Which ports can I use with tunnels?

I heard from a CF MVP that only http/s ports are allowed, but then he asked me to ask this question in a separate thread!

But I should be able to use all the ports listed in the Zero Trust GUI for Public Hostnames (http/s, RDP, SSH, etc.)?

Or I won’t be able to use some port types above in Proxy mode, but in DNS mode only?

I really wish Cloudflare had better doc, at least for new users…

When using a tunnel, you can proxy any port. If you are using HTTP(S) then users don’t need to have cloudflared installed on their local machine. For any other port (RDP, SSH, etc), each user needs to have cloudflared on their local machine.

Hi and thanks!

  1. For http/s, if I don’t have cloudflared on my origin server, how would I establish the tunnel?

Your doc says you need to run cloudflared.

  2. Btw, the other MVP said that only http/s ports could be proxied, and only HTML traffic was allowed.
     Can you kindly explain?

  3. There seems to be a big confusion re: GUI install vs. CLI install.

If I use the GUI (like I did), are SSL origin certs needed for SSL auto-installed on the origin server PC?

I registered a domain (mobitv-server com) with CF. In the Zero Trust GUI, it says download for the com TLD and the *.TLD wildcard subdomains.
But I only see a .pem, not the private key file…

Alternatively, will the usual Let’s Encrypt SSL cert work on the origin server?

  4. Is there a ports difference between proxy (orange cloud) and DNS (grey cloud) mode?

You can make tunnels without using cloudflared.

This is correct. If you are trying to tunnel anything else, then the client also needs cloudflared on it.

If you are using a tunnel, then you don’t need certs on your server. Cloudflare handles the encryption in the tunnel, so you can just have HTTP on your origin.

Where are you seeing this?

Yes, you can use any valid cert on your origin.

For :orange: DNS records you can use any of the ports listed here: Network ports · Cloudflare Fundamentals docs.
For :grey: you can use any port as your traffic is not going through Cloudflare.

Great info…

A. How do I establish tunnels without cloudflared on my origin server?

B. Please check the Zero Trust GUI re: my .pem-only issue (no private key visible) with the download link.
I got my mobitv-server com domain from CF Registrar… maybe that makes the difference?

You don’t. The main purpose of Cloudflared is tunnel creation and connection.

Where are you checking for a private key and what do you need the key for?

Thanks again …:hugs:

  1. Above you said "You can make tunnels without using cloudflared."

This is surprising to me!
So I assume this was a mistake… you do need cloudflared to build a tunnel to the origin server (behind NAT, in my case).

  2. (I can’t now find the menu; it only showed under the SSL/TLS menu for the mobitv-server com TLD, under Origin Certificate, set up for the com TLD and *.TLD wildcard, a download link that only gives a .pem, not the private key.

There were numerous online questions with the same issue.

Anyway, my SSL/TLS setting shows Flexible status, with browser to CF encrypted. )

A. So if the tunnel is already encrypted, I guess I can make HTTPS requests from my browser to the origin? Or only HTTP?

B. Will the above HTTP vs. HTTPS situation change with the DNS vs. Proxy setting?

  3. Does the no-video-streaming restriction also apply to the DNS (vs. Proxy) setting, regardless of port numbers?

I ask because I might want to access my Plex:32400 server GUI panel (but not as a streaming user!).

Mostly I plan to use CF tunnels for accessing management panels for servers behind NAT (I believe this is the intention for CF tunnels anyway!).

A. Is it possible to use just one TLD registered with CF as usual, to build tunnels to multiple devices in multiple locations? Each origin server tunnel being pointed to by a TLD subdomain?

My impression is that CF is based on Boring Tunnels (WireGuard VPN GUI) and that a CF tunnel UUID actually represents a set of tunnels (i.e., the UUID is a VPN server), whereas the Connector IDs for each origin represent the actual tunnel to an individual device or CIDR private network.

B. Thus it should also be possible to use a registered TLD subdomain as the parent for sub.subdomains, each sub.sub pointing to an origin tunnel, aka Connector ID.

If yes, does the TLD need an A or CNAME record itself?
(The TLD subdomain as parent will point to UUID tunnel in CNAME.)

Cheers :smiley_cat:

Yes. There is no other way to establish a tunnel.

Change away from Flexible.

Yes, the full path of the request will be browser ↔ Cloudflare ↔ (tunnel) ↔ origin server. Cloudflare will connect to your server via the protocol that is configured for the tunnel. If you configure the tunnel for an HTTP public hostname you can still make an HTTPS request to Cloudflare.

I’m guessing so, but can’t say either way 100%.

I doubt Cloudflare will let you register a TLD. Are you referring to a domain like example.com? A TLD would just be .com.

Confused on what you are looking for. You can make a tunnel for a subdomain like tunnel1.example.com and tunnel2.example.com with both tunnels pointing at different servers. If you have connectors, i.e. servers, both running the tunnel1.example.com config then the traffic will be split between them.

From my understanding, WireGuard is how the communication happens between cloudflared running locally and Cloudflare’s data centers. A Tunnel ID is a UUID that is used to store the config of tunnels and a connector is a running cloudflared instance.
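To make the points above concrete (any port can be proxied through a tunnel but non-HTTP services need cloudflared on the client side; one tunnel UUID can front several hostnames that each point at a different local service; the origin can stay plain HTTP because the tunnel is encrypted), here is an added example of a cloudflared `config.yml`. It is not from this thread or from Cloudflare's docs; the hostnames, local ports, the tunnel UUID and the credentials path are placeholders you would replace with your own.

```yaml
# Added example (not from the thread): one tunnel, several public hostnames,
# each routed to a different local service/port. All values are placeholders.
tunnel: <TUNNEL-UUID>                                   # placeholder: the tunnel ID from Zero Trust
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder path to the tunnel credentials

ingress:
  # Browser-reachable web app. Plain HTTP on the origin is fine: Cloudflare
  # terminates TLS at the edge and the tunnel hop itself is encrypted.
  - hostname: app.example.com
    service: http://localhost:8080

  # An origin that only speaks HTTPS with a self-signed certificate.
  # noTLSVerify skips certificate validation on the loopback hop only;
  # keep it scoped to this rule rather than setting it globally.
  - hostname: panel.example.com
    service: https://localhost:8443
    originRequest:
      noTLSVerify: true

  # Non-HTTP services work too, but a browser cannot speak SSH or RDP, so the
  # client machine must run `cloudflared access ...` (or WARP) to reach them.
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: rdp.example.com
    service: rdp://localhost:3389

  # The catch-all rule is mandatory; anything not matched above gets a 404.
  - service: http_status:404
```

Each hostname needs a proxied (orange-cloud) CNAME pointing at `<TUNNEL-UUID>.cfargotunnel.com`; the Zero Trust Public Hostnames tab creates that for you, or `cloudflared tunnel route dns <TUNNEL-UUID> app.example.com` does it from the CLI. For the SSH hostname, the client side is an entry in `~/.ssh/config` with `ProxyCommand cloudflared access ssh --hostname %h`, which is why the earlier answer says every user of a non-HTTP service needs cloudflared locally. The same layout extends to origins in different LANs: each location runs its own cloudflared connector for the same tunnel UUID (or its own tunnel with its own hostnames), and nothing in this file depends on the origin's public IP.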

Great answers… my CF knowledge has grown!

  1. So what connection mode beyond Flexible can I use if I use a tunnel but there is no need for an origin cert, as you suggested?

  2. My bad! I did mean domain as in example com, not TLD as in .com…

So same question:

A. Can mobitv-server com handle multiple origins in different locations (aka LANs) in a single tunnel UUID (via CNAME for mobitv-server com), using n.mobitv-server com (where n = 1 to … many) subdomains, each pointing in the Zero Trust Public Hostnames GUI tab to a specific origin server PC?

B. Can a sub.mobitv-server com pointing to the UUID, with its sub(n).sub.mobitv-server com pointing in the GUI to each origin device, also manage multiple devices in multiple locations (each location connecting internally to a different public IP)?

If yes, will we need to assign an A record to mobitv-server com in this case?

C. Does this mean a single tunnel to a specific origin is actually the Connector ID within a tunnel UUID (which carries multiple connectors to devices in different locations)?

  3. Re: CF Zero Trust Free plan and Standard plans.

A. What is the definition of “network locations”? Same as LANs (different locations)?

B. What is “users”? The total number of origin servers allowed?

This is correct. Cloudflare will handle the encryption from the browser all the way to your connector.

I want to say this is related to the web gateway.

User accounts that authenticated with your access applications or logged in with WARP.

I have yet to use Cloudflared to do networks, so not 100% certain about the following. Here are docs that might be helpful.

You don’t make DNS records for private network tunnels. Users will connect automatically with WARP.

You don’t get to control the IP addresses used.

Possibly. But that might be better asked on the cloudflared repo.

Thanks much for your answers :smiley:
I was successfully able to connect to an origin server PC without CF proxy via my domain.