Setting up SSH Tunnel using Self-hosted Cloudflare Zero Trust

This tutorial will guide you through the process of setting up an SSH tunnel using self-hosted Cloudflare Zero Trust. This allows you to securely access your server from anywhere with an internet connection.

Step 1: Buy a Domain

First, you need to purchase a domain name. For this example, we'll use Namecheap.

  1. Go to Namecheap.
  2. Search for a domain name and purchase it.

Step 2: Add Domain to Cloudflare

Next, add your domain to Cloudflare.

  1. Go to Cloudflare.
  2. Sign up for an account or log in.
  3. Add your domain to Cloudflare.
  4. Follow the instructions to change your domain's nameservers to Cloudflare's nameservers.

Step 3: Choose Your Plan

  1. In my case, I chose the Free plan, which is enough for personal use.
  2. Click "Confirm".

Step 4: Update Nameservers at Namecheap

Update your domain's nameservers at Namecheap to point to Cloudflare.

  1. Copy the nameservers provided by Cloudflare.
  2. Go to your domain management page on Namecheap.
  3. Change the nameservers to the ones provided by Cloudflare.
  4. Save the changes.

Step 5: Set up Self-hosted Zero Trust

Set up self-hosted Zero Trust on Cloudflare.

  1. In the Cloudflare dashboard, go to "Access" > "Overview".
  2. Click "Add an application".
  3. Configure the application settings.
  4. Create a tunnel if your application is in a private network.
  5. Add access policies.
  6. Save the configuration.

Step 6: Create Policy

Create a policy to control access to your application.

  1. In the Cloudflare dashboard, go to "Access" > "Policies".
  2. Click "Create a policy".
  3. Configure the policy settings.
  4. Add rules to the policy.
  5. Save the policy.

Step 7: Set up SSH Application

Set up the SSH application in Cloudflare Zero Trust.

  1. In the Cloudflare dashboard, go to "Access" > "Applications".
  2. Edit the SSH application.
  3. Configure the application settings.
  4. Save the configuration.

Note: Free Plan SSH Issue

The Cloudflare Free plan may not work with SSH on a subdomain. It may cause an error like:

kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

So I recommend leaving the subdomain blank in the application configuration.

Step 8: Set up Tunnel

Set up the Cloudflare Tunnel.

  1. In the Cloudflare dashboard, go to "Access" > "Tunnels".
  2. Click "Create a tunnel".
  3. Name the tunnel.
  4. Select your environment.
  5. Install and run the connector on your server.

Step 9: Configure Public Hostname for SSH Tunnel

Configure the public hostname for the SSH tunnel.

  1. In the Cloudflare dashboard, go to "Access" > "Tunnels".
  2. Select your tunnel.
  3. Go to the "Public Hostname" tab.
  4. Configure the public hostname settings.
  5. Save the configuration.

Note: Open SSH server

Note that an SSH server must be running on the machine. Use OpenSSH server to serve SSH on port 22.

If you want to run SSH on another port, also specify `ssh://<your_domain>:<port>` in the Public Hostname configuration above.

Step 10: Set up Access at Client

Set up access at the client machine.

  1. Install cloudflared on your client machine
  2. Run the following command and add the generated configuration to your ~/.ssh/config file:

cloudflared access ssh-config --hostname yourdomain.com        
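The script below is an added example, not part of the original article or of cloudflared itself. It appends the same kind of `Host` / `ProxyCommand` stanza that `cloudflared access ssh-config` prints, but does so idempotently and only for a validated hostname. The function name `add_cf_ssh_host` and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotently register a Cloudflare Access host in an
# OpenSSH client config. add_cf_ssh_host is a hypothetical helper name.
#
# Usage: add_cf_ssh_host HOSTNAME [CONFIG_FILE] [CLOUDFLARED_PATH]
add_cf_ssh_host() {
    host=$1
    config=${2:-"$HOME/.ssh/config"}
    # Default to the cloudflared found on PATH (assumed to be installed).
    cfd=${3:-$(command -v cloudflared 2>/dev/null || echo cloudflared)}

    # Accept only plain DNS names, so the value cannot carry whitespace,
    # extra ssh_config directives or shell metacharacters into the
    # ProxyCommand line, which ssh hands to the user's shell.
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*)
            echo "invalid hostname: $host" >&2
            return 2 ;;
    esac

    mkdir -p "$(dirname "$config")" || return 1
    touch "$config" || return 1
    # ssh refuses a config file that other users can write to.
    chmod 600 "$config" || return 1

    # Exact-match the hostname against every pattern on each Host line
    # (a Host line may list several), so a second run adds nothing.
    if awk -v h="$host" '
            tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
            END { exit !found }' "$config"; then
        echo "Host $host already present in $config, leaving it unchanged" >&2
        return 0
    fi

    # %%h prints a literal %h, which ssh expands to the target hostname.
    printf '\nHost %s\n  ProxyCommand %s access ssh --hostname %%h\n' \
        "$host" "$cfd" >> "$config"
}
```

After running it, `ssh -G yourdomain.com | grep -i proxycommand` shows the proxy command ssh will actually use for that host.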

Step 11: Connect SSH

Connect to your server using SSH.

ssh user@yourdomain.com        

  1. Run the command above.
  2. Log in with the email specified in the policy.

You have now successfully set up an SSH tunnel using self-hosted Cloudflare Zero Trust!