## Introduction
Cloudflare Zero Trust Tunnel (formerly Argo Tunnel) allows you to securely expose your services to the internet without opening any inbound ports. This guide covers setting up cloudflared for both SSH and HTTP tunneling.
## Why Use Cloudflare Tunnel?
- No open ports - Your server has no public-facing ports
- Zero Trust security - Authenticate users before they reach your service
- DDoS protection - Traffic flows through Cloudflare’s network
- No public IP needed - Works behind NAT or firewalls
## Prerequisites
- A Cloudflare account
- A domain added to Cloudflare
- A Linux server (Ubuntu/Debian in this guide)
## Step 1: Install cloudflared

```bash
# Download and install cloudflared
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb

# Verify installation
cloudflared --version
```
## Step 2: Authenticate with Cloudflare

```bash
cloudflared tunnel login
```

This opens a browser to authenticate. Select your domain and authorize the connection. A certificate is saved to `~/.cloudflared/cert.pem`.
## Step 3: Create a Tunnel

```bash
# Create a new tunnel
cloudflared tunnel create my-tunnel

# List tunnels to verify
cloudflared tunnel list
```
Save the tunnel UUID - you’ll need it for configuration.
Create the configuration file:

```bash
mkdir -p ~/.cloudflared
nano ~/.cloudflared/config.yml
```
### Configuration for HTTP and SSH:

```yaml
tunnel: <YOUR-TUNNEL-UUID>
credentials-file: /home/<username>/.cloudflared/<YOUR-TUNNEL-UUID>.json

ingress:
  # SSH access
  - hostname: ssh.yourdomain.com
    service: ssh://localhost:22
  # HTTP/HTTPS web service
  - hostname: app.yourdomain.com
    service: http://localhost:8080
  # Catch-all rule (required)
  - service: http_status:404
```

Replace:

- `<YOUR-TUNNEL-UUID>` with your tunnel UUID
- `<username>` with your Linux username
- Hostnames with your actual subdomains
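Two things in this file bite people in practice: the UUID in `tunnel:` not matching the credentials file that `cloudflared tunnel create` wrote (the "Tunnel not connecting" case in Troubleshooting below), and a missing catch-all rule at the end of `ingress:`. The following script is an added example, not part of this guide or of cloudflared, that checks both offline with only `sh`, `awk` and `grep`; the sample configs, UUIDs and paths it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide or from cloudflared): offline sanity
# checks for ~/.cloudflared/config.yml. Sample configs below are constructed.

# Print the value of a top-level key such as "tunnel" or "credentials-file".
config_value() {
  awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Succeed when the UUID in `tunnel:` equals the UUID embedded in the
# credentials-file name (cloudflared names that file <TUNNEL-UUID>.json).
tunnel_uuid_matches() {
  tunnel=$(config_value "$1" tunnel)
  cred=$(config_value "$1" credentials-file)
  if [ -n "$tunnel" ] && [ "$tunnel" = "$(basename "$cred" .json)" ]; then
    return 0
  fi
  return 1
}

# Succeed when the last ingress rule is a catch-all: a list item that starts
# with `- service:` rather than `- hostname:`.
has_catch_all() {
  last=$(grep -E '^[[:space:]]*- (hostname|service):' "$1" | tail -n 1)
  case "$last" in
    *'- service:'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run both checks, report each failure on stderr, return non-zero on any failure.
check_tunnel_config() {
  ok=0
  tunnel_uuid_matches "$1" || { echo "$1: tunnel: and credentials-file UUIDs differ" >&2; ok=1; }
  has_catch_all "$1"       || { echo "$1: last ingress rule is not a catch-all" >&2; ok=1; }
  return $ok
}

# Constructed sample configs (placeholder UUIDs and paths) so the script runs offline.
write_sample_configs() {
  dir=$(mktemp -d)
  cat > "$dir/good.yml" <<'EOF'
tunnel: 11111111-2222-3333-4444-555555555555
credentials-file: /home/alice/.cloudflared/11111111-2222-3333-4444-555555555555.json
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: app.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF
  # Wrong credentials file and no catch-all rule.
  cat > "$dir/bad.yml" <<'EOF'
tunnel: 11111111-2222-3333-4444-555555555555
credentials-file: /home/alice/.cloudflared/99999999-8888-7777-6666-555555555555.json
ingress:
  - hostname: app.example.com
    service: http://localhost:8080
EOF
  echo "$dir"
}

SAMPLES=$(write_sample_configs)
check_tunnel_config "$SAMPLES/good.yml" && echo "good.yml: OK"
check_tunnel_config "$SAMPLES/bad.yml"  || echo "bad.yml: problems found (expected)"
```

Point `check_tunnel_config` at `~/.cloudflared/config.yml` to check a real file. cloudflared's own `cloudflared tunnel ingress validate` is the authoritative check of the ingress rules; this script is only a quick pre-flight that also catches the credentials-file mismatch, which ingress validation does not cover.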
## Step 5: Create DNS Records

```bash
# Route DNS to your tunnel
cloudflared tunnel route dns my-tunnel ssh.yourdomain.com
cloudflared tunnel route dns my-tunnel app.yourdomain.com
```
This creates CNAME records pointing to your tunnel.
## Step 6: Run the Tunnel

### Test manually:

```bash
cloudflared tunnel run my-tunnel
```

### Install as a system service:

```bash
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

# Check status
sudo systemctl status cloudflared
```
## SSH Access via Browser (Zero Trust)

- Go to Cloudflare Dashboard → Zero Trust
- Navigate to Access → Applications
- Click Add an application → Self-hosted
- Configure:
  - Application name: SSH Access
  - Session duration: 24 hours
  - Application domain: ssh.yourdomain.com
- Add an Access Policy:
  - Policy name: Allow SSH Users
  - Action: Allow
  - Include: Emails ending in @yourdomain.com (or specific emails)
### Enable Browser-based SSH:

- Go to Zero Trust → Access → Applications
- Edit your SSH application
- Under Additional settings, enable Browser rendering
- Set SSH as the type

Now access `https://ssh.yourdomain.com` in a browser for authenticated SSH.
## SSH Access via Terminal

For terminal-based SSH through the tunnel:

### On the client machine:

```bash
# Install cloudflared on client
brew install cloudflared   # macOS
# or download for your OS
```

Add to SSH config (`~/.ssh/config`):

```
Host ssh.yourdomain.com
  ProxyCommand cloudflared access ssh --hostname %h
```

### Connect:
## Verify Everything Works

```bash
# Check tunnel status
cloudflared tunnel info my-tunnel

# View logs
sudo journalctl -u cloudflared -f

# Test HTTP endpoint
curl https://app.yourdomain.com

# Test SSH (uses the ProxyCommand from ~/.ssh/config)
ssh <username>@ssh.yourdomain.com
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Tunnel not connecting | Check credentials file path in config.yml |
| DNS not resolving | Verify CNAME records in Cloudflare DNS |
| SSH timeout | Ensure SSH service is running on localhost:22 |
| 502 error | Check if your backend service is running |
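The last two rows have the same root cause: cloudflared is fine, but nothing is listening on the local port named in the ingress rule. The script below is an added example, not part of this guide or of cloudflared, that reads the ports out of `config.yml` and compares them with the listeners in `ss -ltn` output, so you can rule the backend out before reading tunnel logs. The `ss` output and config it embeds are constructed samples; on a real host, save `ss -ltn` to a file and pass that instead.

```shell
#!/bin/sh
# Added example (not from the original guide or from cloudflared): confirm every
# ingress backend in config.yml is listening locally. Sample inputs are constructed.

# Print the TCP port of every ingress `service:` URL (ssh://localhost:22 -> 22).
# `http_status:404` has no host:port and is skipped by the scheme test.
ingress_ports() {
  awk '$1 == "service:" && $2 ~ /:\/\// {
         n = split($2, parts, ":"); print parts[n]
       }' "$1"
}

# Print the local ports in `ss -ltn` output (column 4 is "Local Address:Port";
# IPv6 listeners such as [::]:22 still end in ":22").
listening_ports() {
  awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# Succeed if every ingress port has a listener; otherwise list the missing ones.
backends_listening() {
  missing=""
  for port in $(ingress_ports "$1"); do
    if ! listening_ports "$2" | grep -qx "$port"; then
      missing="$missing $port"
    fi
  done
  if [ -n "$missing" ]; then
    echo "no local listener on port(s):$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample config and `ss -ltn` capture (placeholders, not a real host).
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/config.yml" <<'EOF'
tunnel: 11111111-2222-3333-4444-555555555555
credentials-file: /home/alice/.cloudflared/11111111-2222-3333-4444-555555555555.json
ingress:
  - hostname: ssh.example.com
    service: ssh://localhost:22
  - hostname: app.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF
  # sshd is up, but the web app on 8080 is not: the tunnel will answer 502 for app.
  cat > "$dir/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       511     127.0.0.1:53        0.0.0.0:*
EOF
  echo "$dir"
}

SAMPLES=$(write_samples)
backends_listening "$SAMPLES/config.yml" "$SAMPLES/ss.txt" \
  && echo "all ingress backends are listening" \
  || echo "start the missing backend before debugging the tunnel"
```

A backend bound only to a non-loopback address would also show up here as listening, so treat a pass as "something is on that port", then confirm with `curl http://localhost:8080` or `ssh localhost` from the tunnel host itself.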
## Security Best Practices
- Use Access Policies - Require authentication for sensitive services
- Enable 2FA - Add multi-factor authentication in Zero Trust
- Limit IP access - Restrict to specific countries/IPs if needed
- Rotate credentials - Periodically recreate tunnels
- Monitor logs - Set up alerts for suspicious access
## Conclusion
Cloudflare Zero Trust Tunnel provides enterprise-grade security for exposing your services without the risks of open ports. Combined with Access policies, you get authentication, logging, and protection all in one.