Cloudflare Access SSH tunnel with multi-hops

Security Access
#1

I would like to use Cloudflare Access’ ssh feature to tunnel into my server. It worked perfectly on my home setup. But when I’m at work behind a http proxy server. I cannot access and I don’t know what the correct proxy command combination is.

Previously if I’d ssh to my server behind company proxy gateway, I would have one proxy command line in ssh config like this:

Host h1
HostName
ProxyCommand corkscrew 10.10.101.9 8080 %h %p
Port
User root
IdentityFile ~/.ssh/id_rsa
AddKeysToAgent ask

But with cf’s ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h, I tried several combinations and it won’t work. Help appreciated.

#2

My eyes began to glaze over, but nobody else has answered.

There are two halves to this (Argo Tunnel):

  1. Your server, which is running Cloudflared to connect to Cloudflare and create that tunnel to your server’s Port 22.
  2. Cloudflared from you, to proxy that on-demand SSH connection through the tunnel

I believe that’s the two ends of the Port 22 bridge.

According to docs, and this is what I see on my server, it’s using Port 7844 to connect the two ends of that bridge.

So I don’t believe you can Tunnel if Port 7844 is firewalled off.

1 Like
#3

Thanks for the answer but I do think it’s feasible.

  1. Without Cloudflared, I can ssh through the proxy using http connect method. And the port is not 22 on my server. The outbound traffic from my machine to the http gateway is on port 8080, and it will then connect on port say 10000 to my server.

  2. With Cloudflared, I just need a way to route cloudflared to the http gateway on port 8080 using http connect method. And this is the part I’m asking for. The other sections of the path are all good I believe.

To put it into a diagram.

  1. me -> http proxy 10.0.0.1:8080 -> server port 10000 WORKS
  2. me -> http proxy 10.0.0.1:8080 -> Cloudflare Argo Tunnel -> server port 10000, how?
#4

I still think the problem is the Argo Tunnel connection due to it using Port 7844. I don’t even know if that is configurable.

I don’t know if any of the Argo Tunnel team is in the Community, but maybe an @MVP knows if Argo Tunnel only works through Port 7844.

#5

From my testing, yes it requires outbound port 7844 connection. Not sure whether other ports are required, but so far it works by only allowing outbound port 7844.

1 Like