How to create a secure tunnel for SSH and SFTP with Cloudflare

Why should I create a secure tunnel?

With Tunnel, you do not send traffic to an external IP, instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network-[Network of Contents]: [is the channel in which owners can post their content and the audience can see the contents posted by the owners]; so you can close unused ports with your firewall in your infrastructure. To create your tunnel your infrastructure (domain+name server) must be inside the cloudflare network.

What i need to create a secure tunnel?

An account-[Account]: [an Account contains the personal information that is assigned to those who register and access with email and password] in cloudflare with your domain name linked to your server with the name server configurations; the cloudflared application than can be downloaded for every operating system here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

What is Zero Trust application?

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping accessAccess [the simple access to a website as a visitor] to applications and data. When you create your tunnel for SSH and SFTP with cloudflare you will need to associate it with a Zero Trust application.

Start your secure tunnel

Once cloudflared is downloaded, you can create the first tunnel simply via terminal or by webui.

TERMINAL

Type this command to authenticate:

$ cloudflared tunnel login

Create a tunnel and give it a name:

$ cloudflared tunnel create <NAME>

From the output of the command, take note of the tunnel’s UUID and the path to your tunnel’s credentials file.

Confirm that the tunnel has been successfully created by running:

$ cloudflared tunnel list

Read the official documents to create a tunnel via terminal: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/

WEBUI

1. Log in to Zero Trust and go to Access > Tunnels.
2. Select Create a tunnel.
3. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, enterprise-VPC-01).
4. Select Save tunnel.
5. Next, you will need to install cloudflared and run it. To do so, check that the environment under Choose an environment reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.
6. Once the command has finished running, your connector will appear in Zero Trust.
7. Select Next.

Read the official documents to create a tunnel via webui: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/remote/

Connect with SSH through Cloudflare Tunnel

The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.

Cloudflare Zero Trust offers two solutions to provide secure access to SSH servers:

• Private subnet routing with Cloudflare WARP to Tunnel
• Public hostname routing with cloudflared access

The cloudflared access is the one we have used here.

Remember that cloudflared is a continuously updated software-[Program/Software]: [the instructions that control what a computer does; computer programs] and it is therefore necessary to read the official documents to be sure that you are using the best possible procedures for the version used.

Use SSH from terminal or webui

Use your new public hostname (for example ssh.example.com) to reach your SSH application via terminal:

$ ssh [username]@ssh.example.com

You can also use the web interface to acces to the ssh terminal via web; to do so additional steps are required: you should simply enable browser rendering in your application. Read the official document about this arguments here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/#rendering-in-the-browser

Use SFTP with the SSH Cloudflare Tunnel

SFTP, or Secure File Transfer Protocol, is a secure file transfer protocol that uses secure shell encryption-[Encryption]: [to change electronic information or signals into a secret code (= system of letters, numbers, or symbols) that people cannot understand or use on normal equipment] to provide a high level of security for sending and receiving file transfers. To use SFTP in your clients additional step is required to connect the client to the tunnel; simply open your terminal (from the client you want to connect) and type this command:

$ cloudflared access tcp --hostname ssh.example.com --url localhost:2222

Next time you want to connect via SFTP (with any enabled software) insert as hostname localhost:2222 and the credentials of your SFTP username of the server; when you close your terminal, the connection end and will not be possible to connect again until you open the terminal and type again this command.

Adjust security settings

When all procedures work perfectly, you can now close the ports used by SSH and SFTP (usually port 22) through the firewall; in this way, only those in possession of the cloudflared application and/or the necessary certificates will be able to connect.

Read always the official documents

As I wrote a while ago, I advise you to always read and learn from the official cloudflare documents because these software could also have changes over time. This document is written without having received any official support from cloudflare and is intended as an example for those who work in our organization.