Connect to SSH with client-side cloudflared (legacy)
End users can connect to an SSH server without the WARP client by authenticating through cloudflared in their native terminal. This method requires having cloudflared installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.
Client-side cloudflared can be used in conjunction with routing over WARP and Access for Infrastructure so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.
- Create a Cloudflare Tunnel by following our dashboard setup guide.
- In the Public Hostnames tab, choose a domain from the drop-down menu and specify any subdomain (for example, ssh.example.com).
- For Service, select SSH and enter localhost:22. If the SSH server is on a different machine from where you installed the tunnel, enter <server IP>:22.
- Select Save hostname.
- (Recommended) Add a self-hosted application to Cloudflare Access in order to manage access to your server.
- Install cloudflared on the client machine.
- Make a one-time change to your SSH configuration file:
- Input the following values, replacing ssh.example.com with the hostname you created. The cloudflared path may be different depending on your OS and package manager. For example, if you installed cloudflared on macOS with Homebrew, the path is /opt/homebrew/bin/cloudflared.
- You can now test the connection by running a command to reach the service:
  When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.
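
One way to script the one-time SSH configuration change from the steps above, as an added example that is not Cloudflare's own code. It assumes the ProxyCommand form built on cloudflared's access ssh subcommand; the function names and the throwaway demo file are hypothetical, and ssh.example.com is the page's placeholder hostname.

```shell
#!/bin/sh
# Added example. Function names and the temp-file demo are constructed for
# illustration; ssh.example.com is the page's placeholder hostname.

# Print the Host block that sends SSH for one hostname through cloudflared.
render_host_block() {  # $1 = hostname, $2 = absolute path to cloudflared
    printf 'Host %s\n    ProxyCommand %s access ssh --hostname %%h\n' "$1" "$2"
}

# Succeed if the config already has a Host line naming exactly this hostname.
has_host_entry() {  # $1 = config file, $2 = hostname
    awk -v h="$2" 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# Append the block once. Returns 0 = added, 3 = already present, 2 = bad input.
add_host_block() {  # $1 = config file, $2 = hostname, $3 = cloudflared path
    # Reject anything that could smuggle extra directives into the config.
    case $2 in ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $2" >&2; return 2 ;; esac
    # Require an absolute path so ssh never resolves cloudflared through PATH.
    case $3 in ''|[!/]*|*[!A-Za-z0-9/._-]*)
        echo "cloudflared path must be absolute and plain: $3" >&2; return 2 ;;
    esac
    # Create a missing config readable only by its owner.
    [ -e "$1" ] || ( umask 077; mkdir -p "$(dirname "$1")" && : > "$1" ) || return 1
    if has_host_entry "$1" "$2"; then return 3; fi
    # Separate the new block from existing content with a blank line.
    { [ ! -s "$1" ] || echo; render_host_block "$2" "$3"; } >> "$1"
}

# Demo on a constructed throwaway file, not the real ~/.ssh/config.
# Real use: add_host_block "$HOME/.ssh/config" <hostname> "$(command -v cloudflared)"
demo_cfg=$(mktemp)
add_host_block "$demo_cfg" ssh.example.com /opt/homebrew/bin/cloudflared
add_host_block "$demo_cfg" ssh.example.com /opt/homebrew/bin/cloudflared ||
    echo "entry already present, config left unchanged"
cat "$demo_cfg"
rm -f "$demo_cfg"
```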