ZeroTrust SSH tunnel not working

Dear Community!

I have started using ZeroTrust tunnels and want to add SSH access with it to my remote servers.

Everything seems to be configured correctly: SSL/TLS is enabled (set to Full) in Cloudflare, cloudflared is installed on the server (Ubuntu 22) and running, and the tunnel is up and healthy, as reported by Cloudflare.

I have configured a Public hostname, set to SSH “localhost:22”, I can see that the ingress rule is received by the server.

However, when I try to access it through this Public hostname (the proxy is configured and running) I get an error: "Connection closed by remote host, Connection closed by UNKNOWN port 65535".

I have reviewed all posts on the internet related to Cloudflare and SSH but none of them gave any solution for me.

What else should I check?

Hi!

Your post lacks some information on your client-side setup. Are you using WARP or Cloudflared to establish the connection?

Sorry, I’m using cloudflared on the client side as well.

The ssh config is the following:

Host ssh.example.com # Replaced real hostname
ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h

When trying to connect with debug logging:

OpenSSH_9.4p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/username/.ssh/config
debug1: /Users/username/.ssh/config line 4: Applying options for ssh.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/username/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/username/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy command: exec /opt/homebrew/bin/cloudflared access ssh --hostname ssh.example.com
debug1: identity file /Users/username/.ssh/id_rsa type 0
debug1: identity file /Users/username/.ssh/id_rsa-cert type -1
debug1: identity file /Users/username/.ssh/id_ecdsa type -1
debug1: identity file /Users/username/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/username/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/username/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/username/.ssh/id_ed25519 type -1
debug1: identity file /Users/username/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/username/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/username/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/username/.ssh/id_xmss type -1
debug1: identity file /Users/username/.ssh/id_xmss-cert type -1
debug1: identity file /Users/username/.ssh/id_dsa type -1
debug1: identity file /Users/username/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Tried on Linux as well. Same config and error.

Do you maybe have any options for Host * that might interfere? What happens if you use ssh.example.com instead of %h?

Host ssh.example.com # Replaced real hostname
ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname ssh.example.com

Or like this:

Host ssh.example.com # Replaced real hostname
Hostname ssh.example.com
ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h

Also, is your SSHD even listening on localhost?
Check what ListenAddress you have in /etc/ssh/sshd_config on your server.

Do you maybe have any options for Host * that might interfere? What happens if you use ssh.example.com instead of %h?

I don’t have any other config in my ssh config. From the log line "debug1: Executing proxy command: exec /opt/homebrew/bin/cloudflared access ssh --hostname ssh.example.com" I think the variable substitution works correctly, but I will try hard-coding the value there.

Also, is your SSHD even listening on localhost?
Check what ListenAddress you have in /etc/ssh/sshd_config on your server.

For sure it is listening. I have even tried ssh localhost -p 22 on the server, just to be sure nothing is blocking this. Right now, it is even allowed by firewall from anywhere.

Your log says you do have this here. Can you check in that file?

debug1: /etc/ssh/ssh_config line 54: Applying options for *

Yes you were right, I was just overriding in my home directory.

Anyway, I found the problem. I tried using a second-level subdomain, like ssh.servers.example.com, which is not covered by a certificate in the Cloudflare Free tier.

When I changed to a first level subdomain, it worked instantly. I got the hint from the DNS Zone management console, highlighting this domain as not covered by a certificate.

Thank you for your help!

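A small diagnostic script, added here and not taken from the thread or from Cloudflare, that encodes the two things this resolution turned on: whether a hostname sits within what Universal SSL covers (the zone apex plus one label, i.e. example.com and *.example.com), and whether the ProxyCommand actually delivers an SSH banner before hanging up (the kex_exchange_identification error above means it did not). The cloudflared invocation in the usage comment is the one from the thread; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of the thread or of Cloudflare's tooling.

# Universal SSL covers the zone apex and exactly one label below it
# (example.com and *.example.com). Deeper names such as
# ssh.servers.example.com need a separate certificate.
# Returns 0 when covered, 1 otherwise.
universal_ssl_covers() {
    host=$1; zone=$2
    case "$host" in
        "$zone") return 0 ;;        # apex itself
        *."$zone") ;;               # some name under the zone, check depth
        *) return 1 ;;              # not in this zone at all
    esac
    prefix=${host%".$zone"}         # labels below the apex
    case "$prefix" in
        *.*) return 1 ;;            # two or more labels: not covered
        *)   return 0 ;;            # exactly one label: covered
    esac
}

# Run a ProxyCommand with stdin closed and check that the first bytes it
# writes are an SSH identification string. sshd sends this banner as soon as
# the connection is up, so an empty or HTTP-looking result isolates the
# tunnel from ssh itself. Prefix with "timeout 10" where available if the
# proxy lingers after the banner.
# Usage: proxy_delivers_banner cloudflared access ssh --hostname ssh.example.com
proxy_delivers_banner() {
    banner=$("$@" </dev/null 2>/dev/null | head -c 8)
    [ "$banner" = "SSH-2.0-" ]
}

# Combined check: do not even try the tunnel when the hostname is too deep
# for Universal SSL. Exit 2 for coverage, 1 for a missing banner, 0 for OK.
check_tunnel_host() {
    host=$1; zone=$2; shift 2
    if ! universal_ssl_covers "$host" "$zone"; then
        echo "$host is more than one label below $zone: not covered by Universal SSL" >&2
        return 2
    fi
    if ! proxy_delivers_banner "$@"; then
        echo "proxy command closed without an SSH banner; check the tunnel ingress and sshd ListenAddress" >&2
        return 1
    fi
    echo "$host: covered by Universal SSL and SSH banner received"
}
```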

However, one more question still remains.

When establishing a connection, the docs say:

When the command is run, cloudflared will launch a browser window to prompt you to authenticate with your identity provider before establishing the connection from your terminal.

However, I don’t see any authentication; it just starts the connection. Is there anything I need to configure to make this work?

Have you created a Zero Trust application for ssh.example.com?

Sorry, I forgot to answer myself here: yes, I had to create an application for this domain in ZeroTrust Access.

Is it somehow possible to submit improvements to documentation? It seems a little bit simple or outdated.