Connect with self-managed SSH keys
If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare’s global network. This requires running the cloudflared daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can SSH to the server unless you build policies to allow or block specific users.
This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections.
Before creating your VM instance you will need to create an SSH key pair.
-
Open a terminal and type the following command:
Terminal window ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C <username in GCP> -
Enter your passphrase when prompted. It will need to be entered twice.
Two files will be generated:
gcp_sshwhich contains the private key, andgcp_ssh.pubwhich contains the public key. -
In the command line, enter:
Terminal window cat ~/.ssh/gcp_ssh.pub -
Copy the output. This will be used when creating the VM instance in GCP.
Now that the SSH key pair has been created, you can create a VM instance.
- In your Google Cloud Console ↗, create a new project ↗.
- Go to Compute Engine > VM instances.
- Select Create instance.
- Name your VM instance, for example
ssh-server. - Scroll down to Advanced options > Security > Manage Access.
- Under Add manually generated SSH keys, select Add item and paste the public key that you have created.
- Select Create.
- Once your VM instance is running, open the dropdown next to SSH and select Open in browser window.
-
Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
-
In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). In GCP, the server IP is the Internal IP of the VM instance.
-
(Optional) Set up Zero Trust policies to fine-tune access to your server.
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.
-
First, check whether your Split Tunnels mode is set to Exclude or Include mode.
-
If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.
-
If you are using Exclude mode:
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
172.31.0.0/16, delete172.16.0.0/12. - Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for
172.16.0.0/13,172.24.0.0/14,172.28.0.0/15, and172.30.0.0/16. This ensures that only traffic to172.31.0.0/16routes through WARP.
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.
Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command.
ssh -i ~/.ssh/gcp_ssh <username>@<server IP>