Max Mode — Public Internet
Expose your local services to the entire internet with Cloudflare Tunnel. No port forwarding, no firewall rules, no inbound ports.
Max mode uses Cloudflare Tunnel to make your local services reachable from anywhere on the internet — not just your LAN. One config key is all it takes.
{
"baseDomain": "yourdomain.com",
"tunnel": true,
"domains": {
"app": 3000,
"api": 4000
}
}How it works
cloudflared — Cloudflare's tunnel daemon — makes an outbound encrypted connection to Cloudflare's edge. All traffic flows through that connection in reverse. Your machine never opens a listening port to the internet.
Browser (anywhere) → Cloudflare edge → encrypted tunnel → cloudflared → dynamoip proxy → localhost:3000No port forwarding. No firewall rules. No inbound ports. The tunnel is outbound-only.
DNS uses CNAME records pointing each subdomain to the Cloudflare Tunnel hostname — not an A record to your LAN IP like Pro mode.
Max vs Pro at a glance
| Pro mode | Max mode | |
|---|---|---|
| Reachable from | LAN only | Public internet |
| DNS record type | A record → your LAN IP | CNAME → Cloudflare Tunnel |
| Port forwarding needed | No | No |
sudo required | Yes | Yes |
| TLS certificate | Let's Encrypt wildcard | Cloudflare manages |
cloudflared needed | No | Yes (auto-installed) |
| CLI output label | [LAN] | [PUBLIC] |
Prerequisites
- A domain managed by Cloudflare (same as Pro mode)
- A Cloudflare API token with two permissions:
Zone:DNS:Edit— to set CNAME recordsAccount:Cloudflare Tunnel:Edit— to create and manage the tunnel
Pro mode only needs Zone:DNS:Edit. Max mode needs both.
Creating the token:
- Go to Cloudflare Dashboard → My Profile → API Tokens → Create Token
- Start from the Edit zone DNS template
- Add the additional permission: Account → Cloudflare Tunnel → Edit
- Scope the zone permission to your domain
- Copy the token
Setup
1. Install dynamoip
npm install --save-dev dynamoip2. Create config with "tunnel": true
{
"baseDomain": "yourdomain.com",
"tunnel": true,
"domains": {
"app": 3000
}
}3. Add credentials to .env
CF_API_TOKEN=your_cloudflare_api_token_hereNote: CF_EMAIL is not needed for Max mode — Cloudflare manages the certificate automatically.
4. Add npm script
{
"scripts": {
"dev:proxy": "dynamoip --config dynamoip.config.json"
}
}5. Run
sudo npm run dev:proxyFirst run
On first run, dynamoip:
- Checks for
cloudflared— if missing, installs it automatically (Homebrew on macOS, binary download on Linux) - Creates a named Cloudflare Tunnel via the API
- Writes tunnel credentials to
~/.localmap/tunnels/ - Sets CNAME DNS records for each subdomain
- Starts
cloudflaredwith auto-restart
Startup takes 20–30 seconds. You'll see:
✓ cloudflared installed
✓ tunnel created: dynamoip-yourdomain-com
✓ app.yourdomain.com [PUBLIC] → localhost:3000Subsequent runs: instant. Tunnel credentials and DNS records are reused.
CLI output
Max mode labels every domain [PUBLIC] so the exposure level is always visible:
Mode: Max — Cloudflare Tunnel
app.yourdomain.com [PUBLIC] → localhost:3000
api.yourdomain.com [PUBLIC] → localhost:4000Compare with Pro mode ([LAN]) or Quick mode (no label, LAN only).
Stopping
Press Ctrl+C. dynamoip stops cloudflared and cleans up gracefully. The tunnel and credentials are preserved for the next run.
Security
Your services are on the public internet. Anyone with the URL can reach them.
Before exposing a service with Max mode, ensure it has authentication. This includes dev servers — if they don't have auth, add an auth proxy or use a network policy.
The tunnel itself is encrypted end-to-end by Cloudflare. The concern is application-level access, not transport security.
Troubleshooting
cloudflared install fails
On macOS, Homebrew must be installed. On Linux, the binary is downloaded from the Cloudflare GitHub releases page — ensure the machine has internet access during first run.
Account:Cloudflare Tunnel:Edit permission error
The API token is missing the tunnel permission. Generate a new token with both Zone:DNS:Edit and Account:Cloudflare Tunnel:Edit.
Services accessible from LAN but not internet
Check that the Cloudflare Tunnel is active in Cloudflare Dashboard → Zero Trust → Networks → Tunnels. If it shows as inactive, cloudflared may have stopped — restart npm run dev:proxy.
Want LAN-only access instead?
Remove "tunnel": true from the config. dynamoip falls back to Pro mode (Cloudflare DNS A record, Let's Encrypt cert, LAN only). Same domain, different exposure.