CF Access - No traffic reaches origin


I’m trying to set up CF Access to reach an origin server on port 22 and have configured this as an emulated browser SSH session, but when connecting, the authentication completes and then the page promptly goes to an error stating that the origin could not be reached and asking me to check that the tunnel is up and the origin is healthy.

“Unable to connect to origin. Please confirm that the tunnel is set up correctly and the origin is healthy”

The IP of the origin server is a public IP, and I am not setting up a tunnel or any additional origin authentication, etc. No packets are received at the origin’s public IP at the time of one of these SSH login requests. Is connecting CF Access through a tunnel now the only way of doing it, or have I pressed a button that’s caused it to wait for a tunnel to come in from the origin rather than just forwarding the traffic to the origin over the internet?

I had previously seen instructions for setting up the origin firewall to permit CF Access that mentioned that Access traffic would come from a limited IP range (you could even request your own dedicated IP?), and this would give a very tightly defined hole to make in the origin firewall, but I can’t see this anywhere now and all the instructions seem to relate to setting up a tunnel.

Thanks for any thoughts on this and on what the current product offering is, etc.

Kind regards,

Hi again,

I’ve since managed to get direct access to the server and have set up a tunnel, and SSH is now being routed as hoped. I had hoped to make the initial SSH connection to the server through Access, but do I understand correctly that this is not possible, and that SSH etc. is only possible once alternative connectivity has been established and the cloudflared daemon installed, etc.? I’m not sure what documentation I had seen before that detailed the smaller CF Access source address range that you could use to create a small opening in your firewall, or even a dedicated /32 if you asked nicely, and I can only seem to find documents extolling the virtues of having no inbound connectivity and doing everything via an origin-initiated tunnel.

Is there a way under the current product offerings to secure initial CLI access to a server through CF Access authentication policies etc. that I’m failing to find details of, or does everything need a tunnel to have been created on the server first?

Thanks for your help.