Skip to content

Connect with self-managed SSH keys

If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the cloudflared daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can SSH to the server unless you build policies to allow or block specific users.

This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections.

1. Create an SSH key pair

Before creating your VM instance you will need to create an SSH key pair.

  1. Open a terminal and type the following command:

    Terminal window
    ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C <username in GCP>
  2. Enter your passphrase when prompted. It will need to be entered twice.

    Two files will be generated: gcp_ssh which contains the private key, and gcp_ssh.pub which contains the public key.

  3. In the command line, enter:

    Terminal window
    cat ~/.ssh/gcp_ssh.pub
  4. Copy the output. This will be used when creating the VM instance in GCP.

2. Create a VM instance in GCP

Now that the SSH key pair has been created, you can create a VM instance.

  1. In your Google Cloud Console, create a new project.
  2. Go to Compute Engine > VM instances.
  3. Select Create instance.
  4. Name your VM instance, for example ssh-server.
  5. Scroll down to Advanced options > Security > Manage Access.
  6. Under Add manually generated SSH keys, select Add item and paste the public key that you have created.
  7. Select Create.
  8. Once your VM instance is running, open the dropdown next to SSH and select Open in browser window.

3. Connect the server to Cloudflare

  1. Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

  2. In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). In GCP, the server IP is the Internal IP of the VM instance.

  3. (Optional) Set up Zero Trust policies to fine-tune access to your server.

4. Set up the client

To connect your devices to Cloudflare:

  1. Deploy the WARP client on your devices in Gateway with WARP mode.
  2. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.

5. Route private network IPs through WARP

By default, WARP excludes traffic bound for RFC 1918 space, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

  1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.
  2. If you are using Include mode, add your private network's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.
  3. If you are using Exclude mode:
    1. Delete your private network's IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
    2. Re-add IP/CIDR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.

6. Connect as a user

Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command.

Terminal window
ssh -i ~/.ssh/gcp_ssh <username>@<server IP>