The Secure Shell (SSH) protocol allows users to connect to infrastructure to perform activities such as remote command execution.
Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to machines over SSH without being on a virtual private network (VPN).
cloudflared daemon installed on the host and client machines
If you have an origin that serves both SSH and HTTP requests, you need to place those services on separate domains or subdomains. Otherwise, requests for one protocol are routed to the other and fail; for example, a request made in a web browser would be proxied as SSH and fail.
To use Cloudflare Access, you first need to add a site to Cloudflare. You can use any site you have registered; the site does not need to be the same one you use for customer traffic and it does not need to match sites in your internal DNS.
Adding the site to Cloudflare requires changing your domain’s authoritative DNS to point to Cloudflare’s nameservers. Once configured, all requests to that hostname will be sent to Cloudflare’s network first, where Access policies can be applied.
The Cloudflare daemon, cloudflared, will maintain a secure, persistent, outbound-only connection from the machine to Cloudflare. SSH traffic will be proxied over this connection using Cloudflare Argo Tunnel.
Follow these instructions to download and install cloudflared on the host.
Run the following command to authenticate cloudflared into your Cloudflare account.
cloudflared tunnel login
cloudflared will open a browser window and prompt you to log in to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit it in a browser on any machine.
Once you log in, Cloudflare will display the sites that you added to your account. Select the site where you will create a subdomain to represent the machine or server. For example, if you plan to share the machine at ssh.site.com, select site.com from the list.
cloudflared will download a wildcard certificate for the site. This certificate will allow cloudflared to create a DNS record for a subdomain of the site.
Next, protect the subdomain you plan to register with a Cloudflare Access policy. Follow these instructions to build a new policy to control who can connect to the machine.
For example, if you share the machine at ssh.site.com, build a policy that only allows your team members to connect to that subdomain.
By default, SSH servers listen on port 22. Confirm which port your infrastructure uses; nonstandard ports work as well.
Run the following command to connect the machine to Cloudflare, replacing the ssh.site.com and 22 values with your hostname and port.
cloudflared tunnel --hostname ssh.site.com --url ssh://localhost:22
cloudflared will confirm that the connection has been established. The process needs to be configured to stay alive and autostart; if the process is killed, end users will not be able to connect.
cloudflared will return an error.
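The host-side steps above, wrapped as an added example that is not part of the Cloudflare documentation: a shell helper that validates the hostname and port, builds the exact tunnel command from the page, optionally checks that sshd is listening, and writes a systemd unit so the process autostarts and is restarted if it is killed. The service user name, the cloudflared path and the unit path are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cloudflare page: wrap the host-side command
#   cloudflared tunnel --hostname ssh.site.com --url ssh://localhost:22
# in a systemd unit so it autostarts and is restarted if killed.
# Assumptions: cloudflared lives at /usr/local/bin/cloudflared, and a service
# user named "cloudflared" exists and owns the cert.pem written by
# "cloudflared tunnel login".
set -eu

# Build the exact command the page describes, validating both inputs.
tunnel_command() {
    local hostname="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # cloudflared creates a DNS record for a subdomain of the site, so the
    # hostname needs at least three labels (heuristic; an apex like site.com fails).
    case "$hostname" in
        *.*.*) ;;
        *) echo "hostname must be a subdomain such as ssh.site.com: $hostname" >&2; return 1 ;;
    esac
    printf '%s' "cloudflared tunnel --hostname $hostname --url ssh://localhost:$port"
}

# Optional preflight on Linux: is anything listening on that port? (uses ss)
ssh_port_listening() {
    ss -Hltn "sport = :$1" 2>/dev/null | grep -q .
}

# Write a unit file; Restart=always is what keeps the tunnel alive.
write_systemd_unit() {
    local hostname="$1" port="$2" unit_path="$3"
    local bin="${4:-/usr/local/bin/cloudflared}" cmd
    cmd="$(tunnel_command "$hostname" "$port")" || return 1
    cmd="${bin}${cmd#cloudflared}"   # systemd needs an absolute ExecStart path
    cat > "$unit_path" <<EOF
[Unit]
Description=Cloudflare Argo Tunnel for SSH (${hostname})
After=network-online.target
Wants=network-online.target

[Service]
User=cloudflared
ExecStart=${cmd}
Restart=always
RestartSec=5
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (as root), then: systemctl daemon-reload && systemctl enable --now cloudflared-ssh
#   write_systemd_unit ssh.site.com 22 /etc/systemd/system/cloudflared-ssh.service
```

The unit runs cloudflared as an unprivileged service user; whichever user runs the unit must be the one whose home directory holds the certificate from cloudflared tunnel login, otherwise the tunnel cannot authenticate to Cloudflare.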
Follow the same steps above to download and install cloudflared on the client desktop that will connect to the machine. cloudflared will need to be installed on each user device that will connect.
Cloudflare Access does not require any unique commands or SSH wrappers. The only change required is an update to your SSH configuration file; cloudflared will print the details you need.
To generate generic configuration settings, run the following command:
cloudflared access ssh-config
The command will print SSH configuration details in the following format:
Host [your hostname]
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
Replace the [your hostname] value with the hostname configured for the remote machine.
Optionally, if you know the hostname, you can run the following command to generate the exact SSH configuration details. Replace ssh.site.com with your remote machine's hostname.
cloudflared access ssh-config --hostname ssh.site.com
The command will print the following details:
Host ssh.site.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
Add that block to your SSH configuration file. Then run the standard SSH command for the hostname to create a connection from the device to Cloudflare, replacing ssh.site.com with the hostname from your configuration file:
ssh ssh.site.com
cloudflared will launch a browser window and prompt the user to authenticate with your SSO provider.
If you use SSH to reach a Git repository, you can continue to use the git command (git clone, git fetch, git push) without any wrapper. You will still need to update your SSH configuration file using the instructions above, with a Host entry for the repository's hostname.
Once configured, you can test the connection with the standard SSH test against the repository host, replacing [your hostname] with that hostname:
ssh -T git@[your hostname]
Cloudflare Access does not replace SSH key exchange with a Git repository: Access authenticates the user with your SSO provider, and the repository still checks the user's SSH key.
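An added example, not Cloudflare's own code, that covers both the configuration-file step above and the Git case: a shell helper that writes the Host/ProxyCommand block in the same shape cloudflared prints into an SSH config file without duplicating entries, and adds a User and IdentityFile for a repository host because Access leaves the key exchange in place. The path /usr/local/bin/cloudflared, the name git.site.com and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cloudflare page: write the ProxyCommand entries
# that "cloudflared access ssh-config" prints into an SSH config file
# idempotently, for an interactive host and for a Git host that still needs
# its SSH key. Assumptions: cloudflared is at /usr/local/bin/cloudflared
# (override with the CLOUDFLARED variable); git.site.com is an illustrative name.
set -eu

CLOUDFLARED="${CLOUDFLARED:-/usr/local/bin/cloudflared}"

# Render one Host block in the shape cloudflared prints. The optional user
# (e.g. "git") and identity file matter for repository hosts: Access checks
# the person via SSO, the repository still checks the SSH key.
render_host_block() {
    local hostname="$1" user="${2:-}" identity="${3:-}"
    printf 'Host %s\n' "$hostname"
    printf '  ProxyCommand %s access ssh --hostname %%h\n' "$CLOUDFLARED"
    [ -n "$user" ] && printf '  User %s\n' "$user"
    [ -n "$identity" ] && printf '  IdentityFile %s\n  IdentitiesOnly yes\n' "$identity"
    return 0
}

# Escape dots so a hostname can be used literally in an extended regex.
host_regex() {
    printf '^Host[[:space:]]+%s([[:space:]]|$)' "$(printf '%s' "$1" | sed 's/[.]/\\./g')"
}

# Append the block only when the config has no entry for that hostname yet,
# and keep the file readable by its owner only.
install_host_block() {
    local config="$1" hostname="$2" user="${3:-}" identity="${4:-}"
    if [ -f "$config" ] && grep -qE "$(host_regex "$hostname")" "$config"; then
        echo "entry for $hostname already present in $config" >&2
        return 0
    fi
    {
        [ -s "$config" ] && echo   # blank line between blocks
        render_host_block "$hostname" "$user" "$identity"
    } >> "$config"
    chmod 600 "$config"
}

# Number of Host entries for a hostname in a config file (should be exactly one).
count_host_entries() {
    grep -cE "$(host_regex "$2")" "$1" || true
}

# Client-side preflight: the ProxyCommand only works if the binary is executable.
check_client() {
    [ -x "$CLOUDFLARED" ] || { echo "cloudflared not executable at $CLOUDFLARED" >&2; return 1; }
}

# Usage:
#   install_host_block "$HOME/.ssh/config" ssh.site.com
#   install_host_block "$HOME/.ssh/config" git.site.com git "$HOME/.ssh/id_ed25519"
```

The repository host gets IdentitiesOnly yes so the client offers only the key the repository expects rather than every key in the agent; running the helper a second time for the same hostname leaves the file unchanged.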
A video guide is also available, showing how to use Cloudflare Access to protect an SSH connection by setting up a secure link with Argo Tunnel.