Connect with self-managed SSH keys
If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the
cloudflared daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can SSH to the server unless you build policies to allow or block specific users.
This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections.
Before creating your VM instance you will need to create an SSH key pair.
-
Open a terminal and type the following command:
-
Enter your passphrase when prompted. It will need to be entered twice.
Two files will be generated:
gcp_sshwhich contains the private key, and
gcp_ssh.pubwhich contains the public key.
-
In the command line, enter:
-
Copy the output. This will be used when creating the VM instance in GCP.
Now that the SSH key pair has been created, you can create a VM instance.
- In your Google Cloud Console ↗, create a new project ↗.
- Go to Compute Engine > VM instances.
- Select Create instance.
- Name your VM instance, for example
ssh-server.
- Scroll down to Advanced options > Security > Manage Access.
- Under Add manually generated SSH keys, select Add item and paste the public key that you have created.
- Select Create.
- Once your VM instance is running, open the dropdown next to SSH and select Open in browser window.
-
In Zero Trust ↗, go to Networks > Tunnels.
-
Create a new tunnel or edit an existing
cloudflaredtunnel.
-
In the CIDR tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the Internal IP of the VM instance.
-
(Optional) Set up Zero Trust policies to fine-tune access to your server.
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode or generate a proxy endpoint and deploy a PAC file.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.
-
First, check whether your Split Tunnels mode is set to Exclude or Include mode.
-
Edit your Split Tunnel routes depending on the mode:
If you are using Exclude mode:
a. Delete the route containing your private network's IP/CIDR range. For example, if your network uses the default AWS range of
172.31.0.0/16, delete
172.16.0.0/12.
b. Re-add IP/CIDR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for
172.16.0.0/13,
172.24.0.0/14,
172.28.0.0/15, and
172.30.0.0/16. This ensures that only traffic to
172.31.0.0/16routes through WARP.
You can use the following calculator to determine which IP addresses to re-add:
Calculator instructions
- In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels.
- In Excluded CIDRs, enter the IP/CIDR range used by your private network.
- Re-add the calculator results to your Split Tunnel Exclude mode list.
By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.
If you are using Include mode:
- Add the required Zero Trust domains or IP addresses to your Split Tunnel include list.
- Add a route to include your private network's IP/CIDR range.
Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command.
