Deploy a Free VPN on Cloudflare: Pages, KV, and Custom Domain Setup
A practical walkthrough for Cloudflare Pages, Workers KV, custom domains, and the EdgeTunnel panel, with notes on free-plan limits and compliance risks.
This article is the written companion to the video tutorial. It organizes the Cloudflare Pages, Workers KV, custom domain, and EdgeTunnel panel deployment flow into a copy-friendly guide.
Important note: Cloudflare’s self-serve terms and platform rules may restrict using its services primarily as a VPN, open proxy, or similar traffic relay. Treat this guide as a personal learning and temporary lab reference only. Before using it, read the Cloudflare Self-Serve Subscription Agreement and your local rules. Do not deploy this for shared access, commercial distribution, long-running traffic relay, or bypassing network management.
Before You Start
Prepare these items first:
- A Cloudflare account
- A domain already managed by Cloudflare
- The EdgeTunnel source code or release archive: cmliu/edgetunnel
- A proxy client that can import subscription URLs or node links
- A random admin path, for example
my-admin-20260428
If you only want to test the workflow, you can start with the default pages.dev domain that Cloudflare Pages gives you. For a cleaner setup, bind your own subdomain, such as vpn.example.com.
Risks First
This setup may look free, but free does not mean unlimited.
- Terms risk: Cloudflare may restrict or suspend obvious VPN, proxy, or relay traffic use cases.
- Account risk: Abnormal traffic, abuse reports, or publicly shared nodes may cause project suspension or account restrictions.
- Quota risk: Cloudflare Workers and Pages Functions have request, CPU, subrequest, and runtime limits. Check the current Workers Limits page before relying on the setup.
- Code risk: EdgeTunnel is a third-party project. Read its source, issues, and README before deployment so you understand what endpoints, configs, and subscription data it creates.
- Domain risk: Do not run experiments on your main root domain. Use a separate subdomain so you can take it offline quickly.
If your real goal is private access, remote administration, or team zero trust connectivity, start with Cloudflare’s official Cloudflare One Connectivity Options, such as Cloudflare Tunnel, WARP Client, or Zero Trust access patterns.
1. Add Your Domain to Cloudflare
If your domain is not managed by Cloudflare yet, add the site in the Cloudflare dashboard and update the nameservers at your domain registrar.
After DNS is active, prepare a subdomain for the Pages project, for example:
vpn.example.comYou do not need to create the final CNAME immediately. Cloudflare can guide you through the DNS record when you bind the custom domain in Pages.
2. Create a Workers KV Namespace
The EdgeTunnel panel needs storage for node configuration and subscription data. In the Cloudflare dashboard, open:
Workers & Pages -> KV -> Create namespaceUse a simple, recognizable namespace name:
edge_tunnelYou do not need to write records manually. Later, bind this namespace to the Pages project. Cloudflare documents the binding flow here: Pages Functions Bindings.
3. Upload EdgeTunnel to Pages
Open the Cloudflare dashboard:
Workers & Pages -> Pages -> Create a project -> Upload assetsUpload the EdgeTunnel source or packaged archive. Project structure can change between versions, so read the repository README before uploading and confirm you are using the build intended for Pages deployment.
You can keep the default project settings at first. After deployment, Cloudflare gives you a temporary domain:
https://your-project.pages.devOpen it once and confirm the page responds. If it fails, check the deployment logs before binding a custom domain.
4. Set the ADMIN Environment Variable
Set a private admin path so the panel is not exposed at an obvious URL. In the Pages project, open:
Settings -> Environment variables -> Add variableAdd this variable:
ADMIN=my-admin-20260428The value becomes your admin path. Avoid easy guesses such as admin, panel, or login, and do not post the path publicly.
After saving the environment variable, redeploy the project so the new deployment can read it.
5. Bind KV to the Pages Project
In the Pages project settings, open:
Settings -> Functions -> KV namespace bindings -> Add bindingThe binding name must match what the project expects. In the video workflow and common EdgeTunnel Pages deployments, the binding name is usually:
KVSelect the edge_tunnel namespace you created earlier.
Save the binding and redeploy again. Without a redeploy, the page may still be unable to read KV, and the panel may fail to save configuration.
6. Open the Admin Panel
After deployment finishes, visit:
https://your-project.pages.dev/my-admin-20260428If you have already bound a custom domain, use:
https://vpn.example.com/my-admin-20260428Inside the panel, follow the page prompts to generate a subscription URL or node configuration. Import flows differ by client, but the relevant entry is usually called “Subscription”, “Import from URL”, or “Add node manually”.
Do not publish the subscription URL. It often acts like an access credential. Anyone who has it may consume your free quota and trigger abuse controls.
7. Bind a Custom Domain
In the Pages project, open:
Custom domains -> Set up a custom domainEnter the prepared subdomain:
vpn.example.comIf the domain is already managed by Cloudflare, the dashboard usually creates or prompts you to create the matching DNS record. For details, see Pages Custom Domains.
Wait until the custom domain status becomes Active, then use it for the admin panel and subscription URL.
Client Import
Open your proxy client, find the subscription or node import entry, and paste the subscription URL generated by the panel. Start with a short connectivity test:
- Can the client update the subscription?
- Can it connect to the node?
- Does it time out frequently?
- Does it show a Cloudflare error page?
- Is the free-plan quota being consumed unexpectedly?
If this is only a learning lab, disable the project or remove the subscription after testing instead of leaving it running indefinitely.
Common Issues
| Issue | What to Check |
|---|---|
1101 | Pages Functions runtime error. Check deployment and function logs first. |
1027 | Workers free-plan or routing-related restriction. Check account plan, request volume, and project settings. |
522 | Origin connection timeout. Check custom domain DNS, proxy status, and whether the project is deployed correctly. |
| Admin panel will not open | Confirm the ADMIN value and redeploy after saving environment variables. |
| Configuration will not save | Confirm the KV binding name and namespace selection. |
| Custom domain inactive | Confirm the Pages custom domain status is Active and DNS records do not conflict. |
| Client cannot import | Confirm the full subscription URL was copied and the client supports the generated protocol format. |
Safer Alternatives
If your goal is not to study a third-party proxy project but to solve a real access problem, consider these official or more controllable options first:
- Cloudflare Tunnel: Good for placing internal web services, admin panels, or SSH access behind Zero Trust.
- Cloudflare One / WARP Client: Good for managed devices, identity-based access, and policy control.
- Self-hosted VPS plus standard VPN: Good when you need full control over egress, logs, bandwidth, and compliance boundaries.
- Tailscale / Headscale / NetBird: Good for personal device mesh networking and private network connectivity.
Use the Cloudflare free plan as a learning lab, not as a long-term, stable, unlimited proxy infrastructure.