Introduction
SSH is a secure (not so) protocol used to access remote servers. In order to access a server remotely, you need to expose your server to the internet. Let’s say, you’re using a cloud provider to tunnel your server, you will get a public IP address. This public IP address can be used to access your server. However, exposing your server to the internet can be risky. Instead of exposing your server to the internet, you can create an SSH tunnel using Cloudflared.
What is Cloudflared? Cloudflared (formerly known as Argo Tunnel) is a lightweight daemon that creates an encrypted tunnel (reverse proxy) between your server and Cloudflare’s edge network. This tunnel allows you to expose your server to the internet without exposing your server’s IP address.
Is this free? Yes (at least for now). Cloudflare offers a free plan for Cloudflared. You can use this free plan to create an SSH tunnel.
TL;DR: Cloudflared is a reverse proxy that allows you to expose your server to the internet without exposing your server’s IP address. Official documentation can be found here.
Note: This article works on Linux-based OS (Debian), please adjust the command based on your OS.
Prerequisites
Before you begin, please make sure you have the following:
- The domain name–you can get it really cheap from you provider.
- Cloudflare account–you can register here.
- Transfer your domain to Cloudflare–you can follow the instruction here.
All set? Let’s get started!
Setup through dashboard
The easiest way to create and manage SSH tunnel with Cloudflared is by using their dashboard. Please follow the instruction below:
-
Login to Zero Trust dashboard, then go to
Networks > Tunnels. -
Click
Create Tunnel. -
Choose Cloudflared as the tunnel type and click
Next. -
Enter the tunnel name and click
Save tunnel. Please reflect the purpose of the tunnel. For example,site001-pc001. -
Install Cloudflared on your remote server and run the connector (by providing the token). You can follow the installation that appears on the dashboard. Or you can manually install by following the instruction below.
Install Cloudflared on remote server by running the following command:
Terminal window curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&sudo dpkg -i cloudflared.deb &&rm cloudflared.debNext, you need to add token
Terminal window sudo cloudflared service install <TOKEN>You can find the token on the dashboard.
-
Route the tunnel by using your domain name. For example, you can route the tunnel to
ssh-site001-pc001.yourdomain.com. Next, choose service type asSSHand url aslocalhost:22. -
Save the tunnel and you’re done!
Access from local
In order to access the server from your local machine, you need to install Cloudflared on your local machine. You can follow the installation by running the following command:
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && sudo dpkg -i cloudflared.deb && rm cloudflared.debNext, you need to add remote server to your SSH config. You can do this by adding the following configuration to your ~/.ssh/config:
Host site001-pc001 Hostname ssh-site001-pc001.yourdomain.com ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %hNow you can access the server by running the following command:
ssh site001-pc001That’s it! You have successfully created an SSH tunnel using Cloudflared.
Login with SSH key
To login to the server using SSH key, you need to generate SSH key on your local machine. You can do this by running the following command:
ssh-keygen -t rsaNext, you need to copy the public key to the server. You can do this by running the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub site001-pc001Now, you can access the server using SSH key.
Disable login by password
To make your server more secure, you can disable login by password. You can do this by editing the SSH config file on server. You can do this by running the following command:
sudo nano /etc/ssh/sshd_configNext, find the following line:
PasswordAuthentication yesChange it to:
PasswordAuthentication noSave the file and restart the SSH service by running the following command:
sudo systemctl restart sshdNow, you can only access the server using SSH key.
Conclusion
In this article, I have shown you how to create an SSH tunnel using Cloudflared. By using Cloudflared, you can expose your server to the internet without exposing your server’s IP address. This will make your server more secure.