# Cloudflare SSH proxy (nuc.cydu.net)

How to expose SSH over Cloudflare Tunnel and Access for nuc.cydu.net, plus client setup using cloudflared.
## Server tunnel config

- Config path: `/etc/cloudflared/config.yml`; credentials: `/usr/local/etc/cloudflared/<tunnel-id>.json`; service unit: `/etc/systemd/system/cloudflared.service`.
- Ingress example for SSH (`<tunnel-id>` is the tunnel UUID, the same one that names the credentials file):

```yaml
tunnel: <tunnel-id>
credentials-file: /usr/local/etc/cloudflared/<tunnel-id>.json
ingress:
  - hostname: nuc.cydu.net
    service: ssh://localhost:22 # adjust if SSH listens on another port
  - service: http_status:404 # catch-all, must be last
```

- Validate the ingress rules and restart after edits:

```sh
sudo cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate
sudo systemctl restart cloudflared
```

- If adding the hostname for the first time, create the DNS record that points at the tunnel:

```sh
cloudflared tunnel route dns <tunnel-name> nuc.cydu.net
```
## Zero Trust Access app

- Navigate: Zero Trust -> Access -> Applications -> Add application -> Self-hosted.
- App basics: Name `nuc-ssh`, Domain `nuc.cydu.net`, session length as desired.
- Enable SSH: in Additional settings (Configure SSH), toggle SSH on; use Client (cloudflared) for CLI or Browser for web SSH.
- Policy: Policies tab -> Add policy -> Action Allow -> Include -> add Emails or an Access Group (create under Access -> Groups to bundle emails/IdP groups). Optional: Require MFA.
- Connect tab: use Download SSH config (or "CLI setup") for the client-side ProxyCommand helper.
## Web SSH (browser)

- In the Access app, switch SSH transport to Browser (Additional settings -> Configure SSH).
- Open the app in Zero Trust (Access -> Applications -> nuc-ssh -> Open) and use the web terminal.
- The SSH user and a running daemon on the server are still required; browser mode only changes the transport, and the same Access policy is enforced.
## Client setup

- Install/upgrade cloudflared:
  - Debian/Ubuntu via repo (add the Cloudflare apt repo first if missing): `sudo apt update && sudo apt install --only-upgrade cloudflared`
  - Manual binary:

```sh
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /tmp/cloudflared && sudo install -m 755 /tmp/cloudflared /usr/local/bin/cloudflared
```

  - Check version: `cloudflared version`
- SSH config (what the helper generates; minimal example for `~/.ssh/config`):

```
Host nuc.cydu.net
    HostName nuc.cydu.net
    ProxyCommand cloudflared access ssh --hostname %h
    User <ssh-user>
```

  Connect with `ssh nuc.cydu.net`; a browser login prompt appears once per Access session.
- Fallback TCP bridge (if ProxyCommand fails): run the bridge in one terminal and connect through the local port from another:

```sh
cloudflared access tcp --hostname nuc.cydu.net --url localhost:2222
ssh -p 2222 <ssh-user>@localhost
```
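As an added example (not from these notes and not the output of Cloudflare's "Download SSH config" helper), a small POSIX shell helper that writes the host block above into an SSH config file only when no `Host` entry for that hostname exists yet, so it can be re-run safely on several client machines. The config path, the hostname and the user are parameters; the `~/.ssh/config` default and the `--install` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes. Installs the cloudflared
# ProxyCommand host block into an SSH config file idempotently.

# require_cloudflared: the ProxyCommand needs the binary on PATH.
require_cloudflared() {
    command -v cloudflared >/dev/null 2>&1 && return 0
    echo "cloudflared not found on PATH; install it first" >&2
    return 1
}

# write_ssh_host_block FILE HOST USER
# Appends a Host block for HOST unless FILE already has one.
# Prints "added" or "present".
write_ssh_host_block() {
    file="$1"; host="$2"; user="$3"
    if [ -f "$file" ] && grep -qxF "Host $host" "$file"; then
        echo present
        return 0
    fi
    mkdir -p "$(dirname "$file")"
    # HostName is set explicitly so %h in ProxyCommand stays the Access
    # hostname even if the Host line is later changed to a short alias.
    printf '\nHost %s\n    HostName %s\n    ProxyCommand cloudflared access ssh --hostname %%h\n    User %s\n' \
        "$host" "$host" "$user" >> "$file"
    chmod 600 "$file"
    echo added
}

# Usage (assumed values): only runs when invoked with --install, so the file
# can also be sourced for its functions.
if [ "${1:-}" = "--install" ]; then
    require_cloudflared || exit 1
    write_ssh_host_block "$HOME/.ssh/config" nuc.cydu.net "${2:-$USER}"
fi
```

Running `sh add-access-host.sh --install <ssh-user>` prints `added` the first time and `present` afterwards; the `chmod 600` keeps the file at the permissions ssh expects.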
## Troubleshooting

- "Invalid SSH identification string": ssh received the Access HTTP page instead of an SSH banner. Fix the ingress to use `ssh://` toward a live SSH daemon and ensure the Access app has SSH enabled with the Client (cloudflared) transport.
- "Forbidden" or login loop: your email/group is not included in the Allow policy; adjust the policy or the group membership.
- SSH port unreachable: confirm local SSH is listening and the host firewall allows the target port; watch `journalctl -u cloudflared -f` for tunnel errors.
- After any config change, re-validate and restart the cloudflared service as above.
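As an added example (not from these notes), two offline checks that map to the first and third bullets: `classify_banner` tells whether what ssh received was an SSH greeting or the Access HTTP page, and `check_ingress` scans a config.yml for the hostname's `ssh://` rule and the trailing `http_status` catch-all. `ssh_listening` wraps `ss` for the port check. The awk parsing assumes the `- hostname:` / `service:` layout of the ingress example earlier on this page; the `--check` flag and all sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: offline checks for the
# "Invalid SSH identification string" and "port unreachable" cases.

# classify_banner TEXT
# What the ProxyCommand handed to ssh: "ssh" for a daemon greeting, "http"
# for the Access login page (ingress or app transport misconfigured), else
# "unknown".
classify_banner() {
    case "$1" in
        SSH-*)                          echo ssh ;;
        HTTP/*|'<html'*|'<!DOCTYPE'*)   echo http ;;
        *)                              echo unknown ;;
    esac
}

# check_ingress FILE HOST
# The rule for HOST must point at ssh://, and the last service line must be
# the http_status catch-all. Prints "ok" or the problem; returns 1 on failure.
check_ingress() {
    file="$1"; host="$2"
    # service line that follows the "- hostname: HOST" rule
    svc=$(awk -v h="$host" '
        $1 == "-" && $2 == "hostname:" && $3 == h { want = 1; next }
        want && $1 == "service:"                { print $2; exit }
    ' "$file")
    # value of the final service line, whichever form it takes
    last=$(awk '
        $1 == "service:"               { v = $2 }
        $1 == "-" && $2 == "service:"  { v = $3 }
        END { print v }
    ' "$file")
    case "$svc" in
        ssh://*) ;;
        "")  echo "no service rule for $host"; return 1 ;;
        *)   echo "service for $host is $svc, expected ssh://host:port"; return 1 ;;
    esac
    case "$last" in
        http_status:*) ;;
        *) echo "last ingress rule must be the http_status catch-all"; return 1 ;;
    esac
    echo ok
}

# ssh_listening PORT: true if something is bound to PORT locally (needs ss).
ssh_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$1" '
        { if (substr($4, length($4) - length(p) + 1) == p) found = 1 }
        END { exit !found }'
}

# Usage (assumed paths): sh tunnel-check.sh --check /etc/cloudflared/config.yml
if [ "${1:-}" = "--check" ]; then
    check_ingress "${2:-/etc/cloudflared/config.yml}" nuc.cydu.net
    ssh_listening 22 && echo "sshd listening on 22" || echo "nothing on port 22"
fi
```

To see what ssh actually received, pipe the first line of the ProxyCommand output into `classify_banner`; an `http` result means the request terminated at Access rather than at sshd, which is exactly the first troubleshooting case.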