03.2 Cloudflared Argo Tunnel for SSH

In 03.1 (only allow Cloudflare IPs) we updated Ubuntu’s iptables to accept traffic from Cloudflare IPs only, on these ports:

  • http: 80
  • http-alt: 8080
  • https: 443
  • https-alt: 8443
  • clearvisn: 2052
  • lot105-ds-upd: 2053
  • infowave: 2082
  • radsec: 2083
  • gnunet: 2086
  • eli: 2087 (event logging)
  • nbx-ser: 2095
  • nbx-dir: 2096
  • cddbp-alt: 8880

We also denied http and https access to our server from IPs that are not Cloudflare’s. The advantage of this approach is that it forces all web traffic through Cloudflare, which ensures their security features can inspect all the web traffic headed to our server before it arrives.

What if we could also guarantee that any ssh requests had to go through Cloudflare? In other words, what if we didn’t accept ssh requests at the server IP but forced those through Cloudflare as well?

Enter Cloudflared. It runs Cloudflare’s Argo Tunnel and maintains it as a service on your server so that you can connect through Cloudflare Access over SSH.

The Cloudflare tutorial is really all you need. The gotchas I encountered were pretty small. Essentially, you’ll install cloudflared on your server. Set it up as a service. Connect it to one of your domains pointed to the server. Then install the client on your local machine. You make an update to your sshd_config file locally and it is a painless way to run ssh through Cloudflare.
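As an added example (not from the Cloudflare tutorial or this page), the shell functions below render the two pieces of configuration the setup above needs, the server-side cloudflared ingress and the client-side ssh config entry, and add a check that sshd is not listening on the public IP, which is the point of forcing ssh through the tunnel. The tunnel name, hostname ssh.example.com, the tunnel UUID and the credentials path are placeholders; `cloudflared tunnel create` prints the real values.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Values marked PLACEHOLDER are
# assumptions to be replaced with what `cloudflared tunnel create` prints.
set -eu

# Server side: cloudflared config.yml that forwards the tunnel hostname to the
# local sshd and answers 404 for anything else (the catch-all rule is required).
render_cloudflared_config() {
  hostname="$1"; tunnel_id="$2"
  printf '%s\n' \
    "tunnel: $tunnel_id" \
    "credentials-file: /root/.cloudflared/$tunnel_id.json" \
    "ingress:" \
    "  - hostname: $hostname" \
    "    service: ssh://localhost:22" \
    "  - service: http_status:404"
}

# Client side: ~/.ssh/config entry (assumed path) so that ssh opens the
# connection via `cloudflared access ssh` instead of dialling the server IP.
render_ssh_client_config() {
  hostname="$1"
  printf '%s\n' \
    "Host $hostname" \
    "  ProxyCommand cloudflared access ssh --hostname %h"
}

# Given `ss -ltn`-style output (column 4 is Local Address:Port), return 0 when
# every port-22 listener is bound to loopback, 1 if any is bound to 0.0.0.0,
# [::] or a public address. If the tunnel is the only way in, sshd should only
# need to listen on 127.0.0.1 / ::1 (or port 22 must be dropped by iptables).
sshd_loopback_only() {
  ! printf '%s\n' "$1" \
    | awk '$1=="LISTEN" {print $4}' \
    | grep -E ':22$' \
    | grep -vE '^(127\.|\[::1\])' >/dev/null
}

# Constructed sample of `ss -ltn` output used for the stand-alone run.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 128 [::1]:22 [::]:*'

render_cloudflared_config ssh.example.com PLACEHOLDER-TUNNEL-UUID
render_ssh_client_config ssh.example.com
sshd_loopback_only "$SAMPLE_SS" && echo "sshd is loopback-only"
```

Run `sshd_loopback_only "$(ss -ltn)"` on the server after the tunnel works; a listener on `0.0.0.0:22` means ssh is still reachable without Cloudflare.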