Lantern OS — Cloudflare Tunnel Deployment Guide
Version: 1.0
Status: Production Ready
Last Updated: 2026-06-13
Overview
Lantern OS uses Cloudflare Tunnel to expose the Dream Journal and MCP server publicly via a custom domain (lantern-os.net) while keeping the local machine private.
Benefits:
- ✅ No port forwarding or router changes needed
- ✅ HTTPS/TLS encryption by default
- ✅ DDoS protection and WAF included
- ✅ Zero Trust access control (optional)
- ✅ Instant public access (no DNS propagation wait)
Architecture
┌──────────────────────────────────────────────────┐
│ LOCAL MACHINE (lantern-os)                       │
├──────────────────────────────────────────────────┤
│                                                  │
│  Port 4177 (Dream Journal)                       │
│    │                                             │
│    ├─→ Cloudflare Tunnel Agent                   │
│    │                                             │
│    └─→ https://lantern-os.net (Internet)         │
│                                                  │
│  Port 8771 (MCP Server)                          │
│    │                                             │
│    ├─→ Cloudflare Tunnel Agent                   │
│    │                                             │
│    └─→ https://mcp.lantern-os.net (Internet)     │
│                                                  │
└──────────────────────────────────────────────────┘
Access Points
Local (Development)
http://127.0.0.1:4177 — Dream Journal chat UI
http://127.0.0.1:4178 — Development server (if running)
http://127.0.0.1:8771 — MCP server (no auth)
http://127.0.0.1:8772 — MCP server (OAuth2 protected)
Public (Production via Cloudflare Tunnel)
https://lantern-os.net — Dream Journal chat UI + API
https://mcp.lantern-os.net — MCP server (no auth, port 8771; reachable by anyone on the Internet unless a Zero Trust policy is applied, see below)
https://mcp.lantern-os.net/oauth — MCP server (OAuth2, port 8772)
Setup Steps
1. Install Cloudflare Tunnel Agent (One-Time)
Download and install cloudflared:
# Windows (Chocolatey). The package is "cloudflared"; "cloudflare-warp" is the separate WARP client.
choco install cloudflared
# Or download directly (GitHub "latest release" asset URL)
iwr https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe -OutFile $env:USERPROFILE\cloudflared.exe
2. Authenticate with Cloudflare
cloudflared tunnel login
This opens a browser and asks you to:
- Select your Cloudflare account
- Authorize the tunnel agent
- Choose the domain (must be a domain you own in Cloudflare DNS)
An origin certificate is saved to ~/.cloudflared/cert.pem (on Windows: %USERPROFILE%\.cloudflared\cert.pem). Treat it as a secret; it authorizes tunnel management for your account.
3. Create a Tunnel
cloudflared tunnel create lantern-os
Output:
Tunnel credentials written to ~/.cloudflared/<tunnel-id>.json
Tunnel ID: <UUID>
Tunnel Name: lantern-os
Account Tag: <account_id>
4. Configure Tunnel Routes
Create or update cloudflare-config.yml in your lantern-os root:
tunnel: lantern-os
credentials-file: ~/.cloudflared/<tunnel-id>.json   # written by "tunnel create" in Step 3
ingress:
  # Dream Journal
  - hostname: lantern-os.net
    service: http://127.0.0.1:4177
  # MCP server (OAuth2). Rules are evaluated top to bottom and the first match
  # wins, so this path rule must come before the catch-all for the same hostname.
  # "path" is a Go regexp, which has no lookahead such as (?!...).
  - hostname: mcp.lantern-os.net
    path: ^/oauth
    service: http://127.0.0.1:8772
  # MCP server (no auth): everything else on mcp.lantern-os.net
  - hostname: mcp.lantern-os.net
    service: http://127.0.0.1:8771
  # Fallback: anything not matched above (required last rule)
  - service: http_status:404
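As an added example (not code from the Lantern OS project or from cloudflared), the following Python mirrors the ingress rules above as inline dicts and checks the two properties that matter for this split: path regexes must be Go/RE2-compatible (no lookaround), and a path-less rule for a hostname must not precede a path rule for the same hostname, otherwise the /oauth rule is unreachable and the OAuth2 endpoint is silently served by the unauthenticated port. Hostname wildcards are assumed out of scope.

```python
import re

# Constructed copy of the page's cloudflare-config.yml ingress rules, in
# the same order (order matters: cloudflared uses the first matching rule).
INGRESS = [
    {"hostname": "lantern-os.net", "service": "http://127.0.0.1:4177"},
    {"hostname": "mcp.lantern-os.net", "path": r"^/oauth",
     "service": "http://127.0.0.1:8772"},                 # OAuth2 MCP
    {"hostname": "mcp.lantern-os.net", "service": "http://127.0.0.1:8771"},
    {"service": "http_status:404"},                       # catch-all
]

# Perl-style lookaround that Go's regexp (RE2) rejects: (?= (?! (?<= (?<!
_LOOKAROUND = re.compile(r"\(\?(?:[=!]|<[=!])")


def lint_ingress(rules):
    """Return a list of problems; an empty list means the rule order is sane."""
    problems = []
    if not rules or any(k in rules[-1] for k in ("hostname", "path")):
        problems.append("last rule must be a catch-all with only 'service'")
    catchall_hosts = set()  # hostnames that already have a path-less rule
    for i, rule in enumerate(rules):
        host, path = rule.get("hostname"), rule.get("path")
        if path is None:
            if host is not None:
                catchall_hosts.add(host)
            continue
        if _LOOKAROUND.search(path):
            problems.append(f"rule {i}: path {path!r} uses lookaround, "
                            "which Go regexp does not support")
        if host in catchall_hosts:
            problems.append(f"rule {i}: unreachable, an earlier path-less "
                            f"rule already matches all of {host}")
    return problems


def route(rules, hostname, path):
    """Service cloudflared would forward hostname+path to (first match wins).

    Simplification (assumption): exact hostname comparison only, no wildcards.
    """
    for rule in rules:
        if "hostname" in rule and rule["hostname"] != hostname:
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    return None
```

Run lint_ingress on the rule list before deploying a config change; a non-empty result means the OAuth2/no-auth split is not what you think it is.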
5. Create DNS CNAME Records in Cloudflare Dashboard
In the Cloudflare DNS panel, add:
| Type | Name | Content | TTL |
|---|---|---|---|
| CNAME | @ (the apex, lantern-os.net) | <tunnel-id>.cfargotunnel.com | Auto |
| CNAME | mcp | <tunnel-id>.cfargotunnel.com | Auto |
Replace <tunnel-id> with your actual tunnel ID from Step 3. Both records must have proxy status "Proxied" (orange cloud); a cfargotunnel.com target only works through Cloudflare's proxy. Alternatively, `cloudflared tunnel route dns lantern-os lantern-os.net` and `cloudflared tunnel route dns lantern-os mcp.lantern-os.net` create the same records from the CLI.
6. Start the Tunnel
cloudflared tunnel run lantern-os
Or point it at the config file explicitly (without --config, cloudflared looks for ~/.cloudflared/config.yml). This still runs in the foreground; for background operation use the Windows service below.
cloudflared tunnel --config cloudflare-config.yml run lantern-os
7. Verify Public Access
# Test Dream Journal
curl https://lantern-os.net/health
# Test MCP
curl https://mcp.lantern-os.net/health
# Test OAuth2 MCP
curl https://mcp.lantern-os.net/oauth/discover
Autostart on Windows
Register the tunnel as a Windows service so it starts automatically:
# Install as service
cloudflared service install --config cloudflare-config.yml
# Start service
net start cloudflared
# Check status
Get-Service cloudflared
To uninstall:
cloudflared service uninstall
Securing with Zero Trust (Optional)
Enable Zero Trust Access
- Go to Cloudflare Zero Trust Dashboard
- Navigate to Access → Applications
- Create new application:
- Name: Dream Journal
- Domain: lantern-os.net
- Authorization: Require authentication (email, GitHub, Discord, etc.)
- Set policy to allow specific users/groups
This enforces login before accessing the service.
OAuth2 Provider Setup (For OAuth2 MCP Endpoint)
The MCP OAuth2 endpoint at https://mcp.lantern-os.net/oauth is pre-configured to support:
Google OAuth2
Authorization URL: https://mcp.lantern-os.net/oauth/authorize?provider=google
Callback: https://mcp.lantern-os.net/oauth/callback/google
GitHub OAuth2
Authorization URL: https://mcp.lantern-os.net/oauth/authorize?provider=github
Callback: https://mcp.lantern-os.net/oauth/callback/github
Discord OAuth2
Authorization URL: https://mcp.lantern-os.net/oauth/authorize?provider=discord
Callback: https://mcp.lantern-os.net/oauth/callback/discord
See docs/OAUTH2-MCP-SETUP.md for full configuration.
Monitoring & Logs
View Tunnel Status
# Show the tunnel's active connections (there is no "tunnel status" subcommand)
cloudflared tunnel info lantern-os
# List all tunnels in the account
cloudflared tunnel list
View Logs
# Real-time logs
Get-EventLog -LogName "Cloudflare" -Newest 50
# Or run in the foreground with verbose logging (there is no "tunnel logs" subcommand)
cloudflared --loglevel debug tunnel run lantern-os
Monitor in Dashboard
Go to Cloudflare Dashboard → Tunnels and click your tunnel to see:
- Connection status
- Recent requests
- Bandwidth usage
- Error rates
Troubleshooting
| Problem | Solution |
|---|---|
| "Tunnel already running" | Kill the previous process: `Get-Process cloudflared \| Stop-Process` |
| CNAME not working | Wait a few minutes for DNS propagation; check that the record is Proxied and check its TTL in the Cloudflare panel |
| 502 Bad Gateway | Verify the local server is listening on the port the matching ingress rule targets (4177 for Dream Journal, 8771/8772 for MCP); check the firewall |
| Slow response | Check the Cloudflare dashboard for rate limiting; increase plan if needed |
| Certificate errors | The origins here are plain HTTP, so no origin TLS option applies (`tlsSkip` is not a cloudflared setting; the real one is `originRequest.noTLSVerify`, default false). The public certificate is issued and renewed by Cloudflare; check its status under SSL/TLS in the dashboard |
URL Routing Reference
| Service | Local | Public |
|---|---|---|
| Dream Journal UI | http://127.0.0.1:4177 | https://lantern-os.net |
| Dream API | http://127.0.0.1:4177/api/* | https://lantern-os.net/api/* |
| MCP (No Auth) | http://127.0.0.1:8771 | https://mcp.lantern-os.net |
| MCP (OAuth2) | http://127.0.0.1:8772 | https://mcp.lantern-os.net/oauth |
Next Steps
- Email Setup — Configure lantern-os.net email
- OAuth2 MCP — Set up OAuth2 authentication
- Zero Trust — Require login before access
- Analytics — Monitor traffic and performance