knowledge-base/network/cf-tunnel-ssh.md

Cloudflare Tunnel — Dev Container SSH Access

Overview

Cloudflare Tunnel gives developers SSH access to their dev containers from a local VS Code or terminal, with no VPN client. The developer addresses a container by the same dev-NNNN hostname the browser IDE uses.


Architecture

Developer laptop
  ↓ ssh dev-6070.zerolaghub.dev
Cloudflare edge
  ↓ CF Tunnel (persistent, runs on bastion)
Bastion VM (private IP, no public exposure)
  ↓ SSH proxy jump
Dev container (10.100.x.x)

The developer types one hostname (dev-6070.zerolaghub.dev) for both, but Cloudflare does not split traffic by protocol: cloudflared access ssh carries SSH inside an HTTPS WebSocket to whatever public hostname it is pointed at, and the bastion's sshd never learns which hostname the developer asked for. The two paths therefore use different public hostnames at the edge and only look the same from the laptop:

  • HTTPS → dev-6070.zerolaghub.dev → Traefik → API → container (browser IDE)
  • SSH → dev-ssh.zerolaghub.dev (the tunnel's public hostname, step 1) → bastion → ProxyJump to the container's private address (terminal / VS Code)

Current State

  • CF Tunnel created and connected to bastion VM
  • Cloudflare Zero Trust free plan active (covers up to 50 users)
  • Tunnel configuration not fully complete
  • SSH hostname mapping not yet configured
  • Bastion SSH proxy jump not yet configured
  • Dev containers SSH not yet verified reachable from bastion
  • Portal SSH config snippet not yet built

Remaining Steps

1. Configure tunnel ingress and an Access policy in the Cloudflare Zero Trust dashboard

In Zero Trust → Networks → Tunnels → your tunnel → Configure, add a public hostname:

  • Subdomain: dev-ssh (one dedicated SSH hostname; a wildcard gains nothing, because the bastion's sshd cannot see which subdomain the client asked for, and it would expose sshd on every otherwise-unused subdomain)
  • Domain: zerolaghub.dev
  • Service type: SSH
  • URL: localhost:22

This routes SSH traffic arriving at Cloudflare for dev-ssh.zerolaghub.dev through the tunnel to port 22 on the bastion.

Then, under Zero Trust → Access → Applications, add a self-hosted application for that hostname with a policy that allows the developer group. cloudflared access ssh only prompts for an identity login when an Access application covers the hostname; without one, anyone on the internet who runs cloudflared reaches the bastion's sshd through the tunnel, and OS-level SSH authentication becomes the only barrier.

2. Configure bastion SSH for proxy jump

On the bastion, /etc/ssh/sshd_config has to let the jump user open the direct-tcpip channel that ProxyJump (ssh -W host:port) uses. Stock OpenSSH already allows this:

# Allow TCP forwarding for proxy jump (these are the OpenSSH defaults, shown for clarity)
AllowTcpForwarding yes
PermitOpen any

Better, scope it to the jump user and the container endpoints. PermitOpen takes space-separated host:port entries (IP or hostname), not CIDR ranges, so a subnet such as 10.100.0.0/24 has to be enforced with a host firewall on the bastion; in sshd_config list the containers themselves, in a Match block placed after the global settings:

Match User dev
    AllowTcpForwarding yes
    PermitOpen 10.100.0.10:22 10.100.0.11:22
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin

(10.100.0.10 and 10.100.0.11 are placeholders for the real container addresses; the provisioning agent can regenerate this list whenever containers are created or destroyed.) The -W forward never requests a session, so PermitTTY no and ForceCommand cost the jump nothing, but they stop the dev account from getting a shell on the bastion.

Validate, then restart SSH: sshd -t && systemctl restart sshd

3. Ensure dev containers have SSH running

Each dev container needs an SSH server listening on its private address, reachable from the bastion, with the developer's public key in the dev user's authorized_keys:

# In dev container (Debian/Ubuntu base assumed)
apt-get install -y openssh-server
systemctl enable ssh
systemctl start ssh

If the container image has no systemd, start the daemon from the entrypoint or process supervisor instead (mkdir -p /run/sshd, then /usr/sbin/sshd -D; the init script normally creates that directory). Set PasswordAuthentication no in the container's sshd_config: the only legitimate path in is key-based, via the bastion. The provisioning agent should do all of this, including installing the developer's key, as part of its dev container provisioning pipeline.

4. Developer one-time setup

The ProxyCommand on its own only reaches the bastion's sshd, because that is where the tunnel terminates; the hop into the container has to be a ProxyJump. The developer adds the bastion stanza to ~/.ssh/config once, plus one stanza per container; the portal will surface both as a copyable snippet with the container's private address filled in:

Host dev-ssh.zerolaghub.dev
    ProxyCommand cloudflared access ssh --hostname %h
Host dev-6070.zerolaghub.dev
    HostName 10.100.x.x
    ProxyJump dev-ssh.zerolaghub.dev
    User dev

The first stanza is the tunnel's public hostname from step 1 (add a User line there if the bastion account differs from the local username). In the second, HostName is what the bastion is asked to connect to: ssh -W 10.100.x.x:22 is sent over the jump, and the bastion opens that direct-tcpip channel, which is exactly what step 2's PermitOpen must allow.

After that:

ssh dev-6070.zerolaghub.dev

5. VS Code Remote SSH

Developer opens VS Code → Remote Explorer → Add new host:

ssh dev-6070.zerolaghub.dev

VS Code reads the same ~/.ssh/config, so the ProxyJump applies unchanged; it connects through the tunnel and mounts the workspace. cloudflared has to be on the PATH of the environment VS Code launches ssh from.
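The procedure above, steps 2 to 5, as one added working example (not code from the zerolaghub portal or provisioning agent): a script that emits the ~/.ssh/config snippet the portal should show, audits the bastion's effective sshd settings from sshd -T output, and dry-runs the client config with ssh -G. It assumes the tunnel public hostname is dev-ssh.zerolaghub.dev, that the bastion jump account is named dev, and that the container addresses are the constructed placeholders 10.100.0.17 and 10.100.0.18.

```shell
#!/bin/sh
# Added example, not code from the zerolaghub portal or provisioning agent.
# Generates the ~/.ssh/config stanzas a developer needs (steps 4 and 5) and
# audits the bastion sshd settings from step 2. Assumptions: the tunnel's
# public hostname from step 1 is dev-ssh.zerolaghub.dev, the bastion jump
# account is "dev", and every container address below is constructed.

SSH_HOST="${SSH_HOST:-dev-ssh.zerolaghub.dev}"   # tunnel public hostname (step 1)
BASTION_USER="${BASTION_USER:-dev}"              # account on the bastion (assumed)
CONTAINER_SUBNET="${CONTAINER_SUBNET:-10.100.}"  # prefix of the container network

# Bastion stanza, added once per developer. The ProxyCommand terminates at the
# bastion's sshd; the hop into a container happens over the ProxyJump below.
bastion_stanza() {
  printf 'Host %s\n' "$SSH_HOST"
  printf '    User %s\n' "$BASTION_USER"
  printf '    ProxyCommand cloudflared access ssh --hostname %%h\n'
}

# Container stanza, one per dev container. HostName is the private address the
# bastion connects to; it is never resolved or reached from the laptop. Do not
# replace these with a "Host dev-*.zerolaghub.dev" wildcard: it would also match
# dev-ssh.zerolaghub.dev and make the bastion try to jump through itself.
# Usage: container_stanza dev-6070 10.100.0.17
container_stanza() {
  printf 'Host %s.zerolaghub.dev\n' "$1"
  printf '    HostName %s\n' "$2"
  printf '    ProxyJump %s\n' "$SSH_HOST"
  printf '    User dev\n'
}

# Snippet for the portal page: the bastion stanza, then one stanza for every
# "name private-ip" pair read from stdin.
portal_snippet() {
  bastion_stanza
  while read -r name ip; do
    [ -n "$name" ] && [ -n "$ip" ] || continue
    printf '\n'
    container_stanza "$name" "$ip"
  done
}

# Audit the bastion's effective sshd config. Feed it the output of
#   sshd -T -C user=dev
# (-C is what makes sshd expand the "Match User dev" block from step 2).
# Returns 0 only if forwarding is on and every PermitOpen target sits inside
# the container subnet; "permitopen any" (OpenSSH's default) is a finding.
audit_bastion_sshd() {
  awk -v subnet="$CONTAINER_SUBNET" '
    $1 == "allowtcpforwarding" { fwd = $2 }
    $1 == "permitopen" {
      for (i = 2; i <= NF; i++) {
        n++
        if ($i == "any" || index($i, subnet) != 1) bad = $i
      }
    }
    END {
      if (fwd != "yes") { print "FAIL: AllowTcpForwarding is " (fwd == "" ? "unset" : fwd); exit 1 }
      if (n == 0)       { print "FAIL: no PermitOpen line in sshd -T output"; exit 1 }
      if (bad != "")    { print "FAIL: PermitOpen target " bad " is outside " subnet; exit 1 }
      print "ok: jump limited to " n " container endpoint(s)"
    }'
}

# Dry-run the generated config with ssh -G (prints the resolved options, opens
# no connection): the container name must come out with the private address as
# hostname and the bastion as proxyjump before anyone tries the real thing.
verify_client_config() {   # verify_client_config <config file> <host>
  ssh -G -F "$1" "$2" | grep -Ei '^(hostname|proxyjump|user) '
}

if [ "${1:-}" = "demo" ]; then
  cfg=$(mktemp)
  printf 'dev-6070 10.100.0.17\ndev-6071 10.100.0.18\n' | portal_snippet > "$cfg"
  cat "$cfg"
  command -v ssh >/dev/null 2>&1 && verify_client_config "$cfg" dev-6070.zerolaghub.dev
  rm -f "$cfg"
fi
```

Run it as `sh cf-ssh-preflight.sh demo` to print the snippet and the ssh -G resolution; on the bastion, `sshd -T -C user=dev | sh cf-ssh-preflight.sh` style use is `. ./cf-ssh-preflight.sh; sshd -T -C user=dev | audit_bastion_sshd`. The audit deliberately treats the OpenSSH default (PermitOpen any) as a failure, since with it the bastion forwards to any host its network can reach, not just the containers.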


Security Notes

  • Bastion has no public IP — all SSH access goes through the CF Tunnel only
  • CF Tunnel is outbound-only from the bastion to Cloudflare — no inbound ports open
  • Zero Trust free tier: up to 50 users, core access control included. Identity is only enforced if an Access application covers the SSH hostname (step 1); the tunnel route by itself is not an authentication step
  • Developer must have cloudflared installed locally for the ProxyCommand
  • code-server runs --auth none — SSH access is separate and enforced at the OS level twice: by the bastion's sshd for the jump (key-only, forwarding to listed containers, no shell) and by the container's sshd for the session

Portal Integration (Future)

Portal dev container page should show:

SSH Access
──────────
Copy this to your ~/.ssh/config (the bastion stanza once; the container stanza per dev container, private IP filled in by the portal):

Host dev-ssh.zerolaghub.dev
    ProxyCommand cloudflared access ssh --hostname %h
Host dev-6070.zerolaghub.dev
    HostName 10.100.x.x
    ProxyJump dev-ssh.zerolaghub.dev
    User dev

Then connect with:
ssh dev-6070.zerolaghub.dev

The bastion stanza is one-time setup. Each further dev container only needs its own four-line stanza, which the portal shows on that container's page.


Troubleshooting

| Issue | Likely cause |
| --- | --- |
| cloudflared: command not found | Developer needs to install the cloudflared client |
| Connection refused | SSH not running in the container, or the bastion jump not configured |
| channel ... open failed: administratively prohibited | Bastion sshd refuses the forward: AllowTcpForwarding off, or the container's address:22 missing from PermitOpen |
| Permission denied | Developer's SSH key not added to the container's dev user (or to the bastion jump account) |
| Shell opens on the bastion instead of the container | ProxyJump stanza missing from ~/.ssh/config; the ProxyCommand alone only reaches the bastion |
| Tunnel not connecting | cloudflared service not running on the bastion — check systemctl status cloudflared |