Remote SSH into a Host Using Cloudflared Tunnel

by Eric Bette

Cloudflared Tunnels are a great option for accessing services on a self-hosted home server remotely, but what about accessing the server directly?

In this short guide, I'll show how to set up remote SSH on a self-hosted server running a Cloudflared Tunnel so that you can access its command line for development, debugging, or maintenance while physically away from the machine.

Prerequisites

A host machine running a Cloudflared Tunnel. If this is a foreign concept to you, I recommend checking out my previous guide on the topic, all the way up to (but not including) the Onboarding Services section.

A client machine (the one you'll use to SSH into the server) with OpenSSH installed is also required.

Preparing the Host

First, SSH needs to be configured as a valid service through the Cloudflared Tunnel. This is very similar to the process outlined in the Onboarding Services section of the previous guide, with one key difference:

  1. Navigate to your tunnel configuration page: Home Dashboard > Zero Trust > Networks > Tunnels > yourTunnel > ... > Configure > Public Hostname
  2. Click + Add a public hostname.
  3. Fill out the subdomain, domain, and path fields based on how you want to access your service. For example:
    • For accessing the endpoint at ssh.yourtld.com
      • subdomain: ssh
      • domain: yourtld.com
      • path: <blank>
    • For accessing the endpoint at yourtld.com/ssh
      • subdomain: <blank>
      • domain: yourtld.com
      • path: ssh
  4. Under Type, select SSH
  5. Under URL, type localhost:<port>, where <port> is the port that SSH is exposed on the server's interface (this will be 22 in a standard configuration)

Preparing the Client

Next, let's move on to preparing the machine that you'll be SSH'ing from. This is the machine instance from which you'll be running SSH commands in order to access your remote server (the "host").

Install cloudflared

To access our remote server through SSH, the client needs to use the cloudflared CLI.

The steps required for setting up the CLI are different based on the OS of the client machine. Downloads and instructions for installing the CLI on Windows, Mac, and Linux can be found in the Cloudflare documentation here.

Configuring the SSH Command

Accessing the remote server through SSH requires a special command to be run by the client (as opposed to the standard ssh user@host usage pattern in SSH).

However, we will configure our SSH config file to run this command in the background so that the front-end usage in the client terminal will be the same (e.g. ssh user@host).

To do this, open up the config file in the .ssh/ directory in the user's home folder on the client machine. This should be at the following locations:

If the config file doesn't exist in the directory yet, simply create it now.

Add the following entry to the .ssh/config file, where <host> is the SSH endpoint that you configured in the Cloudflared Tunnel UI above (in the Preparing the Host section):

Host <host>
  ProxyCommand /usr/bin/cloudflared access ssh --hostname %h

Replace the <host> string with the SSH endpoint configured for the host

In Linux, you can use the following one-liner to achieve this:

eric@ubuntu-client:~$ echo -e "Host <host>\n   ProxyCommand /usr/bin/cloudflared access ssh --hostname %h" >> ~/.ssh/config

Replace the <host> string with the SSH endpoint configured for the host

Now, when you run ssh <user>@<host>, the OpenSSH client will automatically run the ProxyCommand configured above (cloudflared access ssh ...) in order to reach the host through the tunnel.
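An idempotent variant of the one-liner above, as an added example that is not from the original post: the function name add_cf_ssh_host and its optional arguments are assumptions of this example. It refuses wildcard Host patterns, which would send every matching connection through the ProxyCommand, and does not append a second entry when run twice.

```shell
# add_cf_ssh_host HOST [CONFIG] [CLOUDFLARED]
# Hypothetical helper for this example; defaults follow the paths used in the guide.
add_cf_ssh_host() {
  host=$1
  config=${2:-"$HOME/.ssh/config"}
  cfd=${3:-/usr/bin/cloudflared}

  # Accept only a literal hostname. A pattern such as "*" or "*.example.com"
  # would route every matching SSH connection through cloudflared.
  case $host in
    ''|*[!A-Za-z0-9.-]*) echo "refusing host pattern: '$host'" >&2; return 2 ;;
  esac

  # Keep ~/.ssh and its config readable and writable by the owner only.
  dir=$(dirname "$config")
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  [ -e "$config" ] || : > "$config" || return 1
  chmod 600 "$config" || return 1

  # Skip if a Host line already names this host exactly (no duplicate entries).
  if awk -v h="$host" 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                       END { exit !found }' "$config"; then
    echo "entry for $host already present in $config" >&2
    return 0
  fi

  # Warn, but still write the entry, if the binary is not at the expected path.
  [ -x "$cfd" ] || echo "warning: $cfd not found or not executable" >&2

  # Leading newline keeps the entry separate even if the file lacks a final newline.
  printf '\nHost %s\n  ProxyCommand %s access ssh --hostname %%h\n' "$host" "$cfd" >> "$config"
}
```

Call it as add_cf_ssh_host <host>, with the same <host> value you entered in the tunnel configuration.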

That's it! Your host is now accessible over remote SSH!

eric@ubuntu-client:~$ cat ~/.ssh/config
Host ssh.test-ubuntu-host.com
  ProxyCommand /usr/bin/cloudflared access ssh --hostname %h

eric@ubuntu-client:~$ ssh eric@ssh.test-ubuntu-host.com
eric@ubuntu-host's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Last login: Mon Sep 30 04:44:10 2024 from 127.0.0.1

Conclusion & Next Steps

In this guide, I showed how to set up external/remote SSH access to a server that is reverse-proxied using a Cloudflared Tunnel by configuring the SSH endpoint in the Cloudflared Tunnel configuration and configuring the correct OpenSSH settings on the client machine.

Moving forward, it is highly recommended to set up key-based SSH access and remove password-based access to the server for optimized security. This way, only designated clients will be able to access the server and no one will be able to brute force their way into your server by attempting to guess the user's password.
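One way to confirm that recommendation took effect, as an added example that is not from the original post: check_key_only (a name chosen here) reads text in the format printed by sshd -T and reports any setting that still allows password logins. The two sample inputs are constructed, not captured from a real host.

```shell
# check_key_only: read "keyword value" lines (the format printed by `sshd -T`)
# on stdin; exit 0 only if the effective settings allow public-key logins only.
# On the host itself: sudo sshd -T | check_key_only
check_key_only() {
  awk '
    BEGIN {
      # Settings that together mean "key only, no guessable password".
      want["passwordauthentication"] = "no"
      want["kbdinteractiveauthentication"] = "no"
      want["pubkeyauthentication"] = "yes"
    }
    $1 in want { seen[$1] = $2 }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen)) {
          printf "MISSING %s (want %s)\n", k, want[k]; bad = 1
        } else if (seen[k] != want[k]) {
          printf "FAIL %s is %s (want %s)\n", k, seen[k], want[k]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample: password logins still enabled, as in the session shown above.
sample_default='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Constructed sample: the state after switching to key-based access only.
sample_hardened='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$sample_default" | check_key_only || echo "sample_default is not key-only"
printf '%s\n' "$sample_hardened" | check_key_only && echo "sample_hardened is key-only"
```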

As always, thanks for reading! Please leave any thoughts, comments, or criticisms below.