Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Connect with SSH through Cloudflare Tunnel

The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.

Cloudflare Zero Trust offers two solutions to provide secure access to SSH servers:

​​ Set up an SSH server in GCP

This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections.

​​ 1. Create an SSH key pair

Before creating your VM instance you will need to create an SSH key pair.

  1. Open a terminal and type the following command:

    $ ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C <username in GCP>
  2. Enter your passphrase when prompted. It will need to be entered twice.

    Two files will be generated: gcp_ssh which contains the private key, and gcp_ssh.pub which contains the public key.

  3. In the command line, enter:

    $ cat ~/.ssh/gcp_ssh.pub
  4. Copy the output. This will be used when creating the VM instance in GCP.

​​ 2. Create a VM instance in GCP

Now that the SSH key pair has been created, you can create a VM instance.

  1. In your Google Cloud Console, create a new project.
  2. Go to Compute Engine > VM instances.
  3. Select Create instance.
  4. Name your VM instance, for example ssh-server.
  5. Scroll down to Advanced options > Security > Manage Access.
  6. Under Add manually generated SSH keys, select Add item and paste the public key that you have created.
  7. Select Create.
  8. Once your VM instance is running, open the dropdown next to SSH and select Open in browser window.

​​ Connect to SSH server with WARP to Tunnel

You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare’s edge. This requires running the cloudflared daemon on the server. Users reach the service by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users.

​​ 1. Connect the server to Cloudflare

  1. Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

  2. In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). In GCP, the server IP is the Internal IP of the VM instance.

  3. (Optional) Set up Zero Trust policies to fine-tune access to your server.

​​ 2. Set up the client

To connect your devices to Cloudflare:

  1. Deploy the WARP client on your devices in Gateway with WARP mode. The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic.
  2. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.

​​ 3. Route private network IPs through WARP

By default, WARP excludes traffic bound for RFC 1918 space, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

  1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.

  2. If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

  3. If you are using Exclude mode:

    1. Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
    2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.

​​ 4. Connect as a user

Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command.

$ ssh -i ~/.ssh/gcp_ssh <username>@<server IP>

​​ Connect to SSH server with cloudflared access

Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having cloudflared installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.

The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes.

​​ 1. Connect the server to Cloudflare

  1. Create a Cloudflare Tunnel by following our dashboard setup guide.

  2. In the Public Hostnames tab, choose a domain from the drop-down menu and specify any subdomain (for example, ssh.example.com).

  3. For Service, select SSH and enter localhost:22. If the SSH server is on a different machine from where you installed the tunnel, enter <server IP>:22.

  4. Select Save hostname.

  5. (Recommended) Add a self-hosted application to Cloudflare Access in order to manage access to your server.

​​ 2. Connect as a user

Users can connect from their device by authenticating through cloudflared, or from a browser-rendered terminal.

​​ Native Terminal

  1. Install cloudflared on the client machine.

  2. Make a one-time change to your SSH configuration file:

    $ vim ~/.ssh/config
  3. Input the following values; replacing ssh.example.com with the hostname you created.

    Host ssh.example.com
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

    The cloudflared path may be different depending on your OS and package manager. For example, if you installed cloudflared on macOS with Homebrew, the path is /opt/homebrew/bin/cloudflared.

  4. You can now test the connection by running a command to reach the service:

    $ ssh <username>@ssh.example.com

    When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.

​​ Browser-rendered terminal

End users can connect to the SSH server without any configuration by using Cloudflare’s browser-based terminal. When users visit the public hostname URL (for example, https://ssh.example.com) and log in with their Access credentials, Cloudflare will render a terminal in their browser.

To enable, refer to Enable browser rendering.