SSH access using tunnels

I love to use Cloudflare’s tunnels to access web services from my server without having to open ports (80 and 443). Additionally I can have HTTPS secure access without any concerns with certificates since all of that is carried by Cloudflare. So I just have in my server to create the tunnel, associate a public hostname to the http service and from any place in the Internet a browser just have to open that URL hostname to access securely the web service.

I would now like to do the same for a ssh access, and I know that I can do that this time associating another public hostname with a ssh service like: ssh:// Nevertheless I just had success using the integrated ssh client application that Cloudflare provide. If I want to use a regular ssh client I need to also open a tunnel in the device where that client is running. So my question is:

Can’t I ssh to a ssh service tunnelled in my server using a regular ssh client without having in the client side to open also a tunnel?
Notice that in http accesses I just have in the client side to use a regular web browser no need to setup a tunnel in the client device!

By the way my ultimate goal is to use this tunnel approach with other services like mqtt traffic to access a mqtt broker running in a server without having to open the 1883 port. But if for that, my IoT devices have to open a tunnel in their client side (like the way I explained above for ssh), this approach is impracticable.


To access any port that is not HTTP/S you need to have cloudflared running on the client as well. Cloudflare does offer browse rendered SSH, but if you want a normal SSH client or MQTT, you will need it on the client side.

1 Like

Thanks for your reply! Much appreciated!

Yes that was my conclusion either!
I wonder why just http(s) ports do not need the cloudflared in the client side!
Is this a Cloudflare option or a technical restriction?

Imagine that I need to host a mqtt broker behind a NAT that I do not control and therefore I can not forward the mqtt trafiic (port 1883). Since my IoT devices that need to connect to the broker need to have cloudflared running, and almost all of them are simply MCU devices (like ESP32) without the capability of running complex apps, I am unable to use that broker, right?

Have you any advice how that broker could be used?


I am unsure the reason, but I know Cloudflare’s services are a lot of HTTP/S, so they have more infrastructure behind it.

If you want other forwarding options, maybe look at something like ngrok would fit your needs more.

1 Like

Yesterday I tried ngrok but the free option is quite limited and the paid one quite expensive for what I wanted. But your tip putted me in the right direction since I discovered a similar service (that can be self-hosted). It’s name is frp: GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.

Regards ant thanks once again for your help!