diff --git a/infra/modules/vpn/ansible/roles/cloudflared/tasks/main.yml b/infra/modules/vpn/ansible/roles/cloudflared/tasks/main.yml
index ed806dc7..a4d1006a 100644
--- a/infra/modules/vpn/ansible/roles/cloudflared/tasks/main.yml
+++ b/infra/modules/vpn/ansible/roles/cloudflared/tasks/main.yml
@@ -1,3 +1,25 @@
 - name: Install cloudflared
 apt:
 deb: "{{ cloudflared_package_url }}"
+
+- name: Create tunnel configuration file
+ template:
+ src: config.yml.j2
+ dest: /etc/cloudflared/config.yml
+
+# TODO (feature) Get cloudflare tunnel credentials automatically
+# - name: Create tunnel credentials file
+# template:
+# src: credentials.json.j2
+# dest: /etc/cloudflared/credentials.json
+
+- name: Install cloudfared system service
+ command: cloudflared service install
+ args:
+ creates: /etc/systemd/system/cloudflared.service
+
+- name: Enable cloudflared service
+ service:
+ name: cloudflared
+ state: started
+ enabled: yes
diff --git a/infra/modules/vpn/ansible/roles/cloudflared/templates/config.yml.j2 b/infra/modules/vpn/ansible/roles/cloudflared/templates/config.yml.j2
new file mode 100644
index 00000000..67d1a1b5
--- /dev/null
+++ b/infra/modules/vpn/ansible/roles/cloudflared/templates/config.yml.j2
@@ -0,0 +1,7 @@
+tunnel: homelab-vpn
+credentials-file: /etc/cloudflared/cert.pem
+
+ingress:
+ - hostname: "*.khuedoan.com"
+ service: http://192.168.1.150 # TODO (optimize) Use variable for ingress address
+ - service: http_status:404
diff --git a/infra/modules/vpn/ansible/roles/cloudflared/templates/credentials.json.j2 b/infra/modules/vpn/ansible/roles/cloudflared/templates/credentials.json.j2
new file mode 100644
index 00000000..0541fdcc
--- /dev/null
+++ b/infra/modules/vpn/ansible/roles/cloudflared/templates/credentials.json.j2
@@ -0,0 +1,6 @@
+{
+ "TunnelName": "{{ tunnel_name }}",
+ "AccountTag": "{{ account_id }}",
+ "TunnelID": "{{ tunnel_id }}",
+ "TunnelSecret": "{{ tunnel_secret }}"
+}
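Review bot: The new `Create tunnel configuration file` task sets no `owner`, `group` or `mode`, so the permissions of `/etc/cloudflared/config.yml` depend on the umask of the run; add `owner: root`, `group: root` and `mode: "0644"`. The commented-out credentials task should gain `mode: "0600"` and `no_log: true` before it is enabled, because the file it renders holds the tunnel secret. Neither template task notifies a handler, so a changed config is not picked up by a service that is already running; `notify: Restart cloudflared` with a matching handler would cover that. The task name `Install cloudfared system service` has a typo, and `enabled: yes` is better written as `enabled: true`.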
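Review bot: `credentials-file` points at `/etc/cloudflared/cert.pem`, but cloudflared expects the tunnel's credentials JSON in that setting, and the commented-out task in tasks/main.yml would write `/etc/cloudflared/credentials.json`; the line should read `credentials-file: /etc/cloudflared/credentials.json`. `cert.pem` is the account-level certificate produced by `cloudflared tunnel login` and grants tunnel management, which is more than a host that only runs one tunnel needs. No task in this commit places either file, so the service presumably relies on a manually copied credential for now, and that deserves a comment in the role. The wildcard `*.khuedoan.com` rule forwards every hostname to the one backend over plain HTTP on the LAN side; confirm that this is intended and that access is restricted at the Cloudflare edge.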
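Review bot: The template interpolates `tunnel_secret` and the other three values as raw text inside JSON string quotes, so a value containing `"` or `\` renders invalid JSON; use the filter instead, e.g. `"TunnelSecret": {{ tunnel_secret | to_json }}`. The diff defines none of the four variables, so the role's defaults or README should state that `tunnel_secret` must come from Ansible Vault or an external secret store, never from a plain-text vars file. The template stays unused until the commented-out task in tasks/main.yml is enabled.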