
Configuring Cloudflare Tunnel for SSH access


    Install cloudflared on the server

    sudo wget
    sudo dpkg -i ./cloudflared-linux-arm64.deb

    Authenticate cloudflared

    Run the following command on the server to authenticate cloudflared into your Cloudflare account.

    cloudflared tunnel login

    Create a Tunnel

    Next, create a Tunnel on the server with the command below.

    cloudflared tunnel create <NAME>

    For example: cloudflared tunnel create pi-tunnel

    Replace <NAME> with a name for the Tunnel. This name can be any value. A single Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP.

    The command will output an ID for the Tunnel and generate an associated credentials file. At any time you can list the Tunnels in your account with the following command.

    cloudflared tunnel list

    Add ingress rule

    nano /home/ubuntu/.cloudflared/config.yml

    Sample config

    tunnel: d056d12e-b9d1-433d-837b-076b6cc5d6c6
    credentials-file: /home/ubuntu/.cloudflared/d056d12e-b9d1-433d-837b-076b6cc5d6c6.json
    ingress:
      # Rules are evaluated top to bottom; the first matching hostname wins.
      - hostname:
        service: http://localhost:80
      - hostname:
        service: ssh://localhost:22
      - hostname:
        service: http://localhost:9000
      - hostname:
        service: http://localhost:8443
      - hostname:
        service: http://localhost:8004
      - hostname:
        service: http://localhost:7000
      - hostname:
        service: https://localhost:9090
      - hostname:
        service: http://localhost:5000
        originRequest:
          # Disables verification of the origin's TLS certificate; only affects https:// origins.
          noTLSVerify: true
      # Catch-all: requests for any other hostname get a 404.
      - service: http_status:404
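An added example, not part of the original post: a small shell function that audits the ingress section of a config like the one above. It checks that the last rule is a catch-all (cloudflared requires the final rule to match all traffic), flags `noTLSVerify: true`, and lists SSH origins so you can confirm an Access policy covers each hostname. The function names, the constructed sample and its placeholder hostnames are assumptions, and the parsing is line-based rather than a full YAML parser.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the ingress section of a
# cloudflared config.yml. Simplified line-based parsing, not a full YAML parser.
audit_ingress() {
  awk '
    function finish_rule() {
      if (n && svc ~ /^ssh:/)
        print "INFO rule " n ": " host " -> " svc " (confirm an Access policy covers this hostname)"
    }
    /^[ \t]*#/   { next }                        # skip comment lines
    /^ingress:/  { in_ingress = 1; next }
    !in_ingress  { next }
    /^[A-Za-z]/  { in_ingress = 0; next }        # next top-level key ends the list
    /^[ \t]*-[ \t]/ { finish_rule(); n++; host = ""; svc = "" }   # new rule
    {
      line = $0
      sub(/^[ \t]*(-[ \t]+)?/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      if (key == "hostname") host = val
      if (key == "service")  svc = val
      if (key == "noTLSVerify" && val == "true") {
        print "WARN rule " n ": noTLSVerify turns off origin certificate checks (" svc ")"
        bad++
      }
    }
    END {
      finish_rule()
      if (n == 0)          { print "FAIL no ingress rules found"; bad++ }
      else if (host != "") { print "FAIL last rule (" host ") is not a catch-all"; bad++ }
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample: placeholder hostnames, catch-all rule deliberately left out.
write_sample() {
  cat > "$1" <<'EOF'
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: admin.example.com
    service: https://localhost:9090
    originRequest:
      noTLSVerify: true
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_ingress "$sample" || echo "review the findings above before running the tunnel"
rm -f "$sample"
```

The function exits non-zero when it prints a WARN or FAIL line, so it can gate a deployment script; INFO lines alone do not fail it.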

    Find more:

    Route to the Tunnel

    You can now create a DNS record that will route traffic to this Tunnel. Multiple DNS records can point to a single Tunnel and will send traffic to the service configured as long as the hostname is defined with an ingress rule.

    Navigate to and choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy. Click + Add record.

    Select CNAME as the record type. For the target, input the ID of your Tunnel followed by In this example, the target would be:

    Run the Tunnel

    You can now run the Tunnel to connect the target service to Cloudflare. Use the following command to run the Tunnel, replacing <NAME> with the name created for your Tunnel.

    cloudflared tunnel run <NAME>

    Run cloudflared as a service


    sudo cloudflared service install

    E.g.: sudo cloudflared --config /home/ubuntu/.cloudflared/config.yml service install


    Copy the configuration file

    sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml

    If you have already logged in and have a configuration file in ~/.cloudflared/, these will be copied to /etc/cloudflared. If you do not have a configuration file, you will need to create a config.yml file with the fields listed above. You can pass a custom file by running cloudflared --config CONFIG-FILE service install. The above arguments are required for pre-configured Cloudflare Tunnel deployments. If you are using legacy Tunnels, without names, you can append the --legacy flag when running the cloudflared tunnel install command.

    Then, start the system service with the following command:

    sudo systemctl start cloudflared

    Or start on boot with:

    sudo systemctl enable cloudflared

    Connect from a client machine

    Native Terminal
    You can now connect from a client machine using cloudflared.

    This example uses a macOS laptop. On macOS, you can install cloudflared with the following command using Homebrew.

    $ brew install cloudflare/cloudflare/cloudflared

    While you need to install cloudflared, you do not need to wrap your SSH commands in any unique way. Instead, you will need to make a one-time change to your SSH configuration file.

    vim ~/.ssh/config

    Input the following values; replacing with the hostname you created.

      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

    You can now test the SSH flow by running a command to reach the service. When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.

    For Windows


      ProxyCommand cloudflared access ssh --hostname %h

    Don’t forget to add the cloudflared binary to the PATH.

    Ohidur Rahman Bappy
    📚 Learner 🐍 Developer