ZeroTrust Tunnel SSH via Browser

I have been trying for three days to get this to work, and it is driving me crazy.

I want to access my Raspberry Pi 4 behind a CG NAT. I set up a tunnel using this command:

cloudflared service install eyJhIjoi(Imaginefullkey)

The tunnel works so far. When I expose web services like Portainer, Nginx, or other stuff, it works. However, trying to SSH over the browser is making me want to hit my head against the wall.

I created a public hostname with proxy type “” service SSH localhost:22. I also created an application that points to and enabled selected browser render mode SSH. For the policy, I selected “allow,” a simple email, and required country Germany.

When I try to access, I need to identify myself with my email, and then I get an error window.

I am at a point where I don’t know what I should do anymore. Does someone have proper guidance that can help me get this working?

Is any other configuration necessary on the Raspberry Pi itself?

So is your Pi running Windows ? I noticed you’re using a .exe.

Nope, that was a typo. It is running the standard rasbian 64-bit CLI or so-called minimum distribution.

I’m using the command line configured tunnel, as opposed to the dashboard configured. My PC is off right now so I can’t get the config but I don’t mind sharing it with you. Would you care to do a screen sharing session later and we can compare notes? I’m willing to help someone else get this working because it was a huge pain for me. I’m in the Eastern USA timezone.

I would be very happy if someone could help me with this, as I’ve been driving myself crazy about it lately. I could then take the knowledge I gain and make it available to others, since the Cloudflare documentation isn’t particularly good in this regard.

I’m based in Germany, timezone UTC/GMT +2.

When are you approximately at home or on the computer, so I can keep an eye on the notifications here?

I am UTC-4 so that’s about 6 hours behind you. I will be home around 5:00PM local time, which should be 11:00PM for you. Are you on Discord? We could chat there if it would be easier. My name is skykingjwc #7371.

Yes im on discord i have send you a request.

Could you share your solution guys? Having the same problem.

Certainly, I wouldn’t want to impose this on anyone to continue dealing with.

As of now, it seems that this entire SSH web terminal solution simply works incredibly poorly and is poorly documented. It really should be seen as a beta feature, and unfortunately, one cannot rely on it because it works sometimes and then doesn’t at other times. The only thing I can recommend is to use your own web service for this purpose, preferably hosted on a Docker container and then accessed via a normal Cloudflare tunnel – that always works.

Here’s an example of services you can set up:

Unfortunately, Cloudflare browser rendering simply does not work, just to confirm that conclusively. This could be due to network technical issues such as GC-NAT.

I just tried setting up an SSH tunnel with browser rendering and didn’t run into any problems.

Tunnel with the following:

Type: SSH
URL: localhost:22

Access Application basically everything on default except that I enabled browser rendering for SSH.

Everything worked as it should.

If it doesn’t work for you, I recommend that you share some of your actual settings. There’s no point in guessing what might be wrong.

1 Like

I meet an error as below:
2023-11-29T08:07:20Z ERR error=“dial tcp connect: connection refused” cfRay=82d95b3baa7804ff-HKG event=1 ingressRule=0 originService=ssh://localhost:22
2023-11-29T08:07:20Z ERR Request failed error=“dial tcp connect: connection refused” connIndex=1 dest= event=0 ip= type=ws

but actually I can ssh into my target server, port 22 be exposed.

Have you checked whether sshd actually listens on localhost?

The config looks should have these lines:

Port 22
AddressFamily any
ListenAddress ::

截屏2023-12-05 14.15.08