The short answer
Cloudflare Tunnel for persistent service exposure on your own domain — and it's free. ngrok for instant developer tunnels — webhook testing, demos, temporary shares — where its request-inspection tooling and one-command UX shine. Neither if what you actually need is a private network rather than public exposure.
Same job, different temperament
Mechanically, Cloudflare Tunnel and ngrok do the same thing: run a small agent that opens an outbound connection to the provider's edge, so a service behind NAT or a firewall becomes reachable at a public URL — no port-forwarding, no inbound firewall rule.
The difference is temperament. Cloudflare Tunnel is built to be left running: persistent, on your own domain, wired into Cloudflare's DNS, CDN, WAF, and Access. It's infrastructure. ngrok is built for the developer inner loop: ngrok http 3000, a URL in two seconds, a request inspector to replay and debug traffic. It's a tool you reach for and put down.
Either can do the other's job — ngrok has static domains and persistent tunnels on paid plans; Cloudflare Tunnel can serve a quick share — but each is sharpest at its native role.
Side-by-side comparison
| Aspect | Cloudflare Tunnel | ngrok |
|---|---|---|
| Primary use | Persistent production exposure | Instant developer tunnels |
| Cost | Free (part of CF Zero Trust Free) | Free tier + paid from ~$8-10/mo |
| Custom domain | Yes, your own (via Cloudflare DNS) | Free: random URL; paid: static domain |
| Request inspection | No built-in inspector | Yes, purpose-built UI |
| Startup speed | Configure once, then persistent | One command, seconds |
| Auth gating | Cloudflare Access integration | OAuth / basic auth on paid plans |
| Security stack | Cloudflare WAF / DDoS available | ngrok edge features on paid |
| Ecosystem lock-in | Cloudflare (DNS at minimum) | ngrok account |
| Connects networks | No | No |
When to pick which
- Cloudflare Tunnel — a self-hosted app you want permanently reachable on your domain (Nextcloud, a status page, an internal admin panel with Access in front); cost matters; you're already using Cloudflare DNS.
- ngrok — webhook development and testing; demoing a local build to a colleague or client; temporary shares; any workflow where the request inspector and instant startup earn their keep.
When an exposure tool is the wrong tool
Both Cloudflare Tunnel and ngrok make a service public — reachable from the internet, optionally behind auth. That's the right shape when the thing genuinely should be Internet-facing.
It's the wrong shape when the thing should stay internal. Connecting branch offices, letting back-office systems at different sites reach each other, giving your own devices private access to internal resources — none of that should involve a public URL, even an authenticated one. The correct tool is a private network: a VPN or mesh VPN, where internal systems are reachable by your authorised devices and invisible to everyone else.
For SMB multi-branch, that's MeshWG: a managed WireGuard mesh on the router, connecting sites privately, priced per router (₹349 ≈ $4.20/month, 2 free). If you've been reaching for an exposure tool to solve a connectivity problem, the mesh-VPN category is what you actually want — see ZTNA vs VPN and what is WireGuard for the background.
Frequently asked questions
What is the difference between Cloudflare Tunnel and ngrok?
Both expose a service behind NAT or a firewall to the public internet without port-forwarding, by running a small agent that makes an outbound connection to the provider's edge. The difference is positioning. Cloudflare Tunnel is built for persistent production exposure on your own domain, integrated with Cloudflare's DNS / CDN / WAF / Access — and it's free. ngrok is built for instant developer tunnels: one command, a URL in seconds, ideal for testing webhooks, demoing work, or sharing a local dev server temporarily. Cloudflare Tunnel is the 'leave it running' tool; ngrok is the 'spin it up for an hour' tool — though both can do either job.
Is Cloudflare Tunnel or ngrok cheaper?
Cloudflare Tunnel is free, with no usage caps that matter for typical use — it's part of Cloudflare's free Zero Trust tier. ngrok has a free tier (with a random URL that changes each session and a request-rate limit) and paid plans starting around $8-10/month for a static domain and higher limits. For persistent, cost-sensitive exposure Cloudflare Tunnel wins clearly. For developers who value ngrok's instant-tunnel UX and request inspection tooling, the paid plan is modest.
Is ngrok or Cloudflare Tunnel better for webhooks?
ngrok is the more popular webhook-testing tool — its request inspection UI (replay requests, view payloads) is purpose-built for exactly that workflow, and the one-command startup suits the iterate-quickly nature of webhook development. Cloudflare Tunnel can also receive webhooks and is fine for a persistent webhook endpoint, but it lacks ngrok's built-in request inspector. For active webhook development: ngrok. For a permanent production webhook receiver: either, with Cloudflare Tunnel free.
Can Cloudflare Tunnel or ngrok connect two networks?
No — and this is the key limitation both share. Both are service-exposure tools: they make one service reachable at a public URL. Neither connects networks to each other, neither gives you a private mesh, neither does site-to-site. If your actual need is 'my branch office network should reach my head-office network,' or 'my devices should reach each other privately,' an exposure tool is the wrong category entirely. You want a VPN or mesh VPN.
When should I use a private network instead of Cloudflare Tunnel or ngrok?
Whenever the thing you're connecting shouldn't be public at all. Exposure tools put a service on the internet (optionally gated by auth). If you're connecting internal systems — branch offices, back-office servers, devices that should only be reachable by your own people — putting them behind a public URL is the wrong shape even with authentication in front. A private network (mesh VPN) keeps internal things internal: reachable by your authorised devices, invisible to everyone else. For SMB multi-branch, that's MeshWG's job, not an exposure tool's.
Cloudflare Tunnel vs ngrok for a small business?
If the small business genuinely needs to expose a service publicly — a customer-facing web app, a public webhook endpoint — Cloudflare Tunnel is the better default: free, persistent, on your own domain, with Cloudflare's security stack available. ngrok suits the developer-workflow slice (testing, demos, temporary shares). But if the small-business need is actually 'connect our offices and internal systems' — which it usually is — neither tool fits. A managed mesh VPN (MeshWG, per-router pricing) connects the sites privately without ever making anything public.
Next steps
If your need is connectivity (not public exposure), a mesh VPN is the right category — MeshWG's free tier covers 2 routers.