcardCloudflare manages
cloudflared neededNoYes (auto-installed)
CLI output label[LAN][PUBLIC]

Prerequisites

  • A domain managed by Cloudflare (same as Pro mode)
  • A Cloudflare API token with two permissions:
    • Zone:DNS:Edit — to set CNAME records
    • Account:Cloudflare Tunnel:Edit — to create and manage the tunnel

Pro mode only needs Zone:DNS:Edit. Max mode needs both.

Creating the token:

  1. Go to Cloudflare Dashboard → My Profile → API Tokens → Create Token
  2. Start from the Edit zone DNS template
  3. Add the additional permission: Account → Cloudflare Tunnel → Edit
  4. Scope the zone permission to your domain
  5. Copy the token

Setup

1. Install dynamoip

npm install --save-dev dynamoip

2. Create config with "tunnel": true

{
  "baseDomain": "yourdomain.com",
  "tunnel": true,
  "domains": {
    "app": 3000
  }
}

3. Add credentials to .env

CF_API_TOKEN=your_cloudflare_api_token_here

Note: CF_EMAIL is not needed for Max mode — Cloudflare manages the certificate automatically.

4. Add npm script

{
  "scripts": {
    "dev:proxy": "dynamoip --config dynamoip.config.json"
  }
}

5. Run

sudo npm run dev:proxy

First run

On first run, dynamoip:

  1. Checks for cloudflared — if missing, installs it automatically (Homebrew on macOS, binary download on Linux)
  2. Creates a named Cloudflare Tunnel via the API
  3. Writes tunnel credentials to ~/.localmap/tunnels/
  4. Sets CNAME DNS records for each subdomain
  5. Starts cloudflared with auto-restart

Startup takes 20–30 seconds. You'll see:

✓ cloudflared installed
✓ tunnel created: dynamoip-yourdomain-com
✓ app.yourdomain.com  [PUBLIC]  → localhost:3000

Subsequent runs: instant. Tunnel credentials and DNS records are reused.

CLI output

Max mode labels every domain [PUBLIC] so the exposure level is always visible:

Mode: Max — Cloudflare Tunnel

  app.yourdomain.com  [PUBLIC]  → localhost:3000
  api.yourdomain.com  [PUBLIC]  → localhost:4000

Compare with Pro mode ([LAN]) or Quick mode (no label, LAN only).

Stopping

Press Ctrl+C. dynamoip stops cloudflared and cleans up gracefully. The tunnel and credentials are preserved for the next run.

Security

Your services are on the public internet. Anyone with the URL can reach them.

Before exposing a service with Max mode, ensure it has authentication. This includes dev servers — if they don't have auth, add an auth proxy or use a network policy.

The tunnel itself is encrypted end-to-end by Cloudflare. The concern is application-level access, not transport security.

Troubleshooting

cloudflared install fails

On macOS, Homebrew must be installed. On Linux, the binary is downloaded from the Cloudflare GitHub releases page — ensure the machine has internet access during first run.

Account:Cloudflare Tunnel:Edit permission error

The API token is missing the tunnel permission. Generate a new token with both Zone:DNS:Edit and Account:Cloudflare Tunnel:Edit.

Services accessible from LAN but not internet

Check that the Cloudflare Tunnel is active in Cloudflare Dashboard → Zero Trust → Networks → Tunnels. If it shows as inactive, cloudflared may have stopped — restart npm run dev:proxy.

Want LAN-only access instead?

Remove "tunnel": true from the config. dynamoip falls back to Pro mode (Cloudflare DNS A record, Let's Encrypt cert, LAN only). Same domain, different exposure.

On this page