Unable to ssh using cloudflared

cloudflared is set up on a device (raspberry pi) and I have been using it successfully to access websites hosted there through a Cloudflare tunnel. I would like to get ssh working over the tunnel from a mac. I followed the tutorial, but have been unable to get it to work:

bash-3.2$ ssh [email protected]
2022-02-14T19:35:42Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://ssh.aohomedesign.com
websocket: bad handshake
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Hello @tgraf2

Check out https://developers.cloudflare.com/cloudflare-one/faq/teams-troubleshooting/#cloudflared-access-shows-an-error-websocket-bad-handshake to see if any of those ideas help

Thanks for the link. I checked the items in the troubleshooting list and they all look good:

  • “Your cloudflared tunnel is either not running or not connected”
    [tunnel is up and connected, I am able to use the tunnel for http requests]

    cloudflared tunnel info mytunnel
    NAME: mytunnel
    ID: 78d9fbef-e7fb-440d-a735-0ca82153e285
    CREATED: 2022-02-08 17:21:47.094025 +0000 UTC
    e314518c-e750-4fc6-bcda-541ddbc4feb5 2022-02-14T20:59:52Z linux_arm 2022.2.0 2xBOS, 2xPHL

  • “WebSockets are not enabled”
    [websockets are enabled]

  • “Your Cloudflare account has Universal SSL enabled and the SSL/TLS encryption
    mode is set to Off. To resolve, set the SSL/TLS encryption mode to any
    setting other than Off.”
    [SSL/TLS encryption mode is Flexible]

  • “Your requests are blocked by Super Bot Fight Mode.
    To resolve, make sure you set Definitely automated to Allow in the bot
    fight mode settings.”

I will look through the rest of the troubleshooting articles, but so far, no luck: http works, but ssh does not.

I’m having the same issue. I upgraded from 2020.5.1 to 2022.2.0, converted my config to the new ingress scheme. Same error as OP.

   - hostname: myhost-ssh.mydomain.net
     service: ssh://localhost:22
   - service: http_status:404

Is there a way to get debug info from cloudflared? I suspect there is an issue with cloudflared, but I am unable to get any additional info to make progress.

To test this, I ran a new instance of sshd in debug mode using port 2222, and reconfigured cloudflared to recognize this port. Viewing the command line output on the origin, I can see that sshd is never receiving the connect request. In addition, the ssh command is failing immediately on the mac.

I need to see the detailed logs from the cloudflared to make any progress on this. I appreciate your help.

How about trying the SSH in-browser as per https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-browser ?

It would be a way to start and minimize the problem surface since you would not have to use cloudflared access on the user side.


Thanks for getting back to me. I followed the tutorial and got the following screen:

Is there any log in cloudflared tunnel when this happens?
If not, can you run with loglevel: debug and repeat?

I typed the following at the origin:
cloudflared tunnel --loglevel debug
2022-02-17T14:40:55Z DBG Loading configuration from /etc/cloudflared/config.yml
Use cloudflared tunnel run to start tunnel 78d9fbef-e7fb-440d-a735-0ca82153e285
I then tried to access ssh via the browser, as above, with the same result. Can you tell me how to access the logs? Is there anything else I need to do (restart cloudflared?)

When I use:

sudo journalctl -u cloudflared -f

I see no new entries in the log.

@tgraf2 I noticed my DNS for the tunnel was missing. So I added it back via these steps. https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns#route-traffic-from-the-command-line

I’ve got loglevel: trace in my config file and I can see the connection coming in but it hangs and does nothing. Still investigating…


Yes this fixed it for me.

Also, make sure your ingress is:
service: ssh://localhost:22

I definitely have a DNS record for ssh:

and I have added the following to the config.yml file:

logfile: ~/Cloudflare/cloudflared.log
loglevel: debug

I then restarted cloudflared, but I don't see a log. Am I missing something?

Yes, the ssh entry in config.yml is:

ssh, port 22

so that seems ok too.

I tested the ingress rule as shown below:

cloudflared tunnel ingress rule https://ssh.aohomedesign.com
Using rules from /etc/cloudflared/config.yml
Matched rule #3
service: HTTP 404

So, the ssh rule appears to be the problem, but I have not been able to find the problem.

I found the problem: the file /etc/cloudflared/config.yml was not getting updated (I was updating ~/Cloudflare/config.yml). Things are working now.
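The fall-through shown by the cloudflared tunnel ingress rule output above (ssh.aohomedesign.com landing on rule #3, the http_status:404 catch-all) can be reproduced with an added example; this is not cloudflared's own code. It models first-match ingress evaluation over two constructed ingress lists, one standing in for the stale /etc/cloudflared/config.yml without the ssh rule and one for the intended config, and exposes the same two facts the real command prints (rule number and service). The exact contents of the original config files are not on the page, and the wildcard-hostname and catch-all semantics are assumptions about cloudflared's behaviour.

```python
import re

# Constructed stand-in for the ingress list cloudflared was actually loading from
# /etc/cloudflared/config.yml in the thread: there is no ssh rule, so
# ssh.aohomedesign.com falls through to the catch-all ("Matched rule #3", HTTP 404).
STALE_INGRESS = [
    {"hostname": "aohomedesign.com", "service": "http://localhost:80"},
    {"hostname": "www.aohomedesign.com", "service": "http://localhost:80"},
    {"service": "http_status:404"},
]

# Constructed stand-in for the intended config (~/Cloudflare/config.yml): the ssh
# rule from the thread, plus a wildcard/path rule to exercise those matchers.
INTENDED_INGRESS = [
    {"hostname": "www.aohomedesign.com", "service": "http://localhost:80"},
    {"hostname": "ssh.aohomedesign.com", "service": "ssh://localhost:22"},
    {"hostname": "*.aohomedesign.com", "path": "^/api/", "service": "http://localhost:8080"},
    {"service": "http_status:404"},
]


def is_valid_ingress(rules):
    """cloudflared's documented requirement: the last rule is a catch-all (no hostname, no path)."""
    return bool(rules) and "hostname" not in rules[-1] and "path" not in rules[-1]


def hostname_matches(pattern, host):
    """Assumed wildcard semantics: '*' matches any host, '*.x' is a suffix match on '.x'."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return pattern == host


def match_ingress(rules, host, path="/"):
    """First matching rule wins; returns (1-based rule number, service), the same two
    facts `cloudflared tunnel ingress rule https://<host><path>` prints."""
    if not is_valid_ingress(rules):
        raise ValueError("last ingress rule must be a catch-all with no hostname or path")
    for number, rule in enumerate(rules, start=1):
        if not hostname_matches(rule.get("hostname", "*"), host):
            continue
        path_regex = rule.get("path")  # Go-style regex in cloudflared; re.search is close enough
        if path_regex and not re.search(path_regex, path):
            continue
        return number, rule["service"]
    raise AssertionError("unreachable: a validated catch-all always matches")
```

When the rule number for the ssh hostname comes back as the catch-all, the quickest check is the "Loading configuration from ..." DBG line, which tells you which config file cloudflared is really reading.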

Thanks - This fixed my problem for a Cloudflare tunnel with AWS Linux EC2
