When the standard “open ports 80 and 443, run Let’s Encrypt” path doesn’t work for you, OrOrbit supports three fallbacks: a Cloudflare Tunnel, ngrok for quick public sharing, or a reverse proxy / custom cert workflow you maintain yourself.
🤔 When do I need this?
CGNAT — your ISP shares your public IP with other customers, so port forwarding can’t open ports for you. The admin panel detects this and surfaces a CGNAT warning under Network Diagnostics.
ISP blocks port 80 — some residential plans block inbound 80 outright as anti-server policy. Without port 80, Let’s Encrypt’s HTTP-01 challenge can’t reach your server.
Enterprise firewall — you’re behind a firewall where opening inbound ports is not an option.
Quick public sharing — you just want a URL friends can hit for an evening, no DNS work.
What You’ll Need
A running OrOrbit server with the admin panel open
One of:
Cloudflare Tunnel: a free Cloudflare account (and cloudflared for named tunnels)
ngrok: a free ngrok account
Reverse proxy: a machine to terminate TLS upstream (Caddy, nginx, traefik), or DNS-01 issuance via your DNS provider’s API
Pick a Method
A Cloudflare Tunnel connects your server to Cloudflare’s network, so friends can reach it without you opening any ports on your router. OrOrbit has a built-in Quick Tunnel that works with one click, plus a Named Tunnel path for a permanent URL on your own domain.
🤔 What is a Cloudflare Tunnel?
Normally, for someone to reach your server, you need to open a port on your router (port forwarding). A tunnel flips this: your server connects out to Cloudflare, and Cloudflare handles incoming traffic. No router config needed, works behind strict firewalls and CGNAT.
Option A: Quick Tunnel (random URL, one click)
The fastest way — one click, zero setup. The URL is random (like elderly-salmon-fishing.trycloudflare.com) and changes on restart.
1. Start the Tunnel
In the setup wizard, select Quick Tunnel (Cloudflare). Click Start Tunnel.
OrOrbit finds or downloads the cloudflared binary, starts a tunnel, and shows your public URL within 10–30 seconds.
2. Share the URL
Copy the URL and send it to friends. Done.
⚠️ Warning
Quick tunnel URLs change every restart. For a permanent address use a Pulsar subdomain or a Named Tunnel (below).
Option B: Named Tunnel (permanent URL on your domain)
A named tunnel gives you a permanent URL with your own domain. Requires a free Cloudflare account and a few terminal commands.
ngrok will print a public URL like https://abc123.ngrok-free.app — share it with friends.
⚠️ Warning
The free ngrok URL changes every time you restart. For a permanent address, use a Cloudflare Named Tunnel or upgrade ngrok.
Run a reverse proxy in front of OrOrbit. The proxy handles TLS termination and certificate issuance; OrOrbit reads PEM files the proxy provides via TLS_MODE=custom, or the proxy hands plain HTTP to OrOrbit on the LAN with TLS off.
💡 When this fits
You already run Caddy, nginx, or traefik for other services on the same box; you have a static cert from a private CA; or you want to use Let’s Encrypt’s DNS-01 challenge (no port 80 required) via your DNS provider’s API.
If you’d rather have OrOrbit serve TLS directly (e.g. you got a cert from a private CA, or you’re issuing via DNS-01 with acme.sh / lego and want OrOrbit to read the resulting PEMs):
OrOrbit reads the files at boot and serves them. You handle issuance and renewal in whatever workflow you already use. Restart the server (or trigger a config reload) after rotating the files.
💡 DNS-01 = no port 80 required
Tools like acme.sh and lego solve the LE challenge over your DNS provider’s API instead of HTTP. Drop the resulting PEM files into the paths above and you’re done — no inbound 80, no router configuration.
Comparison
| | Quick Tunnel | Named Tunnel | ngrok (free) | Reverse Proxy |
|---|---|---|---|---|
| Setup time | 30 seconds | 15–20 min | 5 min | 30–60 min |
| Permanent URL | No | Yes | No | Yes |
| Custom domain | No | Yes | Paid only | Yes |
| Port forwarding | Not needed | Not needed | Not needed | Depends on issuance method |
| Hides your IP | Yes | Yes | Yes | Depends |
| Traffic routes through | Cloudflare | Cloudflare | ngrok | Direct |
| Works behind CGNAT | Yes | Yes | Yes | Only with DNS-01 |
| Cost | Free | Free | Free / paid | Domain + (optional) cert costs |
Troubleshooting
cloudflared not found — OrOrbit looks for the binary in: (1) the CLOUDFLARED_PATH env var, (2) the copy bundled with the desktop app, (3) the system PATH. Download it from Cloudflare’s downloads page.
Tunnel failed to start — check your internet connection, make sure nothing else is using the port, and check whether your firewall blocks outbound connections. For named tunnels: confirm cloudflared tunnel list shows yours.
URL not reachable — quick-tunnel URL expired (restart for a new one); named tunnel not running; DNS not set (run cloudflared tunnel route dns).
Reverse-proxy: certificate validation issues — if OrOrbit reads your custom PEM but browsers complain, the chain is likely incomplete. Use the fullchain.pem (cert + intermediates), not just the leaf.
TLS_MODE=custom reads but admin panel says self-signed — OrOrbit fell back to a self-signed cert at boot because one of the file paths was unreadable. Check the server log for Failed to read TLS_CERT_PATH / TLS_KEY_PATH. File permissions and absolute paths matter.
ngrok works but voice doesn’t — ngrok’s free tier proxies HTTPS, not UDP. WebRTC voice traffic uses UDP and can’t tunnel through. Use a Cloudflare Tunnel or a Pulsar subdomain for voice support.
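As an added example (not OrOrbit’s own code), a preflight check for the two custom-cert failures listed above: unreadable or relative paths that trigger the self-signed fallback, and a leaf-only file that makes browsers reject the chain. It assumes TLS_MODE, TLS_CERT_PATH and TLS_KEY_PATH are environment variables; preflight and write_sample are hypothetical names, the PEM bodies written by write_sample are constructed placeholders, and the key-permission check is an extra hygiene check not taken from this page.

```python
import os
import re
import stat

# Constructed placeholder body (base64 of "CONSTRUCTED"); not a real certificate or key.
DUMMY_B64 = "Q09OU1RSVUNURUQ="
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def write_sample(path, label, count, mode=0o600):
    """Write `count` constructed PEM blocks of type `label` to `path` (demo helper)."""
    block = f"-----BEGIN {label}-----\n{DUMMY_B64}\n-----END {label}-----\n"
    with open(path, "w", encoding="ascii") as fh:
        fh.write(block * count)
    os.chmod(path, mode)
    return path

def preflight(env):
    """Return a list of problems with the custom-TLS settings in `env`; empty means OK."""
    if env.get("TLS_MODE") != "custom":
        return ["TLS_MODE is not 'custom'"]
    problems, texts = [], {}
    for var in ("TLS_CERT_PATH", "TLS_KEY_PATH"):
        path = env.get(var, "")
        if not path:
            problems.append(f"{var} is not set")
        elif not os.path.isabs(path):
            problems.append(f"{var} is not an absolute path")
        else:
            try:
                with open(path, encoding="ascii", errors="replace") as fh:
                    texts[var] = fh.read()
            except OSError as exc:
                problems.append(f"{var} is unreadable: {exc.strerror}")
    if "TLS_CERT_PATH" in texts:
        certs = len(CERT_RE.findall(texts["TLS_CERT_PATH"]))
        if certs == 0:
            problems.append("TLS_CERT_PATH has no PEM certificate")
        elif certs == 1:
            problems.append("TLS_CERT_PATH has only a leaf; chain likely incomplete")
    if "TLS_KEY_PATH" in texts:
        if not KEY_RE.search(texts["TLS_KEY_PATH"]):
            problems.append("TLS_KEY_PATH has no PEM private key")
        if stat.S_IMODE(os.stat(env["TLS_KEY_PATH"]).st_mode) & 0o077:
            problems.append("TLS_KEY_PATH is readable by group or others")
    return problems

if __name__ == "__main__":
    for line in preflight(dict(os.environ)) or ["custom TLS files look usable"]:
        print(line)
```

A single certificate is flagged only as a likely problem: a cert issued directly by a root your clients already trust needs no intermediates.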
Privacy
All traffic passes through a third party when using a tunnel (Cloudflare or ngrok). The connection from users to that party is encrypted (HTTPS). Their privacy policy governs handling of metadata. OrOrbit’s end-to-end encrypted features (identity keys) work regardless — the tunnel doesn’t affect application-level encryption.
For direct connections where no third party handles traffic, use a Pulsar subdomain or a custom domain with port forwarding.