# Service Tunneling

### Create Service Mode using Tunneling

To enable third-party connectivity for Keeper Commander's service mode, integrate the service with Ngrok or Cloudflare. Either option allows direct connections via a dedicated domain name. Follow the steps below to configure service mode with a tunneling service.

### Ngrok

To use Commander Service Mode with Ngrok, sign up on [ngrok.com](https://ngrok.com/) and generate an Auth token from <https://dashboard.ngrok.com/authtokens>.

If you are using a custom domain, set it up under <https://dashboard.ngrok.com/domains> and specify the custom subdomain when starting Commander service mode.

Using Ngrok has security implications. Follow this guidance:

* Ensure that the Keeper service account runs with minimal permissions and access. We recommend limiting the service account to the least privilege it needs.
* Protect access to the service through Ngrok's IP policies.
* Limit the scope of supported commands. For example, if you only need to add records through the API, then only allow the `record-add` command. See the [Command List](#command-list) section.

***

### Cloudflare <a href="#commander-service-with-cloudflare-tunnel" id="commander-service-with-cloudflare-tunnel"></a>

This guide walks you through the steps to configure your **Commander Service** to work with a **Cloudflare Tunnel**, allowing secure access to your service over the internet.

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before starting, ensure you have the following:

* **Cloudflare Account**: [Sign up at dash.cloudflare.com](https://dash.cloudflare.com/)
* **Registered Domain**: Your domain must be added to Cloudflare.
* **Tunnel Token**: You'll generate this via the Cloudflare Zero Trust dashboard.

### Step 1: Add Your Domain to Cloudflare <a href="#step-1-add-your-domain-to-cloudflare" id="step-1-add-your-domain-to-cloudflare"></a>

1. **Log In** to the [Cloudflare Dashboard](https://dash.cloudflare.com/)
2. **Onboard a Domain**:
   * Click **"Onboard a Domain"**
   * Enter your domain (e.g., `example.com`)
   * Select a Cloudflare plan (Free or Paid)
3. **Review & Configure DNS Records**:
   * Cloudflare will attempt to auto-detect existing DNS records.
   * Review and update as needed.
4. **Update Nameservers**:
   * Cloudflare provides 2 nameservers.
   * Update these at your domain registrar.
   * **Wait for DNS propagation** (can take up to 24 hours)
5. **Enable SSL/TLS**:
   * In the Cloudflare dashboard, go to **SSL/TLS**
   * Set SSL mode to **Full** or **Full (strict)** for secure connections

### Step 2: Create a Cloudflare Tunnel <a href="#step-2-create-a-cloudflare-tunnel" id="step-2-create-a-cloudflare-tunnel"></a>

1. **Access Zero Trust Dashboard**:
   * Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/)
   * Navigate to **Networks > Connectors**
2. **Create a Tunnel**:
   * Click **"Create a tunnel"**
   * Choose **"Cloudflared"** as the connector type
   * Name your tunnel (e.g., `commander-service-tunnel`)
   * Save the tunnel token for the service configuration in Commander
3. **Create Public Hostname**:
   * During the tunnel setup, define the public hostname (e.g., `commander.yourdomain.com`) and leave the path blank
   * Set the Type to HTTP or HTTPS, depending on your Commander Service Mode configuration. In the basic examples, HTTP is used with localhost and a local port.
     * **Type**: HTTP
     * **URL**: `localhost:<PORT>` or whatever your Commander configuration uses
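
Because the tunnel forwards to `localhost:<PORT>`, it is worth confirming that the Commander service listens on loopback only, so the tunnel is the single path in. The script below is an added example, not part of Keeper's documentation or code; it parses `ss -ltnH` output, and port 8900 and the sample lines are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample of `ss -ltnH` output; 8900 is an assumed example port.
SAMPLE_SS = """\
LISTEN 0 128  127.0.0.1:8900   0.0.0.0:*
LISTEN 0 128  [::1]:8900       [::]:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  *:9000           *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def listeners(ss_output):
    """Yield (address, port) for every LISTEN row; header rows are skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            # Drop an interface suffix (%lo) and IPv6 brackets.
            yield addr.split("%")[0].strip("[]"), int(port)

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcards such as '*' count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_binds(ss_output, port):
    """Non-loopback addresses on which `port` is listening."""
    return sorted({a for a, p in listeners(ss_output)
                   if p == port and not is_loopback(a)})

def check(ss_output, port):
    """Classify the port as not-listening, exposed, or loopback-only."""
    if not any(p == port for _, p in listeners(ss_output)):
        return "not-listening"
    return "exposed" if exposed_binds(ss_output, port) else "loopback-only"

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8900
    # Read piped `ss -ltnH` output, or fall back to the constructed sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    status = check(text, port)
    print(port, status, exposed_binds(text, port))
    sys.exit(0 if status == "loopback-only" else 1)
```

Run it on the Commander host as `ss -ltnH | python3 check_bind.py <PORT>` (the file name is arbitrary); a non-zero exit means the port is not listening or is reachable on a non-loopback address.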
