The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare One, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.
Cloudflare offers four ways to secure SSH:
SSH with client-side cloudflared
Setup time: 15-30 minutes
Required products: Cloudflare Tunnel (cloudflared on server and client), Access
Best for: Seamless SSH access with identity-based authentication using native terminal
Key differentiator: No WARP client required — works with just cloudflared on both ends
SSH with Access for Infrastructure
Setup time: 45-60 minutes
Required products: Cloudflare Tunnel (cloudflared on server), WARP or Magic WAN (client on-ramp), Gateway, Access
Best for: Advanced SSH certificate-based authentication with short-lived credentials
Key differentiator: SSH certificates with Access policies and command logging
Setup time: 30-45 minutes
Required products: Cloudflare Tunnel (cloudflared on server), WARP or Magic WAN (client on-ramp), Gateway
Best for: Traditional SSH key management with network-level policy enforcement
Key differentiator: Keep your existing SSH key infrastructure with no client-side cloudflared or SSH config changes needed
Setup time: 20-30 minutes
Required products: Cloudflare Tunnel (cloudflared on server), Access
Best for: Browser-based SSH access for quick administrative tasks
Key differentiator: No SSH client or WARP required — connect directly from a browser
