Connect to SSH with client-side cloudflared (legacy)
End users can connect to an SSH server without the WARP client by authenticating through cloudflared
in their native terminal. This method requires having cloudflared
installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.
Client-side cloudflared
can be used in conjunction with routing over WARP and Access for Infrastructure so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.
1. Connect the server to Cloudflare
-
Create a Cloudflare Tunnel by following our dashboard setup guide.
-
In the Public Hostnames tab, choose a domain from the drop-down menu and specify any subdomain (for example,
ssh.example.com
). -
For Service, select SSH and enter
localhost:22
. If the SSH server is on a different machine from where you installed the tunnel, enter<server IP>:22
. -
Select Save hostname.
-
(Recommended) Add a self-hosted application to Cloudflare Access in order to manage access to your server.
2. Connect as a user
-
Install
cloudflared
on the client machine. -
Make a one-time change to your SSH configuration file:
-
Input the following values; replacing
ssh.example.com
with the hostname you created.The
cloudflared
path may be different depending on your OS and package manager. For example, if you installedcloudflared
on macOS with Homebrew, the path is/opt/homebrew/bin/cloudflared
. -
You can now test the connection by running a command to reach the service:
When the command is run,
cloudflared
will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.