How Cloudflare Tunnel eliminates the Hostinger firewall problem and replaces your unstable Caddy single-point-of-failure — for $0/month.
Your VPS has a firewall that can't be reliably controlled, sitting in front of a reverse proxy that takes everything down when it hiccups. Let's fix both.
Hostinger's managed firewall sits upstream of your VPS — before UFW, before iptables, before Docker. Even when you "deactivate" a firewall group in hPanel, the ACL remains applied at Hostinger's network edge.
All 10+ services run through one Caddy container, one config file, one process. When Caddy misbehaves — and it does — everything goes dark simultaneously.
Cloudflare Tunnel creates an outbound-only encrypted connection from your VPS to Cloudflare's global edge. No inbound ports. No firewall rules. No Hostinger dependency.
Each service routes independently. Paperless going down doesn't affect your LMS. Evolution API restarting doesn't touch the Course Builder. Full isolation, per service.
Public-facing marketing site with lead capture form → Telegram routing.
Client-facing learning management system. Currently on port 9082 — blocked by Hostinger.
AI course builder. Dual instance (port 3030 primary, 9088 legacy). Caddy routing currently fragile.
Client-facing chat powered by agent fleet. On port 9086.
Internal AI model access for the agency team. Port 9096 — blocked by Hostinger firewall.
Self-hosted password manager for the team. Port 9099. Needs Cloudflare Zero Trust access gate.
Document management for agency operations. Port 9097 — currently inaccessible externally.
WhatsApp/messaging automation API. Port 9098. Powers agent communication workflows.
Operations dashboard for monitoring agents, health, and KPIs. Port 9080.
Financial document parsing tool. Port 9087. Sensitive — benefits from CF Zero Trust gate.
Here's how Cloudflare Tunnel stacks up against the alternatives we evaluated for your specific situation.
| Criteria | ☁️ Cloudflare Tunnel | Traefik + open ports | Nginx Proxy Manager | Pangolin (self-hosted) | Tailscale Funnel |
|---|---|---|---|---|---|
| Bypasses Hostinger Firewall | ✓ Yes — outbound only | ✗ Still needs open ports | ✗ Still needs open ports | ✓ Yes | ✓ Yes |
| Per-service isolation | ✓ Native per route | ✓ Yes (labels) | ⚡ Partial (shared proxy) | ✓ Yes | ⚡ One endpoint/machine |
| Monthly cost | ✓ $0 (free tier) | ✓ $0 | ✓ $0 | ~$5–10/mo extra VPS | Already paying |
| SSL/TLS automation | ✓ Fully managed by CF | ⚡ Let's Encrypt, manual | ⚡ Let's Encrypt, GUI | ⚡ Let's Encrypt | ✓ Managed |
| DDoS protection | ✓ CF global network | ✗ No | ✗ No | ✗ No | ⚡ Partial |
| Deploy time | ✓ <2 hours | ⚡ 4–8 hours | ⚡ 2–4 hours | 1–2 days + extra VPS | ⚡ 2–4 hours |
| Zero Trust access control | ✓ Built-in (free tier) | ✗ Requires extra setup | ✗ Requires extra setup | ✓ Built-in | ⚡ Tailscale ACLs |
| Global CDN / performance | ✓ 300+ PoPs globally | ✗ VPS-only | ✗ VPS-only | ✗ Your VPS only | ✗ VPS-only |
| Operational complexity | ✓ Low — one daemon | ⚡ Medium | ⚡ Low-Medium | High — extra infra | ⚡ Medium |
| Data control | ⚡ CF sees traffic (TOS applies) | ✓ Full control | ✓ Full control | ✓ Full control | ⚡ Tailscale sees metadata |

Legend: ✓ strong, ⚡ partial, ✗ weak/missing. Assessment based on Adventure AI Agency's current infrastructure and requirements.
Traditional proxies wait for inbound connections — which means you need open ports, firewall rules, and all the headaches that come with them. Cloudflare Tunnel inverts the model.
A lightweight daemon on your VPS makes an outbound connection to Cloudflare's edge using WireGuard. Your VPS initiates it — Hostinger's firewall has nothing to block.
Your domain's DNS points to Cloudflare. When a user visits vault.adventureaiagency.com, Cloudflare resolves it and routes the request through the established tunnel.
Each hostname maps to a specific localhost port on your VPS. vault → :9099, lms → :9082, chat → :9086. Each route is independent.
Cloudflare terminates SSL, absorbs DDoS, and caches static assets — all before traffic ever reaches your VPS. Your server only sees clean, authenticated requests.
Cloudflare Tunnel is included in the free plan. For your current use case — routing web services and tools — the free tier covers everything you need today.
Everything you need to replace Caddy and bypass the firewall problem. No trial period, no credit card.
This covers your immediate problem. You don't need paid Cloudflare for what we're solving today.
Only if you need advanced access control for client-facing services or WAF rules.
adventureaiagency.com) + Cloudflare free account + one CLI install = your entire infrastructure routing problem solved for $0/month.
Estimated total deployment time: 2–3 hours. Zero downtime on currently working services.
Create free Cloudflare account, add adventureaiagency.com, update nameservers at your registrar. Cloudflare will import your existing DNS records automatically.
Install the cloudflared daemon on your VPS, authenticate with Cloudflare, and create a named tunnel. This is a single binary — no Docker required.
Write the tunnel config mapping each subdomain to its local service port. Each entry is completely independent — one broken entry doesn't affect others.
Install cloudflared as a systemd service (auto-restarts on crash) and create CNAME DNS records pointing each subdomain to your tunnel. Done.
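The deployment steps above, as an added shell example (not from the original page or from Cloudflare): `render_config` writes one ingress rule per hostname plus the catch-all rule cloudflared requires, and `install_tunnel` lists the remaining CLI calls in order. The tunnel name, the `<TUNNEL-UUID>` placeholder, root's credentials path and plain-HTTP backends are assumptions; only the three hostname-to-port pairs come from the page.

```sh
#!/bin/sh
# Added example. Assumptions: tunnel name, UUID placeholder, root's credentials
# path, and that each backend speaks plain HTTP on localhost.
DOMAIN="adventureaiagency.com"
TUNNEL_NAME="agency-vps"                 # hypothetical name
TUNNEL_ID="<TUNNEL-UUID>"                # printed by `cloudflared tunnel create`
ROUTES="vault:9099 lms:9082 chat:9086"   # the pairs named on the page

# Print a cloudflared config for the given "sub:port" pairs, or fail without
# printing anything if a pair is malformed.
render_config() {
  body=""
  for pair in $1; do
    sub=${pair%%:*}; port=${pair##*:}
    case "$sub" in ''|*[!a-z0-9-]*) echo "bad subdomain: $sub" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
      { echo "bad port: $port" >&2; return 1; }
    body="${body}  - hostname: ${sub}.${DOMAIN}\n"
    body="${body}    service: http://localhost:${port}\n"
  done
  printf 'tunnel: %s\n' "$TUNNEL_ID"
  printf 'credentials-file: /root/.cloudflared/%s.json\n' "$TUNNEL_ID"
  printf 'ingress:\n%b' "$body"
  # The last rule must match everything; unknown hostnames get a 404.
  printf '  - service: http_status:404\n'
}

# Before calling this, run as root on the VPS:
#   cloudflared tunnel login
#   cloudflared tunnel create agency-vps   (then set TUNNEL_ID to the UUID shown)
install_tunnel() {
  case "$TUNNEL_ID" in *'<'*) echo "set TUNNEL_ID first" >&2; return 1 ;; esac
  mkdir -p /etc/cloudflared
  render_config "$ROUTES" > /etc/cloudflared/config.yml || return 1
  cloudflared tunnel ingress validate || return 1   # check rules before go-live
  for pair in $ROUTES; do                           # one CNAME per hostname
    cloudflared tunnel route dns "$TUNNEL_NAME" "${pair%%:*}.$DOMAIN"
  done
  cloudflared service install                       # run cloudflared under systemd
}

render_config "$ROUTES"   # preview only; nothing is installed
```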
Beyond just solving the firewall problem, Cloudflare Tunnel adds meaningful security layers to your entire stack.
Your VPS has no open inbound ports. Attackers cannot port scan, probe, or brute-force your services directly. The attack surface is effectively zero.
Cloudflare's network absorbs volumetric attacks before they reach your VPS. You get enterprise-grade DDoS protection on every service, including the free tier.
Lock down internal tools (Vaultwarden, Paperless, Budget Extractor) behind Cloudflare Access — require Google/GitHub SSO login before the service is even reachable.
Every subdomain gets a valid SSL certificate automatically — no Let's Encrypt renewal scripts, no cert expiry alerts, no outages from missed renewals.
Your VPS IP address (31.97.132.157) is never exposed in DNS. All public records point to Cloudflare — your origin is invisible to attackers.
Cloudflare logs every request, by service, with IP, user agent, and response code. Instant visibility into who's hitting what — no server-side log parsing needed.
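To check the "no open inbound ports" claim on the host itself, this added example (not from the original page) parses `ss -ltn` output and reports any of the page's service ports still bound to a non-loopback address, which would leave them dependent on the upstream firewall rather than on the tunnel. The sample listing is constructed.

```sh
#!/bin/sh
# Added example: flag service ports that still listen on a non-loopback address.
# Live use on the VPS:  ss -ltn | exposed_listeners
SERVICE_PORTS="3030 9080 9082 9086 9087 9088 9096 9097 9098 9099"  # from the page

# Reads `ss -ltn` output on stdin and prints "port address" for every listener
# on a service port that is reachable from outside the host's loopback.
exposed_listeners() {
  awk -v ports="$SERVICE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)        # keep what follows the last colon
      sub(/:[^:]*$/, "", addr)    # keep what precedes it
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
      print port, addr
    }' | sort -n
}

# Constructed sample, not captured from the real host.
sample_ss() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       4096    0.0.0.0:9099        0.0.0.0:*
LISTEN  0       4096    127.0.0.1:9082      0.0.0.0:*
LISTEN  0       4096    [::]:9086           [::]:*
LISTEN  0       4096    [::1]:9097          [::]:*
LISTEN  0       4096    *:9080              *:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

sample_ss | exposed_listeners
```

Empty output means every listed service is bound to loopback only, so cloudflared is the only path to it.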
Quantifying the value of solving infrastructure problems you're actively dealing with.
"We build systems where one failure domain doesn't cascade into a total outage. Cloudflare Tunnel gives us per-service isolation, zero port management, and enterprise-grade routing — at a price point that makes the Caddy problem look embarrassing in retrospect."
Press the button and Q will SSH into your VPS, install cloudflared, create the tunnel, write the full config for all 10 services, and install it as a systemd service — autonomously. You'll get a Telegram update when it's live.
□ Q can do autonomously · ⚠️ Needs your input first
Complete the ⚠️ steps first, then hit Build It — Q handles the rest.