Cloudflare does not forward SSH to locally managed Cloudflare Tunnel

What is the name of the domain?

t******.com

What is the error message?

kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

What is the issue you’re encountering?

Cannot reach the SSH server from an external machine.

What steps have you taken to resolve the issue?

I set up cloudflared as described in the docs:

  • installed cloudflared on Debian

  • ran cloudflared tunnel login, which gave a browser URL and, upon completion, created a .cloudflared folder. There I could see cert.pem and a credentials JSON.

  • created the config.yml:

tunnel: my-uuid
credentials-file: /home/path/to/my-uid.json

ingress:
   - hostname: my-uuid.cfargotunnel.com
     service: ssh://localhost:22
   - service: http_status:404

I ran cloudflared tunnel ingress validate and it displays: Validating rules from /path/to/config.yml OK

Then I run cloudflared tunnel start my-tunnel-name, which starts the tunnel.

Then, on another machine, I added this to my ssh config:

Host my-test
    HostName my-uuid.cfargotunnel.com
    User someuser
    Port 22
    IdentityFile /path/to/key
    ProxyCommand cloudflared acess ssh --hostname %h

When I run ssh -vvv my-test it says:

.....
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

This does not change if I add a CNAME to one of the domains I own in Cloudflare and replace the hostname with that human-friendly subdomain. This thing does not seem to work at all.

I can connect to this machine easily on the LAN; it gets the key and asks for verification, etc., since it has sshd running.

Ideally I just want this tunnel to forward SSH requests to localhost:22, with my server still prompting for verification. I also do not want to use my domain, but the automatically assigned *.cfargotunnel.com.

I must be missing something; it can’t be this convoluted…

The same question has been posted on Stack Overflow: “Cloudflared tunnel is not properly forwarding ssh”.

I did not create any access rules or anything from the Zero Trust dashboard. Is that even necessary? From a technical standpoint, since the tunnel is bidirectional, Cloudflare has all the information it needs to relay traffic. And even if a foreigner tries to SSH in, they will get stuck on sshd’s key validation. So what am I missing?

What are the steps to reproduce the issue?

Follow the steps above

Additional info:
Yes, I have cloudflared installed on the machine that is trying to SSH into the server, but I did not configure anything on it. It is just there so that ProxyCommand can work.

Did you create the CNAME record to point the public hostname towards your tunnel?

You have a typo in your proxy command, it’s access. Your hostname is also wrong. It should be your public hostname, not your tunnel id.


Thank you for the response.
I have no idea where the typo came from; I just checked my ssh config and both have ‘access’. I created a CNAME just in case *.cfargotunnel is not accepted as a hostname, and it didn’t matter. On the machine that wants to connect I have these:

Host test-cloudflare
    HostName myuid.cfargotunnel.com
    User myuser
    Port 22
    IdentityFile /path/to/key
    ProxyCommand cloudflared access ssh --hostname myuid.cfargotunnel.com

Host test-cloudflare-cname
    HostName subdomain.mydomain.com
    User myuser
    Port 22
    IdentityFile /path/to/key
    ProxyCommand cloudflared access ssh --hostname %h

both of these return the kex_exchange_identification error with Connection closed by UNKNOWN port 65535.

On the SSH server, when I run cloudflared tunnel run my-tunnel, I can see in Zero Trust that it is up and healthy.

The reason I prefer not to use a CNAME is that it is harder to block.

How long does a CNAME take to propagate? I guess it’s instant? Shall I re-add the record, wait for 1 hour and try again?

You need to ssh to your hostname not the cfargotunnel and your Cloudflare Tunnel internal hostname needs to be your hostname and resolvable to your origin from the machine running tunnel.


Let’s say you want to use the tunnel for ssh.example.com:

Create a proxied CNAME record with name ssh and the tunnel as the value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.cfargotunnel.com).

Then, your ssh config as follows:

Host ssh.example.com
    User myuser
    IdentityFile /path/to/key
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
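The two replies above boil down to a consistency check between the client's ssh_config and the tunnel's ingress rules: the public hostname must be a proxied CNAME on a zone you own, the ProxyCommand must be spelled `cloudflared access ssh`, and the hostname the ProxyCommand passes must match an ingress rule. The following script is an added example (not code from the thread and not part of cloudflared) that parses both files and reports those mismatches; the host blocks and ingress rules embedded in it are constructed to mirror the broken and working setups in this thread, and `ssh.example.com`, `my-uuid` and `/path/to/key` are placeholders.

```python
"""Pre-flight checks for an SSH-over-Cloudflare-Tunnel setup (added example).

Parses a client ssh_config and a cloudflared config.yml and flags the
mistakes discussed in the thread: a raw *.cfargotunnel.com hostname, a
misspelled `cloudflared access ssh` ProxyCommand, and a ProxyCommand whose
--hostname matches no ingress rule. No network access is needed.
"""
import os
import re
import shlex

# Raw tunnel names live under this zone; the replies say the SSH hostname must
# instead be a public hostname on your own zone, CNAMEd to the tunnel.
TUNNEL_ZONE = ".cfargotunnel.com"
_KV = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.+)$")  # "Key value" or "Key=value"


def parse_ssh_config(text):
    """Return {alias: {lowercased key: value}} per Host block; first value wins, as ssh does."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _KV.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)
    return hosts


def parse_ingress_hostnames(yaml_text):
    """Collect `hostname:` values from config.yml (line-based; no YAML library needed)."""
    return [m.group(1).strip('"\'')
            for m in re.finditer(r"^\s*-?\s*hostname:\s*(\S+)", yaml_text, re.M)]


def check_setup(ssh_config_text, alias, ingress_yaml):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    block = parse_ssh_config(ssh_config_text).get(alias)
    if block is None:
        return [f"no 'Host {alias}' block in ssh_config"]
    hostname = block.get("hostname", alias)  # ssh uses the alias when HostName is absent
    if hostname.lower().endswith(TUNNEL_ZONE):
        findings.append(f"HostName {hostname}: raw tunnel name; use a proxied CNAME on a zone you own")
    proxy = block.get("proxycommand")
    target = None
    if proxy is None:
        findings.append("no ProxyCommand: ssh would connect directly instead of through cloudflared")
    else:
        argv = shlex.split(proxy)
        # Catches the 'acess' typo from the question and any non-cloudflared proxy.
        if not argv or os.path.basename(argv[0]) != "cloudflared" or argv[1:3] != ["access", "ssh"]:
            findings.append(f"ProxyCommand must start with 'cloudflared access ssh', got: {proxy}")
        if "--hostname" in argv[:-1]:
            target = argv[argv.index("--hostname") + 1]
            if target == "%h":  # ssh expands %h to the effective HostName
                target = hostname
        else:
            findings.append("ProxyCommand is missing --hostname")
    ingress = parse_ingress_hostnames(ingress_yaml)
    for h in ingress:
        if h.lower().endswith(TUNNEL_ZONE):
            findings.append(f"ingress hostname {h}: should be the public (CNAME) hostname, not the tunnel name")
    if target and target not in ingress:
        findings.append(f"{target} matches no ingress rule; cloudflared would fall through to the catch-all")
    return findings


# Constructed to mirror the failing setup in the question (tunnel name as hostname, typo in ProxyCommand).
BROKEN_SSH_CONFIG = """\
Host my-test
    HostName my-uuid.cfargotunnel.com
    User someuser
    Port 22
    IdentityFile /path/to/key
    ProxyCommand cloudflared acess ssh --hostname %h
"""
BROKEN_INGRESS = """\
tunnel: my-uuid
credentials-file: /home/path/to/my-uuid.json
ingress:
   - hostname: my-uuid.cfargotunnel.com
     service: ssh://localhost:22
   - service: http_status:404
"""
# Constructed to mirror the working setup from the replies (ssh.example.com is a placeholder zone).
FIXED_SSH_CONFIG = """\
Host ssh.example.com
    User myuser
    IdentityFile /path/to/key
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
"""
FIXED_INGRESS = """\
tunnel: my-uuid
credentials-file: /home/path/to/my-uuid.json
ingress:
   - hostname: ssh.example.com
     service: ssh://localhost:22
   - service: http_status:404
"""

if __name__ == "__main__":
    for label, cfg, alias, ing in (("broken", BROKEN_SSH_CONFIG, "my-test", BROKEN_INGRESS),
                                   ("fixed", FIXED_SSH_CONFIG, "ssh.example.com", FIXED_INGRESS)):
        print(label, check_setup(cfg, alias, ing) or ["ok"])
```

Run it against your real `~/.ssh/config` and `config.yml` by reading the files into `check_setup`; the broken pair above yields three findings (tunnel-zone HostName, misspelled ProxyCommand, tunnel-zone ingress hostname) and the fixed pair yields none. The script only checks file consistency, so a CNAME that has not propagated yet, as the final reply describes, will still fail at connect time.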

@Laudian @cscharff

First of all thanks to both of you for your swift response. Respect on Sunday evening!

The issue was that CNAME records did not take instant effect, and one has to wait a bit, let’s say 15 mins, for things to work.

After adding the CNAME and updating

Host my-server
    HostName mysubdomain.mydomain.com
    ....

and did:

cloudflared tunnel --loglevel debug --logfile ./.cloudflared/test.log run my_tunnel_name

things started working. So for anyone who got stuck:

  • supplying myuid.cfargotunnel.com DOES NOT seem to work. As suggested by Laudian and cscharff, Cloudflare needs to resolve it via a CNAME.
  • after adding the CNAME, WAIT. Wait 15 mins before starting the tunnel again.
  • the arguments --loglevel and --logfile help a lot.

If anyone from Cloudflare is seeing this, a feature request would be to allow specifying hostnames as `myuid.cfargotunnel.com`, because an ISP or other service in the middle cannot block the entire *.cfargotunnel.com without causing collateral damage, which I don’t think many will dare to do, whereas they can easily block entire domains owned by people. Is this possible?

I am guessing Cloudflare is making sure their service is not abused by letting only domain owners using their nameservers use the tunnel via a CNAME, but one has to initially execute cloudflared tunnel login and then pick a domain anyway, so I fail to understand why CNAMEs are required as hostnames. CF servers that receive the outgoing tunnel request can already match IP addresses to *.cfargotunnel.


I can only mark a single answer as the solution, but both Laudian and cscharff pointed to the same answer: hostnames cannot be from *.cfargotunnel.

