Securing SSH access with Cloudflare Tunnels

#cloudflare

Protect SSH with a Cloudflare tunnel and a Zero Trust application, which add access control and security and provide a browser-based SSH client.

  1. Create a tunnel as outlined in “TIL: How to share local networks online using Cloudflare Tunnels” but rather than setting the public hostname to redirect to an HTTP(S) service, configure it for type “SSH” and URL “localhost:22”.
  2. Create an application as outlined in “TIL: Setting up Cloudflare Zero Trust Applications and Policies for access control” with an internal access policy.
  3. Go to “Advanced settings” and configure “Browser rendering settings” to enable “Allow automatic Cloudflared authentication” and configure “SSH” for “Browser rendering”.
  4. On your client, add the following to your SSH config to automatically use cloudflared for access:

       Host <ssh-hostname>
         # %h expands to the hostname being connected to
         ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h

This will now require authentication via Cloudflare (as well as standard SSH authentication defined by your server) and also give you the ability to access SSH via a URL in the browser.
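
A lint for the client config from step 4, as an added example that is not part of the original post: it reports, per Host block, whether the connection is routed through `cloudflared access ssh` or would go straight to the server. The function names and the example.com hostnames are constructed, and it assumes plain "Keyword value" syntax with no Match or Include directives.

```shell
#!/bin/sh
# Added example: classify each Host block of an ssh_config-style file.
#   tunnel = ProxyCommand runs `cloudflared access ssh --hostname %h` (or a literal name)
#   broken = cloudflared is invoked but the --hostname value is missing or mangled
#   direct = no cloudflared ProxyCommand, so this client would connect straight to sshd
# Assumes "Keyword value" syntax with no Match or Include directives.
check_cloudflared_hosts() {
  awk '
    function report() {
      if (host != "") { print host ": " state; if (state == "broken") bad = 1 }
    }
    { key = tolower($1) }            # ssh_config keywords are case-insensitive
    key == "host" {
      report()                       # flush the previous block
      host = $2
      for (i = 3; i <= NF; i++) host = host " " $i
      state = "direct"
      next
    }
    key == "proxycommand" && host != "" && /cloudflared access ssh/ {
      state = "broken"
      for (i = 2; i < NF; i++)
        if ($i == "--hostname" && $(i + 1) ~ /^(%h|[A-Za-z0-9][A-Za-z0-9.-]*)$/)
          state = "tunnel"
    }
    END { report(); exit bad + 0 }   # non-zero exit if any block is broken
  ' "$@"
}

# Constructed sample: one correct block, one that lost its %h token, one direct.
sample_ssh_config() {
  cat <<'EOF'
Host ssh.example.com
  ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
Host broken.example.com
  ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %
Host legacy.example.com
  Port 22
EOF
}

sample_ssh_config | check_cloudflared_hosts || echo "fix the entries marked broken"
```

To check a real file, pass it as the argument, for example `check_cloudflared_hosts ~/.ssh/config`.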

Further

It’s possible to further secure your server by closing port 22 and handling all authentication via Cloudflare, but that is not something I have (yet) considered worthwhile. See the Cloudflare docs for further information.
