Introduction

When you self-host PM Engine, your team can access it within your local network. But what if team members work remotely or you want to collaborate with external stakeholders? Secure tunneling solutions let you expose your PM Engine instance to the public internet without complex firewall configurations or static IP requirements.

This guide covers two approaches: ngrok and Cloudflare Tunnels. Each has different characteristics that make it suitable for different scenarios.

When to use tunneling solutions

Tunneling solutions work well when: - Your team works remotely and needs access from different locations - You're testing PM Engine before committing to a permanent hosting setup - You want to avoid dealing with firewall rules and port forwarding - You need to share your instance with external stakeholders or consultants - You prefer not to expose your server directly to the internet

Option 1: Using ngrok

ngrok provides a straightforward way to make PM Engine publicly accessible. It creates a secure tunnel from a public URL to your local server.

Before you get started

Sign up for a free account at ngrok.com. In the ngrok dashboard, navigate to Your Authtoken and copy the authentication token displayed.

Install and configure ngrok

Install the ngrok agent on the server where PM Engine is running. After installation, open a terminal and configure ngrok with your authtoken (you only need to do this once):

ngrok config add-authtoken 39AiQm9...

Launch the tunnel

Start ngrok and point it to the port where PM Engine is running. If PM Engine is accessible at http://localhost:3000, run:

ngrok http 3000

ngrok will display a public URL that forwards to your local PM Engine instance:

ngrok
(Ctrl+C to quit)
Session Status                online
Account                       example@gmail.com (Plan: Free)
Version                       3.24.0
Region                        United States (us)
Web Interface                 http://127.0.0.1:4040
Forwarding                    https://a1b2c3d4.ngrok.app -> http://localhost:3000

Share the forwarding URL (e.g., https://a1b2c3d4.ngrok.app) with your team. They can access PM Engine through their browser without any additional setup.

Option 2: Using Cloudflare Tunnels

Cloudflare Tunnels route traffic through Cloudflare's global network. This approach requires a domain and provides access through a custom hostname.

Before you get started

You'll need a domain and a Cloudflare account. If this is your first time using Cloudflare, sign up and follow the onboarding instructions. If you already have an account, navigate to Domains > Onboard a website in the Cloudflare dashboard.

Route traffic through Cloudflare

Update your domain's nameservers at your registrar to point to Cloudflare. The exact steps vary by registrar, but generally you'll:

1. Log in to your domain registrar (e.g., GoDaddy, Namecheap)
2. Navigate to DNS or nameserver settings
3. Replace existing nameservers with those provided by Cloudflare

For example, with GoDaddy: go to DNS > Nameservers > Change Nameservers, then enter your Cloudflare nameservers.

Create a Cloudflare Tunnel

In the Cloudflare dashboard, navigate to Zero Trust or Cloudflare One. From there:

1. Go to Networks > Connectors > Cloudflare Tunnels > Create a tunnel
2. Select Cloudflared as the connector type
3. Name your tunnel (e.g., "pm-engine-production")
4. Click Save tunnel

Cloudflare will provide installation instructions for the cloudflared connector.

Install cloudflared on your server

Download and install cloudflared on the server running PM Engine. After installation, run the command provided by Cloudflare during tunnel setup. It will look similar to this:

cloudflared service install eyJhIjoiYTJ... 2026-02-11T10:30:15Z INF Installing cloudflared service 2026-02-11T10:30:15Z INF cloudflared service installed successfully

Configure the tunnel

Cloudflare will prompt you to configure your public hostname and service:

1. Set Public hostname to your desired subdomain (e.g., pm.example.com)
2. Set Service type to HTTP
3. Set URL to where PM Engine is running (e.g., http://localhost:3000)
4. Click Save tunnel

If you see an error like An A, AAAA, or CNAME record with that host already exists, you'll need to remove conflicting DNS records before proceeding.

Access PM Engine

Your team can now access PM Engine at your custom domain (e.g., https://pm.example.com). The connection is automatically secured with Cloudflare's SSL certificate.

Cloudflare Tunnels characteristics

Once your tunnel is active, you can access: - Access policies: Restrict who can access PM Engine based on email, IP, or other criteria - Audit logs: Track who accessed your instance and when - Performance optimization: Cloudflare's CDN can cache static assets for faster loading - DDoS protection: Built-in protection against attacks

Comparing the two approaches

ngrok characteristics:

• No domain required
• Setup takes minutes
• Free plan includes random URLs that change on restart
• Free plan tunnels have no time limits
• Web interface for request inspection
• Paid plans available for persistent domains

Cloudflare Tunnels characteristics:

• Requires domain and Cloudflare account
• Initial setup involves domain configuration
• No session time limits
• Custom domain with SSL certificate included
• Access policies, audit logs, and DDoS protection available
• Cloudflare CDN can cache static assets

Both solutions establish outbound connections from your server, eliminating the need to configure firewall rules or expose ports directly to the internet.

Security considerations

While both solutions provide secure access, follow these best practices:

• Always use HTTPS connections (both solutions provide this by default)
• Enable PM Engine's authentication and user management features
• Regularly review access logs to detect unusual activity
• Keep ngrok or cloudflared updated to the latest version
• Consider implementing Cloudflare Access policies for additional authentication layers
• Use strong passwords and enable two-factor authentication where available