Connect through Cloudflare Access over SSH
You can connect to machines over SSH using Cloudflare's Zero Trust platform.
🗺️ This walkthrough covers how to:
- Build a policy in Cloudflare Access to secure the machine
- Connect a machine to Cloudflare's network using an SSH connection
- Connect from a client machine
⏲️ Time to complete:
Before you start
Create a Zero Trust policy
First, navigate to the Cloudflare for Teams dashboard to create a new application. Select the
Applications page from the sidebar. Click Add application.
Choose Self-hosted on the next page.
Input a subdomain where your application will be availble to users.
Next, create rules that control who can reach the application.
Finally, click Save to save the policy. You can return to edit the policy to make changes to who should be allowed or to choose what authentication providers can be used.
Cloudflare Argo Tunnel creates a secure, outbound-only, connection between this machine and Cloudflare's network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress. And with that, no open firewall ports.
Argo Tunnel is made possible through a lightweight daemon from Cloudflare called
cloudflared. Download and then install
cloudflared with the commands below. You can find releases for other operating systems .
$ sudo wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb$ sudo dpkg -i ./cloudflared-stable-linux-amd64.deb
Run the following command to authenticate cloudflared into your Cloudflare account.
$ cloudflared tunnel login
cloudflared will open a browser window and prompt you to login to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine.
Choose any hostname presented in the list. Cloudflare will issue a certificate scoped to your account. You do not need to pick the specific hostname where you will serve the Tunnel.
Create an Argo Tunnel
$ cloudflared tunnel create <NAME>
<NAME> with a name for the Tunnel. This name can be any value. A single Argo Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP.
The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command.
$ cloudflared tunnel list
Configure the Tunnel
YAML file that
cloudflared can reach. By default,
cloudflared will look for the file in the same folder where
cloudflared has been installed.
$ vim ~/.cloudflared/config.yml
Next, configure the Tunnel, replacing the example ID below with the ID of the Tunnel created above. Additionally, replace the hostname in this example with the hostname of the application configured with Cloudflare Access.
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551efcredentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json ingress: - hostname: azure.widgetcorp.tech service: ssh://localhost:22 - service: http_status:404 # Catch-all rule, which responds with 404 if traffic doesn't match any of # the earlier rules
Route to the Tunnel
You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the service configured as long as the hostname is defined with an .
dash.cloudflare.com and choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. Click + Add record.
CNAME as the record type. For the target, input the ID of your Tunnel followed by
cfargotunnel.com. In this example, the target would be:
Run the Tunnel
You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing
<NAME> with the name created for your Tunnel.
cloudflared tunnel run <NAME>
Connect from a client machine
You can now connect from a client machine using
This example uses a macOS laptop. On macOS, you can install
cloudflared with the following command using Homebrew.
$ brew install cloudflare/cloudflare/cloudflared
While you need to install
cloudflared, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file.
Input the following values; replacing
azure.widgetcorp.tech with the hostname you created.
Host azure.widgetcorp.tech ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
You can now test the SSH flow by running a command to reach the service. When the command is run,
cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.
Cloudflare can render an SSH client in your browser without the need for client software or end user configuration changes.
To enable, navigate to the application page of the Access section in the Cloudflare for Teams dashboard. Click Edit and select the Settings tab. In the
cloudflared settings card, toggle
Enable browser rendering to on.
Once enabled, when users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.