Cloudflare Tunnels are brilliant, and we've covered them at great length here on XDA. Without doing too much, you'll have a secure connection to your self-hosted services and more without opening a single firewall port, managing a static IP address, or dealing with complex virtual private network (VPN) setups. That said, while they are fantastic at opening up your home lab services safely, they shouldn't be used for media streaming due to how Cloudflare tunneling works.

How do Cloudflare Tunnels work?

Secure, open, and easy

Tunnels are essentially network links locally configured to create outbound-only connections from a server to Cloudflare. This offers a secure connection to the outside world while keeping the origin server hidden. Even the public IP address is never exposed, and Cloudflare's global protection layer is at hand to sit in front of all your services to handle any unwanted traffic. We've recommended Cloudflare Tunnels for dashboards, APIs, and lightweight apps, but not media streaming. How come?

While these are great for creating secure links, Cloudflare Tunnels shouldn't be considered general-purpose replacements for direct connections. Media streaming isn't the same workload as general browsing, and these tunnels aren't designed for it. I'm not suggesting it won't work, but due to how Cloudflare configures this handy service, you could end up inadvertently causing problems for the company. This is largely due to bandwidth amplification.

When attempting to connect to your services, you're routed through Cloudflare's network. This is fine for standard workloads, but media streaming is an entirely different beast with sustained, high-throughput data transfers over longer periods. Even when accessing larger files via tunnels, this is limited to a short duration compared to media streaming. Bandwidth amplification involves data traveling from the origin server to Cloudflare and then onto the recipient device.

When directly connecting to your server remotely, data is transferred from the server to the client. Going through a tunnel instead places unnecessary load on Cloudflare's network, especially when dealing with larger files, effectively doubling bandwidth usage. This goes against why you'd even consider using Cloudflare. The platform is heavily optimized for caching and short-lived HTTP request bursts. Media streaming, on the other hand, is the opposite, with sustained bandwidth consumption.


Then there's latency

Media streaming's Achilles' heel

There's nothing worse than attempting to enjoy your favorite movie or show only to be hit with connectivity issues. Media streaming relies on consistent delivery of data, and each interruption or "hop" affects the experience. Using Cloudflare Tunnels introduces an extra layer for routing and processing. This won't cause any problems with loading a dashboard, static pages, or using specific services, but streaming heavier files could induce buffering and delayed seeks.

Because Cloudflare didn't design its tunneling system to be used for persistent connections, you may see connections reset, throughput throttled, or other unexpected behavior when you try to establish media streams. But even if you manage to use Cloudflare's infrastructure to enjoy all your self-hosted media while away from home, there's no telling when you'd be pulled up with policy enforcement.

Tunneling can also mask other issues that may be present. If you're experiencing playback trouble, it can prove difficult to diagnose whether there's a bottleneck with Cloudflare, your house connection, the LAN, or the server. Instead of relying on Cloudflare Tunnels, a properly configured content delivery network (CDN) would provide a vastly superior experience for enjoying your media from afar.

There's always a better way

It's also not what Cloudflare encourages with tunneling. Tunnels are meant to make private services accessible without exposing the underlying infrastructure, whereas media streaming is a public-facing workload and is usually exposed for access. Treating it as an internal service mixes up intent and implementation on all fronts. We've got Cloudflare Tunnels being used for something they weren't designed for, and media streaming platforms being treated as something they're not.

Instead of using Cloudflare Tunnels, I'd recommend reverse proxies with caching support, a remotely-hosted VM with Tailscale, or even Cloudflare Stream. The first of these is how I've configured my network for remote access. Everything is handled within OPNsense, too. With a static IP from the ISP, I'm able to point a domain directly to my network and have Nginx handle all the reverse proxies and secure connections. Throw in ACME for managing Let's Encrypt certificates, and we've got a secure way for all the family to enjoy our self-hosted content.

This is without all the headaches of potential security vulnerabilities and issues with using the wrong platform for the job. Cloudflare Tunnels are great, so long as you use them for what they're designed for. It's vital to consider the best tool for the job, especially when dealing with specific workloads such as media streaming. Tunnels are built for security, simplicity, and controlled access to lighter private instances, such as a dashboard or even Nextcloud.
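
For reference, here is roughly what the Nginx-plus-ACME reverse proxy described above looks like as plain Nginx configuration. This is an added example, not the author's own OPNsense-managed config: the hostname `media.example.com`, the backend address `192.168.1.50:8096`, the ACME webroot and the certificate paths are all placeholder assumptions, and the blocks belong inside the `http` context.

```nginx
# Constructed example: media.example.com, 192.168.1.50:8096 and the
# certificate paths are placeholders, not values from the article.

# Redirect plain HTTP to HTTPS, but keep the ACME HTTP-01 challenge reachable
# so Let's Encrypt certificates can be issued and renewed.
server {
    listen 80;
    server_name media.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;          # webroot the ACME client writes to (assumed)
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name media.example.com;

    ssl_certificate     /etc/ssl/acme/media.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/acme/media.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # no legacy TLS 1.0/1.1
    ssl_session_cache   shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.1.50:8096;   # media server on the LAN (assumed)

        # Pass the original host and client address to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade, which media web clients commonly use.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Stream responses straight through instead of spooling them,
        # and allow long-running playback sessions.
        proxy_buffering    off;
        proxy_read_timeout 1h;
    }
}
```

Unlike a tunnel, this setup requires ports 80 and 443 to be open on the firewall and reveals the origin's public IP, so the media server's own authentication is what protects the library.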

Can you use Cloudflare Tunnels for media streaming? Absolutely, but I strongly advise looking elsewhere for the right solution.
