diff --git a/cmd/flipt/main.go b/cmd/flipt/main.go
index 65af452e42..640981c64d 100644
--- a/cmd/flipt/main.go
+++ b/cmd/flipt/main.go
@@ -3,9 +3,11 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
+	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -22,6 +24,8 @@ import (
 	"go.flipt.io/flipt/internal/info"
 	"go.flipt.io/flipt/internal/release"
 	"go.flipt.io/flipt/internal/telemetry"
+	"go.flipt.io/reverst/client"
+	"go.flipt.io/reverst/pkg/protocol"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"golang.org/x/sync/errgroup"
@@ -370,26 +374,32 @@ func run(ctx context.Context, logger *zap.Logger, cfg *config.Config) error {
 
 	if cfg.Server.Cloud.Enabled {
 		// starts QUIC tunnel server to connect to Cloud
+		var (
+			orgHost = fmt.Sprintf("%s.%s", cfg.Server.Cloud.Organization, cfg.Server.Cloud.Address)
+			tunnel  = fmt.Sprintf("%s-%s", cfg.Server.Cloud.Instance, orgHost)
+		)
 
-		// TODO: get organization, instance, and authentication from config
-
-		// g.Go(func() error {
-		// 	tunnelServer := &client.Server{
-		// 		TunnelGroup:   fmt.Sprintf("%s.%s", cfg.Server.Cloud.Organization, cfg.Server.Cloud.Address),
-		// 		Handler:       httpServer.Handler,
-		// 		Authenticator: client.BearerAuthenticator(cfg.Server.Cloud.Authentication.ApiKey),
-		// 	}
+		g.Go(func() error {
+			tunnelServer := &client.Server{
+				TunnelGroup:   tunnel,
+				Handler:       httpServer.Handler,
+				Authenticator: client.BearerAuthenticator(cfg.Server.Cloud.Authentication.ApiKey),
+				TLSConfig: &tls.Config{
+					NextProtos: []string{protocol.Name},
+					ServerName: orgHost,
+				},
+			}
 
-		// 	tunnel := fmt.Sprintf("%s-%s.%s", cfg.Server.Cloud.Instance, cfg.Server.Cloud.Organization, cfg.Server.Cloud.Address)
+			addr := fmt.Sprintf("%s:%d", tunnel, cfg.Server.Cloud.Port)
 
-		// 	logger.Info("cloud tunnel available", zap.String("address", tunnel), zap.Int("port", cfg.Server.Cloud.Port))
+			logger.Info("cloud tunnel established", zap.String("address", fmt.Sprintf("https://%s", tunnel)))
 
-		// 	if err := tunnelServer.DialAndServe(ctx, fmt.Sprintf("%s:%d", tunnel, cfg.Server.Cloud.Port)); !errors.Is(err, http.ErrServerClosed) {
-		// 		return fmt.Errorf("cloud tunnel server: %w", err)
-		// 	}
+			if err := tunnelServer.DialAndServe(ctx, addr); err != nil && !errors.Is(err, http.ErrServerClosed) {
+				return fmt.Errorf("cloud tunnel server: %w", err)
+			}
 
-		// 	return nil
-		// })
+			return nil
+		})
 	}
 
 	// block until root context is cancelled
diff --git a/go.mod b/go.mod
index 3015811f3c..062ed45360 100644
--- a/go.mod
+++ b/go.mod
@@ -245,6 +245,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
+	go.flipt.io/reverst v0.1.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.25.0 // indirect
diff --git a/go.sum b/go.sum
index 18d6e64774..67712b0506 100644
--- a/go.sum
+++ b/go.sum
@@ -728,6 +728,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+go.flipt.io/reverst v0.1.2 h1:L43Jx5oWAQwOCK6J/bCN9fXgIIGymnJx1yyp2UCbb14=
+go.flipt.io/reverst v0.1.2/go.mod h1:0kDf22udIDgZAruOu6/9/dZIHRpWJhDcZ3fqoP33jc0=
 go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=