If you do not want to open ports on your network but still want to SSH in from the internet, you can use Cloudflare Access to achieve this.
App on Cloudflare Access
Head to the Zero Trust dashboard to create a new application. Select the Applications page from the sidebar. Click Add application.
Select Self Hosted.
[Screenshot: Self Hosted app on Cloudflare Zero Trust Dashboard]
Enter the Application name and add the subdomain.
[Screenshot: Application name and other options]
Edit the App Policy to allow only the email address that you would like to authenticate.
[Screenshot: App policy]
Cloudflared on the origin server
Cloudflare Tunnel creates a secure, outbound-only connection between the origin server and Cloudflare's network. With this, you can lock down any externally exposed points of ingress, which means no open ports. So, now we want to configure the tunnel on the origin server.
For that, grab the package from GitHub.
Install the downloaded .deb (if the server is a Debian derivative):
$ sudo apt install ./cloudflared.deb
Run the following command on the server to authenticate cloudflared with your Cloudflare account.
$ cloudflared tunnel login
On a headless server, cloudflared prints the login URL in the command-line output so that you can open it in a browser on any machine and authenticate there.
Creating the tunnel
$ cloudflared tunnel create <tunnel name>
This will create a tunnel and output the relevant details, such as the tunnel UUID, that you need for the next step. Sample output:
Tunnel credentials written to /home/user/.cloudflared/ce347-ewr-rbweb-b1b.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel <tunnel name> with id <unique id>
Create a YAML file as follows:
$ sudo nano /etc/cloudflared/config.yml
Next, configure the Tunnel, replacing the example ID below with the unique ID of the Tunnel created above. Additionally, replace the hostname in this example with the hostname of the application you configured in Cloudflare Access.
tunnel: 6ff42ae2-id-demo-unique-31cid1551ef
credentials-file: /home/user/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json
ingress:
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  - service: http_status:404
You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the service configured as long as the hostname is defined with an ingress rule.
Navigate to the Cloudflare Dashboard and choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. Click + Add record.
Select CNAME as the record type. For the target, input the ID of your Tunnel followed by cfargotunnel.com. In this example, the target would be:
<unique id>.cfargotunnel.com
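As an added check (an example script written for this article, not code from the original post or from Cloudflare), the following POSIX shell function validates a config.yml before the service is enabled. It confirms that tunnel: holds a real UUID rather than a leftover placeholder; that credentials-file is the <UUID>.json cloudflared wrote for that same tunnel (cloudflared names the file after the tunnel id, so the two values must agree); that the file is readable only by its owner, since the output above says to keep it secret; and that the ingress ends in the catch-all rule cloudflared requires before it will start. It also prints the CNAME target each hostname needs. The file paths and hostnames it is run against are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a cloudflared
# config.yml before enabling the service.
# Usage: check_cloudflared_config /etc/cloudflared/config.yml
# Exit status 0 when every check passes, 1 when something needs fixing.

check_cloudflared_config() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }

    tunnel_id=$(sed -n 's/^tunnel:[[:space:]]*//p' "$cfg" | head -n 1)
    cred_file=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$cfg" | head -n 1)

    # 1. tunnel: must be the UUID printed by `cloudflared tunnel create`,
    #    not a placeholder copied from an example.
    if ! printf '%s\n' "$tunnel_id" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "tunnel: '$tunnel_id' is not a tunnel UUID"
        rc=1
    fi

    # 2. cloudflared names the credentials file after the tunnel UUID, so a
    #    different basename means the config points at another tunnel's secret.
    case "$(basename "$cred_file")" in
        "$tunnel_id.json") ;;
        *) echo "credentials-file basename does not match tunnel id $tunnel_id"; rc=1 ;;
    esac

    # 3. The credentials file is a secret: it must exist, and the group/other
    #    permission bits (columns 5-10 of `ls -l`) must all be cleared.
    if [ ! -f "$cred_file" ]; then
        echo "credentials-file $cred_file does not exist"
        rc=1
    elif [ "$(ls -ld "$cred_file" | cut -c5-10)" != "------" ]; then
        echo "credentials-file is readable by group/others; run: chmod 600 $cred_file"
        rc=1
    fi

    # 4. Every hostname in the ingress needs a CNAME to <tunnel id>.cfargotunnel.com.
    sed -n 's/^[[:space:]]*-[[:space:]]*hostname:[[:space:]]*//p' "$cfg" |
        while read -r host; do
            echo "DNS needed: $host CNAME $tunnel_id.cfargotunnel.com"
        done

    # 5. cloudflared refuses to start unless the last ingress rule is a
    #    catch-all: a `service:` entry with no hostname, e.g. http_status:404.
    last_item=$(grep -E '^[[:space:]]*-[[:space:]]' "$cfg" | tail -n 1 | sed 's/^[[:space:]]*-[[:space:]]*//')
    case "$last_item" in
        service:*) ;;
        *) echo "last ingress rule must be a catch-all 'service:' rule"; rc=1 ;;
    esac

    return "$rc"
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_cloudflared_config "$1"
fi
```

Run it as `sh check.sh /etc/cloudflared/config.yml` after writing the config and before `cloudflared service install`; a non-zero exit means one of the printed messages needs attention. Note that the config shown above would fail the first two checks as written, because its tunnel: value is the demo placeholder and does not match the UUID in the credentials-file name, which is exactly the state the text tells you to replace.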
Running cloudflared as a service
I use Linux, so in this article I will explain how to do it via systemctl.
$ sudo cloudflared service install
$ sudo systemctl enable cloudflared
$ sudo systemctl start cloudflared
SSH-ing from a browser on the client
Cloudflare can render an SSH client in your browser.
To enable it, navigate to the application page of the Access section in the Zero Trust dashboard. Click Edit and select the Settings tab. In the cloudflared settings card, select SSH from the Browser Rendering drop-down menu.
Once enabled, when users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.