Cloudflare Tunnel (cloudflared) with PicoClaw

Cloudflare Tunnel publishes a hostname on Cloudflare that forwards to a service on your LAN—handy when your ISP uses CGNAT or you do not want inbound 443 on your router. Run PicoClaw locally and point the tunnel at its HTTP port.

1. How it fits together

  1. PicoClaw listens on localhost (gateway or HTTP API).
  2. cloudflared maintains an outbound connection to Cloudflare.
  3. Cloudflare routes https://assistant.example.com to that origin.

2. Security

A tunnel hostname is reachable from the public internet, so enable Cloudflare Access or WAF rules to keep the whole world from hitting your webhook. Combine this with strong random paths or signed payloads. See the Security page for PicoClaw-specific settings.
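The layout from "How it fits together" and the random-path advice above, as a cloudflared configuration file. This is an added example, not taken from the PicoClaw or Cloudflare documentation; the tunnel UUID, the credentials location, the PicoClaw port and the /hook/ path prefix are placeholders or assumptions to replace with your own values.

```yaml
# config.yml for cloudflared (added example; angle-bracket values are placeholders)
tunnel: <TUNNEL-UUID>
# Assumed location; use the path cloudflared printed when the tunnel was created.
credentials-file: /home/picoclaw/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Forward only the webhook path on the published hostname.
  # "path" is a regular expression, so anchor it with ^ and $.
  # <RANDOM-PATH> is a long random string, e.g. the output of: openssl rand -hex 32
  # The /hook/ prefix is hypothetical; use the path PicoClaw actually serves.
  - hostname: assistant.example.com
    path: ^/hook/<RANDOM-PATH>$
    # Loopback only: PicoClaw does not need to listen on a LAN address.
    service: http://127.0.0.1:<PICOCLAW-PORT>

  # Mandatory catch-all rule. Any other hostname or path is answered
  # by cloudflared itself and never reaches PicoClaw.
  - service: http_status:404
```

Run `cloudflared tunnel ingress validate` after editing to confirm the rules parse. The random path narrows what the tunnel forwards; it does not replace Cloudflare Access or WAF rules on the hostname.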

3. Alternatives

With a public VPS, nginx + TLS is often simpler. For mesh VPN access only, see Tailscale.

4. Next steps