Replace SSH Key and IP/VPN with Access - Help!

I’ve recently found CF Access and LOVE IT SO FAR. I have Teams set up, I have Warp set up and I’ve even configured MS Azure as my SSO. I was able to figure out how to protect my website’s manager URL by creating the access rule.

The next thing I’d like to do is figure out how I can lock down SSH access to my entire server so that only those that can authenticate can SSH to it. I’ve tried looking for guides but haven’t found anything followable.

Anyone have experience doing this who could offer a solution?

The closest I think I know is that I need to set up cloudflared on the server. This is a web server though, so, i still need regular access over port 443 to work (who cares about 80 when you’re running everything on CF!)

Thanks in advance

On my Ubuntu 20.04 box, I have this in /etc/cloudflared/config.yml:

hostname: ssh.EXAMPLE.COM
url: ssh://localhost:22
logfile: /var/log/cloudflared.log

I did this to create my tunnel:
cloudflared tunnel create TUNNELNAME
After that, it gave me a link to set the endpoint of my tunnel and then the cert to put into /etc/cloudflared/

And then ran this:
cloudflared service install --legacy

I may have missed a bit in my instructions here, like starting the service and the Access Policy, but the biggest obstacle was that I wasn’t using the --legacy flag to read the config file.

Here’s where I got some of my hints.

On my Mac, it was much easier. I installed what I think was the binary, then added this to my .ssh/config file:

	HostName ssh.EXAMPLE.COM
	ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

AH! Thank you, seems so simple. I’ll start playing with that and will report back any findings. Thank you.

1 Like