Client-side cloudflared

With Cloudflare Zero Trust, users can connect to non-HTTP applications via a public hostname without installing the WARP client. This method requires you to onboard a domain to Cloudflare and install cloudflared on both the server and the user’s device.

Users log in to the application by running a cloudflared access command in their terminal. cloudflared will launch a browser window and prompt the user to authenticate with your identity provider.

Note

Automated services should only authenticate with cloudflared if they cannot use a service token. Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a Service Auth policy or using Warp to Tunnel routing in these instances.

For examples of how to connect to Access applications with client-side cloudflared, refer to these tutorials:

• Connect through Access using a CLI
• Connect through Access using kubectl
• Connect over SSH with cloudflared (legacy) — SSH connections are now managed through Access for Infrastructure.
• Connect over RDP with cloudflared
• Connect over SMB with cloudflared
• Connect over arbitrary TCP with cloudflared