Unable to connect to Cloudflare tunnel

Hello, today I tried to set up Cloudflare Access using Cloudflare Teams. I followed the steps in https://developers.cloudflare.com/cloudflare-one/tutorials/ssh but I experienced the following error:

failed to connect to origin error="websocket: bad handshake"

I have searched for a solution and read every possible solution but none of them worked for me.

Server

Client

  • Windows 10 Build 19043.1165
  • cloudflare 2021.8.7 (built 2021-08-28-1730 UTC) installed using the latest release .exe

Server Logs

[email protected]:~# cloudflared tunnel --loglevel debug run Database
2021-09-12T21:30:55Z DBG Loading configuration from /root/.cloudflared/config.yml
2021-09-12T21:30:55Z INF Starting tunnel tunnelID=[REDACTED]
2021-09-12T21:30:55Z INF Version 2021.8.7
2021-09-12T21:30:55Z INF GOOS: linux, GOVersion: devel +a84af465cb Mon Aug 9 10:31:00 2021 -0700, GoArch: amd64
2021-09-12T21:30:55Z INF Settings: map[cred-file:/root/.cloudflared/[REDACTED].json credentials-file:/root/.cloudflared/[REDACTED].json loglevel:debug]
2021-09-12T21:30:55Z INF cloudflared will not automatically update if installed by a package manager.
2021-09-12T21:30:55Z INF Generated Connector ID: 3b8df647-fe81-42f0-9e3c-311b17072ff2
2021-09-12T21:30:55Z INF Initial protocol http2
2021-09-12T21:30:55Z INF Starting metrics server on 127.0.0.1:42605/metrics
2021-09-12T21:30:55Z DBG looking up edge SRV record domain=_origintunneld._tcp.argotunnel.com
2021-09-12T21:30:55Z DBG edgediscovery - GetAddr: Giving connection its new address connIndex=0
2021-09-12T21:30:55Z DBG Connecting via http2 connIndex=0
2021-09-12T21:30:55Z DBG rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = <opaque pointer>))
2021-09-12T21:30:55Z DBG rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = [])), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = <opaque pointer>, capTable = []), sendResultsTo = (caller = void)))
2021-09-12T21:30:55Z DBG rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [(senderHosted = 0)])))
2021-09-12T21:30:55Z DBG rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2021-09-12T21:30:56Z DBG rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [])))
2021-09-12T21:30:56Z INF Connection 3c3b51fc-b4e2-4ba3-aa25-133f79164750 registered connIndex=0 location=AMS
2021-09-12T21:30:56Z DBG rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2021-09-12T21:30:56Z DBG edgediscovery - GetDifferentAddr: Giving connection its new address connIndex=1
2021-09-12T21:30:56Z DBG Connecting via http2 connIndex=1
2021-09-12T21:30:56Z DBG rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = <opaque pointer>))
2021-09-12T21:30:56Z DBG rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = [])), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = <opaque pointer>, capTable = []), sendResultsTo = (caller = void)))
2021-09-12T21:30:56Z DBG rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [(senderHosted = 0)])))
2021-09-12T21:30:56Z DBG rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2021-09-12T21:30:56Z DBG rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [])))
2021-09-12T21:30:56Z DBG rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2021-09-12T21:30:56Z INF Connection b087009f-bc56-4c15-91b6-2387793cb3a1 registered connIndex=1 location=FRA
2021-09-12T21:30:57Z DBG edgediscovery - GetDifferentAddr: Giving connection its new address connIndex=2
2021-09-12T21:30:57Z DBG Connecting via http2 connIndex=2
2021-09-12T21:30:57Z DBG rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = <opaque pointer>))
2021-09-12T21:30:57Z DBG rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = [])), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = <opaque pointer>, capTable = []), sendResultsTo = (caller = void)))
2021-09-12T21:30:57Z DBG rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [(senderHosted = 0)])))
2021-09-12T21:30:57Z DBG rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2021-09-12T21:30:57Z DBG rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [])))
2021-09-12T21:30:57Z INF Connection b680fdec-5842-4003-80fb-9f052b69abc5 registered connIndex=2 location=AMS
2021-09-12T21:30:57Z DBG rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2021-09-12T21:30:58Z DBG edgediscovery - GetDifferentAddr: Giving connection its new address connIndex=3
2021-09-12T21:30:58Z DBG Connecting via http2 connIndex=3
2021-09-12T21:30:58Z DBG rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = <opaque pointer>))
2021-09-12T21:30:58Z DBG rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = [])), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = <opaque pointer>, capTable = []), sendResultsTo = (caller = void)))
2021-09-12T21:30:58Z DBG rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [(senderHosted = 0)])))
2021-09-12T21:30:58Z DBG rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2021-09-12T21:30:58Z DBG rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = <opaque pointer>, capTable = [])))
2021-09-12T21:30:58Z INF Connection efc09576-1a8b-44e9-9380-8e5e96ff6cd8 registered connIndex=3 location=FRA
2021-09-12T21:30:58Z DBG rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))

Client Logs

PS C:\Users\johannes> ssh subdomain.mydomain.com
2021-09-12T21:31:05Z DBG Websocket request: GET / HTTP/1.1
Host: subdomain.mydomain.com


2021-09-12T21:31:06Z DBG Access Websocket request: GET / HTTP/1.1
Host: subdomain.mydomain.com
Cf-Access-Token: [REDACTED]


2021-09-12T21:31:06Z DBG Websocket response: "HTTP/1.1 302 Moved Temporarily\r\nTransfer-Encoding: chunked\r\nAccess-Control-Allow-Credentials: true\r\nAlt-Svc: h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400, h3-28=\":443\"; ma=86400, h3-27=\":443\"; ma=86400\r\nCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nCf-Ray: 68dc3da1dec9219f-DUS\r\nConnection: keep-alive\r\nDate: Sun, 12 Sep 2021 21:31:05 GMT\r\nExpect-Ct: max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"\r\nExpires: Thu, 01 Jan 1970 00:00:01 GMT\r\nLocation: https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/subdomain.mydomain.com?kid=8f132de3860f7a7601faf0b02d80b5f87990110d30f08424b90a8e8dcef819ee&redirect_url=%2F&meta=eyJraWQiOiI2YzNiZmZlZjcxYmIwYTkwYzljYmVmM2I3YzBkNGExYzdiNGI4Yjc2YjgwMjkyYTYyM2FmZDlkYWM0NWQxYzY1IiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJzZXJ2aWNlX3Rva2VuX3N0YXR1cyI6ZmFsc2UsImlhdCI6MTYzMTQ4MjI2NSwic2VydmljZV90b2tlbl9pZCI6IiIsImF1ZCI6IjhmMTMyZGUzODYwZjdhNzYwMWZhZjBiMDJkODBiNWY4Nzk5MDExMGQzMGYwODQyNGI5MGE4ZThkY2VmODE5ZWUiLCJkZXZpY2VfaWQiOiIwNjIxNTJkNi0xMThhLTExZWMtOThhNS03YWMzMWZjYzNiYTYiLCJnYXRld2F5X2FjY291bnRfaWQiOiIwNjdmMmU5N2UxZGFkODY0MDUzZmI3ZmE3MzQ4NGY1ZiIsImlzX2dhdGV3YXkiOnRydWUsIm5iZiI6MTYzMTQ4MjI2NSwidHlwZSI6Im1ldGEiLCJpc193YXJwIjp0cnVlLCJhdXRoX3N0YXR1cyI6Ik5PTkUifQ.LOUPK0aTHakQHB2rtKbmZtQMQ0F4hb57A5jorL2GcvXdkXeSkRe0lVLZ_2SGLTlTjyiAxKEY6w-_Xz9aYo5vwRLTUHOgwP9uxKUgf1Tmm2TQQ22mV1KU14XteGETYqg-aadO1OA68TxhfllvyaEp-4_CKqTgCCGqs2Q9_QbRza5jywrttgJph6Em2fkhYKPHzod-gLZGDseQV8Hh5_bfHmvWOtIS0ClQAH9zDXqaXu7IkamkpvlEm0hPrOLPB09jTRBnCE-32dbwFE9BbZQ1wNK6ZfE_PHMmJoLXl7HQE9KvXq9eZX6jrhIzvD4aLOHA3lzKdF6jTAgeLYfMIqqIUA\r\nNel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nReport-To: 
{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=M0aav3OEHVW48GF62xVHjkzRDNv8oFshmqh0MMvpBFfwV%2Beutgbavrnw7A0rDq%2FlZEvdFsZViuWzIA7uw7DLFefLslKy%2B8lOYbg6HF8mKqT3uhmV3FKPGyZ7NH4RQY%2ByDsawCTvR3R5l2FlgFwg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nServer: cloudflare\r\n\r\n0\r\n\r\n"
A browser window should have opened at the following URL:

https://subdomain.mydomain.com/cdn-cgi/access/cli?edge_token_transfer=true&redirect_url=https%3A%2F%2Fsubdomain.mydomain.com%3Ftoken%3D4FBDZW_R-GkfzIPplY_gh8gGS5RnzA8YYk9BTmvAiSQ%253D&send_org_token=true&token=4FBDZW_R-GkfzIPplY_gh8gGS5RnzA8YYk9BTmvAiSQ%3D

If the browser failed to open, please visit the URL above directly in your browser.
2021-09-12T21:31:07Z DBG Access Websocket request: GET / HTTP/1.1
Host: subdomain.mydomain.com
Cf-Access-Token: [REDACTED]


2021-09-12T21:31:08Z DBG Websocket response: "HTTP/1.1 302 Moved Temporarily\r\nTransfer-Encoding: chunked\r\nAccess-Control-Allow-Credentials: true\r\nAlt-Svc: h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400, h3-28=\":443\"; ma=86400, h3-27=\":443\"; ma=86400\r\nCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nCf-Ray: 68dc3daddb9a219f-DUS\r\nConnection: keep-alive\r\nDate: Sun, 12 Sep 2021 21:31:07 GMT\r\nExpect-Ct: max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"\r\nExpires: Thu, 01 Jan 1970 00:00:01 GMT\r\nLocation: https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/subdomain.mydomain.com?kid=8f132de3860f7a7601faf0b02d80b5f87990110d30f08424b90a8e8dcef819ee&redirect_url=%2F&meta=eyJraWQiOiI2YzNiZmZlZjcxYmIwYTkwYzljYmVmM2I3YzBkNGExYzdiNGI4Yjc2YjgwMjkyYTYyM2FmZDlkYWM0NWQxYzY1IiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJzZXJ2aWNlX3Rva2VuX3N0YXR1cyI6ZmFsc2UsImlhdCI6MTYzMTQ4MjI2Nywic2VydmljZV90b2tlbl9pZCI6IiIsImF1ZCI6IjhmMTMyZGUzODYwZjdhNzYwMWZhZjBiMDJkODBiNWY4Nzk5MDExMGQzMGYwODQyNGI5MGE4ZThkY2VmODE5ZWUiLCJkZXZpY2VfaWQiOiIwNjIxNTJkNi0xMThhLTExZWMtOThhNS03YWMzMWZjYzNiYTYiLCJnYXRld2F5X2FjY291bnRfaWQiOiIwNjdmMmU5N2UxZGFkODY0MDUzZmI3ZmE3MzQ4NGY1ZiIsImlzX2dhdGV3YXkiOnRydWUsIm5iZiI6MTYzMTQ4MjI2NywidHlwZSI6Im1ldGEiLCJpc193YXJwIjp0cnVlLCJhdXRoX3N0YXR1cyI6Ik5PTkUifQ.S4bt_TezfE2AT3I-g0eb0Es_4ImIg6HY-n-2KPm7iuIEHD11eOqcplfVwHtxFnMiTzGFDxyBUa3LUlqY9uV9SCsdhC0muhC_MZfeVS3Gb4avo6aCkn3Sa1SYlXTg6FtfoNdMehoO8BiNJLir37SksJCCJlu_FWLQIMilNPqb99_-6dhOrKJJkFZkFHNpDzKnuXveE49tJEcr9_LN-pXTsCRbtGiQ0SoF6tovfQIJkMaGdZBwzJBuHNdmaww3fwuvHIfkK8CDvALUY01chsu2VOUWsup6wtUHYxTivwgyB4nnJos5ogZD-Im3nfSjufM_diH1EA2mY01jC4NNZ4rebg\r\nNel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nReport-To: 
{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=pVTDismaoBcVqQ823JON02p4CGm18IwgWc%2BsJGCz3xrGjxomdu1Pm32xFyme2o1%2FQx0FqYvyoHTe1EDO0E%2FCNKsPhh9HU1E6UNeREvy0FdEWFMNxsn4ww8RLlN5rZcB5PO3p%2BT3yWvsHzT5K9tg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nServer: cloudflare\r\n\r\n0\r\n\r\n"
2021-09-12T21:31:08Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://subdomain.mydomain.com
websocket: bad handshake
kex_exchange_identification: Connection closed by remote host

The browser window opens normally and I can log in without problems (I get the “Success A token has been returned to the machine that initiated the request. Feel free to close this browser window.” success message).

Some of my configs

  • Webhooks are enabled
  • SSL mode is Strict
  • Universal SSL is activated
  • CNAME record to .cfargotunnel.com is created

C:\Users\myname\.ssh\config

Host subdomain.mydomain.com
  ProxyCommand cloudflared access tcp --loglevel debug --hostname %h

cloudflared config on server

tunnel: [REDACTED]
credentials-file: /root/.cloudflared/[REDACTED].json

ingress:
  - hostname: subdomain.mydomain.com
    service: ssh://localhost:22
  - service: http_status:404

My application config in Cloudflare Teams


I hope you have all the required information. Thanks in advance for your answer.
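Added example, not part of the original post: a WebSocket client reports a bad handshake when its upgrade request is answered with anything other than `101 Switching Protocols`, and the client log above shows a `302` to the Access login page instead. This sketch parses one such `Websocket response` debug line and decodes (without verifying) the payload of the `meta` parameter in the redirect; the sample line, hostnames and token are constructed, and `diagnose` is a hypothetical helper name.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit


def b64url_json(segment):
    """Decode one base64url JWT segment to a dict (signature is NOT verified)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def diagnose(log_line):
    """Explain one 'Websocket response' debug line from `cloudflared access`."""
    m = re.search(r'Websocket response: "(.*)"\s*$', log_line, re.S)
    if not m:
        raise ValueError("not a Websocket response line")
    # The logger escapes CRLF and quotes; undo that to recover the raw response.
    raw = m.group(1).replace("\\r\\n", "\r\n").replace('\\"', '"')
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:])}
    result = {"status": status, "upgraded": status == 101}
    location = headers.get("location", "")
    if 300 <= status < 400 and "/cdn-cgi/access/login/" in location:
        result["reason"] = "redirected to Access login instead of upgrading"
        meta = parse_qs(urlsplit(location).query).get("meta", [""])[0]
        if meta.count(".") == 2:
            claims = b64url_json(meta.split(".")[1])
            keys = ("auth_status", "is_warp", "is_gateway")
            result["claims"] = {k: claims.get(k) for k in keys}
    return result


def _seg(obj):
    """Build one unsigned JWT segment for the constructed sample below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample (hostnames, kid and token are made up, not the poster's).
SAMPLE_META = ".".join([_seg({"alg": "RS256", "typ": "JWT"}),
                        _seg({"type": "meta", "auth_status": "NONE",
                              "is_warp": True, "is_gateway": True}), "c2ln"])
SAMPLE_LINE = ('2021-09-12T21:31:06Z DBG Websocket response: "HTTP/1.1 302 Moved '
               'Temporarily\\r\\nLocation: https://team.example.com/cdn-cgi/access'
               '/login/ssh.example.com?kid=abc&redirect_url=%2F&meta=' + SAMPLE_META
               + '\\r\\nServer: cloudflare\\r\\n\\r\\n0\\r\\n\\r\\n"')

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_LINE), indent=2))
```
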

Have you checked if Cloudflare Firewall or other security setting is blocking the request?

Sorry for the late answer.

I left every Cloudflare firewall setting at default and I’ve looked through the firewall settings, but everything seems fine. I’ve also deactivated the firewall on my origin, but that didn’t help either.