This page looks best with JavaScript enabled

Configuring cloudflare tunnel for ssh access

 ·   ·  β˜• 3 min read

    Install cloudflared on the server

    sudo wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i ./cloudflared-linux-arm64.deb

    Authenticate cloudflared

    Run the following command on the server to authenticate cloudflared into your Cloudflare account.

    cloudflared tunnel login

    Create a Tunnel

    Next, create a Tunnel on the server with the command below.

    cloudflared tunnel create <NAME>

    for example: cloudflared tunnel create pi-tunnel

    Replacing with a name for the Tunnel. This name can be any value. A single Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP.

    The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command.

    cloudflared tunnel list

    Add ingress rule

    nano /home/ubuntu/.cloudflared/config.yml

    Sample config

    tunnel: d056d12e-b9d1-433d-837b-076b6cc5d6c6
credentials-file: /home/ubuntu/.cloudflared/d056d12e-b9d1-433d-837b-076b6cc5d6c6.json

ingress:
  - hostname: pi.ohidur.com
    service: http://localhost:80
  - hostname: pi-ssh.ohidur.com
    service: ssh://localhost:22
  - hostname: portainer.ohidur.com
    service: http://localhost:9000
  - hostname: code.ohidur.com
    service: http://localhost:8443
  - hostname: home.ohidur.com
    service: http://localhost:8004
  - hostname: cloud.ohidur.com
    service: http://localhost:7000
  - hostname: cockpit.ohidur.com
    service: https://localhost:9090
  - hostname: pub.ohidur.com
    service: http://localhost:5000
    originRequest:
        noTLSVerify: true
  - service: http_status:404

    Find more: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress

    Route to the Tunnel

    You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the service configured as long as the hostname is defined with an ingress rule.

    Navigate to dash.cloudflare.com and choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. Click + Add record.

    Select CNAME as the record type. For the target, input the ID of your Tunnel followed by cfargotunnel.com. In this example, the target would be:

    d056d12e-b9d1-433d-837b-076b6cc5d6c6.cfargotunnel.com

    Run the Tunnel

    You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing with the name created for your Tunnel.

    cloudflared tunnel run <NAME>

    Run cloudflared as a service

    Linux

    sudo cloudflared service install

    Eg: sudo cloudflared –config /home/ubuntu/.cloudflared/config.yml service install

    alternatively,

    copy the configuration file

    sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml

    If you have already logged in and have a configuration file in ~/.cloudflared/, these will be copied to /etc/cloudflared. If you do not have a configuration file, you will need to create a config.yml file with fields listed above. You can pass a custom file by running cloudflared –config CONFIG-FILE service install. The above arguments are required for pre-configured Cloudflare Tunnel deployments. If you are using legacy Tunnels, without names, you can append the –legacy flag when running cloudflared tunnel install command.

    Then, start the system service with the following command:

    sudo systemctl start cloudflared

    Or start on boot with:

    sudo systemctl enable cloudflared

    Connect from a client machine

    Native Terminal
    You can now connect from a client machine using cloudflared.

    This example uses a macOS laptop. On macOS, you can install cloudflared with the following command using Homebrew.

    $ brew install cloudflare/cloudflare/cloudflared

    While you need to install cloudflared, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file.

    vim ~/.ssh/config

    Input the following values; replacing azure.widgetcorp.tech with the hostname you created.

    Host azure.widgetcorp.tech
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

    You can now test the SSH flow by running a command to reach the service. When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.

    For windows

    Added

    Host azure.widgetcorp.tech
  ProxyCommand cloudflared access ssh --hostname %h

    don’t forget to add cloudflared binary to the path.

    Ohidur Rahman Bappy
    WRITTEN BY
    Ohidur Rahman Bappy
    πŸ“šLearner 🐍 Developer

    Β©2024 Ohidur.com