Running Cloudflare Pro Account
I’ve burnt the weekend trying to get SSH from my Digital Ocean Droplet working with Tunnel. I only got it working on ZeroTrust Gateway with Warp.
I watched multiple video tutorials, read all the documentation and followed it exactly, and can only manage to connect to SSH when Zero Trust is enabled on my Mac Desktop running Ventura.
Steps I’ve taken.
- Created an Access Application (SSH) with a new subdomain. (ssh.domain.net)
- Created a policy for allowing emails ending in @domain.net
- Created a Short-lived Certificate and installed it on the origin server and modified sshd_config to use it.
- Configured the Tunnel and subdomain (ssh.domain.net)
- Service type: SSH://localhost
- Protect with Access, Enabled (SSH) and Proxy Type “”
- Installed cloudflared and service on RockyLinux with the dashboard command.
- Logged into the tunnel with command ~cloudflared tunnel login
- Copied the URL to a browser, and chose domain.net, certificates set.
- Verified tunnel is connected with ~cloudflared tunnel list and in the dashboard.
- On my Mac, I ran the dashboard command to install cloudflared.
- Ran the command ~cloudflared access ssh-config --hostname ssh.domain.net and copied output to my .ssh/config file which looks like:
```
Match host ssh.domain.net exec "/opt/homebrew/bin/cloudflared access ssh-gen --hostname %h"
  Hostname ssh.domain.net
  ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
```
- Made sure I had a user created on the origin that matched the [email protected] email.
When I attempt to access SSH with the command [email protected] when not connected to ZeroTrust, I get the error:
failed to find Access application at https://ssh.domain.net
If I connect to ZeroTrust and try again, the browser pops to the Access page, I authenticate my email address with the code, then I get presented with the page to authenticate my SSH session and I’m logged in.
Also, the examples on this page with Advanced Differing Usernames don’t work; there is an error when restarting SSHD.
What am I missing here?
It would be great to have a current Cloudflare SSH Tunnel Tutorial Video created, the one that is up on the YT channel is two years old and of the older system.
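
An added example, not part of the original post: a small checker for the origin's sshd_config covering the short-lived-certificate directives from the steps above and the command/user pairing that a differing-usernames setup depends on. The CA path, user and principal names in the sample are constructed assumptions, and the check says nothing about the "failed to find Access application" error.

```python
import re

# Constructed sample: the CA path, user and principal names are assumptions.
SAMPLE = """\
# origin server sshd_config (constructed)
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub

Match User vmuser
    AuthorizedPrincipalsCommand /bin/echo 'jdoe'
"""

def parse(text):
    """Split sshd_config text into [(scope, {keyword: value})] blocks."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    return blocks

def lint(text):
    """Return findings for the certificate-related directives."""
    blocks = parse(text)
    glob = blocks[0][1]
    findings = []
    if not any(b.get("trustedusercakeys", "none").lower() != "none" for _, b in blocks):
        findings.append("global: no TrustedUserCAKeys, so no user CA is trusted")
    if glob.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("global: PubkeyAuthentication is no; certificates use it")
    for scope, b in blocks:
        cmd = b.get("authorizedprincipalscommand", "none")
        user = (b.get("authorizedprincipalscommanduser")
                or glob.get("authorizedprincipalscommanduser"))
        if cmd.lower() != "none" and not user:
            # sshd_config(5): a command without a command user is rejected.
            findings.append(f"{scope}: AuthorizedPrincipalsCommand without "
                            "AuthorizedPrincipalsCommandUser")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running `sshd -t` on the origin before restarting the service lets sshd itself validate the full file.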