What is the name of the domain?
What is the issue you’re encountering?
I have successfully configured SSH Access for Infrastructure with Cloudflare Zero Trust. SSH connections work (passwordless login via ephemeral certificates), but command execution and SSH connections are extremely slow. In addition, there are often stability issues such as connection drops and an inability to connect to the server.
What steps have you taken to resolve the issue?
Issue Summary
- SSH connection time: 3-5 seconds (acceptable)
- Command response time: 500ms - 2-3+ seconds per command (too slow)
- Normal expectation: 100-150ms command response
Some additional details:
SSH connection failure:
ssh [email protected]
ssh: connect to host 1.2.3.4 port 22: Network is unreachable
Server disconnection:
Received disconnect from 1.2.3.4 port 22:2: cloudflare: unexpected origin message
Current Setup
- Architecture: Multiple servers across different datacenters/providers
- Connection Method: WARP client → Cloudflare Tunnel → SSH servers (public IPs)
- Authentication: Access for Infrastructure with ephemeral SSH certificates
- Tunnel Setup: Single tunnel with multiple connectors (same token on all servers)
Working Components
- SSH authentication (no password required)
- Ephemeral certificates properly configured
- SSH CA trust established on servers (TrustedUserCAKeys)
- WARP client connected and enrolled
- All servers accessible via SSH
Performance Issue
- SSH connection time: 2-5 seconds (acceptable)
- Command response time: 500ms - 2+ seconds per command (too slow)
- Normal expectation: 50-150ms command response
Example:
ssh [email protected] 'echo test'
# Takes 3+ seconds for simple echo command
Current WARP Configuration
Service Mode: Gateway with WARP
Proxy Settings:
- TCP: On
- UDP: On
- ICMP: On
Split Tunnels: Exclude mode
- Default private ranges excluded (192.168.x.x, 10.x.x.x, 172.16.x.x)
- Server public IPs (1.2.3.4/32) not in exclude list
Details
- Server IPs: Public IPs (not private/RFC1918)
- Geographic Distribution: Servers in different regions
- Internet Speed: No issues with direct connections
- WARP Status: Connected, routing correctly
Comparison Test
# With WARP connected (via Access for Infrastructure)
time ssh [email protected] 'echo test'
# Result: ~3-4 sec
# Direct SSH (without WARP/Access)
time ssh [email protected] 'echo test'
# Result: below 1 sec
Questions
- Is this expected latency for Access for Infrastructure over public IPs?
- Are there specific WARP settings to optimize SSH performance without compromising security?
- Should I consider alternative approaches like:
  - Direct cloudflared proxy (legacy method)
  - Different service modes?
- Does Cloudflare plan type affect SSH performance inspection?
Environment Details
- Cloudflare Plan: Free
- WARP Client: Latest version on macOS
- Servers: Ubuntu 22.04
- Network: Stable broadband connections
Attempted Solutions
1. Gateway Network Policy
Created policy to optimize SSH traffic:
Name: SSH Performance
Selector: Destination Port
Operator: in
Value: 22
Action: Allow
2. Split Tunnels Optimization
Tried Include Mode:
- Only included server IPs and Cloudflare domains
- Minimal improvement
Tried Exclude Mode:
- Excluded private ranges
- Added various bypass ranges
- No significant improvement
3. SSH Client/Server Optimization
# Client (~/.ssh/config)
ServerAliveInterval 30
TCPKeepAlive yes
Compression yes
# Server (/etc/ssh/sshd_config)
ClientAliveInterval 30
TCPKeepAlive yes
UseDNS no
Any insights or recommendations would be greatly appreciated!
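The timings in the post mix two different costs: the per-connection setup (TCP through WARP and the tunnel, SSH key exchange, certificate authentication) and the per-command round trip once a session exists. Every `ssh host 'echo test'` pays both, so the 3 second figure alone does not say which one is slow. The script below is an added diagnostic, not code from the original post or from Cloudflare: it measures N fresh connections, then N commands over a single multiplexed master connection (`ControlMaster`), and prints the median of each. It assumes a GNU `date` that supports `%N` (on macOS use coreutils `gdate` via `DATE_BIN=gdate`), that the target host is given in `SSH_HOST` (the `user@1.2.3.4` placeholder is an assumption), and that `ssh` is on the path.

```shell
#!/bin/sh
# Added example: split SSH latency into connection-setup cost versus
# per-command round-trip cost, using a ControlMaster socket for the latter.
# Assumptions: GNU date (%N), POSIX sh, SSH_HOST set by the user.
SSH_BIN="${SSH_BIN:-ssh}"      # override to a fake for dry runs
DATE_BIN="${DATE_BIN:-date}"   # gdate on macOS
RUNS="${RUNS:-5}"

now_ms() { echo $(( $("$DATE_BIN" +%s%N) / 1000000 )); }

# Run a command (args as given) and print elapsed wall-clock milliseconds.
time_ms() {
  local start end
  start=$(now_ms)
  "$@" >/dev/null 2>&1
  end=$(now_ms)
  echo $(( end - start ))
}

# Median of the integer arguments (lower middle for even counts).
median() {
  printf '%s\n' "$@" | sort -n | awk '
    { a[NR] = $1 }
    END {
      if (NR % 2) print a[(NR + 1) / 2]
      else print int((a[NR / 2] + a[NR / 2 + 1]) / 2)
    }'
}

# N fresh connections: each pays TCP + WARP/Tunnel + SSH handshake + cert auth.
fresh_connection_samples() {
  local host=$1 runs=$2 i=0
  while [ "$i" -lt "$runs" ]; do
    time_ms "$SSH_BIN" -o BatchMode=yes "$host" true
    i=$((i + 1))
  done
}

# N commands over one multiplexed master: only the per-command round trip
# is paid, because the TCP session and authentication are reused.
multiplexed_samples() {
  local host=$1 runs=$2 sock=$3 i=0
  "$SSH_BIN" -o BatchMode=yes -M -S "$sock" -o ControlPersist=60 -fN "$host" || return 1
  while [ "$i" -lt "$runs" ]; do
    time_ms "$SSH_BIN" -S "$sock" "$host" true
    i=$((i + 1))
  done
  "$SSH_BIN" -S "$sock" -O exit "$host" >/dev/null 2>&1
}

main() {
  local sock fresh mux
  sock="${TMPDIR:-/tmp}/ssh-latency-$$"
  fresh=$(fresh_connection_samples "$SSH_HOST" "$RUNS")
  mux=$(multiplexed_samples "$SSH_HOST" "$RUNS" "$sock")
  echo "fresh connection median:    $(median $fresh) ms"
  echo "multiplexed command median: $(median $mux) ms"
}

# Only run when a target is given, so the functions can be sourced safely.
if [ -n "${SSH_HOST:-}" ]; then
  main
fi
```

How to read the result: if the fresh-connection median is in the seconds but the multiplexed median is close to the plain network RTT, the cost is per-connection setup, and adding `ControlMaster auto`, `ControlPath ~/.ssh/cm-%r@%h:%p` and `ControlPersist` to `~/.ssh/config` amortizes it across repeated `ssh host cmd` calls. If the multiplexed median is also hundreds of milliseconds, the path itself (WARP client to the Cloudflare edge to the tunnel connector) adds that delay to every packet, and client-side keepalive or compression settings will not change it. One caveat for the ephemeral-certificate setup: a persistent master stays authenticated for as long as `ControlPersist` keeps it open, even after the short-lived certificate that opened it has expired, so keep that window short.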