Install cloudflared on the server
sudo wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb sudo dpkg -i ./cloudflared-linux-arm64.deb
Run the following command on the server to authenticate cloudflared into your Cloudflare account.
cloudflared tunnel login
Create a Tunnel
Next, create a Tunnel on the server with the command below.
cloudflared tunnel create <NAME>
for example: cloudflared tunnel create pi-tunnel
The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command.
cloudflared tunnel list
Add ingress rule
tunnel: d056d12e-b9d1-433d-837b-076b6cc5d6c6 credentials-file: /home/ubuntu/.cloudflared/d056d12e-b9d1-433d-837b-076b6cc5d6c6.json ingress: - hostname: pi.ohidur.com service: http://localhost:80 - hostname: pi-ssh.ohidur.com service: ssh://localhost:22 - hostname: portainer.ohidur.com service: http://localhost:9000 - hostname: code.ohidur.com service: http://localhost:8443 - hostname: home.ohidur.com service: http://localhost:8004 - hostname: cloud.ohidur.com service: http://localhost:7000 - hostname: cockpit.ohidur.com service: https://localhost:9090 - hostname: pub.ohidur.com service: http://localhost:5000 originRequest: noTLSVerify: true - service: http_status:404
Find more: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress
Route to the Tunnel
You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the service configured as long as the hostname is defined with an ingress rule.
Navigate to dash.cloudflare.com and choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. Click + Add record.
Select CNAME as the record type. For the target, input the ID of your Tunnel followed by cfargotunnel.com. In this example, the target would be:
Run the Tunnel
You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing
cloudflared tunnel run <NAME>
Run cloudflared as a service
sudo cloudflared service install
Eg: sudo cloudflared –config /home/ubuntu/.cloudflared/config.yml service install
copy the configuration file
sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml
If you have already logged in and have a configuration file in ~/.cloudflared/, these will be copied to /etc/cloudflared. If you do not have a configuration file, you will need to create a config.yml file with fields listed above. You can pass a custom file by running cloudflared –config CONFIG-FILE service install. The above arguments are required for pre-configured Cloudflare Tunnel deployments. If you are using legacy Tunnels, without names, you can append the –legacy flag when running cloudflared tunnel install command.
Then, start the system service with the following command:
sudo systemctl start cloudflared
Or start on boot with:
sudo systemctl enable cloudflared
Connect from a client machine
You can now connect from a client machine using cloudflared.
This example uses a macOS laptop. On macOS, you can install cloudflared with the following command using Homebrew.
$ brew install cloudflare/cloudflare/cloudflared
While you need to install cloudflared, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file.
Input the following values; replacing azure.widgetcorp.tech with the hostname you created.
Host azure.widgetcorp.tech ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
You can now test the SSH flow by running a command to reach the service. When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.
Host azure.widgetcorp.tech ProxyCommand cloudflared access ssh --hostname %h
don’t forget to add cloudflared binary to the path.