#Unable to Connect to Minecraft Server via Cloudflare Tunnel (Other Services Working Fine)

Context: I'm getting into selfhosting and want to host a game server(Minecraft should take the port 25565 and need tcp traffic) through a cloudflared tunnel through my own domain.
A connection from the outside does not appear possible, although I don't know its reason, in the following I will go through the steps I took, I would be very grateful for any tips or ideas.

My steps so far (based on https://developers.cloudflare.com/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/):
1.Bought a domain (gameserver.kyoto)
2.Created a cloudflare account and replaced the nameservers with the nameservers from Cloudflare
3.Downloaded the latest version of cloudflared on the host server (ubuntu 22.04)
4.Logged in, downloaded the credentials from cloudflare
5.Created a new tunnel "minecraft"
6.Created a config file like this

tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:

• hostname: ssh.gameserver.kyoto
  service: ssh://localhost:22

• hostname: minecraft.gameserver.kyoto
  service: tcp://localhost:25565

• hostname: grafana.gameserver.kyoto
  service: http://localhost:3000

• service: http_status:404

Started the tunnel -> I dont see any mention of "configuration updated" or smt like that, furthermore when I run "cloudflared tunnel info mc-tunnel" It does not say that it has a configuration.

9.Testing from within the local network but a different PC

PS C:\Users\php> Test-NetConnection -ComputerName minecraft.gameserver.kyoto-Port 25565

ComputerName : minecraft.gameserver.kyoto
RemoteAddress : 172.67.211.11
RemotePort : 25565
InterfaceAlias : ethernet
SourceAddress : 192.168.0.60
PingSucceeded : True
PingReplyDetails (RTT) : 3 ms
TcpTestSucceeded : False

10.I have launched a temporary game server but no incoming traffic can be detected.

By connecting to the tunnel, I am able to use SSH and access the Grafana dashboard.
However, only Minecraft returns an error: "Connection refused: no further information."
I would be grateful for any help, Thank you.

Doesn't sound like you followed the connect from client machine step?
https://developers.cloudflare.com/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/#connect-from-a-client-machine

Thank you for your reply.
I'm sorry for the lack of explanation.
Between steps 8 and 9, I performed the following actions on the client machine:

On the client machine, I started the tunnel:

PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555
2025-05-02T19:50:34Z INF Start Websocket listener host=localhost:25555

Step 9: Testing from within the local network on a different PC

PS C:\Users\php> Test-NetConnection -ComputerName minecraft.gameserver.kyoto -Port 25565

ComputerName : minecraft.gameserver.kyoto
RemoteAddress : 172.67.211.11
RemotePort : 25565
InterfaceAlias : ethernet
SourceAddress : 192.168.0.60
PingSucceeded : True
PingReplyDetails (RTT) : 3 ms
TcpTestSucceeded : False

PS C:\Users\php> Test-NetConnection -ComputerName localhost -Port 25555
WARNING: TCP connect to (::1 : 25555) failed

ComputerName : localhost
RemoteAddress : 127.0.0.1
RemotePort : 25555
InterfaceAlias : Loopback Pseudo-Interface 1
SourceAddress : 127.0.0.1
TcpTestSucceeded : True

Step 10: I launched Minecraft Java Edition on the client machine and attempted to connect to localhost:25555,
but I received the error: Connection refused: no further information.

Assuming minecraft.gameserver.kyoto is the real hostname, you'll have to make a dns record to route to the tunnel
via the cli, you can use
cloudflared tunnel route dns <UUID or NAME> minecraft.gameserver.kyoto
Or just adding a CNAME on minecraft to <UUID>.cfargotunnel.com

I can confirm from the dashboard that the settings are configured as shown below.
Is there any additional configuration required beyond this?

just to be clear, gameserver.kyoto is meant to be a fake/stand in domain? It's not registered

Yes, it's a dummy.
This is my first time posting to this open community, so I'm using a fake domain.
If the real domain is needed, I can provide it by DM.

Shouldn't be needed, was just making sure I understood. After you attempt to connect within minecraft, there should be more logs output by the access tcp command

Understood.
I’ll provide the output from the command as-is, with only the domain changed.

Should the access tcp command be run on the server machine or the client machine?
If there’s any documentation for this process, I’d appreciate it if you could share it so I can follow along.

client machine. Docs are just the same as linked above in regards to getting arbitrary tcp setup

Thank you.
After running the access tcp command on the client machine, I tried connecting from Minecraft to localhost:25555 multiple times, but no logs were output.

PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto--url localhost:25555
2025-05-02T19:50:34Z INF Start Websocket listener host=localhost:25555

By the way, running the Test-NetConnection command from the client machine also does not produce any logs.

Interesting, sounds like it might think it's establishing connection to a degree. You can tag on --log-level debug at the end and see if we can't get anymore out of it.
There is a few issues that can result from the way your domain is setup in Cloudflare, if you don't have Websockets on under Network -> Websockets, or if you have aggressive firewall like Bot Fight mode on, but should be something in logs from that

Logs were only recorded when running Test-NetConnection -ComputerName localhost -Port 25555.

PS C:\Users\php> cloudflared access tcp --hostname minecraft.gameserver.kyoto --url localhost:25555 --log-level debug
2025-05-03T04:52:26Z INF Start Websocket listener host=localhost:25555
2025-05-03T04:52:45Z DBG Websocket request: GET / HTTP/1.1
Host: minecraft.gameserver.kyoto
User-Agent: cloudflared/2025.4.0

2025-05-03T04:52:47Z DBG Access Websocket request: GET / HTTP/1.1
Host: minecraft.gameserver.kyoto
Cf-Access-Token: xxx
User-Agent: cloudflared/2025.4.0

2025-05-03T04:52:47Z DBG Websocket response: "HTTP/1.1 101 Switching Protocols\r\nAlt-Svc: h3=":443"; ma=86400\r\nCf-Cache-Status: DYNAMIC\r\nCf-Ray: 939d26a51c8d7379-NRT\r\nConnection: upgrade\r\nDate: Sat, 03 May 2025 04:52:47 GMT\r\nNel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XroVVHeeWBZKa%2FsHDtuf7Lk78WZQQ85y%2FxWh5h8ZSuVwFOQo%2Fm%2Bt4%2Fs4KXBFHH7KqiGoGC1s2heXuI%2Fn0aU%2FNleTzasUzfqq8gHmJJAUMeLzedIlHyx%2BOhp%2BznDOQycXJFRsEQTeX%2Fluujn4oQ%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nSec-Websocket-Accept: +LjxgHHNH8hpe2MH2pWIi7uvf/k=\r\nServer: cloudflare\r\nServer-Timing: cfL4;desc="?proto=TCP&rtt=2644&min_rtt=2640&rtt_var=999&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3109&recv_bytes=1469&delivery_rate=1634938&cwnd=252&unsent_bytes=0&cid=bea82eddf03a812f&ts=50&x=0"\r\nUpgrade: websocket\r\n\r\n"
2025-05-03T04:52:47Z DBG downstream->upstream copy: read tcp 192.168.0.60:59357->104.21.53.89:443: use of closed network connection

There are no logs recorded for the connection from Minecraft or the command Test-NetConnection -ComputerName minecraft.gameserver.tokyo -Port 25565.

Test-NetConnection -ComputerName minecraft.gameserver.tokyo -Port 25565
This (going directly against the domain) will never work, as the tunnel hostname just uses Cloudflare's normal shared proxy setup. This is why it requires you to run cloudflared on the client and then create a virtual setup locally

cf-access-token is sensitive there if you logged in
anyway the websocket is establishing successfully, anything interesting on tunnel host side?
If you're on linux and have installed the tunnel as a service, you can check logs via journalctl -u cloudflared -f --lines=100
Otherwise, if you're running it from console and such, can just look at normal logs

Should the cf-access-token be masked?

yes

This is journalctl -u cloudflared -f --lines=100 command result.

When you install the tunnel as a service, it copies your current config to /etc/cloudflared/config.yml and uses that. Are you editing that config/does that config have all the minecraft stuff configured? If you were running it as a user before, some people get tripped up in editing the config under their user directory

Yes, I’m editing /etc/cloudflared/config.yml.

root@minecraft-server:~# cat /etc/cloudflared/config.yml
tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:
  - hostname: ssh.gameserver.kyoto
    service: ssh://localhost:22

  - hostname: minecraft.gameserver.kyoto
    service: tcp://localhost:25565

  - hostname: grafana.gameserver.kyoto
    service: http://localhost:3000

  - service: http_status:404

then I'd say it's time to check the more silly things as I've done this same setup before without issue

Your screenshot above showed multiple tunnels, they're all on separate machines and not conflicting?
Can you connect to the minecraft server not through the tunnel?
Restarted tunnel since last config change (it doesn't auto refresh when using local tunnels)
You can use cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto to validate it's being routed right locally (at least on latest update config)
I would change all the localhost references to 127.0.0.1 out of paranoria, at least the tunnel config for minecraft. IPv6 usually isn't setup and isn't supported for Minecraft
You can use 25565 locally too in the access url command, unless you're using that port locally for some reason?

Your screenshot above showed multiple tunnels, they're all on separate machines and not conflicting?
I have a question about this part. I'm hosting two Ubuntu servers: one for the Minecraft server and one as a playground server. As shown in the screenshot, I've created two separate Cloudflare tunnels—one for Minecraft and one for the playground. (Is this an acceptable setup?)

Also, to access the Minecraft server, I run the following command from PowerShell on my Windows PC:
cloudflared access tcp --hostname minecraft.gameserver.kyoto--url localhost:25555 --log-level debug
Additionally, to SSH into the Minecraft server, I use tunneling via Ubuntu on WSL:

~/.ssh/config

Host minecraft
    HostName  ssh.gameserver.kyoto
    ProxyCommand  /usr/local/bin/cloudflared access ssh --hostname %h
    User      php

Can you connect to the Minecraft server not through the tunnel?
You mean accessing it directly via the private IP, without using the tunnel?
Yes, I can connect—SSH, Grafana (HTTP), and Minecraft all work fine.

Restarted tunnel since last config change (it doesn't auto refresh when using local tunnels)
I noticed a message in the logs indicating that cloudflared was outdated, so I upgraded it. The tunnel was restarted during that process. However, I still can’t connect.

You can use cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto to validate it's being routed right locally (at least on latest update config)
I ran this on the server:

cloudflared tunnel ingress rule https://minecraft.gameserver.kyoto
Using rules from /home/php/.cloudflared/config.yml
Matched rule #1
        hostname: minecraft.gameserver.kyoto
        service: tcp://localhost:25565

This indicates that it's using /home/php/.cloudflared/config.yml, not /etc/cloudflared/config.yml.
Why is that?

By the way, here is the content of /home/php/.cloudflared/config.yml:

tunnel: 7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e 
credentials-file: /etc/cloudflared/7c7af860-xxxx-xxxx-xxxx-7d235e1a5b4e.json
ingress:
  - hostname: ssh.gameserver.kyoto
    service: ssh://localhost:22

  - hostname: minecraft.gameserver.kyoto
    service: tcp://localhost:25565

  - hostname: grafana.gameserver.kyoto
    service: http://localhost:3000

  - service: http_status:404

I would change all the localhost references to 127.0.0.1 out of paranoia, at least the tunnel config for Minecraft. IPv6 usually isn't setup and isn't supported for Minecraft
You can use 25565 locally too in the access URL command, unless you're using that port locally for some reason?
I will apply these changes now.

t, I've created two separate Cloudflare tunnels—one for Minecraft and one for the playground. (Is this an acceptable setup?)
Yea, one per vm works best.

This indicates that it's using /home/php/.cloudflared/config.yml, not /etc/cloudflared/config.yml.
Why is that?
When running as your user, it prefers the one in your home directory. When running as a service, it uses the one under /etc/cloudflared.
It's a bit confusing. If you delete the one under your home directory (or rename to something else), that command should run against, or you can also specify in the command like cloudflared tunnel --config /etc/cloudflared/config.yml ingress rule https://minecraft.gameserver.kyoto

OMNG

I can connect

I was able to connect after changing from localhost to 127.0.0.1.

@barren obsidian
Thank you so much!

interesting, I'd guess your minecraft server wasn't bound on ipv6 (I don't think mc really supports it)

well we took the long way but at least it was a simple fix lol

at least for the future, localhost resolves to 127.0.0.1 and ::1 and is worth being careful around (most of the time, explicitly specifying 127.0.0.1), if you're not sure the service is on both