SSH Tunneling
I have created a tunnel for my domain which I want to use to connect to SSH with rather than the IP address. I've created the public hostname with the SSH service and I've created a route with my IP address I'd usually use to connect to the SSH server. I've saved it all, but I can't connect to the SSH using the domain still
In the URL, I included the same IP address that I put as the route, I'm not sure if that's what I did wrong or not since this is my first time using this. I'm also not using default port 22, I don't know if that makes a difference at all
Also, I'm not sure if tunnel is exactly what I need tbh. I have a service which requires people to connect to SSH, and most of them won't be knowledgeable enough, nor want to put in the effort of either using cloudflared, GCP, or anything of the like rather than a standard SSH connection via PuTTY or the command line
Yea might not work for your use then, you'd need to use cloudflared or WARP locally to get it working, guides here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/
Reasoning being that Cloudflare isn't assigning you a single IP per tunnel or anything like that. You're just using the normal reverse proxy inbound, which shares the IPs with lots of other users and identifies requests based on host header/SNI. Works for HTTP, but for non-HTTP protocols, using cloudflared or WARP locally provides the extra info to know to route it to you
Ahh, makes sense. Is there anything I can do inside of cloudflare to proxy my domain and still let people use that domain while it's being proxied to connect via SSH normally? I'd assume I'd probably need to have to do something with my firewall with that, I'm not sure
Proxy means Cloudflare responds to DNS queries with their proxy IPs, the same ones shared with lots of other customers. DNS doesn't care about ports or anything like that; when you do ssh example.com, it's just looking up the A/AAAA record for example.com, which will be the proxy IPs if you have that enabled.
You could have a separate subdomain unproxied, like ssh.example.com, and tell people to use that, and then yea you'd need to open your firewall/port forward if behind NAT
(and of course keeping it unproxied means you're leaking your real IP, no DDoS protection, etc)
Yep, leaking the backend IP is the main issue. I have some good DDoS protection since I use Cosmic Guard, but it's nothing good enough for me to be comfortable enough giving out the IP address to people. Thanks for the information though, I'll see what I can figure out
Are you using cloudflared/WARP for this? You need to set up a tunnel for the connection both inbound from your client device, as well as a cloudflared tunnel between the origin and somewhere in your network; the SSH is then initiated from that cloudflared host to the SSH server (as per the guide Chaika sent)
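As an added example (not from anyone in this thread), here are both halves of the setup the replies describe: the origin-side cloudflared ingress that maps the public hostname onto the non-default sshd port, and the client-side ssh_config that wraps the connection in cloudflared so Cloudflare can learn the hostname that plain SSH cannot carry. ssh.example.com, port 2222 and the tunnel UUID are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Hostname, port and
# tunnel UUID are placeholders; substitute the real values from the dashboard.

# Origin side: cloudflared config.yml. The ingress rule sends traffic for the
# public hostname to sshd on 2222 (the OP is not on the default port 22);
# the final catch-all rule is required by cloudflared.
origin_config() {
  cat <<'EOF'
tunnel: TUNNEL_UUID_PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL_UUID_PLACEHOLDER.json
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:2222
  - service: http_status:404
EOF
}

# Client side: ssh(1) sends no SNI/host header, so cloudflared proxies the
# session and supplies the hostname. The origin IP stays unpublished and no
# inbound firewall rule or port forward is needed.
client_ssh_config() {
  cat <<'EOF'
Host ssh.example.com
  ProxyCommand cloudflared access ssh --hostname %h
EOF
}

# Write both files into a directory for review before deploying them.
write_configs() {
  dir=$1
  mkdir -p "$dir"
  origin_config > "$dir/config.yml"
  client_ssh_config > "$dir/ssh_config"
}
```

Users still only type `ssh ssh.example.com`; the ProxyCommand line in their ssh_config is the only per-client change.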